Risk management: how to increase banks’ security


Theoretically, risk management in the banking sector is ‘the logical development and implementation of a plan to face potential losses’. In practice, it is the ability to manage a credit institution’s exposure to losses or risks as well as to protect the value of its assets.

In any case, banking activity is always considered risky, so much so that banks usually manage those risks as part of their ordinary operations.

However, from whatever perspective we look at the question, the fact remains that banks typically face several risks: from the reliability and changing expectations of their customers to digital fraud and cybersecurity, from market ups and downs and unpredictability to regulatory compliance.

Many risks can be difficult to anticipate, identify and address. Moreover, banks’ customers expect no wrong moves, since these may result in the loss of their savings and investments, as well as in penalties and reputational damage for the credit institution.

Every bank is aware that, to be successful, it has to take risks. That is why banks develop powerful mechanisms to prevent or manage them. As risks are mutable, these mechanisms are constantly evolving.

Risk management: the meaning

Risk management means weighing up the possibility that a negative outcome might occur due to a particular action, activity or choice. It is common knowledge that an undertaking will never grow or make profits without taking some risks. No bank is an exception to this ‘rule’: risk management is a fundamental, ever-growing and rapidly evolving part of banking activities.

With a few variations, banks are generally exposed to the following risks:

  • credit risk;
  • market risk;
  • operational risk, including data governance and reporting risks;
  • liquidity risk;
  • technological and IT risk;
  • strategic risk.

Moreover, it should be pointed out that banks also face risks arising from external events, over which they have no direct control (e.g., climate risks).

Risk management: how does it work in the banking sector

How do banks manage every risk they are exposed to? By setting up a risk management plan, which identifies all possible risks and tries to nip them in the bud, finding solutions and striving to ensure that they do not materialise in the future. The latter reflects risk mitigation strategies, aimed at neutralising and preventing risks.

For instance, a bank may leverage advanced analysis and automated data acquisition to monitor its own operations constantly. Such continuous, technologically aided supervision of risks helps banks to develop and adapt key risk indicators (KRIs) that warn the relevant risk management teams early enough.

Automated supervision allows these teams to focus on high-risk and high-value areas, instead of carrying out limited, random audits that are costly in terms of time and money.

Specifically, banks follow the steps below when implementing a risk management plan:

  • identification: detection of the main cause of risk. For example, an inappropriate assessment by the bank is the main trigger for credit risks, if associated with a mortgage;
  • analysis and valuation: uniform assessment of risk, to determine its likelihood and prioritise corrective efforts;
  • mitigation: reduction of risk exposure, cutting down the likelihood of an incident;
  • monitoring: collection of metrics as well as incident testing and correction, to ensure control effectiveness and address emerging trends, determining the progress made in risk management initiatives;
  • relationship building: linking risks, business units and mitigation strategies to recognise dependencies, identify systemic risks and design centralised controls;
  • reporting: generation of reports on the risk management program’s progress to provide a dynamic view of the bank’s risk profile and show the plan’s effectiveness.

Risk management challenges for banks

Risk management is not without obstacles. Developments in business models and new technologies, as well as cultural and regulatory changes, have in fact reshaped the way banks and financial companies face risks.

Risk management teams of banks and financial institutions have to keep up to date with the latest market and regulatory developments. Moreover, they need to address several significant challenges, including:

  • customer expectations: today mobile devices are also used to perform banking transactions. Customers require functional digital solutions comparable to what they find in the physical premises. This leaves banks struggling with security risks and problems when designing their online platforms;
  • evolving regulatory requirements: new regulations or amendments to existing ones are by now routine for credit institutions. Banks need to comply, otherwise they are exposed to compliance risks;
  • threats to cybersecurity: a banking and financial services industry that is increasingly based on technology suffers continuous cybersecurity attacks through malware, phishing and other threats;
  • identity theft and fraud: they are detrimental to banking operations, pose risks to the security of banks and their customers and affect the overall customer experience, proving to be quite expensive for banks;
  • strong competition: local and regional banks are facing growing competition from technology companies breaking into the financial services industry and from digital banks;
  • inefficient processes: banks invest lots of resources in operational costs, to prevent commercial or liquidity risks. Without strict practices in place, these costs can rapidly accumulate and result in credit, operational and compliance risks.



