The perks of a successful risk strategy

Pivoting banks towards the future

This blog is part of a series on rethinking risk management for digitally operating banks. In the first episode we focused on the risk management framework. We touched upon rethinking the governance structure and better alignment of the first- and second-line activities to support innovation and new ways of working. In this second blog we will discuss the topic of risk strategy, which is essential for digital transformation and innovation as a whole.

Written by Jorien Martinius & Jim de Wolf

Incorporating risk strategy

Many banks have undergone consecutive sequences of (digital) transformations, often performed in silos. The results were often incoherent and concerned only part of the organisation. This has led to unnecessary risks, avoidable losses and costly harmonisation projects. Some of the more common pitfalls are: underestimating the role of the bank or financial institution within the ecosystem, and the (unanticipated) impact of changes on the business units or the risk profile of the organisation, resulting in the incorrect identification of risks and consequently in either overdoing or underplaying mitigation measures. When it comes to innovation, good ideas are often aborted at an early stage, and bad or non-compliant ideas will need an overhaul later on.

To assess whether a risk strategy can prevent these pitfalls and therefore should be an integral part of your (digital) transformation, let's first elaborate on what a risk strategy is. Basically, a risk strategy provides a holistic and structured approach to the identification, assessment and management of risks. However, this description leaves plenty of room for - often conflicting - interpretations. Therefore, we will have a closer look at four elements that should be covered to define an effective risk strategy.

The four elements of an effective risk strategy

  1. Purpose of innovation and overall aim

    First of all, a financial institution needs to establish in advance the overall goal of the innovation or transformation and how this affects the role of the institution within the ecosystem. A changing role might involve other responsibilities and requirements. Once the desired outcomes and design principles are set, the regulatory impact can be determined.

  2. Regulatory framework

    Secondly, there needs to be a clear definition of the regulatory framework that will impact the innovation or transformation. This might involve more than just the law that is directly applicable, as regulators increasingly issue guidelines that need to be adhered to and organisations have various obligations towards external partners by means of private contracts (e.g. outsourcing, client terms and conditions and other third-party service providers).

  3. Risk appetite

    The third element is the definition of the financial institution’s risk appetite. In the design phase of the innovation or transformation, it is vital to have a clearly defined view on how much risk an organisation is willing to take. This forces the developers to take risks into account during the design phase. It also gives the innovating business units clear initial guidance on how much room they have to manoeuvre.

  4. Risk management

    The fourth element is to set up a framework and enable monitoring in order to enhance early identification, assessment and the subsequent management of risks. This framework consists of clear boundaries, a proper understanding of the legal context, a view on the ecosystem, KRIs, Risk Appetite Limits and Early Warning Levels. An important asset for this is the application of measurable data points that enable clear insight as to whether the imagined innovation or transformation will remain within the risk appetite, and also whether commercial and risk strategies are still aligned. This data provides essential insights into the organisation’s priorities in order to focus on the more imminent or inherent risks.

Innovation and the lack of a regulatory framework

Covering these elements of risk strategy in the set-up for innovation or transformation projects will support informed decision-making. In-depth knowledge and understanding of regulations will help project participants to incorporate the predefined requirements in the design and anticipate potential (regulatory-driven) shortcomings and pitfalls. This enables greater agility in proposition development.

When it comes to innovation, there is often no fixed regulatory framework. Clear regulatory guidelines set by regulatory bodies such as the EBA are absent at the time of the innovation, leaving much of the interpretation of (new) regulations open to the market. So is there a risk of non-compliance? During the innovation, how will you know whether regulatory action will cause considerable pushback, which in turn could render the investments worthless? The uncertainty forces the organisation to proactively develop a vision based on specialist knowledge of regulatory topics, the institution’s risk appetite, and a thorough understanding of the risk-based “way of thinking”. This requires a documented risk strategy and a risk appetite, creating a solid audit trail of the reasons behind innovation choices. By anticipating regulatory lines of reasoning and addressing potential risks systematically, the innovation leaders actually might set precedents for the market and the regulator. This will result in a competitive advantage and will potentially increase the market share of the organisation. In any case, it shows both internal and external stakeholders that the decision-making process and risks were well-considered along the way.

Risk strategy as the backbone for innovation and transformation

So how can a risk strategy enable innovation? There are several answers to this question. First of all, it helps to develop realistic plans. “Outside of the box” should not mean “outside of the law”. Regulatory expertise, knowledge of the regulatory landscape and of the strategic positioning of the organisation will enable the sketching of outlines within which the innovators are free to roam and experiment. This is ensured by the set-up of good governance that sets checks and balances and also prevents unwillingness between departments or major blockades. Defining a risk appetite is a good starting point. Align the project goals with the (existing) risk appetite and assess where the organisation is not willing to waive its commitments to good governance. These guidelines help a team to ensure that the project will stick to the core principles of the organisation rather than being carried away by sheer enthusiasm over the potential of the innovation projects. Identify the potential regulatory risks in advance (as well as operational, IT security and financial risks) by providing insight into regulatory requirements and upcoming changes. This will help to define regulatory requirements and prioritise potential risks, and it will offer insight into which risks need mitigation.

Having a risk strategy helps project teams to navigate the various norms to which an organisation is bound. Risk strategy can provide clarity on the feasibility of the innovation or transformation in advance. It sets out the goals for the innovation or transformation, clarifies the legal norms, identifies regulatory uncertainties, ensures insight into the policy requirements of the organisation itself, and takes into account the expectations and guidelines of the supervisor and many other variables that have a stake in innovation projects. To structurally embed the risk strategy means to set out a clear risk framework and include risk expertise as part of the innovation or transformation.

