Risk management transformation

Risk management practices are undergoing a significant transformation as banks in Hong Kong adapt to the fast-paced evolving regulatory landscape, technological advancements, geopolitics and changing business demands. Furthermore, traditional risks, such as credit risk, are heating up again while new risk types are on the horizon, such as “deep fakes” and social media risk.

There are seven key drivers that are pushing banks to transform:

1. Cost management pressures: Firms continue to tighten expectations for efficiency in non-revenue-producing functions. For risk managers this means reducing costs while maintaining or improving quality¹.

2. Risk and compliance gaps: Despite expensive and time-consuming assessment activity, risk and compliance teams have had mixed success in identifying new risk hotspots and potential control weaknesses before they crystallise.

3. Regulatory expectations: Globally, regulators are expecting more linkage between strategic investments and enhanced risk management capabilities.

4. Increasing scope: New focus areas, including virtual assets and ESG risk, are expanding the mandate of risk management teams.

5. Emerging risks and threats: New risks and threats such as cybersecurity threats continue to proliferate in scope and potential to do harm.

6. Complex operating models: Financial services organisations are leveraging new ecosystems of suppliers and partners to deliver products and services to clients and customers, leading to greater reliance on third parties.

7. Financial services digital transformation: The industry has evolved to be “digital first” to meet client and customer demands.

Key questions for banks as they prepare for risk management transformation include:

• Which risk functions should stay in-house and which could be outsourced?
• What is my average cost per risk FTE?
• Can some of the current risk oversight functions be consolidated?
• Do we have the right talent with the right skill sets for the future?
• Is the current risk infrastructure ready to scale if needed?
• Are data, processes and controls environments ready for a digital upgrade?
• Are my risk and finance inputs / outputs consistent across business lines?
• How many risk processes and risk models do we operate today?
• Are our people currently focused on the right risk management priorities?

Banks understand that they must adapt and transform to ensure that they are prepared to deal with the constantly evolving risk landscape. One of the key trends is an increased focus on developing robust and agile risk management frameworks. To support these frameworks, banks are beginning to explore investing in advanced analytics, artificial intelligence (AI) and machine learning to enhance their ability to identify, assess and mitigate risks more effectively and economically.

For risk executives, there are a number of levers that can be engaged to support transformation:

• Functional and organisational rationalisation: Development of a clear action plan to reduce redundancies, align risk skillsets for the future, and implement an agile refreshed risk management framework.
• Outsourcing: Consider using third parties to help on select risk management and regulatory activities that are not core.
• Risk strategy: A well-defined vision for a long-term target operating model with a clear strategy that is aligned to the business objectives on growth and costs.   
• Refreshed risk culture: Senior management should lead by example in embedding risk culture throughout the organisation, including refreshing KPIs to reflect risk appetite and proactively upskilling staff.
• Risk simplification: Alignment and rationalisation of risk models, risk processes, assessments, methodologies to streamline the burden of risk execution and oversight while still maintaining quality.
• Risk measurement: Optimised set of common risk definitions and taxonomy, and use best-in-class risk models and predictive analytics to gain insights into risks including correlated risks and concentrations (i.e. more dynamic stress testing and scenario analysis).
• Data and tech: Organisations should have a clear strategy relating to data and tech for risk. They should also be using systems that are scalable, support automation at scale, and are state-of-the-art providing real-time dynamic risk assessments, including the use of AI and machine learning.
• Cost take out strategy: Organisations can start analysing how many staff are involved in current risk programmes, what is the average cost to the bank per full-time equivalent, and how much time is being spent in assessing risk versus managing risk. In addition, banks should review manual risk processes and the number of risk platforms they are using. These actions will help to establish current readiness status and highlight the areas where the bank will need to focus.  

Many efforts to transform risk functions have failed to yield maximum and sustainable result. Banks should be looking at areas including roadmaps, regulatory requirements, project management, data and risk models optimisation, outsourcing reviews, digital migration, and people and change. We hope that the practical and thought-provoking concepts in this article will help to create and protect value for banks as they plan their risk transformation journey.