How can banks overcome risk management obstacles

Banks and financial institutions need to embrace and support change in order to overcome the abovementioned challenges and manage risks.

Here are some actions which may be swiftly implemented by banks:

  • risk management automation: it reduces costs and limits the adverse impact on banking operations of implementing frequent regulatory amendments;
  • investments in technologies focused on customers: to acquire tools providing the customisation and technology level required by customers, to avoid business risks and stay competitive;
  • cybersecurity solutions through smart technologies: artificial intelligence (AI) and other ‘smart’ technologies rapidly identify and solve identity theft and fraud issues, rationalising security efforts and saving resources;
  • use of cloud technologies: cloud computing introduces money-saving efficiencies for banks;
  • update of existing offers: reviewing customer engagement strategies to interact with customers and meet their expectations.

Why do banks need to manage risks

There are many reasons why banks manage their risks, including:

  • prevent potential losses;
  • ensure their own survival;
  • protect their reputation;
  • safeguard stakeholders’ interests;
  • comply with current regulations and laws;
  • protect the bank’s credit ratings.

However, as banks and the banking system play such an important role in any national economy and in the global economy, the implications of poor risk management are far-reaching. This became evident during the 2007-2008 financial crisis, when governments had to step in to save banks.

Even on a smaller scale, as the activities of a bank concern money and money multiplication, a credit institution in difficulty could reduce or even cut off lending. This would affect the availability of funds for undertakings and slow down economic growth.

For this reason, banks and financial institutions are regulated at national and international level.

Why is risk management important for banks

In a 2021 study on global risk management by Accenture, 77% of risk managers expressed concerns about operational and financial risks emerging faster and faster.

It should be considered that what is normally defined as the ‘risk landscape’ is now becoming even more frenetic, volatile and complex.

In this context, just think about the domino effect of risks triggered by the COVID-19 pandemic on a global scale, which affected all sectors. It is sufficient to add that financial risks are further exacerbated by international crises and economic uncertainty, with an increased number of frauds and cyberattacks.

However, it should be admitted that even the best conceivable caution, forecasting and preparation cannot totally protect banks from risk: in one way or another, they must come to terms with it. Those involved in risk management in the banking sector need robust but flexible plans to respond to any eventuality.

How do banks manage risks

In a nutshell, banks manage risks by implementing policy, procedure and control frameworks requiring careful planning and review as well as periodic updates.

To overcome some implementation challenges, banks have adopted sector-standard frameworks such as ISO 31000:2018, which aims to enable every organization to identify, prevent and manage all potential risks within its business through a structured approach, or the COSO ERM – Integrated Framework, which sets out the ‘performance’ component under which an organization identifies and assesses the risks potentially affecting its ability to achieve its business strategy and goals. The organization prioritises risks based on their seriousness and in light of its own risk appetite.

Nonetheless, as it is impossible to completely eradicate risk, banks need to detect and analyse risks within each business unit.

This is why the risk management division is the nervous system of any bank or financial institution. In fact, the chief risk officer (CRO) of a bank reports to the Board of Directors, the regulatory body and the CEO.

Working in risk management

The risk management division of a bank is a team responsible for identifying, assessing, measuring, mitigating and reporting risks. It means working very closely with colleagues from other departments, in order to develop, evaluate and adopt actions aimed at protecting the bank itself.

Who is the risk manager of a bank

A bank’s risk manager is a professional with good analytical competences and excellent interpersonal skills. He or she must also be logical, well organized, flexible and intellectually curious, as well as having sound values and strong determination.

More than one risk management consultant has described the role with these words: ‘You need to be arbitrator, ambassador and executor’. And also: ‘It is crucial to have a good nose for knowing what requires a more careful and in-depth assessment and what does not. This job is never boring, although it is fundamental for the bank’s survival’.

At SAVE Consulting Group we support CROs and their areas through our consulting and training services as well as our TigreArm platform for the following topics:

  • Production of ICAAP/ILAAP reporting
  • Public disclosure (Pillar III) management
  • Drafting of the methodological note on NPL
  • AQR
  • Drafting of ESG action plans

