Digital
risk: Transforming risk management for the 2020s
Significant
improvements in risk management can be gained quickly through selective
digitization—but capabilities must be test hardened before release.
Digitization has become deeply embedded in banking strategy, as nearly all businesses and
activities have been slated for digital transformations. The significant
advantages of digitization, with respect to customer experience, revenue, and
cost, have become increasingly compelling. The momentum to adopt the new
technologies and operating models needed to capture these benefits continues to
build. The risk function, which has seen significant growth in costs over the
past decade, should be no exception. Indeed, we are starting to see digital
transformations in risk create real business value by improving efficiency and
the quality of risk decisions. A digitized risk function also provides better
monitoring and control and more effective regulatory compliance.
Experience shows that the structural
changes needed to bring costs down and improve effectiveness in risk can be
accomplished much like digital transformations in other parts of the bank. The
distinguishing context of the risk environment, however, has important
implications. First, risk practitioners in most regulatory jurisdictions have
been under extreme pressure to meet evolving regulatory requirements and have
had little time for much else. Second, chief risk officers have been wary of
the test-and-learn approaches characteristic of digital transformation, as the
cost of errors in the risk environment can be unacceptably high. As a result,
progress in digitizing risk processes has been particularly slow.
This status quo may be about to change,
however, as global banking leaders begin to recognize how substantial value can
be unlocked with a targeted digital agenda for risk featuring fit-for-purpose
modular approaches. In addition to the objective of capturing value, this
agenda incorporates risk-specific goals. These include ensuring the ongoing
effectiveness of the control environment and helping the risk function apply
technology to better address regulatory expectations in key areas—like risk
measurement, aggregation, and reporting.
What is
digital risk?
Digital risk is a term encompassing all
digital enablements that improve risk effectiveness and efficiency—especially
process automation, decision automation, and digitized monitoring and early
warning. The approach uses work-flow automation, optical-character recognition,
advanced analytics (including machine learning and artificial intelligence),
and new data sources, as well as the application of robotics to processes and
interfaces. Essentially, digital risk implies a concerted adjustment of
processes, data, analytics and IT, and the overall organizational setup,
including talent and culture.
Three
dimensions of change: Processes, data, organization
To realize the full
benefits of process and decision automation, banks need to ensure that systems, processes, and
behaviors are appropriately fitted for their intended purpose. In the risk
environment, prioritized use cases are isolated in such areas as credit
underwriting, stress testing, operational risk, compliance, and control. In
most banks, current processes have developed organically, without a clearly designed
end state, so process flows are not always rational and efficient. Operational
structures will need to be redesigned before automation and decision support
can be accordingly enabled.
Data, analytics, and IT architecture are the key enablers for digital risk management.
Highly fragmented IT and data architectures cannot
provide an efficient or effective framework for digital risk. A clear
institutional commitment is thus required to define a data vision, upgrade risk
data, establish robust data governance, enhance data quality and metadata, and
build the right data architecture. Fortunately, processes and analytics techniques
can now support these goals with modern technology in several key areas,
including big data platforms, the cloud, machine learning, artificial
intelligence, and natural-language processing.
The organization and operating model will require new capabilities to drive rapid
digitization. Although risk innovation takes place in a very specific, highly
sensitive area, risk practitioners still need to create a robust culture of
innovation. This means putting in place the right talent and nurturing an
innovative “test and learn” mind-set.
Governance processes must enable nimble responses to a fast-moving
technological and regulatory environment. Managing this culture of innovation
in a way that is appropriate for risk constitutes a key challenge for the
digitized risk function.
Adapting
digital change to the risk context
Most institutions are digitizing their
risk functions at a relatively slow pace, taking modular approaches to targeted
areas. A few have undertaken large-scale transformation, achieving significant
and sustainable advances in both efficiency and effectiveness. Either way, in
the risk context, care must be taken when adapting test-and-learn pilots
commonly used in digital transformations in other parts of the bank. Robust
controls must be applied to such pilots, as the tolerance for bugs and errors
in risk is necessarily very low. When digitizing processes relating to comprehensive
capital analysis and review (CCAR), for example, solutions cannot be introduced
into production before thorough testing has convinced designers and
practitioners of their complete reliability and effectiveness. In certain other
risk areas—such as monitoring and early-warning systems in commercial credit
risk—banks can use test-and-learn approaches effectively.
Sizing
the opportunity
Our experience suggests that by improving
the efficiency and effectiveness of current risk- management approaches, digital
risk initiatives can reduce operating costs for risk activities by 20 to 30
percent. The state of risk management at most global, multiregional, and
regional banks is abundant with opportunity. Current processes are resource
intensive and insufficiently effective, as indicated by average annual fines
above $400 million for compliance risk activities alone.
