Owning the Risk Agenda

In theory, a financial services firm’s compliance program should be an extension of the firm’s larger efforts in mitigating risk and protecting investors. In reality, however, a firm’s risk management function is limited in its resources like any other corporate function, and therefore must pick its battles. More often than not, for obvious reasons, risk management ends up being largely shaped by the compliance requirements set by regulators.

But just as generals fight the last war, regulators tend to focus on preventing problems of the past from reoccurring rather than preemptively mitigating against new and future crises. We can see this in the themes that have dominated the global regulatory compliance landscape over the last decade. Risk management at banks has largely been defined by the global banking regulatory reform that occurred in response to the excessive leverage and “shadow banking” exposed by the 2008 financial crisis. Similarly, firms that trade in over-the-counter derivatives have had to implement the transparent trading, clearing, and reporting required by regulations put in place after the crisis. In addition, institutions along the financial services spectrum have spent considerable effort complying with increasingly complex regulations designed to combat longstanding threats from money laundering, terrorist financing, and tax evasion.

However, while regulators and firms have been focused on these concerns for the last decade, new risks have been emerging. Many of these emerging risks tend to fall into one or more of the following four categories:

1. Operations
   Business models and products are becoming more complex and specialized as financial services institutions compete to serve increasingly sophisticated consumers and to provide better returns on investment. But regulations addressing operations tend to lag behind reality, especially as products rapidly evolve in the field.
2. Data and Technology
   Financial services over the next decade will see further automation and use of data analysis in decision making and transactions. However, as technology simplifies, it also complicates, setting in motion effects that can be difficult to predict–even more so as multiple high¬speed platforms powered by machine learning and artificial intelligence begin to interact.
3. Outsourcing
   As value creation becomes more specialized, customer bases become global, and industries converge, outsourcing and partnerships are increasingly critical parts of the business. But reliance on third parties brings a host of concerns ranging from performance risk to reputational risk.
4. People
   The move toward greater automation does not mean that people will be playing less of a role but rather that the role will increasingly draw on innately human qualities such as creative judgment, persuasion, and connection. Finding people with these attributes in abundance is inherently difficult. More importantly from a risk perspective, judgment, persuasion, and connection must be properly harnessed to proper communication and incentives. This is a hard formula to get right. 

A disconnect has widened in places between the risk agendas of regulators and the actual risks that industry faces–a disconnect that is itself a significant risk.

These emerging risks have not yet caused crises or made headlines; they remain discrete challenges at individual firms. As such, they are still making their way onto the regulatory agenda, which by definition is focused on establishing rules that can apply to the entire industry (or at least a defined subset of it) rather than on creating specific solutions to specific problems. But these issues are very much on the minds of firm risk managers and strategic decision makers.

To be sure, regulators and financial institutions alike are starting to identify and plan around these risks. There are rigorous processes for onboarding new technologies. Due diligence of third parties is becoming more extensive, expanding beyond financial and legal matters to encompass a larger sense of the counterparty’s business practices and business relationships. There is a greater awareness of the role that recruiting, training, and retention play in human capital.

However, most firms will admit that they are far from being out in front on these issues. And this is likely to remain the case so as long as firm risk management follows regulatory priorities, and those regulatory priorities are primarily focused on preventing past crises from reoccurring.

In other words, a disconnect has widened in places between the risk agendas of regulators and the actual risks that industry faces. This disconnect is itself a significant risk, increasing the probability that a crisis could emerge from the range of issues currently brewing. Industry should not wait for regulators to solve this problem. Instead, industry needs to become more proactive in setting a risk management agenda that starts with regulatory compliance but then goes beyond it to include the systematic and collective examination of risks in their earliest stages. This will require collaboration between firms and the sharing of data and experience–including vulnerabilities and what has and has not worked in countering them.

For all its limitations, the strategy of letting regulators set industry’s risk agenda can also become somewhat comfortable. Financial services firms need to break out of that paradigm, both to solve the problems in front of them and to strengthen the foundation for the financial system’s long-term stability.