How Can Banks Refine Their Risk Management for the Era of Digital Ecosystems?

Sep 3, 2019 · 7 min read

By Paul Rohan

Banks have long enjoyed relatively direct interactions with customers: for the most part, customers came to specific channels that the bank operated, whether brick-and-mortar branches, ATMs, websites or mobile apps.

Today’s economy challenges this model, as consumers prefer to have services (banking or otherwise) available to them in the context of what they’re already doing, whether it’s making a purchase via a smartphone, making a purchase at a physical point of sale, sending money via a messaging application or executing some kind of financial transaction from within a social media experience. Rather than having customers come to them, brands have to insert themselves into the experiences customers value.

Moreover, many consumers are no longer content with basic banking products. They demand extra value layered atop account balances and transaction capabilities, so they’re empowered to do more with their money.

These developments, among others, are one reason digital ecosystems are of paramount importance to today’s banks. In these ecosystems, customer interactions are not defined by a single provider’s services but rather by the sum of many providers’ technologies cohering into a seamless user experience that translates across applications, interfaces, and digital and physical spaces.

Entering these ecosystems may require a variety of operational and strategic adjustments throughout the organization; as I’ve written before, for example, it can significantly evolve how a bank conceives of and markets its brand. In this article, I’ll explore another aspect of banking that may require refinement and reinvention as banks enter digital ecosystems: risk management.

External environmental risks

Banks participating in digital ecosystems run the risk of being unable to respond to market volatility — and that market volatility will arise is basically inevitable. It is perhaps the most obvious external environmental risk a bank, or any business, faces.

For example, if a bank makes its entry into digital ecosystems, its leaders won’t know for certain whether customers will adopt its offerings, whether rivals will quickly replicate any of its valuable features, and how valuable any particular ecosystem effort is likely to be. In this uncertainty, the potential for volatility is ample. The ecosystem’s inherent fluidity means a bank can’t just be prepared to launch an offering — it also needs multiple paths of business optionality to adapt to the ecosystem’s reception of that offering.

One way of creating this optionality is to invest in innovations that provide not only for a present, one-off project but also for potential future innovations.

Many successful enterprises, including banks, are navigating these present-and-future demands by using application programming interfaces, or APIs, and API product management as foundational elements of their ecosystem strategy. APIs enable software systems to connect to one another and have a long history in enterprise IT as a system integration technology. More recently, enterprises have begun to design and manage APIs as products, with an emphasis not just on connecting systems but also on helping developers to repeatedly access, combine, and reuse functionality and data for new digital experiences.

For example, traditional functionality, such as looking up an account balance, might be expressed as an API that provides value not only for whatever projects are underway today but also for as-yet-unimagined innovations that require account balance look-up functionality next year. New features — such as the technology to let bank customers interact with voice assistants — typically involve their own sets of APIs, meaning that if those APIs are well-designed and managed, even if a bank’s first effort with the new features is not successful, it possesses the capability and optionality to quickly and agilely reassemble its capabilities for adjustments and new strategies.

In addition to market volatility, banks need strategic optionality to respond to technical volatility. Technological evolutions within an ecosystem are often unpredictable and banks and other enterprises need the IT agility to adopt new user interfaces that rapidly gain traction, engage with new partners whose technology platforms unexpectedly become important to customers, or to otherwise adjust to volatility by integrating their IT systems with a partner’s IT systems. Market volatility can sometimes be reduced by simply waiting (though waiting too long can be dangerous) — but technological volatility can typically only be reduced by doing something. The greater the technical volatility, the greater the value of the flexibility created through strategic optionality — and the APIs and API management capabilities that provide it.

Aside from market volatility and technical volatility, banks may encounter environmental volatility from unanticipated regulatory intervention into ecosystems, as well as security threats such as cyberattacks on data exchanges. APIs generally play an important role in these areas as well; many regulations are satisfied via APIs managed to mediate what data is accessible to whom, and API management platforms can play an important role in thwarting bad actors from illicitly accessing data.

External economic risks

In addition to external environmental risks, banks that participate in digital ecosystems are also likely to face macroeconomic instability and other external economic disruptions that cannot be forecast with a high-level of reliability.

In times of economic instability, for example, banks may experience partners that exit collaborative agreements or go into bankruptcy. These events potentially require a rapid effort to replace the contribution made by the partner; at minimum, prompt and extensive communications will be needed with customers.

