The future of risk management in the
digital era
We
collaborated with the Institute of International Finance (IIF) and more than 50
institutions around the world, including banks, regulators, and fintechs, to
explore critical questions on the future of risk management. This report aims
to answer these questions and shares insights to help organizations navigate a
digital transformation of the risk function—now and in the long term.
The facts about the
digital era are becoming familiar
but remain astonishing. Computing power has doubled annually since the 1970s,
and costs have fallen at about the same rate. With every human activity now
digitally recorded (even sleep, in Apple’s new health app), more data have been
generated over the past two years than in all of previous recorded history. The
number of interactive devices is also increasing fast. Four billion smartphones
were active in 2016, with two billion more to come. And all those smartphones
(and laptops, tablets, sensors, cameras, and so on) are busily creating
torrents of yet more data—2.5 exabytes every day.
The future of risk management in the digital
era
McKinsey partner Holger Harreis
discusses the challenges in digitizing risk management, the potential benefits,
and a path forward.
Data, analytics, and the digital tools to harness themare transforming all aspects of
life, including business and industry. Banking is undergoing its own digital revolution,
with significant implications for risk management. In the 2017 IIF/McKinsey
digital risk survey, we find that 70 percent of banks have digital risk
prominently on the radar, with a middling level of management attention, and 10
percent have it on the high-priority list. Correspondingly, respondents
indicate that 22 percent of banks—nearly 30 percent in Europe and the rest of
world—have invested more than 25 percent of the annual risk budget to digitize
risk management. Six main trends are behind this transformation, either
directly or because they build a case for change.
Front and center are
customers and their ever-rising expectations. Today’s consumers and
businesses are accustomed to personalization through social media and to rapid fulfillment
through e-commerce. They expect the same kind of near-instantaneous service and
customized products from their banks.
A second force is
greater competitive pressure: aggressive fintechs, some prominent nonbank
lenders, and early-adopting incumbents have enhanced their customer offerings,
largely automated their processes, and made their risk models more precise. As
a result, they can undercut traditional banks on price (our research has shown
that digital attackers’ cost/income ratio is 33 percent, compared with 55
percent at incumbent banks).
Third, cost pressures
come from another direction too: regulatory constraints and low interest rates
have, in many cases, brought the average return on equity below or close to the
cost of capital. While these cycles may turn, the pressure is likely to remain,
especially as banks have added substantial staff to manage risk and enforce
compliance.
The fourth trend is
related to emerging and evolving risk types that arise from new business
models. For instance, digital channels present new kinds of risk (including the greater
exposure of digital assets). The rise of analytics requires risk managers to
pay close attention to model risk, and the greater level of interconnectedness
among businesses requires vigilance on contagion risk.
A fifth trend,
regulation, may surprise some people who think that banking has reached “peak
regulation.” Thirty percent of the respondents in our survey say regulatory
cost for risk increased by more than 50 percent over the last five years.
Moreover, 46 percent predict costs will continue to increase somewhat over the
next five years. Though some aspects may begin to be deregulated slightly,
banks can expect an overall increase in regulatory constraints on topics including
supervision (for instance, TRIM and SREP), systemic risk (such as stress tests
and Basel III), data protection (like GDPR), and customer protection (for instance, PSD II). While
many participants in the working groups (and many of the chief risk officers in
a forum that McKinsey recently convened) said that regulation “has become a
stable element of our new business as usual” this means that regulation is
driving parts of the digitization agenda. Digitization can also strongly help
to cope with the repercussions—nearly 100 percent of the respondents,
irrespective of geography or category (G-SIB versus D-SIB), state that digitization
is an important lever to cope with the regulatory burden. On the other hand,
regulation is not a key impediment to digitizing risk. The most important
impediments, according to the respondents, are legacy IT (85 percent), data
challenges (70 percent), culture (45 percent), a shortage of talent (40
percent), and complex organizational structures (40 percent). These all score
higher than regulation (35 percent).
Finally, a sixth trend
concerns a banking-services ecosystem that is now springing up, offering new ways to undertake
vital functions. For example, banks have used fintechs in credit risk
underwriting partnerships, fraud detection, and (through industry utilities)
regulatory compliance or supervisory reporting. Overall, 70 percent of survey
respondents believe that fintechs will help to digitize the risk function. The
most important topics here are mitigating losses from operational risk,
managing ALM liquidity, risk stress testing, identifying emerging risks, and
monitoring and managing risk portfolios. Also, 30 percent of the respondents
(60 percent in North America) plan to use utilities and partnerships to cope
with regulation.
