Emerging Focus Areas in Risk Management for the Next Decade

Post the Digital Revolution, the world has converged into a small intricately connected entity with
many inter-dependencies. Today, the impacts of Events on one part of the world can be seen all
across the globe. Hence, the risk ecosystem is evolving at an unprecedented rate. While
conventional risks have been tackled to a greater extent due to advent of technology but we may
have created a Frankenstein’s Monster in the process. In a recent Global survey of about 100 top
financial institutions conducted by Deloitte, cyber-security was named as the top-most risks whose
importance is believed to continuously increase in the next few years. Cyber-security has gained a
heightened focus of regulatory authorities because of numerous instances of hacks and digital
intrusion attempts on the financial organizations.

The next on the list is strategic risk, cited by 27% of organizations in the survey. The increased
attention to strategic risk is due to current uncertainty and unevenness in the global business
environments and markets. Regulatory/compliance risk features third on the priority list. Although
the financial institutions still have to comply with an extensive regulatory framework, the changes in
the system have decelerated. Apart from the top three, data integrity, conduct and culture have
emerged as concerns which would be receiving more and more importance attention both form
organizations and regulatory authorities.

Considering the financial risks, the Financial reserve board and OCC have pointed out that banks
have moved away from their post-2008 crisis conservative posture to lowering the underwriting
standards to facilitate loan growth. With the large-scale concentration of commercial real-estate
loans across institutions, there is increased probability of potential deterioration of the credit quality
in case of interest rate increase. This can cause an increase in cap rate, tanking of collateral values
and increased defaults. New impairment approaches have been introduced under CECL Current
expected credit loss model and IFRS 9 to address the delayed recognition of credit losses by making it
mandatory for institutions to report all currently available information including “reasonable and
supportable forecasts”. The basal committee has introduced strict minimum capital requirements,
quality standards, stress testing exercises for systemically important financial institutions which has
helped manage the market and liquidity risk to a great extent.

While lot of organizations are fairly confident about managing the financial risks, there has been
broad acknowledgment of challenges faced in effectively managing non-financial risks such as
operational risks. Regulatory expectations in this area is less well defined, methodologies are less
sophisticated and gaining access to relevant data even more difficult. The losses from the
cyberattacks were an estimated US$ 445 billion across all industries in 2016 up 30% from three years
before. The SWIFT and US Treasury department have issued warnings against the increase in the
sophistication of attacks ranging from installation of ransomware to disruptions of online systems.

Third party relationships present an unique set of operational risks including non-performance,
intellectual property theft, violation of laws and unethical conduct, data breaches and infrastructure
breakdown or disaster. The actions of third parties can cause significant financial loss and
reputational damage and financial institutions retain the responsibility for the action of its vendors.
Hence, maintaining an internal loss event database, facilitating incident reporting and increased
focus on risk analytics are some essential measures to handle non-financial risks. Options like RPA
and cognitive analytics can increase efficiency and keep the compliance costs low. Risk appetite and
risk utilizations need to assessed regularly and built into the products and strategic goals. Cognitive
analytics, machine learning and natural language processing hold great potential in automation of
risk assessments, scanning risk activities and flagging anomalies for review by human professionals
to the best of their judgement. Digitisation of Risk management could help in generating early
warnings about impending risks, offer insights to factors that increase risk, free risk professionals
from repetitive tasks allowing them to concentrate on identifying emerging risks and add value.