Risk management and control frameworks have always been a critical function for banks, but in recent years, they have become even more important in light of increased regulation in the aftermath of the global financial crisis and growing consumer privacy concerns. The pandemic environment of 2020 revealed gaps in existing risk management and control frameworks as banks were forced to rely more on their digital infrastructure and more fraudulent activity occurred. Many large US banks were fined heavily by regulators in 2020 for poor and inadequate risk management controls and practices, resulting in increased pressure on banks to overhaul their existing rule book. A report from LexisNexis Risk Solutions found that the amount large US banks spent on anti-financial crime compliance operations increased by 43.4% in 2020 as compared to 2019.

Today, many banks are reexamining risk management to serve their customers safely and effectively and minimize fraud, data leakage, and cybersecurity issues. And banks that have a strategic focus on growth, digitization, and customer experience are considering upgrading or rewriting their risk and control frameworks to develop greater operational resilience and improve governance.

Leading Strategic Imperatives to Improve Risk & Control Frameworks

This challenging environment – coupled with changes in banking regulations, the need to create more and better digital products, and the rise of non-bank (fintech) competitors – is creating a need for banks to redefine their core operating models away from legacy practices and towards new-age requirements. Banks need to build a new culture around risk management and governance if they want to thrive in the near-term and position themselves for the long-term.

Boards of directors and C-suite executives will be crucial in defining risk tolerance and fostering a culture that puts risk management and governance at the center of strategy and operations. Better risk management and governance demand the creation of detailed risk models, improved management information systems, risk/return-based management, early warning systems, and stress tests. Banks must leverage a risk-based prioritization framework while incorporating automation and standardization in internal controls to test their governance and cultural design and to increase operational resilience.

Imperative 2: Break down silos to improve collaboration

In the current environment, a key to growth and the development of new products, capabilities, and experience is breaking down silos within the bank. Traditionally, business units operate within their lines and don’t take a holistic view. Not only does this hamper growth but a siloed approach also generates risks that might be unobserved by executive management.

The treasury function is an example that faces the impact of inter-departmental conflict in the data flow, resulting in higher costs and lower revenues. According to a report from BCG, “It’s Time for Banks to Self-Disrupt,” 70% of banks’ treasury functions lack the data, modeling, and analytical tools to address balance sheet and risk management in a meaningful way. The survey also observed that better collaboration between internal teams can help provide relevant information at the right time, which could help improve treasury operating costs and net interest income.

The need for collaboration becomes even more essential today, as banks continue to develop and add new system architectures on top of their existing IT frameworks. New additions can result in breaches and failures can emerge in unanticipated areas mainly because of the lack of attention given to legacy systems. Today, banks must be vigilant about collaboration and consolidation to reduce risks, ensure efficiency, and increase productivity.

Imperative 3: Embrace new technologies

Controlling identified risks requires a fundamental change in banks’ outlook as they formulate and execute their risk strategy. The commonly adopted technology-based use cases – automation of the risk function, migration to the cloud, and strengthening financial crime capabilities – have led to increased flexibility and reduced costs.

Banks maintain large amounts of data, and most have data in multiple, unconsolidated systems – a situation with enormous risk management consequences as hackers look for vulnerabilities. Many banks already apply advanced technologies to operational processes to identify risks, but they should also explore investments in advanced analytical management information systems to anticipate risks.

The BCG report says that North American banks paid $228 billion in penalties for non-compliance between 2009–2019. Data breaches and fraud are the primary reasons for increased regulatory scrutiny of the banking industry (particularly large institutions).

There are several advanced technologies available for risk management, and banks need to have a clear strategic roadmap to pick the most relevant technology innovations. They also need to evaluate these technologies from the perspective of interconnectedness to derive maximum efficiency and effectiveness.

Imperative 4: Strengthen operational and procedural resilience

Today, operational resilience is as important to banks as financial resilience. Banks are adding new functionalities to their businesses by revamping legacy systems, embracing digitalization in operations, and collaborating with fintechs. All of these initiatives can help banks anticipate and identify problems much more quickly. Reports on disaster response, data security, third-party vendor management, and business continuity plans have become government-mandated requirements.

As banks embrace digitalization, strong board and management involvement in defining governance, operating models, and cultural change is critical. While uncertain circumstances are inevitable, the focus should be on defining the tolerance level of the bank including recovery time and the financial impact of unrest. A well-thought-out response strategy and disaster management execution plan should be part of all operational initiatives undertaken by banks.

Data is another area that should be prime risk management and governance focus for banks. One instance of a data breach could cost a bank significantly, both in terms of reputational damage and money. Ensuring data quality and data governance should be critical aspects in developing operational and procedural resilience.

Three Tactical Ways to Improve Risk & Control Frameworks

The changing risk management challenges require banks to focus on staying up to date with new methods to deal with risk and control frameworks. Here are three tactics for banks to strengthen their risk management and control frameworks in this rapidly changing operating environment.

1. Innovate with contemporary technologies
   

   For many banks, the critical way to improve risk management is to move away from legacy architectures and invest in updated technology that provides real-time information. Large banks already spend substantially to ensure regulatory compliance and risk management systems, but focusing on investment in contemporary technologies can help with the ongoing challenge of risk management.

   Blockchain and artificial intelligence, for example, are starting to demonstrate real potential in the risk and compliance space, according to BCG. Banks should also consider partnerships with the emerging “regtechs” (regulatory technology) companies that understand the challenges of global banking and apply information technology to address them. Regtechs can provide a risk management roadmap to simplify organization structure and streamline security and compliances processes to avoid failures and data breaches.

2. Automate, Automate, Automate
   

   Automation has helped banks become the highly efficient enterprises they are today, but automation’s potential to improve efficiency and minimize risks remains enormous. There are multiple success stories of automation techniques helping companies predict customer defaults faster, resulting in more effective risk prevention. Traditional banks should consider rebuilding the value chain for every function and analyze what automation technologies each value chain demands. This must be done with an emphasis on consolidation to support seamless information flow across all systems while also ensuring compliance and security. 

3. Think broadly about the future
   Risk management and control demand a forward-looking perspective to enable banks to anticipate issues before they become costly or dangerous problems. Planning for the unexpected is not just a technology challenge; it must also reflect the experience and judgments of people. No system, for example, could have predicted the kind of chaos that resulted for banks during the pandemic. But banks that had considered contingencies like disaster planning and working from home were better equipped during the pandemic than banks that hadn’t. Now is the time to think about issues that are gaining importance, like climate change and cybersecurity. Prioritizing risks also helps make better decisions about addressing them. 
    

In a regulated industry like banking, it’s important to manage risk in all its forms and to ensure compliance with the letter of the laws and regulatory mandates. Effective risk management and control frameworks must continuously improve and evolve. Technology, of course, has a substantial part to play in this challenge. The right technology, implemented effectively, can help banks manage known and predictable threats and do so in ways that save time and money. Today’s technology can make every enterprise more resilient, and resilience is an incredible asset when dealing with a changing environment.

But dealing with change, particularly dealing with the unpredictable, also demands leadership, to build a culture that recognizes the critical importance of risk management and control, that reinforces values and ethics, and that understands what failure in risk management can bring. Periodic reviews of policy, governance, regulatory changes, technological advances, and industry best practices can help. The best way to proceed is by developing a strategic roadmap for risk management and making it an enterprise agenda to create a competitive edge in the changing operating environment.