The digitization of risk
Digitization in banks
has so far concentrated mostly on customer-facing “journeys” (such as online marketing)
and the operations that support those journeys (customer onboarding, customer
servicing). Only recently have banks expanded their transformations into other
parts of the organization, including the risk function. Banks note the
importance of digitizing risk. Seventy percent of respondents reported that
senior managers are paying moderate attention to risk-digitization efforts; 10
percent say that senior managers have made these efforts a top priority. Risk
digitization is clearly an established topic in the executive suite.
This is not yet
reflected in banks’ investment, however. Only about 10 percent of risk groups
have allocated more than half of their budget to digitization; another 15
percent have allocated between a quarter and a half of their budget. Risk teams
in Europe are investing more in Europe than in North America.
Lagging investment is
likely to catch up soon. Digital risk transformations are already a reality at
the largest banks: 70 percent of G-SIBs stated that a digital risk
transformation is now in place. Moreover, many respondents have high ambitions
to digitize 80 percent or more of risk process in the next five years.
Furthermore, senior management’s mandate is now to drive such transformations;
only 9 percent of respondents view a lack of senior management attention as a
key challenge to digitizing risk.
Given the trends we
have laid out, it is imperative for the risk function to accelerate its
digitization efforts, since it will be increasingly hard to stay analog while
customer-facing activities and operations race ahead into digital. As one risk
executive noted, “the risk function should not be the bottleneck to a highly
digital [bank].” Another said that “there is no way channels can be truly digital
without working with risk.” However, only 39 percent of respondents considered
their risk function to be a significant contributor to the bank’s overall
transformation.
A digital
transformation for risk would mean a number of changes. Chief among them, risk
would capture and manage information from a broader and richer set of data,
looking into nontraditional sources like business-review ratings online. It
would automate processes it controls, and work with others to do the same for
decision-heavy processes. It would use advanced analytics to further improve
the accuracy and consistency of its models, in part by greatly reducing the
biases. Risk would embed its solutions in a bank’s website, its mobile trading
app, and its corporate-banking platform, while deploying a flexible risk data
architecture. Inside the bank, leaders would consult self-serve dashboards
informed by risk analyses—and thus act on risk-driven strategic advice. Risk
would review and reshape its mandate and role to capitalize on its ability to
provide faster, more forward-looking, and deeper insights and advice. It would
alter its organizational setup, as well as its culture, talent, and ways of
working.
But to get there, risk
must overcome a set of challenges. First, risk systems have significant IT and
data constraints. IT systems are often patchwork, which means that data quality
is often poor. Eighty-six percent and 63 percent of risk managers viewed legacy
IT systems and a lack of easily accessible high-quality data, respectively, as the
main challenges to digitizing risk. The working group noted the contradiction
involved in encouraging people to seek additional and creative data sources
while not mining fully trusted internal data as a result of the challenges of
legacy IT systems.
Second, risk leaders
are inherently and appropriately conservative, given their mandate. They will
need to adopt and adapt concepts like iterative design, “fail fast,” and
multivendor teams. Forty-six percent of risk managers viewed culture as a main
challenge in digitizing. Risk staff often lack the most up-to-date knowledge of
analytics and next-generation technologies that will be needed in a more
digital state. Forty-three percent of risk managers saw talent as a key
challenge in digitizing. The working group actively debated how to attract and
retain talent both proficient in risk and comfortable with digital
technologies.
Third, risk has
bankwide interdependencies. The risk function is highly involved in thousands
of daily decisions across the entire bank. It requires considerable
collaboration from others to deliver a digital risk solution. Thirty-seven
percent of risk managers viewed a complex organizational structure as a main
challenge in digitizing. As one risk manager stated, “strategic alignment is needed
between different groups ahead of time [to drive the risk] digitization.”
Regulation is another
challenge. As 34 percent of the respondents noted, regulatory requirements for
transparency, auditability, and completeness could limit the depth and speed of
the technology’s adoption. The working group consequently observed that “black
box” machine-learning techniques have had a slow rate of adoption in regulatory-reviewed
models. Finally, digital transformation in risk is a special case. Not unlike
open-heart surgery, everyone must know the playbook to the last detail, and a
range of safety measures and fallback options must be in place to safeguard the
bank and its customers and keep operations running at the highest possible
levels.
Nevertheless, it can be
done. Many capabilities are in place, others can be amassed, and several banks
have laid promising foundations. Further, there is a strong economic case for
taking on these challenges and digitizing risk; 40 percent of respondents
believe that credit risk costs will fall by more than 25 percent (we explore
the economic case in detail, below). Leading banks and fintechs have proved
that a number of oft- cited transformation barriers, such as a lack of digital
talent and heavy regulatory requirements, can be overcome. In essence, the
research that underpins this report makes a clear case for digitizing risk. Now
the question is how far and how fast digitization can go.
