Navigating The World Of Risk

Striking the right balance between successful innovation and risk management is crucial to any business.

Our clients and stakeholders demand that we launch and improve our products and services as quickly as possible. It’s of course the right thing to do, but as a large, regulated financial institution, we also have a major elephant in the room to manage: risk.

Cyber risk is a top concern among our leaders, consistent with trends across the industry. An EY study from earlier this year found that 72% of global chief risk officers view cybersecurity as the top year-ahead risk, followed by credit and environment risks. Global cyberattacks increased by 38% in 2022, according to a report from Check Point Research. The growth of artificial intelligence (AI) tools, including generative AI capabilities, can amplify the cyber threat, the report said. There are also financial stability risks associated with particular decisions. Our business relies as much on the nimbleness of the tech as the trust our clients and partners place in us. I think firms in our sector can successfully innovate and manage risks through a few internal governance design steps.

Our way of working also involves taking a shared responsibility for managing risk: Risk management is at the heart of what we do every day to protect our clients’ information as increasingly sophisticated cyberattacks challenge the industry. We have to remain vigilant, with everyone taking responsibility, coupled with continuous discussion and communication when implementing systems or tools that present more risk than our typical activities.

How we think about risk

We look at risk by forecasting when outcomes are likely to bear fruit, and we develop procedures for all possible scenarios. That might sound simple, but it involves extensive research, data gathering and processes and controls across the company. We also look at the financial ramifications of each risk outcome. Amid market volatility, the consequences of a single mistake can be significant.

In addition, we need to be concerned about the follow-on risks associated with a particular outcome. Think of it this way: Would our failure in one area cause a systemic issue across the markets? Something that affects one client could ricochet across several clients, and we need to be ready for that with process and accountability checks.

We cannot simply launch a product into the marketplace and allow it to fail. The need for risk forecasting and management should be baked into the process of launching a new product or service. So instead of killing innovation, risk management efforts strengthen it by setting new products and ideas up for success. It might slow things down a little, but it can significantly cut down the chance that catastrophic events could upend our efforts.

Any product needs to go through a rigorous set of controls throughout our organization. The product review process should take into account security and vendor management considerations. We also perform stress tests to look for idiosyncratic events that could cause harm.

I remain committed to exploring how transformative emerging technologies could become a core part of how we do business. AI, for example, could transform the financial services industry, with banks, insurance companies, and others investing in the technology to improve efficiency and client experiences. Of course, there are risks we need to manage, including the possibility that biased AI algorithms can produce poor decisions and sub-optimal outcomes. To root out bias, you need robust model validation controls. This means an impartial panel — separate from the one that developed the AI model — must validate the model to detect instances of bias.

Embedding risk management into everything we do

As we consider how to foresee and detect risk, a key enabler is cultural change. We now find that accountability for risk management is far more diffuse across the organization, and everyone shares that responsibility. Cyberattack preparedness, for example, is no longer the sole domain of the risk team; it’s the responsibility of every person and every organizational unit to take the necessary preventative steps.

I am excited about the next stages of technological advancement, particularly the rollout of tools that help us manage our data more efficiently and help us offer more value to our clients. As the speed of product evolution picks up, we will be looking to roll out new products and services at an ever increasing pace. We cannot afford to resist innovation — we must embrace it and realize the benefits for our employees and customers. But we need to launch these improvements in a way that minimizes the potential for harm, and consistently following a risk and governance framework can help get us there.