Banking continues to be at the forefront of digital and operational transformation. Many banks are on a transformation journey for their core banking or back-office operations. These journeys initially focus on cost reduction, data- and AI-driven decision making, and customer experience, and often consider risk and compliance only at a later stage. Risks are generally mitigated or addressed on an ad hoc basis rather than by design. Such journeys often result in black-box operations: legacy systems are decommissioned, many processes are re-engineered, many new applications are deployed and merged, and the end state lacks transparency in terms of clear documentation, system architecture and data traffic traceability.
However, as transformation journeys grow in complexity and scale, the ad hoc approach to risk and compliance fails. Banks often pay a high price for failing to consider risk and compliance at the initial planning stage of the transformation journey. Not only does this cause significant delays in project delivery, but banks may also end up subject to regulatory scrutiny or pay heavy fines for compliance violations. In the end, the regulatory fines often outweigh the cost savings or additional revenue the transformation initiative was meant to deliver.
In 2020, a major US bank agreed to pay a fine of $80 million to the Office of the Comptroller of the Currency (OCC) for a major 2019 hacking incident in which approximately 100 million credit card applications were accessed illegally. In a statement, the OCC said the bank had been fined “based on the bank’s failure to establish effective risk assessments” before transferring a significant portion of its computer data to a cloud storage system, “and failing to correct the deficiencies in a timely manner.”
Risk Management “By Design”
Banks should include risk management as one of the main objectives of the transformation program, to ensure adequate leadership focus on, and prioritization of, risk identification and management throughout the transformation journey.
The first-line and second-line risk and control groups, including the business risk, operational risk, compliance and information security teams, should be involved from the start of the transformation program so that they can deliver credible challenge throughout the design and development stages, rather than only a retrospective review at the end.
Furthermore, embedding risk experts in the engagement teams ensures that key risks are identified, and steps to manage them defined, through a systematic solution design and development process. For example, risk experts participate in solution sprints and launch planning activities to highlight risk and control considerations, while providing a statement of risk appetite for the ongoing transformation.
How banks can eliminate the risk of transformation
Transformation engagements typically go through four main stages and use multiple tools, such as journey redesign, process simplification, workforce optimization, process automation/digitization, and artificial intelligence/machine learning, to transform processes. In accordance with the principle of risk management by design, embedded risk experts should adopt an approach that integrates risk management activities across the four main stages listed below:
1) Planning stage (risk assessment) – conducting a process change impact analysis and identifying new risks that may require changes to the existing control environment. For example:
Incomplete data transfer or data leakage can occur when new digital and analytics solutions are introduced to automate manual processes
Using third-party data sources for new customer onboarding checks, or sending customer data to a vendor for check and mail processing, can lead to operational resilience and data privacy issues, such as unavailability of critical business services and data breaches, caused by operational or technological failures or security weaknesses at the vendor
Changes in operations, such as the use of remote (non-face-to-face) customer identification, must comply with regulatory requirements that banks take reliable steps to prevent identity theft or identity fraud
2) Design phase (designing controls) – participating in process redesign workshops, solution development sprint sessions and reviews of epics and user stories to identify control gaps and design controls for any vulnerabilities. For example:
Secure File Transfer Protocol (SFTP) mechanisms and data encryption controls can help protect data at rest and prevent unauthorized modification
Preventive automated controls, such as automated data capture from source systems and non-editable field configuration, can prevent unauthorized or excessive customer payments
Anonymization or pseudonymization of personally identifiable information collected during customer setup can prevent disclosure of sensitive personal customer data to unauthorized persons
3) Implementation phase (control design assessment) – the designed control parameters must be fully and accurately configured during system deployment, so risk experts must conduct control design assessment and application testing during the UAT phase, obtain evidence, and liaise with the other work teams and risk partners to ensure that any vulnerabilities are identified and addressed before go-live. For example, risk experts can participate in release review sessions and review system-generated exception reports to confirm that the controls specified in the user stories have been implemented accurately by the development teams.
4) Monitoring stage (monitoring controls) – measuring the health of the transformed process and its controls after go-live is important to understanding whether the designed controls are working as intended. Risk experts should support the ongoing monitoring of the controls in place through operational effectiveness testing and quality assurance activities, including working with business process owners and internal and external auditors to implement a remediation plan and procedures for any control issues or incidents.
Risk-proofed, rapid turnaround
Quick turnaround is vital for banks to grow and thrive after COVID. Including robust risk management interventions at the beginning of the transformation journey is non-negotiable if banks are to accelerate the transformation roadmap and mitigate risks in a rapidly changing environment. It is what ensures that there are no delays or obstacles in achieving the targeted results of the transformation projects.
Co-authors: Vibhav Dubey, Priyanka Mishra, Suresh Thivar
Disclaimer: Posts on this site are my personal opinions. This content has not been read or approved by a current or previous employer prior to its publication and does not necessarily represent their positions, strategies or opinions.