Our willingness to embrace digital and technological advancements is illustrated by 81% of the UK population now owning a smartphone, only nine years after the inception of the first iPhone.
One month into 2017, perhaps these developments are just part of the normal evolution of technological risks and opportunities for business operations. On the other hand, it may be a more dramatic shift, given the pervasive nature of digital adoption.
The mental model of risk – a different mind-set
How we define the problem often affects the solution. Risks can be seen as something to defend against – a clear threat, easily comprehended and managed. Some responses include establishing a secure perimeter, applying a logical response, setting clear direction, using drills to ensure any response is successful and adding a series of protection layers. These types of threats are relatively understandable and identifiable.
Another view considers threats as a mutating virus - a model of multiple viruses attacking any weakness of a system, with unknown risks until their (often catastrophic) effect is realised. The complex threat is often from multiple directions and can happen at any time. In this scenario, the unknowns increase the uncertainty, and consequently the potential loss. These types of threats are far scarier, more complex, and more difficult to manage.
Our evolving financial services world has far more of the virus-type problems: complex risks that need a different approach, one requiring clear governance and collaborative expertise. This is the flipside of the fundamental business need to embrace innovations.
Complex risks for financial services companies fall under the following themes:
- speed: the capabilities to deal with risks in real time
- data and connectedness: ensuring the organisation has the skills to understand the risk combinations and cross contamination of those risks
- behaviour: managing and measuring the attitudes of the people involved in the organisation
Organisations’ evolving requirement for speed has a number of dimensions:
- speed of delivery - service and transaction delivery has been reduced to days, and in many cases access to information is in real time. Response time is critical and a source of competitive advantage. Relying on “batch” or “out of hour” processing is a problem for 24/7 services.
- speed of response - threat identification mechanisms need to identify and react with an agreed and tested action plan
- speed of impact – when something goes wrong, the impact is instantaneous and often very public.
Speed means a significant increase in the need to quickly identify, quantify and understand the multitude of new technological and market threats to ensure an appropriate response. This response must be within the organisation’s tolerances and must include designing systems to inherently manage and assess threats, real-time dashboards and event-driven monitoring.
Data and connectedness
Companies are increasingly connected to their customers, suppliers and the regulator through more interactions, which brings a correspondingly increased exposure to new risks:
- Provision of real-time services means the inner workings of businesses are more exposed, which is set to continue with open APIs (Application Programming Interfaces). This is not just the technical aspects of company data and systems, but access to the employees, via social engineering, social media, and other phishing-type acts.
- The interlinked nature of the web means that we are exposed to global digital threats, rather than national or local situations. Malicious software written in any region of the globe can be transmitted in seconds by an unthinking click of an e-mail attachment. The NY Times assessment of USA election hacking is a serious wake-up call for those not taking this seriously.
- There is a growing need to manage complex risk where a series of minor risks across different functional verticals connect to form a significant risk.
This connectedness requires a clear response in the automation of risk monitoring and analysis to deal with real-time service across connected functions. The rise of regtech and risktech, applying new technologies to regulation and risk, is in direct response to these changes and, as noted in the FCA regtech feedback statement, is something that will continue in 2017.
Successful management of operational risk is fundamentally dependent on the behaviours of customers, employees and suppliers.
- A clear risk framework is crucial to clarify risk ownership and responsibilities across each organisation. This clarifies the ownership and understanding of risk tolerance, the ability to assess the appetite and to take risks within that appetite. To find out more, download Driving business strategy with effective risk frameworks.
- Mandating behaviours to manage and monitor risks in a vast complexity of scenarios is a significant challenge requiring the application of alternative levers to achieve resilience. Levers include culture, the conduct agenda and the necessity to measure and evidence that company values are lived through all levels within the organisation. For more information, download Managing operational risk – understanding the sources and minimising the impacts.
- Behaviour of suppliers, which falls into material outsourcing risk management and protection of value throughout the value chain, remains a core area of risk assessment to ensure resilience.
The pervasive nature of digital technologies means the introduction of new risks into the operations of organisations, and not just “cyber risks” but people and process risks too. Dealing with the combined, connected and complex nature of operations requires seeing the environment in a very different way and building resilience to respond to risk within this environment.
To find out more about Driving business strategy with effective risk frameworks or Managing operational risk – understanding the sources and minimising the impacts please contact Paul Young (Paul.L.Young@uk.gt.com).