A vision for digital risk
A fully digital risk
group could be game-changing for key stakeholders given the observed trends and
impact at stake. Consider how their experiences would improve:
·
Risk
executives will focus on
more strategic and high-value decisions as routine work is automated away and
fewer exceptions require manual handling. They will use advanced-analytics
capabilities to generate insights that are hard to produce today (such as
complex correlation and trend analyses) to help the front line optimize its
decisions and offerings. Risk executives will deploy a centralized “nerve
center” where newly powerful self-learning models will harness improved
connectivity to set limits dynamically and to detect emergent risks (credit,
market, and operational)—evaluating those risks immediately, setting cross-risk
mitigation strategies in motion, and dynamically adjusting limits. This nerve
center will thus improve forward-looking risk identification and management
across different risk types. To access these nerve centers, risk leaders will
consult self-service, highly customized dashboards that gave them the ability
to drill down into the headline figures and run self-defined analyses, mostly
in real time. Risk executives will lead a smarter, nimbler, and smaller
organization (60 to 70 percent of the current size in full-time equivalents, or
FTEs) with a very different distribution of skills, including many more people
with analytics and digital skills. Risk’s responsibilities will grow, however,
in the view of more than 80 percent of respondents. Nearly two-thirds also
think that more activities will move from the first line of defense into the
risk group.
·
CEOs
and heads of business will receive
automatically generated strategic advice on risk- oriented business decisions,
such as identifying origination opportunities, shrinking unwanted exposures,
managing investment portfolios, and allocating capital. Here too, executives
will rely on an intuitive visual tool to provide advice on demand at an
appropriate level of detail (such as specific markets, portfolios, or
products). This advice will be grounded in live analytical views of the bank’s
projected performance. CEOs will come to rely on a tool that readily
illustrates, say, the implications for risk appetite of taking on credit and
market risk in a given country under various macroeconomic scenarios.
·
Retail
and corporate customers will
have individualized banking experiences that meet their high expectations.
Banks will be present at key moments in people’s lives, helping them make more
informed decisions, adroitly anticipating their needs, and offering customized
solutions. No longer will customers need to communicate over multiple channels
or shuffle through reams of paper. Banks’ advice might range from simple nudges
to avoid overdrafts or late-payment fees to more sophisticated help managing
account balances to optimize interest income. The advice will come in real time
and will be fully embedded in the customer journey. For corporate customers,
the bank will also be able to integrate into the supply chain, assessing risks
and providing timely financing; here too, advice and decisions would be fully
embedded in the customer journey. CFOs could expect comprehensive financial
advice (subject to regulatory constraints), including views on risk from, say,
adverse market trends and benchmarks that might compare the company’s customers
with industry metrics. Customers could, moreover, confidently expect the bank
to keep their data safe.
·
Regulators will move from consuming reports to
receiving near-live data. While our respondents were divided on whether
regulators will have direct access, most think that the provision of data will
be timely and painless. Regulators could swiftly perform ad hoc analyses (for
instance, impromptu stress tests) and provide banks with enhanced guidance on
systemic risks. They could flag potentially noncompliant actions, allowing
banks to deal with and mitigate any related risks to prevent them from
ballooning into material systemic issues. Regulators could also oversee
nonbanks, including fintechs and corporates with financing arms, in the same
digitally enabled ways.
The value at stake
Risk managers agree
that considerable value is already at stake for banks in achieving this digital
state in the near term (two to three years). This value would be derived mainly
from efficiencies, reduced losses, and even indirectly through an enhanced customer experience and increased revenues. Twenty-eight percent of
respondents expect automation to reduce costs by at least 30 percent. Nearly
two-thirds think that a reduction of at least 15 percent is likely and that the
time to make credit decisions will fall by at least 25 percent across
portfolios. About 80 percent think that more timely decisions will be another
benefit. Seventy percent expect higher productivity.
We estimate that the
annual steady-state value from digitizing risk management (including revenue
effects) will be approximately the same as the total investment over the first
three years. This equates to a return on investment of about 450 percent for a
first-mover bank with a well-executed program. For a G-SIB, this would
translate to about $600 million to $1.1 billion of annual, steady-state impact.
A typical G-SIB with a $1 trillion balance sheet would have to make a $200
million investment annually for three years. Since digital transformations are
much more modular than classic large-scale IT replatforming programs,
higher-impact areas can be targeted first in a precise way. As a result, the
ROI would be even greater in the short term, with early impact potentially
funding later investments in an agile deployment of initiatives. These estimates
are contingent on risk and the bank’s successful execution of a large
change-management program of many initiatives; it is possible or even probable
that banks will not meet their expectations on all initiatives.
