The focus of financial institutions has long been on customers, profit and growth. Risk management has often been seen as a necessary burden.
Now, in the aftermath of the pandemic, the supply-chain crisis and other global challenges, there is no better time to turn the tables and put risk management first. When this is done right, customers, profit and growth will follow.
Modernizing the risk approach is foundational to modernizing the enterprise—and vice versa. With technology underpinning the foundation of every bank, it has become increasingly clear that technology risk and business risk can no longer be kept separate. It would be easy if this change could be done at the top, but regardless of an individual or group’s role, every banker needs to be a risk officer.
With risk management, it has become all hands on deck—everyone must be engaged because everyone is responsible. The most successful banks make risk a priority across the organization by making it easy to vocalize, share and even own risk. This mindset requires a holistic approach that works across the silos that have long plagued banking. It necessitates a foundational shift that can’t happen overnight.
With this in mind, ServiceNow recently joined forces with the ThoughtLab Group to survey 750 banks globally about risk and resilience leadership. The survey asked about their plans and actions over the next two years related to technology risk across six pillars of excellence: organization, process, integration approach, governance, data and technology.
There’s no question that risk is top of mind for the industry. Nearly three-quarters of CEOs and more than half of banks report that tech risk is the bank’s biggest issue. Meanwhile, for 30% of banks, the board plays a key role in managing technology risk and resilience.
But few banks have developed a solid approach to managing tech risk. In fact, just 19% of banks can be considered true leaders in technology risk management and resilience. Perhaps unsurprisingly, almost all of those have made risk a high priority and feel that they are well prepared to effectively manage the risks they will face in the next two years.
For the banks that want to start the journey to stronger risk management, the survey yielded strong and sound advice. The first step is to establish the right foundational frameworks. More than 70% of banking risk beginners are going to be focused on building technology and cybersecurity risk into their risk-appetite framework over the next two years. Many risk leaders may have already taken this step, but it is still a focus area for 44%, according to the survey.
DATA AND INTEGRATED RISK MANAGEMENT
Banks also need to advance the use of data in their risk-management processes. This requires trustworthy sources of data, pushing ahead with automation and investing in data science, artificial intelligence and machine learning. Sixty-four percent of risk leaders plan to invest in data to improve risk identification and management and their overall resiliency position in the next two years. More than half of risk leaders also plan to create data-management solutions that integrate data across the enterprise.
Adopting a more data-driven approach to risk also requires banks to embrace integrated risk platforms, not only to manage the volume but also to get a holistic, enterprise-wide view of risk. This has to come from the top so that it ripples across—and permeates into—the industry’s notorious silos. Back office and front office, which are two very different worlds, both have to be on board.
Only 30% of beginners are currently doing so, but our research shows that this will increase to 70% by 2026. If we turn our focus to those banks that are seen as the risk leaders, we see that 60% are already using an integrated risk management platform, a figure that jumps more than 20 percentage points over the same period. Without a doubt, automation and the use of AI/ML are set to drive change in many industries. But in this space, leaders in risk expect to make significant advancements. The fastest improvement for them is happening in risk detection—roughly three-quarters expect to be largely or fully automated in two years, up dramatically from 32% now.
Savvy risk leaders recognize that technology risk can’t be separated from business risk and are therefore investing in high-impact digital solutions. Modernized IT systems and the cloud top the list of important investments today, with nearly half of leaders stating it is one of their most important investments. Looking out two years, risk leaders say the most important investments for banks to improve their technology risk and resilience will be in cybersecurity defenses, blockchain, AI/ML and cybersecurity orchestration, according to the survey.
CREATING A POSITIVE RISK CULTURE
Equally important is creating a positive culture around risk. Tech can help spot risks and implement preventative controls, but if there is a culture of blame or fear around risk, the organization won’t transform. Making it easy to highlight potential risks and ensuring cross-enterprise support for remediation where required is key but can also be difficult with the heavily regulated world in which banks operate.
Driving a positive risk culture from the top should be nonnegotiable. This may also involve personnel changes, with more than one-third of risk leaders planning to expand the chief risk officer role to include IT/cyber risk, while 54% plan to appoint a senior executive to manage IT, risk and cybersecurity.
Strong risk management can be a driver of innovation and growth, and in the survey, we found that nearly two-thirds of leaders plan to better involve IT and cyber risk management teams to do just that. Strategies include using IT to reduce vulnerabilities and automate mitigations, integrating business risk management processes with security operations and IT controls and bringing cybersecurity into IT development.
With a majority of leaders stating that they plan to create a more positive risk culture across their organization, we can see clearly how putting a strong focus on risk now will drive growth, profit and, most importantly, satisfied customers. It doesn’t have to be overwhelming: start small with something specific. There’s no point saying, “Let’s have a three-year plan with training courses” that overwhelms employees. Build top-down recognition, and culture will follow. There’s no risk in that.
Simon Cox is chief transformation officer at ServiceNow.