The Scope and Complexities of Risk Management in Financial Services
By Renato Fazzone, FTI Technology
With increasing digitalisation, banks and financial service providers are exposed to a growing spate of risks. Cybersecurity threats are steadily rising. Data privacy authorities are ramping up enforcement and the scope of sector-specific regulations is widening. In the financial services industry, many of these risks are heightened, adding significant complexity to risk management and cybersecurity preparedness within financial institutions.
Digitalisation changes the way we handle money
Today, risk management for banks is challenged by digitalisation more than in almost any other industry. It is true that new technologies have always determined the way financial institutions work. For example, the number of employees in the German banking industry has fallen continuously over the last two decades, while total assets have increased by roughly 50% in the same period, according to the Deutsche Bundesbank. This productivity boost has been made possible not least by the increased use of technology.
However, the results of technological change have never been as drastic as they are today, because they are now affecting and changing banking business models, as well as the way people and companies spend, save, borrow or invest money. The financial industry is suddenly competing with online retailers, media companies and technology companies that are building their own financial systems.
New technologies, new players, new risks
According to CB Insights, investors founded 27 fintech unicorns, or private companies valued at more than 1 billion U.S. dollars, in 2020. In 2021, the number of new “unicorns” reached 157, and 70 fintech companies were listed among the world’s 500 most highly valued unicorns.
The majority of these new players do not have a banking licence. Most often, they specialise in individual processes of a banking service or in technical support, e.g., credit scoring, mobile payment or cloud services. Banks have begun cooperating with start-ups and fintechs by outsourcing processes, making outsourcing an irreversible trend in the banking sector. Just like all other aspects of digitalisation, collaboration with fintechs has introduced new, complex risks for banks.
The more digital the financial world becomes, the more data is processed and the more new technologies are used, the more risks arise and the more critical cybersecurity and risk management become for banks. As the European Commission announced at the end of 2020, the number of cyber attacks on financial institutions increased by 38% during the pandemic.
So, it is no longer just a matter of meeting the minimum requirements for risk management (MaRisk) and the banking supervisory requirements for IT (BAIT). Not every new risk can be combated by backing it with equity and liquidity. Non-financial risks must also be addressed.
Terror, war, cybercrime, natural disasters, climate change, sanctions and geopolitical upheavals must be assessed as threats and integrated into banks’ risk management. Closer integration of the risk and compliance functions will also be needed.
In this landscape, numerous questions have arisen in the implementation of risk management for banks. These include:
- How do you prevent a server failure lasting several hours with all its financial consequences?
- What risks does cooperation with external service providers entail, for example the outsourcing of special processes?
- How do you protect yourself against hardware and software failures?
- How do you prevent technical errors when setting up IT systems?
- How can weak points in the IT structure be recognised?
- How well are the interfaces in the IT system protected?
- How do you protect large amounts of data from external access?
- How do you prevent manipulation and fraud by employees?
- Which employees must have which administrative rights?
- What knowledge do the board and staff of the banks have regarding risk management?
- How should the global climate risk be countered?
- How to react to geopolitical upheavals, war and shortages of raw materials?
- What to do in an emergency if an attacker paralyses the entire IT system?
Supporting bank risk management through legal requirements
To help banks build a strong security posture, including a well-functioning risk management that can withstand attacks of many kinds, the European Commission presented a draft Digital Operational Resilience Act (DORA). This proposal is part of the Digital Finance Package, a set of measures designed to further harness the potential of digital finance in terms of innovation and competition while mitigating the resulting risks.
According to the EU Commission, the Digital Finance Package includes a digital finance strategy for the EU financial sector with the following objectives, among others:
- Strengthen and further ensure the digital operational resilience of financial firms.
- Consistently monitor third-party information and communication technology (ICT) service providers working for financial institutions.
Financial firms should continue to bear their responsibility in this regard.
In Germany, the Act to Strengthen Financial Market Integrity (FISG) was passed in June 2021 and accordingly numerous laws in the financial sector have been amended. Among other things, the financial supervisory authority BaFin is able to directly access those companies to which banks outsource essential processes and activities.
Employees at the centre of banks’ risk management
In view of the complex threat situation for banks’ IT systems, it is not enough to turn individual screws. The task of risk management in banks is to increase the resilience of the financial institution against all attacks from outside and inside. Digital resilience must be continually improved. Risk management in banks must be seen as a business imperative that not only concerns the IT departments of financial institutions, but also involves every employee and every technological development: big data, cloud solutions, artificial intelligence and robotic process automation, among others.
Potential of digitalisation and automation of risk management in banks
It seems obvious that with the digitalisation of the financial sector as a whole, digital solutions will also be applied accordingly in risk management. However, this has not been the case to date. Only about 10% of banks have fully automated most of their risk management activities, according to the 2021 study “From Crisis to Opportunity: Redefining Risk Management” from the Financial Times subsidiary Longitude. Only 6% have fully automated large parts of the risk modelling process. According to the study, the institutions leading this transformation are already seeing strategic benefits. These include, for example, the ability to generate data-driven insights faster and on a larger scale in an increasingly uncertain market.
The benefits of applying the latest technologies to banking risk management are obvious. However, implementation is not always straightforward. Investments in systems, tools and enhanced analytics capacities are necessary. Big data, AI and machine learning will be integral to enabling capacity without significant resources. While new programmes require investment, they will reap rewards in the form of stronger data protection, mitigated risk and resilience in the face of an ever-evolving cyber threat landscape.
Banks and financial institutions will consistently drive their digital transformation in the coming years. Digitalisation will always produce new business models, which also always harbour new risks. Banks must move quickly in response to new technologies and be proactive as new risks arise. If the business strategy is consistently accompanied by robust risk management, digital transformation will result in tremendous business opportunity.
Renato Fazzone is a Senior Managing Director at FTI Consulting and is a member of the Technology practice based in the Düsseldorf office, which he founded in 2020. He works solely in the technology field.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.