Our analysis considered
several levers. Recent efforts with risk automation and robotics suggest that
FTE productivity could rise by 10 to 20 percent. With machine learning and
other technologies, risk models can become more predictive, which suggests that
credit losses may fall by up to 10 percent. As automation and analytical tools
reduce the number of human errors, and as new multichannel surveillance
techniques detect inappropriate employee behavior more capably, the frequency
and magnitude of operational and compliance losses and fines could decline by
10 percent. However, evolving risks (such as cyberrisk) might increase the
potential for high operational losses, offsetting the gains to some extent.
IT costs for risk could
decrease by 10 to 20 percent as the function optimizes its application-development
and -maintenance capabilities and simplifies its data and application
environments. Finally, there is also the potential for a capital reduction of
up to 8 percent—depending, of course, on regulatory restrictions. As data
quality and processes improve, and as analytics supplies greater precision,
banks will be able to deploy capital more efficiently, lowering their
risk-weighted assets.
We also see the
potential for a revenue uplift of up to 4 percent for a first-mover bank that
overlays risk models onto marketing models to develop a view of risk-adjusted
returns from prospecting for new revenue sources, and from providing excellent
risk-based decision tools to customers, in or near real time.
Over time, we estimate
that most of these benefits would expand, as more advanced technologies, better
algorithms, and more automated processes come online.
Real-world progress
Parts of this future
vision are already taking shape as various banks show strong progress in key
applications of digital risk. Of numerous examples we encountered, two stand
out. A midsize European bank implemented a digital-risk “engine” in its mortgage
business to combat imminent competitive pressures. The bank retooled the
process, removing a number of breaks. It kept most of its previous risk models,
but upgraded its pricing model and optimized its credit policies and
decision-making criteria, replacing a complex and overlapping set of rules. In
six months, the bank transitioned from nearly 95 percent manual decision making
(two weeks of approval time) to 60 percent straight-through processing (less
than one minute of approval time) with a completely paperless process. It
reduced the customers’ burden of data provision by 75 percent thanks to reusing
information it already had or could easily find. The decision process
integrates seamlessly into the advisory process, allowing for instant credit
approval by the RM.
The second example
comes from a US universal bank that is currently digitizing its CCAR process. Production time is slated to decrease by 30 to 50
percent, freeing up experts to focus on review and challenge before submission.
The bank also anticipates FTE productivity gains of approximately 20 percent.
Risk is collaborating with finance and business units to reengineer the
process; critically, several steps that used to be done sequentially now take
place in parallel. The bank is automating workflows, including the production
and review of documentation, and applying advanced analytics and automation to
enhance controls, thereby making the output more reliable and reducing the need
for rework.
These are just two
specific examples of high-impact use cases that could serve as parts of a
broader digital risk transformation, which could include initiatives, such as
rapid limit setting across the portfolio, automated early-warning and
collection systems, and automated compliance controls. Many participants and
interviewees spoke of similar experiences, demonstrating that the capabilities
to digitize risk safely are already in place, and that techniques like the
agile organization allow risk to focus closely on high-impact areas in a
modular way, building a transformation quickly.
The seven building blocks of digital risk
Banks can harness the
seven building blocks of a digital transformation to construct a successful
digital risk program. It is not necessary to excel in each category; rather,
risk should prioritize those that enable the strategy of the bank and capture
its unique opportunities.
1.
Data
management. Enhanced data
governance and operating models will improve the quality of the data, make risk
and business decisions more consistent, and ensure responsiveness to risk’s
data needs. One important enhancement is the need to consider data risk as a
key element of the risk taxonomy, linked to a specific risk-appetite statement
and data-control framework. Another is to accommodate far more varieties of
data. Approximately 30 percent of the respondents say that new data sources
will probably have a high impact on their work. And of course, risk must
prepare for a lot more data.
2.
Process
and workflow automation. As
risk automates tasks such as collateral data entry, often through robotic process automation (RPA), it can combine several of them into smart workflows:
an integrated sequence performed by groups of humans and machines across an
entire journey (for instance, credit extension fulfillment). In addition to
greater efficiency, smart workflows create a more seamless and timely
experience for customers. About a quarter of respondents believe that more than
15 percent of costs can be cut across different risk disciplines, except in
credit, where the number is a bit above 60 percent. Around 30 to 45 percent of
respondents see 5 to 15 percent cost-reduction potential from automation,
depending on risk type. Ninety percent see benefits from increased precision
and 55 percent believe automation will improve compliance with regulation. As a
knock-on effect, risk people will focus more on the value-adding activities
they have been trained for. And 84 percent of respondents expect an increase in
customer and employee satisfaction.
