Top of mind for a CRO: A holistic view of risk

Melissa Sexton, Chief Risk Officer, BNY Mellon Wealth Management

Below is an insight into what can be expected from Melissa’s keynote session at Risk Americas 2023.

The views and opinions expressed in this article are those of he thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Why has the level of technology risk increased for Financial Institutions over the last 5 years?

One simple word: Data. There has been an explosive increase in the amount, sources, and types of data being used by Financial Institutions.

  • The increased amount of data being used increases possible data loss, error, or bias – especially given the rise in algorithmic systems
  • More data sources increase possible privacy violations, cyber-attacks, or system disruption. Reliance on third party technology in particular has made it harder to view the entire attack surface
  • More data types increases the difficulty to integrate and maintain complex systems, resulting in higher technology cost and therefore, greater strategic risk

It’s important to note, however, that assuming more technology risk (or more of any type of risk for that matter), is neither good nor bad. The question is whether taking more risk results in higher value to the organization. I feel lucky to have had a front row seat watching technology and data evolve from being merely useful to absolutely essential. Some examples of data used today that weren’t readily available 5 years ago include

  • Climate maps to measure hurricane winds and propensity of flood to assist with mortgage lending
  • Social media to identify reputation risk, new revenue opportunities
  • Biometric tools to identify and mitigate fraud risk
Why does viewing risk holistically allow for more effective oversight?

First, let’s define holistic risk management. To me, it means that

  • organizations have a comprehensive understanding of all risks facing it
  • they understand how risks relate to one another and especially how losses can be amplified
  • they develop effective mitigation strategies aligned with their risk appetite

In order to capture all the risks, we need to make sure there are no risk silos. Practically, this means that one part of the firm shouldn’t be taking risk that another part isn’t aware of and that there are proper escalation channels. Risk reporting that is high quality, dynamic and as granular as desired is essential. Also, organizations need to embed risk management into every business and process, making it increasingly cross-functional and collaborative.

The Sep 11 terrorist attack is a good example to illustrate the importance of seeing how losses can be amplified. Corporations in lower Manhattan experienced losses in human capital, losses in data and operational resilience due to weak or no disaster recovery plans, financial losses as asset values fell and credit quality deteriorated, and maybe even experienced increased reputation risk if they had financing relationships with terrorists. While the event was horribly tragic, it was a lesson for firms and in most cases made them much better prepared for future events like Covid-19.

How can Financial Organizations look to manage the interconnected nature of risk?

There is no substitute for preparedness. Stress testing and scenario analysis should be performed regularly. There are so many historical events that can be studied and varied and customized so as to prevent certain catastrophic losses across an organization. This does require dedicating time and assembling teams of experienced and imaginative people to do this important work.

I think reverse stress testing is particularly useful since it helps identify scenarios where liquidity buffers are insufficient or there are threats to financial stability. While Alternative Intelligence techniques can be used – they are particularly good at handling large amounts of data – these models will probably not be very good at prediction or forecasting if the event(s) aren’t in the computer’s training set.

How do you see the holistic view of risk developing over the next five years?

I see 2 key themes.

  • Technological advancements will continue to create new risks and vulnerabilities (cybersecurity, data privacy), but advancements in areas like automation, data analytics, and AI will help identify risks and patterns more quickly, help to distill large amounts of information, and enable more efficient risk mitigation
  • The ability to learn from experience and apply skills learned in one situation to new and unfamiliar areas will continue to be the key skill for successful risk managers