Operationally, to manage these risks, banks should be able to respond agilely if important third-party data suddenly becomes unavailable. Intersections between a bank’s first-party APIs and other APIs within the ecosystem — that is, between the banks’ data and the data of its ecosystem partners — define end users’ experiences, so managing the absence of any part of that experience is often at least in part an API management use case.

Internal management risks

Effective enterprise risk management often requires top-down leadership. When banks and other enterprises participate in digital ecosystems, inadequate C-Suite coordination and risk management can be damaging.

Because APIs express the reusable business capabilities that fuel ecosystem participation, effective C-suite coordination often requires that each executive have a relationship to APIs and to the API management platform used to control API access and generate insights from API adoption and traffic patterns:

  • The Chief Information Officer should see the API management platform as the foundation for delivering the bank’s services to customers throughout digital ecosystems.
  • The Chief Digital Officer should see the API management platform as the source of reusable business capabilities that accelerate innovation and increase strategic maneuverability.
  • The Chief Financial Officer should see the API management platform as the source of shareholder information on the bottom-line impact of the enterprise’s API strategy on its overall business execution.
  • The Chief Marketing Officer should see the API management platform as essential to implementing brand strategy and to how the brand surfaces in end user experiences.
  • The Chief Risk Officer should see the API management platform as a critical governance tool that captures information about hacking attempts, service availability issues, and other risks of ecosystem participation.
  • The Chief Information Security Officer should use the API management platform to capture and analyze data movements both within the bank and where bank APIs meet partner APIs at the boundary of the bank.

While risk management takes its cues from the top echelons of a bank, the disciplines and best practices of ecosystem risk management need to take root throughout the enterprise. There needs to be adequate staff education on ecosystem dynamics. Oversight of decision-making needs to be effective. As there are many fuzzy definitions of “digital” and “innovation” in banks, objectives and language need to avoid confusion between growth targets from ecosystems and process optimization efforts within existing business models. Banks need to avoid inappropriate team structures that create unnecessary silos. They need to ensure digital ecosystem entry is led by senior executives. Finally, as the world of APIs is new to banking, robust risk management may be needed to mitigate the risk of excessive institutional reliance on key individuals.

Internal technology risks

Ecosystem participation obviously involves the risk of interacting with external systems, but there may be significant internal technology risks as well.

These risks include delays due to shortages of key technical skills and the difficulty in hiring appropriate candidates, late delivery of data from legacy technologies, and technologies within the banks’ IT infrastructure that are not appropriate for ecosystem activities. As banks move to install new technology that is geared toward ecosystems, design problems could arise because of inexperience and immature processes among IT teams. Luckily, these internal technology risks can be forecast with some reliability, and therefore, banks have a reasonable chance of anticipating and controlling them.

Internal legal risks

Like internal technology risks, many of the internal legal risks that arise from ecosystem participation can be somewhat reliably predicted. Intellectual property rights are sometimes not respected in ecosystem environments, for example — so for a bank beginning its ecosystem journey, foreseeable priorities should include both technical mechanisms to detect abuse and legal resources to deal with it.

Ecosystem participation also means contractual difficulties may arise with customers due to misinterpretation of service terms, such as how data may be shared with an ecosystem partner. Given the market power demonstrated by platform ecosystems, the most influential ecosystem participants may also face risks related to claims of anti-competitive practices. Ecosystem participation, in short, may entail a wider range of legal specialties and challenges than many banks are accustomed to.

Risk is inevitable — so manage it

APIs and API management can help banks reduce risk and respond agilely when external volatility arises, and by examining the challenges faced by companies that have already entered ecosystems, banks can often predict and mitigate the risks involved in getting their internal leaders, technologies, and legal processes prepared for smooth ecosystem entry. Understanding new risks is the cost of embracing any innovation, but with the right mindset and capabilities, banks — and enterprises in general — can help themselves to enjoy the unprecedented scale of digital ecosystems without suffering the potential pitfalls.

[Looking to learn more about driving business value with APIs? Check out our ebook series “Inside the API Product Mindset.”]


Written by


The cross-cloud API platform. Delivering the products that make every business a digital business.

APIs and Digital Transformation

APIs are the de-facto standard for building and connecting modern applications. They connect applications to one another and to the data and services that power them - enabling businesses to combine software for new products.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade