Let’s start with a question. Do you see risk management as:
- (a) The responsibility of the Chief Risk Officer, involving a lot of paperwork, and largely a tickbox exercise with no real benefits, but something we have to do; or
- (b) Everyone’s responsibility, and a chance to have some difficult conversations in a safe environment?
These two options are very much at either end of a continuum, and in reality few organisations will genuinely answer (a) or (b). But if your organisation is realistically rather closer to (a) than (b), you may be missing a trick. Even more, your organisation could be actively putting itself at risk of damage, both reputational and financial.
A changing landscape
The traditional view of risk management was very much about compliance. You must do this, or the regulator will mark you down. Organisations appointed a risk officer to ensure that they complied with all the necessary rules.
There is a disadvantage to appointing a risk officer, however. Everyone else within the organisation starts to believe that risk management is the responsibility of the risk officer, and therefore that nobody else has to do anything. This attitude even tends to spread into the C-suite, who really ought to know better. As a result, the risk officer can struggle to get anything done. In reality, they do not have access to anything like all the levers they need. In just the same way, the data protection officers required by the General Data Protection Regulation will struggle to identify personal data held by organisations without support from business colleagues.
More importantly, however, the risk officer may be unaware of the strategic landscape in which the organisation is operating, or the challenges that it faces. Why does this matter? Because many of the key challenges and risks faced by any organisation today do not lie in traditional risk areas.
Let’s take the financial sector as an example. The biggest challenge that banks face today is not managing risk in the traditional sense. They have algorithms that predict credit risk, often in a highly risk-averse way, because of the current regulatory climate. Since the credit crunch and financial crisis, banks’ credit risks are no longer likely to bring them down.
Instead, the biggest risk is that they will be out-competed by up-and-coming fintechs. But what risk officer is able to put in place any mitigation against that? It is an issue for the whole board: a question of overall organisational strategy. Nor is the financial sector by any means the only area where new disruptive business models threaten established players. Organisations need a new way of thinking about risk that involves the whole organisation.
A recent report from Deloitte suggests that the changing landscape driven by new technology companies is leading to an increase in tolerance for failure. In other words, companies are recognising that to get rewards, you sometimes have to take risks. The issue is to ensure that these are calculated risks, driven by informed decisions taken in an intelligent way.
In practice, this means using data from new and established sources to create better, more holistic models, including risks. For example, it may soon be possible for social media data to be used in individual credit risk assessments. This might open up the credit market to new customers, giving new sources of income. It is not, however, without risk, because it is new and untried. New analytic models would allow the idea to be tested and tried, informing the decision about adoption.
The challenges of a networked economy
The other issue which is changing risks is the rise of the networked economy. Organisations no longer stand alone. They share data, and therefore risks, with others. Crowd-sourcing and other collaborative models are growing in popularity. In a wider ‘ecosystem’, however, a single risk officer stands even less chance of identifying and mitigating against all risks.
Instead, organisations and stakeholders need to work together to identify, mitigate and manage risks within the network or ‘ecosystem’. They also need to decide on what level of risk is acceptable. A collaborative approach to risk enables difficult conversations about the direction of travel, together with questions of strategy, approach, and even culture.
By all means, designate a risk officer either as a whole or for each organisation. But do not expect them to be able to do the job alone. Risk, and risk management, has to become ‘everyone’s business’ if organisations are to survive and thrive in this changing landscape.
Machine learning as a contributor
Another potential “team member” is the collection of machine learning algorithms. As Marcel Lemahieu puts it in his post: “Artificial Intelligence (AI), and in particular the development known as machine learning, promise to automate mundane tasks such as driving a vehicle or recognizing individuals in a crowd. Indeed, more and more, these techniques mimic human behavior: learning, classification, correlation, prediction, decision-making. They reduce the number of scenarios and help to anticipate events by learning automatically from the past.” These algorithms augment the knowledge of humans and make us more effective. But is the risk landscape ready for it?
The risk and compliance agenda is more crowded than ever. Financial institutions continue to feel pressure from regulators, auditors, boards and investors to manage risk more proactively and comprehensively. Model risk governance is becoming more and more critical. As a result, financial institutions must operate their risk and finance functions in a more unified, cost-conscious and transparent manner that requires tighter organizational integration and more informed reporting.