In the modern FSI industry, technology risk management is about much more than just keeping the lights on. Having faced crisis after crisis since 2008, banking leaders are risk-worn and looking to wrestle the bull into submission through real-time risk control and resilience. As customers do more of their banking online through apps, bots, and websites, it has become apparent that risk is something that is there for all to see, rather than something only the board discusses. In the 2020s, every bank employee must be a risk officer.
According to its central authority, the United Arab Emirates’ banking sector has an aggregate asset base worth US$1 trillion. Financial institutions here have enthusiastically embraced technology to dazzle customers. Many have understood that technology risk management can be turned on its head to become a competitive advantage. Yes, the customer demands new digital experiences delivered in a steady, innovative stream. And yes, this brings risks like cyberattacks, fraud, and service failure. But this is not the whole story.
ServiceNow recently interviewed 750 senior banking executives around the world. The findings, published in our “Conquering technology risk in banking” report, paint a picture of the Bank of Tomorrow, in which the capability to innovate is inextricably linked to the quality of risk management. In fact, some 70% of CEOs and CROs said accelerated digital innovation was driving a need for enhanced technology risk management. The modern bank must therefore take a fresh look at best practices as they relate to the intersection of risk management and tech innovation. Here are the five ways banks can turn technology risk into an advantage.
- Build a single source of truth
Data will be central to both innovation and risk mitigation. Data is how we personalize customer experiences, but it is also how we improve our threat posture. Both use cases call for the enabling of visibility across the enterprise so that decision-making by experience leaders and risk managers is supported by homogeneous information. Often, vendor risk data must reside side by side with customer and transaction data. Advanced analytics, dashboards, and other tools are going to be commonplace in all departments to enable the extraction of insights, be they risk-related or experience-related.
- Equate risk and innovation
Banks must align risk and business priorities so they can take knowledge-based decisions and make the right trade-offs. This is impossible without collaboration, not only between internal business units, but between the bank and its partners and suppliers. The bank of the future will introduce risk management across functions, ensuring they innovate together and handle risk together.
Automation is a great way to bring more efficiency to the identification and detection of risk, as well as the protection of assets. It can also speed up response, compliance, and analysis. Automation allows significant leaps in accuracy and improves data quality. Integrated risk platforms use automation to provide banks with a comprehensive view of cyber, technology, enterprise, and operational risks. Normalized data and common toolsets allow organizations to innovate within the context of risk. An integrated platform can facilitate effective transference between different kinds of risk. It can, for example, allow for scenarios like a systems failure that shuts down trading.
- Invest in next-gen technology
Adopting the latest technology can, in and of itself, mitigate the risk posed by that technology. Legacy systems are notorious for being out of support or close to it. By modernizing their IT systems, banks can take advantage of the cloud for resilience and cybersecurity orchestration. Banks would be well served to ramp up their investments in more sophisticated cybersecurity defense technologies, such as security information and event management systems (SIEM), which can help spot patterns in security data; cloud-access security brokers (CASB), critical for securing sprawling cloud platforms; quantum cryptography to improve encryption; and endpoint detection and response (EDR) to continuously monitor end-user devices.
However, arguably one of the areas we will see the biggest investments is in artificial intelligence tools that will enable banks to reduce human error and identify and respond to risk more quickly. Another area is blockchain, which can also improve security, as well as the transparency and traceability of transaction data, all of which combine to lower the risks of errors and fraud. And predictive analytics and digital twins can combine to build simulations that allow senior decision makers to gauge risk probabilities and impacts.
The list goes on. A range of IT, security, and risk management tools are already available to improve security posture and automate workflows to mitigate human missteps and boost productivity. Others monitor and address regulatory matters and automatically audit risks.
- Unite teams
Culture is crucial. If banks want to effectively manage tech risk and ensure resilience, they must communicate the essence of risk — its identifying marks and its impacts — to every employee. All stakeholders must be involved in strategy, and all departments must be trained on risk and collaborate on execution. It is important to assign critical tech risk roles to varying functions in the bank, including operational risk, cybersecurity, data privacy digital transformation, IT risk management and data quality and governance. Furthermore, to aid in coordination it would be beneficial to assign IT risk to the job description of the CRO.
- Modernize governance
In an ESG-driven world, banks must address the need for compliance planning, monitoring, and maintenance while tracking changes in national, regional, and international regulations. Each institution must be able to identify, measure, test, and report these risks and incorporate them into their own, preferably non-financial, frameworks. Technology risks represent potential impact in areas like strategy, finance, operations, compliance, and reputation, so it is essential that the board is actively involved — data is crucial in enabling these decision makers to insulate the organization from fallout.
The Bank of Tomorrow
Following these best practices brings many benefits. In risk and compliance, we see reporting, risk identification, response, control testing, and issue resolution are all faster, leading to fewer breaches. And on the performance side, we see reduced costs and improved revenue (which leads to higher profitability) in addition to accelerated innovation, and enhanced customer retention rates. Organizations are also more scalable, with faster times to market. And these are all hallmarks of the Bank of Tomorrow.