Once upon a time, technology risks were relegated to the IT world. Any problem with the bank’s systems was an IT problem. However, this mindset is changing. Since the adoption of digital banking, these problems are getting bumped up the chain of command. As potential threats to the whole organization emerge, tech risks are appearing on the radar of Chief Risk Officers.
In fact, industry leaders and regulators see a significant number of risks emerging in the financial space. As the complexity and vulnerability of underlying IT systems intensifies, reevaluating risk is crucial. Many IT systems are outdated or consumed with technical debt. Ignoring the problem only creates more issues. These issues are often harder to address down the line.
With a growing reliance on technology and a spotlight on risk governance, CROs are shifting their attention to technology risk.
Empowering the Chief Risk Officer Post-2008
Fifteen years ago, the role of the Chief Risk Officer (CRO) was somewhat nebulous in the corporate hierarchy. That changed after 2008. After the world financial crisis, policy makers in the U.S. adjusted their expectations of financial leaders and risk oversight. Right off the bat, authorities introduced regulations calling for enhanced risk governance. In fact, the focus on risk governance has ramped up significantly since the early 00s. For example, in the 2016 Basel guidelines “risk appetite” is referenced nearly 50 times, versus not at all mentioned in the equivalent guidelines back in 2006.
By 2010, the Dodd-Frank Act highlighted the need for risk committees in financial institutions. Four years later, the Office of the Comptroller of the Currency (OCC) required risk oversight boards for certain U.S. banks. It also obliged large FIs to escalate the reporting line of the CRO to risk committee boards and the CEO. By 2015, 90% of U.S. bank holding companies with assets greater than $10 billion claimed to have their risk appetite statement (RAS) reviewed annually by an outside risk committee.
Notably, these efforts are not without merit. According to the 10th annual EY/IIF Global Bank Risk Management Survey, risk executives are quick to acknowledge that the global regulatory reform agenda was positive overall. One risk executive notes, “increased discipline with respect to stress-testing, capita management, and liquidity management is a positive for the industry as a whole.”
Generally speaking, banks have far more capital and liquidity than in past decades, especially large, systemically important banks. Given the improvement, CROs are shifting their attention to the growing number of non-financial risks. These include industry disruption due to new technologies, pace or breadth of change from digitalization, and geopolitical risks.
Growing Concern over Core Banking Technology
One challenge that has loomed over the IT department for decades is legacy technology. Many Chief Risk Officers are aware of the issue. In fact, 56% of CROs say they are prioritizing the problem of IT obsolescence/legacy systems in 2020, according to EY/IIF.
For one, legacy technology complicates new initiatives. According to one executive:
“Internally we are debating whether, given the pace of technological change, rather than continuing to fix and upgrade clunky systems, there is a way of building a totally different bank on the side. The [systems are] so entangled, it is really hard to ever get where you want to get to, given the legacy systems.”
Indeed, the task of modernizing legacy systems is daunting, but minimizing the risk must be done. That’s why experts believe continuous modernization, or a phased migration approach, is the best way to achieve time sensitive goals with minimal risks. The 2020 World Retail Banking Report asserts that a phased modernization allows banks to progressively transform their core banking system and leverage the API network to build an open and scalable platform.
How to Manage Technology Risk
In the end, Chief Risk Officers must instill the bank’s risk appetite firmly in the day-to-day decision making. That’s why McKinsey and Company recommends six principles regarding technology risk management:
- Adopt a business-first approach – One way to do this is to implement fusion teams, such as an IT-risk group to identify the most critical business processes and information assets.
- Coordinate across the sub-disciplines of IT-risk management – Coordinate with sub-disciplines, like information and cybersecurity, resilience and disaster recovery, architecture development and testing, to ensure there are no gaps in risk governance nor any duplication efforts creating inefficiency.
- Close the gaps in the three lines of defense –Banks should carefully clarify the roles and responsibilities in managing technology risk for each line of defense.
- Integrate with enterprise risk management – Without a common risk-management technology platform shared by both the IT-risk team and the ERM or operational risk groups, there’s a struggle to aggregate data consistently to allow managers to make decisions.
- Change the performance incentives for IT managers – Add forward looking metrics. Track the number of incidents and the actual recovery times for highly critical service chains to align business and IT managers with a risk-management mindset.
- Invest in specialized talent – It’s important to build a core group of IT-risk professionals to define architectural-review committees, establish a consistent software-development life cycle, and monitor test results.
Have questions about modernizing your legacy systems? Contact us.