Rethinking the risk management framework for digitally operating banks

With most banks embracing digital operating models, existing risk-mitigation methods are clearly becoming less sustainable. This blog is the first in a series dissecting how to structure risk management in these new models. Each blog examines the topic from a different angle, ranging from the risk management framework, risk strategy & innovation, data management and required risk capabilities to the cost of compliance.

Written by Jim de Wolf

Setting the scene for incumbent banks

The past decade has seen banks undergo a major transformation from physical to digital service providers. Suddenly, incumbents, which for decades had relied on being steady and reliable holders of funds and offering a comprehensive product portfolio, were forced to reinvent their customer approach and service lines. Products and services became more standardized, while competitors focused on customer experience rather than on all sorts of niche products. These changes occurred at a time when the financial world was experiencing its worst crisis since the Great Depression, a crisis that led not only to reduced financial capacity but also to greater regulatory pressure and access to customer data (PSD2), as well as to newcomers launching innovative services to fill the void left by banks.

These incumbents have consequently found themselves wedged between moving forward with digitalization while also having to deal with legacy issues from the pre-crisis era. And nowhere is this more evident than in risk management: the cost of compliance has risen by 60%¹ in recent years, with banks having to resolve legacy issues at the same time as overseeing remediation projects to reshape their risk exposure. Meanwhile, client demands, cost control and competition have been driving innovation at an increasingly rapid pace, and responding to these changes requires agility. In this highly pressurized environment, the second line of defense (traditionally associated with legal, risk control and compliance) has struggled to find its position. And the resultant misunderstandings and sense of isolation are, in turn, hampering progress. So, what should a digital bank’s risk management framework look like?

Improving the risk management framework

Answering that question requires some scoping. Firstly, what do we mean by a ‘digital bank’? In this blog series, we generally use the term to refer to the larger incumbent banks that provide services through digital interfaces while still retaining certain legacy elements. In essence, therefore, we’re talking about digitalized ‘non-natives’ that have adapted to the new (digital) reality.

Secondly, our focus when describing risk management frameworks is predominantly on the roles and responsibilities traditionally defined in the 3 lines of defense (3LoD) model, which is still the most widely used governance framework. In this model, product and process owners own and mitigate risks in the first line, while the second line focuses on risk identification and compliance management, and the third line on independent assurance. The downside of this model is that it promotes working in silos and can lead to delays and organizational disunity. Indeed, the Global Institute of Internal Auditors recently updated this structure in recognition of this aspect.

Therefore, as well as taking a closer look at the functioning of risk frameworks in the face of increased digitalization in the first line of defense, this blog highlights challenges arising from the new reality of digital banking and, lastly, considers how to design risk management within an agile operating model.

Pairing first- and second-line activities

Banks’ new operating reality has been created by society’s drive for digitalization. No longer are 24/7 availability, on-demand services, and insight and interoperability just a nice-to-have. Instead, they have become essential if businesses are to remain relevant. Clients are demanding more control over their financial products and challenging legacy institutions’ traditional processes. At the same time, we are seeing the emergence of new technologies that demand proper understanding and also responsible use. And banks have to adapt to this new reality – and rapidly – if they are to survive.

Although digitalization of banking services enables better connections with consumers, these client-facing innovations rarely reduce the workload in the second line. Separating duties between the first and second lines admittedly maintains a certain distance between the part of the bank developing new ways of working and the part responsible for detecting and advising on risks. But this distance directly impacts on the speed of new business development. And misunderstandings on both sides of the argument for and against an innovative initiative can lead to estrangement and frustration.

Doggedly sticking to a strict division of responsibilities often means sacrificing agility, with new processes and products designed by the first line subsequently being challenged by the second line. But breaking down the barriers between risk owners and the traditional second line can come at the expense of objectivity and oversight. Adding to this complexity are new technologies that are not yet fully regulated and so can hamper or evade proper compliance controls. On the other hand, innovation is, in itself, seldom a linear process able to be subjected to comprehensive controls.

Innovation challenging the 3LoD model

The separation of duties provided for in the 3LoD model makes it the first line’s responsibility to innovate and the second line’s responsibility to check the innovation. In practice, the first line often starts a certain innovation, only to find it being rejected by compliance. Maybe because of risks (foreseen or unforeseen), unclear regulatory boundaries or requirements, or insufficient risk appetite. Or maybe through miscommunications or a lack of commitment by one side or the other.

But while the very nature of innovation requires a culture of openness and transparency, it also inherently involves uncertainty. Being allowed to make mistakes, to test and discuss dilemmas and to take risks are all pivotal for the success of a new idea. Operating in this way is universally embraced in methods such as Scrum, which encourages agile working. Another well-tested way of innovating is by using a Minimum Viable Product (MVP), which accepts the bare minimum for a product to take shape and be tested before further development.

Something these methods have in common is that they all use an incremental way of improving and reiterating work in progress. This means creating a ‘faulty’ or imperfect product and then using this to drive testing and improvements along the way. This then challenges the existing role of the second line, where risk management should challenge the ideas and outcomes of innovation efforts. But rather than viewing this challenge as a consecutive, linear process, it should be incorporated as an integral part of the development method. Innovating in this way requires both first- and second-line expertise, albeit at different stages of the process, with the second line supporting and reinforcing rather than slowing down and frustrating innovation.

Going forward: risk management revisited

The 3LoD model is generally a useful tool for defining risk management roles and responsibilities. It clearly identifies the key activities that should be in place and advocates a certain separation between them. However, it is less suited to an agile, digitalized operating model. Separating the control function from the first line weakens the insight needed to make sound judgements on the extent of regulatory prescription and ethical boundaries. This, in turn, encourages a reflex of pumping the brakes because of unfamiliarity or inability to keep up with change.

Innovation, by contrast, requires a combination of judgement and the ability to apply incremental procedures and agile working and to learn to rely on teams’ ability to overcome failure and to re- and upskill. Compliance officers have to understand that just checking regulatory and other shortcomings in innovations is not enough. Instead, traditional second-line experts need to cross the invisible divide between them and ‘the business’ and take a seat at the table. That way, they can create a framework for innovation to take place. And if these boundaries do not yet exist or need redefining, it is better to explore them together, in line with the bank’s risk strategy and appetite, rather than investing time and money only to conclude that it was all for nothing.

While there is still a place for separating bank duties in terms of risk assessment and assurance, taking expertise forward and reskilling risk managers to align with the bank’s operations are now paramount for success. As is a shared notion of responsibility for the success of innovation in the business and the need for innovation to be compliant.