3.
Advanced
analytics and decision automation. Sophisticated risk models (for instance, those
built on machine-learning algorithms) can find complex patterns (such as sets
of transactions indicative of invoice fraud) and make more accurate predictions
of default and other risk events. Nearly three-quarters of risk managers
surveyed expect advanced analytics to have a significant impact on their work.
Fifty percent say credit decision times will fall by 25 to 50 percent. A few
respondents even believe that times could fall by 75 to 100 percent.
4.
A
cohesive, timely, and flexible infrastructure. The risk infrastructure will
evolve to support several other building blocks: innovative data-storage
solutions, new interfaces, easier access to the vendor ecosystem, and so on. It
will use techniques like application as a service, obtained from application
service providers (even on open banking platforms). Approximately 45 percent of
the respondents see innovative technologies as a high-impact building block.
“No code” and “low code” solutions will put control further in the hands of
risk executives and reduce the number of end-user computing tools. Nearly 60
percent of the respondents expect innovative data-storage structures to have a
significant impact on risk management.
5.
Smart
visualization and interfaces. Risk will deliver its insights in more intuitive,
interactive, and personalized ways through risk dashboards, augmented-reality
platforms for customers, and other interfaces. Nearly 20 percent of risk
managers expect nascent technologies, such as augmented reality, to have a high
impact.
6.
External
ecosystem. Risk will partner
with external providers to vastly improve customer onboarding, credit
underwriting, fraud detection, regulatory reporting, and many other activities.
Two-thirds of respondents see fintechs more as enablers than disruptors, while
63 percent of North American respondents plan to use industry utilities to deal
with regulatory burdens.
7.
Talent
and culture. Risk will have a
far greater share of digital-savvy personnel with fluency in the language of
both risk and the business, operating within an agile culture that values innovation and experimentation. The
new profiles seen as most critical in a digitized risk function include data
scientists and modeling experts. Many risk leaders think that their teams will
need to develop these skills rather than hire nonrisk professionals and expect
them to learn risk.
A road map for success
A digital risk
transformation is complex and potentially confusing. It includes all the tasks
of digitization efforts elsewhere in the bank, such as getting alignment among
top executives, prioritizing specific high-ROI and time-bound initiatives, and
changing the culture. But the digitization of risk must be handled with even
greater care than the bank uses elsewhere. “Move fast and break things” is not
the right motto for digital risk. Risk is the bank’s watchdog, and no digital
improvement is worthwhile if it keeps risk from its appointed rounds.
While difficult,
digital risk transformations are not impossible, and more banks are taking them
on. As noted, 43 percent of the interviewed respondents (and 70 percent of
those at G-SIBs) currently have a digital risk transformation in place. The
survey, working groups, and interviews revealed the secrets of making digital
risk a reality in each of the three main thrusts of a transformation:
·
Defining a vision for
digital risk, including a view on the key activities risk will perform in the
future, and in what way; the corresponding mandate and role of risk; and the
metrics that will be used to determine success. Critical insights here include
understanding the ways that risk’s role will evolve, to include activities such
as providing strategic counsel to the top of the house.
·
Determining the
opportunities for digitization, through a bottom-up assessment of risk
processes, a plan for applying digital tools to the most promising activities,
and a business case that estimates the total impact. One key insight: banks
should not wait for perfect starting conditions before getting started; often,
they can take significant steps even while they are building vital assets and
skills, which can be added later.
·
Running a swarm of
initiatives that meets the strategic goals and captures the defined
opportunities, through a considered approach to governance and the operating
model, and new techniques such as agile sprints and digital factories. One
important finding from the research: even as it moves to agile development,
risk must put in place hard measures to ensure safety, such as running old and
new processes in parallel for a while, and conducting more back-testing on new
analytical approaches.
Given the high value at
stake and the dangers of procrastination, banks should embark on the digital
risk transformation journey as soon as possible. Most risk functions have at
least some of the building blocks they’ll need to get started. They can harness
these for short, agile initiatives that build momentum toward the necessary
digital risk vision and address any lingering internal doubts. As one risk
executive told us, “By delivering proofs of concept, we can convince those remaining
skeptics that the new technology and innovations at our disposal can and should
be used in [achieving the critical digital risk transformation].”
https://www.mckinsey.com/business-functions/risk/our-insights/the-future-of-risk-management-in-the-digital-era?cid=other-eml-alt-mip-mck-oth-1712
No comments:
Post a Comment