When we think about the historical components of industrial revolutions, one of the core characteristics is a notion of a period of rapid change that is highly disruptive to existing practices, designed to transform society for better, or for worse. As technology has advanced, and the capabilities of automation and digital operations have been truly unlocked, I think the fourth industrial revolution is well and truly underway. Our economy, and the financial services industry, in particular, has moved operations dramatically into the digital sphere, and this has only been fast-forwarded this year in the face of a global pandemic, accelerating both the consumer adoption of digital channels along with the rapid movement of companies to embrace virtual working practices. This shift has entirely broadened the realm of possibilities of failures and unknowns, both across technology and humans, which then brings into question the traditional view of dynamic risk management. As attitudes change, and hybrid business models emerge, the time has come to drive the technology agenda forward to maintain pace with the challenges and transformative nature of our industry.
Today’s operating model
New technology capabilities have enabled automation and process at speed, replacing repetitive manual tasks and even augmenting humans in decision making and judgment calls. This adaptive autonomy is transforming the enterprise, creating a level of organizational agility that accelerates innovation in both business models and business practices. These changes are acutely felt at the boundary between human and machine. Today’s operating model invariably features a complex system of processes that bring together human and machine, a world that is hard to observe and arguably hard to manage. As we adapt our practices, we, therefore, need to take a closer look into - and beyond - how humans and machines work and act in an enterprise, and what that means for the resilience of the services delivered to consumers and society at large.
What that means for banks is a significant shift from older, legacy monolithic systems to a collection of applications that are interfaced together to form a technology ecosystem. This new technological landscape is made up of interconnected applications and results in operations that are far more distributed, spanning multiple locations and often multiple enterprises (i.e third-party providers) with an equally dispersed human interface. This expansive and increasingly complex ecosystem of operations is what differentiates today’s organizations from past enterprises. In turn, the observability of those linkages, handoffs, and activity pathways has become increasingly challenging, further amplified by the catalyst of the pandemic, which in turn, heightens the risk of enterprise mishap and failure.
We need a risk revolution
Existing risk management practices, the analog approach of periodic inspection, assurance, improvement, and supervision are no longer sufficient. Simple tinkering with risk and control assessments and promoting the three lines of defense model will not deliver the resilience outcomes that we need to prevent the failures and blow-ups of the past. We now need a revolution in risk management practices and culture to respond to the needs and dynamism of the ensuing commercial revolution.
This is in part a consequence of a heavily-prescribed regulatory agenda that has reinforced the focus on improving established practices. Both organic and ecosystem innovation need to be accelerated, with a more pioneering attitude, in order to drive a step change in risk management capability. We are on the edge of something exciting and here we see the potential for new entrants with new ideas, exploiting technological advancement to present an opportunity to accelerate risk management innovation. The focus needs to be on building capabilities that deliver the right outcomes; protecting consumers, fostering efficient and fair markets, providing sustainable returns to shareholders, and restoring the trust of society at large.
Responding to a problem, not reacting to failure
In the frame of operational resilience, to safely control the complex ecosystems that have rapidly developed, we have to add observability to every critical service and its underlying processes. This is about how we augment human expertise and experience with machine-led capabilities, for example, taking expansive micro-operating data and powerful algorithms to create embedded, dynamic risk management in day-to-day operations. These techniques can enable a predictive view of what may fail and a more responsive approach to managing risk as a result. This ability to respond ahead of time, to the problem, rather than reacting to the failure, is a potential game changer for the Financial Services industry. Not least because this is the same Financial Services industry that has been plagued with a litany of operational and conduct failures in the past, continues to face mounting regulatory pressure, and has yet to restore the trust of its customers and society as a whole. It could equally be argued that the reputational and financial cost of failure has never been higher. Our societies will not tolerate another period of banking failure, the likes of which we have seen in the recent past. The risks are particularly elevated in today’s world of expanding transaction volumes, with its consumer-facing interfaces and cash-free societies. This brings us back to resilience and the need to manage and prioritize resilience so that it does not translate into failure and consumer harm.
How do we build responsiveness into organizational DNA?
With the help of machine learning, combined with the pooling of micro-operating data, we can move to create real-time insights on how any given critical service risk profile is changing, so that we can build a responsive set of actions that anticipate and act to prevent failure. We see this happening in other industries, such as aerospace, where intelligent monitoring systems predict component failure ahead of time, rather than relying on ad-hoc and point-in-time inspections. By using operating data sets over a time series and intelligent algorithms trained on those data sets, pattern variance signals can be generated in real time, enabling predictive models that anticipate failure within a given system. This type of capability allows us to create an entirely dynamic form of risk management, embedded within day-to-day operations. This integrated and data-driven approach can help businesses operate effectively and safely, as part of their operations, rather than as a bolt-on approach, like assurance and inspection.
The development of foresight as central to risk management will remove obstructions to the way that we view risk and resilience for organizations, and with a holistic framework that looks at both machine and human elements, it will elevate the issue, making it far more than a just a technology concern but a C-level, risk priority.
Stay the same, at our peril
Crucially, the right approach to resilience is no longer a nice-to-have, and operational risk is well and truly in the frame. Organizations are not well managed if they lack an effective strategy for operational resilience for their critical services. Practically speaking, that means we are tasked with making sense of a complex technology landscape and understanding how work and activities are orchestrated end to end. Central to this is ensuring that we make critical end-to-end processes observable, actionable, and therefore managed responsively and proactively. From my experience, monolithic risk solutions aren’t the future - our industry needs to see far more innovation and needs to be open to new ideas and capabilities which can challenge and change the current practices to drive better outcomes. We need to make it easier for the Financial Services community to work with new providers to create the opportunities to experiment and iterate the management of risk. It requires a change in mindset to embrace new ways of working, new ideas, and the technological capabilities that are on offer. It has the capacity through collaboration and the sharing of data to even address the asymmetry that exists between the banks and their customers to make the entire banking system safer and more secure, particularly in areas like fraud, financial crime, and cyber threats.
We now have the opportunity to revolutionize not just the businesses themselves, but how these businesses are risk-managed. We need to challenge the current thinking in order to not only keep up but to evolve into a better place and to restore the public trust in our banking institutions. If as an industry we fail to embrace this revolution of risk management, we do so at our peril. As the current practices will not be sufficient, failure will surely follow, for which forgiveness will be in short supply. The step changes needed in the world of operational risk are not going to be solved via iterative change. The remit of the operational risk function has fundamentally changed, and we therefore need to think of this as a revolution, not an evolution, and be braver in a way that reimagines emerging technologies to safeguard these critical business processes.
For more in-depth information about the "risk revolution", download the white paper from Mark Cooke here.
Mark Cooke is currently a HSBC Group General Manager, most recently as the Group Head of Operational Risk. He has also held a number of senior Risk leadership roles prior to HSBC, both as Divisional CRO and in Business risk roles in other major European Institutions. He is a Senior Industry Advisor and Former Chairman of ORX, the Industry association for Operational Risk Management and a Board Trustee for the Royal Hospital for Neuro-disability. The views expressed are his own and do not reflect the views of any entity present or past that he is affiliated with.