Deloitte: financial institutions reengineer risk management

Seventy percent of the financial services executives surveyed by the firm said their firms have either recently completed an update of their risk management program or have one in progress. A big part of this revitalization, according to Deloitte, will be leveraging emerging technologies: Forty-eight percent of respondents are planning to modernize their risk infrastructure using new technologies, including robotic process automation (RPA), cognitive analytics, and cloud computing.

The findings from the 11th biennial edition of the survey of financial institutions, titled “Reimagining Risk Management to Mitigate Looming Economic Dangers and Nonfinancial Risks,” are based on the responses of 94 financial institutions around the world, representing a total of $29.1 trillion in aggregate assets. The institutions surveyed provide a range of financial services, including banking (61 percent), investment management (49 percent), and insurance (46 percent).

“Financial institutions face a formidable set of challenges posed by today’s more complex and uncertain risk environment,” says Edward Hida, a partner with Deloitte Risk and Financial Advisory at Deloitte US and the author of the report. “With budget cuts common—and a big focus on effectiveness and efficiency as the torrent of regulatory change has slowed—this will require institutions to rethink their traditional assumptions and employ fundamentally new approaches.”

“Digital technologies have the potential to fundamentally reengineer virtually every aspect of risk management,” Hida added. “Financial institutions are now at the early stages of this transformation of their risk management functions.”

Only a minority of institutions are employing these types of technology currently, “and often in small doses within their organization,” the survey notes. The technologies that institutions surveyed most often reported using were cloud computing (48 percent), Big Data and analytics (40 percent), and business process modeling tools (38 percent). “Most surprisingly, given the attention paid to the potential of RPA to reduce costs and improve accuracy by automating repetitive manual tasks without human involvement, only 29 percent of respondents said their institutions are currently using it,” Deloitte observed.

Other tools are being used by even fewer institutions, such as machine learning (25 percent); business decision modeling tools (24 percent); and cognitive analytics, including natural language processing/natural language generation (19 percent).

“These tools can reduce costs by automating manual tasks such as developing risk reports or reviewing transactions,” Hida says. “They can also automatically scan a wide variety of data in the internal and external environments to identify and respond to new risks, emerging threats, and bad actors. Some banks, for example, have developed real leading-edge platforms for identifying potential conduct risk situations.”

Growing importance of cyber-security risk

Financial services executives were also asked what “three risk types” they believed would increase the most in importance for their institutions over the next two years. Cyber-security, predictably, was the top challenge identified by two-thirds of respondents (67 percent), far more than the percentage commanded by any other risk factor. Only about half the respondents felt their institutions were “extremely” or “very” effective in managing this specific risk.

Although cyber-security also held the pole position in the survey’s 2016 edition, there was a dramatic uptick in the current research. More respondents considered it as one of the three risk types that would increase most in importance (67 percent, up from 41 percent) and cited it as the No. 1 risk (40 percent, up from 18 percent).

For specific types of cyber-security risks, respondents most often considered their institutions to be extremely or very effective in managing disruptive attacks, financial losses or fraud, cyber-security risks from customers, loss of sensitive data, and destructive attacks—each above the 50 percent mark. They were less likely to consider their institutions to be as effective when it came to threats from nation-state actors (37 percent) or cyber-security risks from third-party providers (31 percent).

“In addition to their supervision of individual institutions, regulators across the globe are beginning to address the risks that cyberattacks could pose to the financial system as a whole,” says Ed Powers, risk and financial advisory cyber-risk services leader at Deloitte. “Given the increasing interconnections among financial institutions, their technology partners and financial markets around the world, good cyber-governance and oversight is imperative to the ability to respond and recover effectively when a threat is detected, or an attack is realized. It is well known that a cyber-attack has the potential to quickly damage the global financial system.”

Among the survey’s additional findings:

• When asked to assess the overall effectiveness of their institution in managing risk, 82 percent of respondents considered it to be extremely or very effective, an increase from 69 percent in 2016.
• While institutions have become more skilled at managing financial risks, non-financial risks continue to assume greater prominence as the exposure and consequences from these risks has become more evident. Respondents were less likely to consider their institutions extremely or very effective in areas including reputation risk (57 percent), business resilience risk (54 percent), model risk (51 percent), conduct and culture risk (50 percent), strategic risk (46 percent), third-party risk (40 percent), geopolitical risk (35 percent) and data integrity risk (34 percent).
• Eighty-three percent of respondents expected that regulatory requirements on their institutions would increase over the next two years, with one-third expecting a significant increase.
• Credit risk was seen most often as being extremely or very challenging to manage in commercial real estate (31 percent).

Lines of defense?

Financial institutions confront significant challenges in effectively employing the “three lines of defense” risk governance model—which details the appropriate roles in risk management of business units, the risk management function, and internal audit—according to the survey. This model has long been a regulatory expectation and a prevailing practice. Forty-three percent of survey respondents said their institutions either have revised their three lines of defense model, are reassessing, or are planning to reassess their models. Deloitte, in its analysis, expects the impact of emerging technologies to be a key consideration in these changes.

“Financial institutions will need to consider how to effectively reengineer their ‘three lines of defense’ in this technology-powered environment,” Hida says. “One of the biggest issues in the three lines of defense will be making sure that business units are engaged in their ‘first line’ role, as the survey found that more than half said their institutions have increased, or plan to increase, the risk management responsibilities of business units to manage the risks they assume. There is a great deal of work to do in this arena in the volatile environment that companies face today.”