Risk and compliance. Sounds boring, right? 😴
If you work in Fintech, particularly if you are regulated, this is an area you will need to get your head around. Whether it’s for applying for regulatory permissions, going through the due diligence to partner with a bank, or even hiring someone to manage Risk and Compliance, you will undoubtedly come across the need to identify the risks relevant to what you do and explain how you manage them.
It’s also important to get right, because it covers how you plan to keep your company and your customers safe, which is pretty fundamental for a business.
Think you sound clever? 👨🏼🎓
Language is one area in particular which makes risk and compliance unnecessarily complicated and alienating. Monzo identified a similar issue in the language that banks tend to use and created a tone of voice guide for their employees which they have made public. They make some interesting observations including on the need to speak your audience’s language:
“When we say ‘terminal’ do we mean ‘card machine’? When we say ‘funds’ do we mean ‘money’? When we say ‘reversal’ do we mean ‘refund’? And if not, do we explain why?
We can’t get around the fact that sometimes we have to use technical language, and that some terms have nuanced meanings (like ‘refund’ versus ‘reversal’). But we can always be precise about exactly what we mean, and help out people who aren’t familiar with the subject.”
This made me wonder if the same logic could be applied to risk and compliance. What effect would swapping the normal terminology for something a lot simpler have on the experience of doing a normally dull risk-related task? And could I get rid of language completely and rely on the universally understood emoji? 😍
The experiment 🕵🏽
For the task I decided to use a risk assessment. A risk assessment is an activity you do to identify all the events which could go wrong in your business and all the things you have in place to help stop these happening or fix them if they do. With this information you can understand which events should be your biggest current concern and take actions to address them.
Lots of Fintechs will have to do risk assessments. The FCA require all companies registered or authorised for Open Banking to submit a risk assessment as part of their application and then annually after that. Regtechs working with banks will need to explain how they manage their risks as part of on-boarding processes. Risk assessments are part of daily life at established banks and generally require dedicated teams to help ‘non risk savvy’ people complete these due to their complexity.
For the purpose of the test I imagined a startup called Smarter Theatre 🧠🎭 which would access Open Banking data to make theatre recommendations to people based on their transaction data. It would also initiate payments on behalf of customers to take advantage of the best theatre offers when these come up.
Next I follow 5 steps to do a basic risk assessment infused with emoji…
Step 1: Identify what your company needs to protect
The first step of doing a risk assessment is identifying what needs protecting. In risk speak these are called impact categories. For Smarter Theatre I chose:
👫 Customers (without these I have no business)
💰 Money (always critical for a startup)
🏛 Regulator/ FCA (as I need regulatory permission to access Open Banking)
😳 Reputation (key to building trust as a new business)
Step 2: Figure out what could go wrong to put these at risk
Depending on the level of detail you need to go into and the complexity of your business, this can get quite complicated. For a thorough approach you would first brainstorm a list of things that could go wrong, then go through an industry standard list (‘risk taxonomy’) to catch anything you missed. For this example I’m just going to look at things which could go wrong for my Customers 👫.
📴 The app is unavailable due to a technical issue (‘Systems availability’)
🤔 Poor recommendations made to customer (‘Conduct risk’)
🍯 Employee is tricked into giving logon details to someone (‘External fraud’)
😈 Hacker steals customer data from our systems (‘Information Security’)
😤 Unhappy employee steals customer data to sell. (‘Internal fraud’)
Step 3: Decide how much of a problem these are
To decide how much of a problem these are you first need to work out a rating system so you can compare different risks later (‘risk rating’). Ratings are normally based on the impact and likelihood of something happening.
For my impact rating scale I have used the face of the CEO if it happens.
😕 — downcast CEO, mildly annoying to customers
😠 — ruffled CEO, annoying enough for customers to complain about
😡 — angry CEO, bad enough to stop customers using my app
🤬 — fuming CEO, major disruption to customers or their financial well-being
For now I won’t base it on the number of customers impacted, but as I grow my customer base this is something I would want to add.
For rating how likely something is to happen I will use a scale based on my chances of seeing the following animals in the next 24 hours.
🦄 Unlikely <10% chance
🦉 Not very likely 10–50% chance
🐰 Fairly likely 50–90% chance
🐈 Highly likely >90% chance
(This scale is obviously 🇬🇧 specific, in other countries you may see 🦄 every day!)
Using this scale I can now rate my risks to decide how much of a problem they are. For simplicity I’ll just take the last example to look at, my unhappy employee 😤 stealing and selling customer data.
I think this would be a major issue for my customers as someone might use their data to access other accounts they have and cause them a lot of disruption. That’s a 🤬 or fuming CEO for impact.
Given I only have a couple of employees I don’t think this is very likely. That said, they are only taking equity at the moment so may be desperate for money, and I have only known them for a short amount of time. That gets an 🦉 or not very likely.
Normally you would now combine these two ratings to get an overall rating (‘inherent risk’, the level of risk before you take any of your controls into account). I’m going to leave this for the time being to avoid getting too complicated.
Step 4: Decide if you want to do anything about them
Now I have rated my risk I can decide what I want to do about it (‘risk treatment’). My options would be:
👊 Make it less of a problem (“reduce”)
👌 Do nothing (“accept”)
👉 Make it someone else’s problem (“transfer”)
👋 Stop doing whatever makes this possible (“avoid”)
Based on the fact employees stealing data would have a very high impact 🤬 on my customers, I decide I want to make it less of a problem. 👊
Step 5: Design ways of stopping the events happening or fixing them if they do happen
So now I have to think of ways I can make this less of a problem. For a thorough approach I’d look at tried and tested ways other people tackle this problem (‘controls library’). For now I’m just going to use my common sense to think how I can:
🛑 Stop it happening (“Preventive controls”)
🔍 Figure out if it has happened (“Detective controls”)
🎁 Put it right if it has happened (“Corrective controls”)
To stop it happening 🛑, I could restrict who can access the customer data, and how much of it, by setting up access controls so each person only sees what they need for their job. If that isn’t an option, for example because all three of my staff need access to service customers, then I could log every time customer data is accessed and set up alerts for any behaviour that looks suspicious, such as one person pulling far more records than usual or working through the customer list late at night. 🔍 Logging on its own doesn’t stop the theft, it just means I find out about it, so I’d still want to pair it with the tightest access restriction I can live with.
To help stop it happening 🛑, I could also talk regularly with my employees to understand if they are unhappy about anything and prioritise being able to pay salaries so they are less likely to be in a situation where they are desperate for money.
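To make the detective control 🔍 concrete, here is an added worked example (it is not code from the original post or from Smarter Human) of the “log every access and alert on suspicious behaviour” idea. It assumes a log format the post never specifies, one line per customer-record access of the form `<ISO-8601 UTC timestamp> user=<id> action=<read|export> customer=<id>`, and three assumed rules for “suspicious”: one user touching more than a handful of distinct customers inside a short window, access outside business hours, and any bulk export. The log lines, user names and thresholds are all constructed for the illustration.

```python
"""Detective control for the 'unhappy employee steals customer data' risk.

Added example, not from the post. Assumed log format (one line per access):
    <ISO-8601 UTC timestamp> user=<id> action=<read|export> customer=<id>
Assumed rules for 'suspicious behaviour':
  bulk_access - more than max_distinct_per_window distinct customers in one sliding window
  off_hours   - access outside business_hours (UTC hours, [start, end))
  export      - any bulk export of a customer record
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) customer=(?P<customer>\S+)$"
)

# Constructed sample log: alice does normal daytime work; bob works through the
# customer list late at night and then exports a record.
SAMPLE_LOG = [
    "2019-05-14T09:12:03Z user=alice action=read customer=c-1001",
    "2019-05-14T09:40:11Z user=alice action=read customer=c-1002",
    "2019-05-14T14:05:47Z user=alice action=read customer=c-1001",
    "2019-05-14T16:30:00Z user=alice action=read customer=c-1003",
    "2019-05-14T22:01:00Z user=bob action=read customer=c-2001",
    "2019-05-14T22:02:00Z user=bob action=read customer=c-2002",
    "2019-05-14T22:03:00Z user=bob action=read customer=c-2003",
    "2019-05-14T22:04:00Z user=bob action=read customer=c-2004",
    "2019-05-14T22:05:00Z user=bob action=read customer=c-2005",
    "2019-05-14T22:06:00Z user=bob action=read customer=c-2006",
    "2019-05-14T22:07:00Z user=bob action=export customer=c-2001",
]


def parse_line(line):
    """Parse one access-log line into a dict; reject anything malformed loudly."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable access log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "action": m["action"], "customer": m["customer"]}


def detect(lines, max_distinct_per_window=5, window=timedelta(hours=1),
           business_hours=(8, 19)):
    """Return {user: {rule: [evidence, ...]}} for every user that tripped a rule.

    Users with no alerts are absent from the result, so 'user in alerts' is the
    quick check for whether someone needs a closer look.
    """
    alerts = defaultdict(lambda: defaultdict(list))
    recent = defaultdict(deque)      # user -> (ts, customer) pairs inside the window
    volume_flagged = set()           # fire bulk_access once per user, not per line
    records = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    for rec in records:
        user, ts, when = rec["user"], rec["ts"], rec["ts"].isoformat()
        if rec["action"] == "export":
            alerts[user]["export"].append(f"{when} exported {rec['customer']}")
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            alerts[user]["off_hours"].append(f"{when} {rec['action']} {rec['customer']}")
        q = recent[user]
        q.append((ts, rec["customer"]))
        while q and ts - q[0][0] > window:     # slide the window forward
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > max_distinct_per_window and user not in volume_flagged:
            volume_flagged.add(user)
            alerts[user]["bulk_access"].append(
                f"{when} {len(distinct)} distinct customers within {window}")
    return {user: dict(rules) for user, rules in alerts.items()}


if __name__ == "__main__":
    for user, rules in detect(SAMPLE_LOG).items():
        for rule, evidence in rules.items():
            print(f"{user}: {rule} x{len(evidence)} (first: {evidence[0]})")
```

The thresholds are the important part and the post’s own scenario shows why: if all three staff genuinely need to work through many customer records a day, a window of five will page you constantly, so set the baseline from a few weeks of real logs rather than from a guess. The alerts are deliberately grouped per user and per rule, because the question the control answers is “does this person need a closer look?”, not “how many lines matched?”.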
My reflections on emoji in risk assessment 🤔
- Emoji work very well for identifying the impact categories (things I want to protect) and the risk ratings (how much of a problem it is).
- Emoji are a lot more engaging than risk language and they can make you smile just using them.
- It’s hard to find emoji for the risk types (things that can go wrong), doing this for a whole risk taxonomy would really be a big job. Simple language would work better for this.
- The emoji library needs some additions. Why is there no robber emoji? Or a plug being pulled?
Smarter Human is rethinking risk management for Fintech. We believe existing approaches to risk and compliance do not work for companies looking to deliver at pace using agile software delivery. Our mission is to make managing risk an activity which adds value rather than overheads.
We are going back to basics to deconstruct the accepted ways of doing risk and compliance, test the assumptions underpinning these and rebuild solutions using what we learn.
If you would like to join us on our journey, by sharing pain points, ideas and trying out our early prototypes, get in touch at email@example.com or sign up to our Fintech Risk Hackers meetup group.