The potential benefits of digital risk
initiatives include efficiency and productivity gains, enhanced risk
effectiveness, and revenue gains. The benefits of greater efficiency and
productivity include possible cost reductions of 25 percent or more in
end-to-end credit processes and operational risk, through deeper automation and
analytics. Risk effectiveness can be strengthened with superior transparency,
gained through better management and regulatory reporting and the greater
accuracy of model outputs due to better data. Revenue lift can be achieved
through better pricing or an enhanced customer and frontline experience—for
example, by reducing the know-your-customer (KYC) cycle time from one week to
under one day, or the mortgage-application process to under 30 minutes, from 10
to 12 days. Improved employee satisfaction can also be achieved through
focusing talent on high-value activities.
Target
risk processes: Credit risk, stress testing, and operational risk and
compliance
The possible action areas for digital risk
are extensive, but in our view three specific areas are optimal for near-term
efforts: credit risk, stress testing, and operational risk and compliance.
Alhough no one bank has fully digitized all three of these areas, we are seeing
leading banks prioritize digital initiatives to realize discrete parts of the
total savings available. The following discussion is based on actual digital
risk initiatives across risk types and processes.
Credit
risk
Credit delivery is hampered by manual
processes for data collection, underwriting, and documentation, as well as data
issues affecting risk performance and slow cycle times affecting the customer
experience. Digital credit risk management uses automation, connectivity, and digital
delivery and decision making to alleviate these pain points. Value is created
in three ways: by protecting revenue, improving risk assessments, and reducing
operational costs.
To protect revenue in consumer credit,
digital risk strengthens customer retention. It improves the customer
experience with real-time decisions, self-service credit applications, and
instant credit approvals. The improvements are enabled through integration with
third parties for credit adjudication and the use of dynamic risk-adjusted
pricing and limit setting. One European bank is exploring the potential for
digital risk to expand revenue in consumer credit within the same risk
appetite. Digitized credit processes will permit faster decision making than
the competition while the bank maintains its superior risk assessment.
Value is also created by improving risk
assessment. Advanced analytics and machine-learning tools can increase the
accuracy of credit risk models used for credit approvals, portfolio monitoring,
and workouts. It can also reduce the frequency of judgment-based errors. The
integration of new data sources enables better insights for credit decisions,
while real-time data processing, reporting, and monitoring further improve
overall risk-management capabilities. Operational costs are also reduced as
credit processes are digitized. A greater share of time and resources can be
dedicated to value-added activities, as inputs and outputs become standardized
and paperless.
In addition to improving default
predictions, we have seen credit risk improvements in these areas creating a
revenue lift of 5 to 10 percent and lowering costs by 15 to 20 percent.
Stress
testing, including CCAR
Banks find that significant value can be
captured through a targeted digitization effort for stress testing, including
CCAR. The current approach is highly manual, fragmented, and sequential,
presenting challenges with data quality, aggregation, and reporting time frames
and capacity. The processes are prime candidates for digital automation and
work-flow tools.
The underlying stress-testing process is
the starting point. The improvement program will aim at optimizing resources.
Dedication of resources will be prioritized based on materiality of risk.
Institutions can achieve additional efficiency through parallel processing,
centralization, and cross-training of staff, as well as better calendaring.
Templates and outputs are standardized, and “golden” sources for data are
designated. The resulting process becomes increasingly transparent and effective.
Process optimization is supported by digital-automation initiatives for data
loading, overlays, Y14A reports, and the end-to-end review and challenge
process. Real-time visualization and sensitivity analysis are digitally enabled
as part of the transformation. In addition to optimizing stress testing
directly, banks are also looking for opportunities to harmonize the data,
processes, and decision-making models with business planning.
We have seen digitization in CCAR and
stress testing bring significant cost improvements and—even more important—free
up capacity so that experts can apply more insight and improve the quality and
use of outputs.
Operational
risk and compliance
At many global banks, manual processes and
fragmented systems have proliferated across operational risk and compliance
controls and activities. In anti-money laundering (AML), for example, processes
and data have become unwieldy, costs have skyrocketed, and efforts have become
ineffective. Significant opportunities to increase the effectiveness and
efficiency of AML operations lie in thorough end-to-end streamlining of the
alert-generation and case-investigation processes.
In alert generation, digital risk
improvements ensure that reference data available for use in the analytic engine
is of high quality. Advanced-analytics tools such as machine learning are used
to test and refine the case-segmentation variables and support
“auto-adjudication” where possible. In addition, digitization and work-flow
tools can support smart investigations and automated filing of
suspicious-activity reports, an improvement that enhances the productivity of
the investigation units.
Our experience of digital risk initiatives
in AML is that they invariably improve effectiveness and efficiency, typically
in the range of 20 to 25 percent. The overall impact of such improvement is
even greater, however, given the large cost base of this function across
institutions and the risk of not identifying bad actors.
