As the sector faces further regulatory intervention, what will it take to bring about real change?
The ongoing COVID-19 crisis has shined a bright spotlight on the relationship between risk management and financial institutions. As a result, the industry learned about the impact of its ever-expanding reliance on third-party service providers, often a critical component of supply chains and operational support functions.
Given the widespread disruption experienced in 2020, we can expect several major changes to emerge in the coming year, with a risk regulation overhaul leading the pack.
Fines resulting from poor risk management controls targeted all aspects of the financial industry in 2020. Recently JPMorgan was charged $250 million over inadequate risk management in its wealth management business. This followed the $400 million in fines Citigroup faced for major deficiencies with its risk program.
As we head into the new year, three things are clear: bank boards will continue to intensify their oversight of the risk program; banking executives need to rethink the short and long-term consequences of poor risk management; and risk strategies must be refocused on how to get ahead of the drastic regulation changes on the horizon.
Repercussions of static risk management
New findings from this year’s Regulatory & Risk Management Indicator survey, which illustrates the overall level of regulatory and risk management pressures that US banks and credit unions face, show an eight-point increase on the Main Indicator Score from the previous year.
Despite the increased pressure and fines, and the expectation that they will both continue into the new year, we still haven’t seen enough real change. Instead of shifting approaches and solving the core problem, some banks are considering these penalties a cost of doing business, which is a risky and unsustainable proposition.
Managing changing regulations was one of the top challenges banks faced in 2020, and in reality, has been an ongoing compliance and control weakness. The market lacks an effective and efficient one-stop-shop resource for staying on top of regulatory changes, which leads many banks to rely exclusively on their control functions and compliance units.
While these compliance and control teams are “holding the line”, there has been limited consideration of the long-term effects and ramifications of such reliance.
In addition to gaps in regulatory compliance that leave the industry significantly more exposed to regulatory failings, there has been very little attention paid to cascading risks, catastrophic events and sudden shifts in risk across the client and third-party landscape.
Damage to reputation and trust that stem from a breach or disruption can multiply the cost exponentially beyond the initial fine, leaving an impact on profitability and growth that may be felt for years.
Regulatory change is coming
Considering the increasing number of breaches and disruptions across the financial industry, many of which originated at a third-party vendor, we can expect regulators to rewrite their playbook on risk management due diligence in 2021. The new emphasis will be proactive and continuous risk monitoring of the entire supply and sourcing chain.
The reason is quite simple. Current financial risk management practices and due-diligence strategies leave organisations and consumers exposed.
Take third-party risk, for example. The majority of due diligence and risk assessment is performed at the initial engagement stage, with limited, if any, ongoing monitoring of the vendor’s financial, regulatory and cyber risk. This approach is reactive and overlooks critical risk factors like location, people, geopolitics and more.
The current risk environment is dynamic and changes occur at a rapid pace. Monitoring programs must be designed to be proactive and forward focused or face the consequences of their failure to stay ahead of risk.
The vague language regulators use to discuss risk management controls results in individual financial institutions relying on interpretation to determine the methodology they will use to address the regulatory requirements.
Take, for example, the language used in the regulatory guidance on risk tiering: “it should be commensurate with the risk associated”.
While regulatory language will probably continue to be vague by design, regulators will undoubtedly have increased expectations for direct and clear processes, internally and externally, that take advantage of the advancements in risk management technology and innovation, like automation, real-time monitoring and AI. These tools, used to improve product delivery and increase profits, must be an integral part of the risk identification and avoidance program.
One area of risk that we expect to see more highly regulated in 2021 is Environmental, Social, and Governance (ESG).
Climate Change and Systemic Racism, both primary ESG factors, are two of President-Elect Biden’s four core focus areas. It is highly likely that organisations will face heightened reputational and compliance risks if they fail to establish adequate ESG controls.
While some banks have existing environmental and social risk approaches, new standards and consumer demands will almost certainly emerge.
Every financial institution – even the most established banks – will need to keep abreast of the changes and adapt their strategies. Success requires increased visibility into the entire risk landscape.
Take proactive steps today
How can industry leaders prepare for the new year? The first step: establish a proactive risk management program with a holistic view of risk, in which continuous monitoring provides real-time visibility into the complete risk landscape. Total visibility will be the operating lever for all compliance, risk and business objectives organisations have on their agendas in 2021 and beyond.
For banks, shifting to a continuous, real-time risk monitoring strategy is critical. It’s time the market moves beyond point-in-time assessments, which are static and can miss sudden, unpredictable risk events, and starts monitoring risk with real-time technology. If you don’t make the shift today, regulators will force you to tomorrow, and the cost and operational disruption will be multiplied.
If COVID-19 has taught us anything, it’s that everything can change in the blink of an eye. We have to be ready to react. We have to be resilient. With COVID-19 vaccines beginning to roll out, a presidential inauguration right around the corner, and a brand-new year to look forward to, there’s significant change on the horizon for every organisation.
The difference between proactively preparing for change and tackling issues at the core, versus simply accepting the fallout, will distinguish the risk leaders from the laggards for years to come.
Atul Vashistha is a leading expert on supply chain risk and global business services. He is founder and chair of Supply Wisdom.
He recently served as vice chair for the US Department of Defense Business Board.