By Dr. Jenny J Birdi, Head of Operational Risk & Risk Strategy UK, HSBC
What, for you, are the benefits of attending a conference like the ‘New Generation Operational Risk: Europe’ and what can attendees expect to learn from your session?
The conference gives people the unique opportunity to hear from subject matter experts in the field of operational risk, network with their peers, understand what is happening in their industry, gain insight into where the thinking is going in the field of risk, and hopefully to take away elements of best practice that they can implement within their companies to improve risk management.
In my presentation, I will hopefully set out what non-financial risk is, it’s the latest buzzword bingo phrase, but what does it really mean? Why is it so important, and why should our Boards care about it? How do we join up the dots, and get a consistent and aggregated view of our risks? How do we bring the specialisms together, breaking down the silos between our risk types to get that holistic view?
In your opinion, what are some of the key non-financial risks to be aware of?
The non-financial risks that face us today are significant, and we risk professionals really are living in interesting times! We have come through a period of unprecedented change in the Industry and in risk Management in particular over the last 10 years. We have and continue to move so fast, I keep telling my team that change is the new normal and of course that brings with it execution risk.
We can’t ignore the digital revolution, which I believe will be one of the biggest shapers of risk management in future. And whilst this can bring big benefits to both our customers and our business, it brings with it a whole new set of risks and challenges to manage.
The cloud brings great benefits in terms of its resilience, scale, flexibility, security and capability. But the cloud brings its own risks with it – concentration risk on a few key cloud providers for example is a key risk. All of this technology evolution (or is it revolution?) can be harnessed by the Risk functions to great effect, and it can really help to hone and improve our risk management models. One big challenge however is the quality, accuracy and completeness of our data.
Another key driver or change agent has to be Regulation. Regulation has become increasingly customer focussed, for example how can we protect vulnerable customers? Customer detriment and harm is a big risk for the industry.
And finally one risk that is currently receiving a lot of attention currently is Operational Resilience, which is essentially about our ability as FIs and as an industry as a whole to absorb and adapt to shocks rather than to contribute to them. It’s about how we ensure the continuity of our critical economic functions to our customers and the wider economy. These are but few of the risks that we are dealing with today, there are numerous others that I haven’t mentioned…
Why is identifying risks and correlations across portfolios important?
For me, this is about joining up the dots, to enable us to see the patterns and trends in our risks that we might not otherwise see’ leveraging analytic tooling to help us join those dots. The use of such analytics gives us a powerful tool in our risk arsenal, it enables us to do that read across and really get on the front foot, leading to prevention rather than cure. And the benefits of this are clear to see, – early detection and prevention of risk is improved, business performance is improved, and costs are reduced.
How can departments effectively coordinate to combat non-financial risk?
The skills and capabilities required of us as risk professionals is evolving fast and is very different to that 10 years ago. We need to have a broad understanding of all risk types, and particularly the non-financial risks – it is these, not the traditional credit risks that will knock us off our strategic aims and imperatives, and in the worst cases can take a company out of business.
To effectively manage some of those more complex risks that I mentioned above which I think we are now facing, we need to bring the different risk specialists together to look at the more complex risks in a holistic manner to ensure there are no gaps in risk coverage. This is especially key for those risks that are pervasive or that cut across many different risk areas, such as data or operational resilience. To do this effectively, our wider teams need to have a diverse set of skills and backgrounds. We also need to think about how we aggregate the view of these risks across those different functions/departments.
I also think that this is about having clear accountabilities for the management of the risks so that there is no ambiguity in who is expected to bring the different specialists together to manage the risks.
We also need to join up on innovation and promote the tools and techniques that will help us to get on the front foot of risk management, for example exploring behavioural analytics.
What do you see ahead for the future of non-financial risks?
If only I had a crystal ball I might have this cracked! If we look at how the FI industry has changed over the last 10 years, particularly in regard to regulation, I am sure that many of us 10 years ago would not have predicted that we would be where we are today.
What I am certain of is that non-financial risk will continue to dominate the risk agenda. There are some key risks today that are shaping our destiny as risk management organisations and risk professionals. I mentioned the digital revolution earlier, which I believe will be one of the biggest shapers of risk management in future. Within Risk, we can leverage technology and the recent evolution of AI, machine learning and big data analytics to help us these risks. We have vast amounts of data but we have typically not harnessed it for risk management, as until recently, it has been a difficult, complex and time consuming process.
We need to exploit not just our own internal data however, but external data as a rich seam to supplement our own data and give us better patterns and results. This includes transaction data, behavioural data, credit bureau data, government data, chat and voice data, social media data. This raises the question of whether we need to collaborate more, to share more of our data, both internally and externally so that we have a more collective risk management approach.
Machine learning is increasingly finding a space in driving automation and improving controls as well, which poses the question ‘are we are moving into an age of self-learning controls and what this may mean for risk management?’
With technology we can now leverage rapid iteration to aid our learning, and we can use the outputs that we obtain as a driver to further improve the quality and comprehensiveness of our data, as it helps us to quickly identify gaps, errors and omissions. And of course, with our reliance upon risk models, model validation becomes even more key than it is today.
An area that is emerging at present and where we can harness our data is behavioural analytics and the use of cognitive technologies to supplement our human decision-making. This is about interpreting and analysing what people do, rather than what they say. We can use it to identify and analyse patters of data, such as email traffic, calendar activity, and messaging platforms to predict areas of risk. The technology identifies the patters of behavioural risk in areas such as misconduct, violations of company policy and regulations, employee retention, the embracing of company values. It can help us to measure the effectiveness of for example cultural change programmes.
Corporate Social Responsibility is another interesting and emerging area that we will need to consider in our future risk management approaches. It covers amongst other things, our approach to diversity and inclusion, community engagement and sustainability. Our regulators recognise that FIs can exert a very strong influence on sustainable development for example, and it is increasingly influencing which customers we do business with. It is quite often thought however that CSR only has an upside in improving brand and reputation, but we can still get it wrong, and if we do, it can introduce a whole series of risks for us, including reputational, legal, regulatory, third party on other operational risks. This begs the question as to whether we need a greater understanding of ethics in the risk function and a need to look at this more holistically?