Beware the invisible enemy

Banks should step up their automation efforts to help them deal with growing operational risks

By Adela Wiener, CEO, Aurachain

Banks and financial services companies have never been strangers to risk. However, from increased cyber threats exacerbated by potential cyber warfare to the impact of economic sanctions on key financial markets, risk remains firmly on the radar.

For several years now, market analysts have predicted a more turbulent and changing risk landscape that requires banks to build a more resilient and agile response to risk management than they have had in the past.

Deloitte’s 2022 banking and capital markets outlook cites “designing a modern toolbox for risk and compliance” as one of six focus areas. Equally, McKinsey claims that, “the risk landscape is changing rapidly. Internal and external risks are rising while stakeholders…expect banks not to make any mistakes. We (McKinsey) believe successful banks will deploy highly skilled, diverse, and agile risk organizations, enabling them to develop a strong and dynamic understanding of risks and much-improved organizational mechanisms for managing them.”

Let’s face it, when we look at the macroeconomic landscape of the last two to three years its clear to see that the external factors threatening banks are huge. Some hardly need mention, such as Brexit, Covid and a new War in Europe. But it’s the side effects of these events that really bite. The increased threat of cyberwarfare, global supply chain disruption, and rising inflation and cost of living.

Banks clearly have a huge job to do to ensure they can manage the risk landscape of today and tomorrow. Whatever the world throws at them they must be ready and able to react. With this harsh macro climate it would be easy, but wrong, to assume that risks facing banks are just external factors. However, all aspects of a bank’s business operations, from the data and technology it uses, through to the expectations of their customers, presents significant risk, as well as opportunity.

In fact, despite the current heavy burden of macro and external risks there’s a consensus among banks that their top threats in the next ten years will come more from within. A recent study of over 1,000 C-suite and board executives by Protiviti, charted the changing impact of 36 macroeconomic, strategic, and operational risks over the next decade. Today, banks’ top five perceived risks are mostly macroeconomic, such as government policy arising from the pandemic to economic conditions in markets. But by 2030, there’s an anticipated shift to rising operational risks, such as regulatory changes and the lack of digital IQ in the workforce.

Are banks in danger of being blind-sighted by the macro factors when approaching risk management? Quite possibly, but they must keep these closer to home risks in focus and ensure they are putting measures in place to mitigate them. Otherwise they have the potential to become invisible enemies within.

The good news is that these operational risks are more in reach of control and management for banks. The unwelcome news is they are more symptomatic of the banks’ own operations and inability to modernise and manage change effectively. For example – poor processes could pose a risk in customer onboarding or bad service, affecting a bank’s competitiveness. Another could be caused by the inability to bridge the widening skills gap in software development, seizing up the bank’s agility to change.

How do banks address these rising risks hidden in plain sight? Bearing in mind this shift to operational (or controllable) risks is likely to happen in parallel with the drive towards digitalisation and automation, I think banks must focus on three areas to ensure they build risk resilience into their IT strategy effectively.

1. Effective IT and business collaboration

Risks are a shared responsibility across the entire business. Often, the challenge in finding solutions to them (not exclusively in banks) is that the agents involved don’t collaborate effectively in the process. Commonly, ‘the business’ is concerned with designing a solution, and IT is tasked with building it to the business’ specification. This is ‘risk tennis’ and doesn’t work because the two sides aren’t sharing their knowledge and working in parallel to build a relevant but also technically compliant solution to the problem. The latest iterations of low code application development are helping banks do this.

2. Tighter governance and security over IT developments

Banks are no stranger to governance but there’s a risk that, if more agile IT approaches are adopted to build resilience and adapt to change, IT governance will be weakened. This could create further risks, for example, around security and data protection. Gartner has predicted that 30% to 40% of IT spending in large enterprises goes to shadow IT, but also that 30% of breaches will also be due to shadow IT. As banks search for solutions to operational risks they must consider how they keep governance top of the agenda. Weaker security and control cannot be a trade-off for more agile processes and ways of working. Banks could investigate blockchain principles as a way of building tightly governed process automation.

3. Improving business agility and the ability to respond quickly to regulatory changes, macroeconomic shifts, and new operational needs.

Risks are changing at pace. Banks cannot act like shipping vessels in this environment and must find ways of adapting quickly. There’s little time for wholesale IT changes, such as ripping out core systems and going through lengthy replacements. The answer is reusing what you have got in your IT stack and building new risk management processes upon it. Technologies such as low code application development are aiding rapid change and integration of existing systems across dynamic processes and automation.

Improving operational risk management is intrinsic to effective digitalised processes embedded in a bank’s service to its customers. Although highly regulated, banks and financial services organisations are often behind other sectors in terms of digitalisation. They have much of the data and infrastructure they need. What they lack are the means to quickly adapt and automate processes, or to drive insights from various data sources to stay one step ahead of risk. However, if risks become more ‘internal’ as Protiviti claims they will, banks need to pay greater attention to their responsiveness, and use technology to quickly automate business processes without going through massive IT change.

One example of this is CEC Bank, a large and long standing Romanian bank with a sizeable network of ATMs. CEC Bank found it difficult to respond to ATM and point of sale (POS) outages quickly, which was impacting customer service. It required an incident management system to automate the process of identifying ATM/POS issues and rectify them. CEC adopted Aurachain’s low code application development platform and used it to deliver the incident management system in 15 days, covering 2650 devices. This is just one example of how CEC has used low code to develop process automations enabling better control of operational risks.

While the macro climate shows no signs of abating, banks must pay heed to the growing enemy within in the form of operational risk and be aware that their technical response to these risks is increasingly crucial to their effective management.

This is a Sponsored Feature