Digital
risk is different
A digital risk program must be designed in
recognition of those aspects of the risk function that distinguish it from
other functions, such as frontline digital sales. For risk, regulators will not
accept the characteristic approaches of traditional digital transformations.
Live launches of “minimum viable products” to be tested and refined in
production is not an appropriate path for most risk activities.
Most approaches to digitization focus on
improving the customer experience. Digital risk will involve some actual
external customers, such as in credit delivery, but in most areas the focus
will be on internal customers, stakeholders, and regulators. Moreover, digital
risk is never a self-contained effort—it will depend on data from all
businesses and functions. Development thus proceeds at a pace limited by the
careful management of these interdependencies. Innovative approaches such as
agile and digital labs provide effective options to implement solutions
incrementally.
Direct
impact will be felt in cost and risk reduction
While digital risk offers clear
opportunities for significant cost reduction, the impact on revenue is less
obvious but implicitly understood by leaders. Frontline digital transformations
are often aimed at direct revenue improvement; proof of this impact from digital
risk programs is more elusive, since risk is an enabling function. Faster
turnaround times for loan applications is a typical digital risk improvement.
This will likely drive higher lending volumes and, consequently, increased
revenue—even if the correlation cannot be precisely determined. Given the
indirect impact on revenue, digital risk programs should focus primarily on
reducing risk and cost. The exception is digital credit, where the case for
revenue lift will be clearer.
Designing
a program
An effective digital risk program begins
with chief risk officers asking the right questions—those that point the
institution toward specific initiatives for digital innovation. “Can we reduce
the time needed for structured credit approvals to a few minutes?” “How can we
increase straight-through processing rates?” “How can we improve the efficiency
and streamlining of KYC activities to reduce pain points in the account-opening
process?” “How can we make CCAR less sequential and resource intensive?” “How can
we improve the timeliness of reporting to meet regulatory objectives?” “What
value can we extract from better use of internal data?” “What is the
incremental benefit of including new data sources?” The answers will help shape
initiatives, which will be prioritized according to current resource-allocation
levels, losses and regulatory fines, and implementation considerations, such as
investment and time.
Digital risk programs can incorporate the
familiar design features of digital transformations, such as zero-based process
and interface redesign and an agile framework. The testing and refinement,
however, takes place entirely within a controlled environment. The design
approach, which can be modular, must also be comprehensive, based on a thorough
review of risk activities, appetite, and policies.
The designs cannot be migrated into
production until they have been thoroughly tested and syndicated, often with
regulatory bodies. Because of its highly sensitive environment, risk is
digitized end to end over a longer timeline than is seen in customer-service
areas. Specific capabilities are developed to completion and released
discretely, so that risk management across the enterprise is built
incrementally, with short-term benefits.
The
anatomy of a transformation
A digital risk program can get a running
start by capturing high-value opportunities first. The anatomy of the
transformation will resemble that of other digital transformations, with the
usual three stages: 1) priority initiatives are identified according to the
value at stake and the feasibility for near-term implementation, 2) digital
solutions are designed to capture that value and tested and revised according
to stakeholder input, and 3) the improvement is introduced into production,
with continued capability building to embed the design, engineering, and change
management into the operating model and invest in the right capabilities and
mind-sets.
The opportunities identified in stage one
are matched in stage two with digital and other solutions that will reduce
waste and optimize resources while improving standardization and quality. These
solutions will involve work-flow automation, digital interfaces, and the use of
advanced analytics and machine learning. The technology design may use a “two
speed” architecture to support fast innovation in IT while allowing the main IT
infrastructure to operate normally. New functionality is rigorously tested
prior to migration into production, to ensure a smooth, error-free transition
for critical risk functions. Iterative test-and-learn processes take place
within environments featuring higher control standards than typical elsewhere.
Stakeholder feedback and often regulator syndication are obtained prior to
production release.
In the third stage, where the innovation
is introduced into production, the organization focuses on change management.
In itself, this is no different from typical digitization programs in other
business areas. The focus is on embedding the design into the operating model
and continuing to invest in digital capabilities to build momentum for further
launches. Having the right talent in place, whether drawn from internal or
external sources, is the key to a successful transition to digital risk.
The path to digital risk will be a multiyear journey,
but financial institutions can begin to capture significant value within a few
months, launching tailored initiatives for high-value targets. As the risk
function becomes progressively digitized, it will be able to achieve higher
levels of efficiency, effectiveness, and accuracy. In the future, risk
management will be a lean and agile discipline, relieving cost pressures,
improving regulatory compliance, and contributing to the bank’s ability to meet
escalating competitive challenges. The first steps toward that future can be
made today.
By Saptarshi Ganguly, Holger Harreis, Ben Margolis, and Kayvaun
Rowshankish
http://www.mckinsey.com/business-functions/risk/our-insights/digital-risk-transforming-risk-management-for-the-2020s?cid=other-eml-alt-mip-mck-oth-1702
No comments:
Post a Comment