Risk Management and Controls in a Digitised World

By Raakesh Nair and Raghu Krishnamoorthy

Digitisation, robotics and automation are no longer just buzzwords in the financial services industry, with banks and fintechs spending the bulk of their IT budgets on new-age technologies.

Banks are increasingly forming consortiums and relying on outsourced technology solutions over cloud services in order to improve process efficiency and lower operational costs.

Along with the rapid development in technology and automation over the last few years, banks have adopted newer engagement models in collaboration with vendors, partners and business counterparts. Crowd sourcing, cloud solutions and as-a-service delivery models have placed enormous reliance on vendor data security and robotics, rather than customary human resources expertise within banks, to define, manage and report controls.

There has been almost a false sense of confidence, even within senior management, that newer technologies and automation will by themselves result in improved risk management. On the contrary, there has been no let-up in sensational press reports of banks paying huge fines for regulatory failures, or of cases of financial fraud and abuse. It’s not just the financial loss but also the reputational damage that has an adverse impact on financial institutions, making it extremely critical to focus on fundamental risk management and control.

These are only a few examples of leading global banks failing to deal with fundamental risk controls. It begs the question: what has gone wrong, why is investment in new-age technology not helping with basic risk controls, and what should banks do to manage these risks? The problem lies in the fact that new-age technology and new models of engagement often do not solve risk-related problems; they only move the failure points to a different set of activities and steps in the process. While many of the “traditional” industries such as defence, manufacturing and retail have incorporated the fundamentals of quality control within the value chain, risk control and management within the financial services industry, in spite of the high stakes involved, leaves much to be desired. FMEA is one framework that has been widely and successfully adopted in other industries and, if implemented in the right manner, can help banks keep the focus on fundamental controls while also getting the most out of digital technology advancements.

Using FMEA framework for setting up and managing risk controls

Failure Mode and Effects Analysis (FMEA) offers a structured methodology to define controls that enhance the reliability of processes and systems. Its inception was in the military, and other industries such as manufacturing have since adopted FMEA to improve the process and quality of output. Customising the model, while retaining the key characteristics, provides a robust framework for setting up a control model for financial services firms.

FMEA examines a process from the standpoint of its potential for failure. Each failure point is then assessed across multiple dimensions: severity, frequency of occurrence, and detection measures. The Risk Priority Number, derived from the severity, frequency of occurrence, and detection measure ratings, provides a means to prioritise corrective actions. FMEA is not a one-time activity: once corrective actions are identified and implemented, FMEA should be repeated to assess the effectiveness of the corrective actions.

Figure 1: Approach for establishing a Control Model

The objectively derived Risk Priority Number (RPN) is used to rank different failure modes that have been identified and helps in prioritising corrective actions. Corrective actions, which could take the form of failure prevention controls or failure detection controls, are defined for items with high RPN and assigned to specific individuals or groups.  These controls are further classified as process controls, system controls, operational controls and infrastructure controls depending on the failure mode being addressed.

Control Room: Tracking, Monitoring, and Reporting the State of Controls

With the right implementation of the FMEA framework, a bank is halfway to defining a structured framework for improved management and early identification of risks. The other half of the problem lies in how effectively and efficiently the controls are monitored, tracked, reported, and acted upon in case of a failure. Access to a real-time view of the state of the controls provides management at division, business, and entity levels within the organisation with the information and tools necessary to make decisions that limit and manage the impact of control failures.

Consolidated to a division or entity level, this view will help track high-risk areas that need immediate management attention or intervention. With advancements in big data analytics, combining the current state analysis with historical data can provide huge impetus to tracking issues upstream, whether it’s a data issue, a system or infrastructure issue, or an issue with a manual process. This level of insight and predictive analytics, delivered to management’s fingertips in real time throughout the day, is the real power of digitisation.

Figure 2: Control Room provides a real-time view of the state of the controls

Conclusion

Setting up a robust control framework requires not only a strong knowledge of the business process, but also a clear understanding of the interaction model between the various actors, including the system, process and people. This requires a unique combination of operations, IT systems, and program management skills across the different business functions. Experience in setting up the controls, especially leveraging established and successful models such as the FMEA framework, can help fast-track the process. Senior management at financial services firms no longer have a choice on whether to embark on the road to digitisation. It is critical, however, that they do not compromise on the fundamentals of risk management and controls while embracing the new-age technologies and delivery models.

About the Authors:

Raakesh Nair is a consulting partner in the Post Trade Services practice at Wipro. He has over 20 years of Consulting and IT Delivery Management experience serving clients in the Banking and Financial Services industry across North America and Europe.  This includes the definition of Target Operating Models and Target IT Models for transformational programs in the post-trade space.

Raghu Krishnamoorthy is a senior domain consultant at Wipro and heads the Capital Markets Post Trade Services domain practice. In his 18+ years of IT experience, Raghu has provided consulting services to global financial services firms to execute large transformational programs. He has helped define service delivery models, transformation roadmaps, and target IT and op models across post trade functions.