Banks have been responsible for the smooth functioning of economies for decades. However, the credit crisis, global recession and the Covid-19 pandemic have been major setbacks for the banking sector, and it is anticipated that by 2025, risk functions in banks will become more unpredictable. Unless banks act immediately and get ready for these longer-term changes, they will be swamped by new constraints and demands.
Today, risk management is the focal point of extreme regulatory examination and is central to senior management strategy building and decision-making. Risk management within banks is going through many changes and the integration of risk management processes is at the core of this evolution. Integrated risk management is the broad risk-taking approach that involves robust risk identification, dynamic risk assessments, strong control evaluation, key metrics definition and monitoring, loss reporting, issue management, and comprehensive risk reporting. It involves developing larger business strategies, management expertise, capital strength, and general willingness to assume risk approved by the bank’s board.
The risk of loss as a result of errors, infringements, disruptions, or damages, whether accidental or intentional, caused by internal processes, people, external events, or systems comes under the ambit of Operational Risk. Damages from operational risks can be devastating, not just in a financial sense, but in terms of the overall impact on the bank’s business, which could threaten its survival. In the recent past, banks worldwide have been plagued with headline-garnering scandals sparked by an inability to limit operational risk.
Despite this being a challenging task, banks need to put all their resources into controlling Operational Risks. In comparison to financial risk, operational risks are more complicated and tougher to limit and manage.
Several banks fail to understand, measure, and manage the interrelated factors that add to operational risk, including administrative processes, IT systems, and human behavior. They struggle to build cultural, management, and administrative structures to control these risks.
Here is a list of some commonly known operational risks in the banking sector:
Losses from swindling activities within a bank can originate from misuse of assets, forgery, bribes, theft, and tax non-compliance.
Fraudulent acts perpetrated by third parties include theft, check fraud, breaching system security, data theft, and hacking.
Banks are increasingly counting on vendors, which implies identifying, evaluating, and controlling vendor risks during the relationship lifecycle with those firms. However, banks also have to recognize and assess risks associated with the suppliers and contractors that vendors use.
Software or hardware system malfunctions, disruption in telecommunications, and power failures can disturb a bank’s business operations and lead to financial loss.
Even as banks ramp up their IT security endeavors, cyber threats, including phishing and ransomware, occur regularly and pose a huge risk to financial institutions.
A complete approach to ORM involves four broad areas:
Regulators have raised the number of guidelines that banks need to follow since the global financial crisis. Banks functioning in several territories may have to confront conflicting and overlapping regulatory systems. Errors can be costly and upsetting, causing customer defections and regulatory sanctions. The pace and scale of regulatory shifts can be overwhelming. As banks try to control costs, they must invest in people, systems, and processes that promote compliance.
Even today, employees and the customers they converse with can cause significant damage when they do not perform tasks appropriately, either unintentionally or on purpose. Trouble can occur from several other factors, such as deliberate and unlawful policy breaches, poor execution, lack of training and knowledge, and unclear procedures.
By spelling out ambitious sales targets and applauding employees for fulfilling them, banks can encourage and condone unsuitable risk taking. Such actions, when revealed, can lead to shareholder losses, regulatory fines, and changes in management. In addition, effective processes and practices may lead to operational failure.
Systems can be breached, data can be distorted or stolen. The risks faced by banks extend to third-party IT providers. As a result, several banks today rely on cloud-based storage. Systems can crash, leaving ATMs inaccessible to customers. Even the rate of technological transformation poses an operational risk. With the cyber ecosystem evolving so swiftly, banks could face difficulty in keeping pace with new threats.
There are four key steps involved in risk management in banks:
With risk identification, banks can take stock of where they begin to comprehend and control operational risks.
This process seeks to identify, assess, and control various operational risk exposures or hazards facing a bank and lets them know if an adverse event may negatively impact their business.
Banks must ensure effective controls exist at the various risk-evolution stages. The sooner the controls are put in place in the risk journey, the more robust the risk detection and mitigation mechanism will be.
Improvements in operational risk management depend a lot on the willingness of senior management to be proactive and prompt while appropriately addressing operational risk managers’ concerns.
Internal loss events are key components of the operational risk framework toolkit. While Key Risk Indicators, Scenario Analysis, and Risk Control Self Assessment involve different degrees of subjectivity, internal loss event data offers the most objective source of information, as the losses can be quantified and verified.
Internal losses appear from real events, i.e. the materialization of operational risks, and reflect the bank’s own experience. Hence internal loss events can be used as a basis for assessment and management response.
Losses arising from a lack of control or some unanticipated event represent a view of the past, while risk management must be forward looking. But, unless controlled, events that have taken place could occur again and involve more substantial impact, especially if linked to consequential loss events or additional control failures. In this manner, taking the opportunity to learn from hindsight can help in building foresight.
If executed properly, the positive results of the internal loss event process will not only be a response to current risks but will also help in managing future risks. With MetricStream, you can minimize loss events by capturing, analyzing, categorizing, and remediating internal risk events and losses across multiple impacted organizations in compliance with industry regulations like the Basel Accords.
Conventionally, measuring operational risk is very challenging. Basic statistical models have grappled with unavailability of data. However, several banks and other financial institutions have observed the following key trends:
The entry of digital fintech players in the banking sector has transformed how traditional banks operate as customers prefer the ease with which they can transact. Once these risks are identified, steps can be taken to mitigate them. Without a doubt, digitization can increase risks for community banks that do transform. The answer to this problem is enhanced digital banking risk management.
Technology is at the top of the list of transformative forces in the banking sector. The move from monolithic players towards the platform economy is producing a more interdependent and interconnected marketplace. While this creates prospects for incumbents, new market players and customers, it also raises key questions about regulation and accountability, especially as customer data becomes more valuable.
To shield their business from changing regulations, it is imperative for banks to make sure their GRC program stays agile. They must be able to incorporate new regulations into their program as they are introduced. It is important that they leverage internally and externally sourced broad-spectrum threat intelligence to keep the risk management processes on alert.
Business complexity, together with regulatory and market scrutiny, is pushing firms to embrace a structured approach to GRC. The objective is to effectively define, control, and observe the business environments. Technology has an enabling role in offering consistency, sustainability, transparency, and efficiency across this GRC process.
Today external and internal networks can be examined in greater detail. This broadly addresses the data challenge plaguing conventional models. However, it also creates an entirely new problem, as this data is not in a conventionally organized form and can exist as charts, texts, voice files, images, and other formats. Consequently, businesses need a compelling new set of analytical tools. This is a key factor pushing all financial institutions and banks to leverage AI in their risk and compliance processes. AI and ML today have an extensive role to play in the context of operational risk management.
In regulatory reporting, the major areas of AI use have been in handling and authenticating data, certifying results against preset criteria, and supervising overall compliance.
To make sure that AI grows into a key element of fundamental business processes in risk management in the future, instead of being deployed as an outlandish tool, it is important to have a practical understanding of AI along with basic statistical processes. This issue is common in capital markets, where methodological objectivity is highest, and lowest in retail banking, where AI is well-embedded. Undeniably, large banks are among the strongest AI adopters, with huge investment in areas such as retail banking, financial crime, and data management.