To be effective in the next five years, risk functions and CRO’s must embrace technology to transform how risk is managed and to support organisations in their digital journey.
Cognitive Computing, Robotic Process Automation (RPA), ecommerce, digital mobility, the cloud and big data are transforming organisations – but they are just the start of an unprecedented technology-powered future.
However, Guy Holland, Partner, Technology Advisory, KPMG, says while technology transformation projects in support of the digital agenda are being embraced, he is concerned that “many organisations are not yet aware of the overall impact these changes will have on their business, including its risk profile”.
The risk function must be at the frontline of this technology change. Firstly, it needs to engage with advanced technology in its own practices, to lift its ability to broadly and deeply assess risk. For example, big data and analytics can boost the speed, insight, accuracy and coverage of critical risk oversight functions.
“Much of the compliance, monitoring and review activities currently performed by risk staff will be replaced with cognitive and automation technologies,” Holland says. “Traditional manual verification of small sample sizes will no longer be effective. Change will be driven by the need to maintain effective risk oversight in a digital environment, and cost efficiencies will be a secondary benefit.”
Cognitive technologies will redefine how the risk function handles large amounts of structured and unstructured data. This means less staff will be needed to review changes in regulations and to assess how they will impact control frameworks.
“A broader set of data will be available quickly to accelerate setting the risk appetite. Automated preventative controls and monitoring will reduce the exceptions requiring manual follow up,” Holland says.
Beyond their own function, CROs must have a wide but detailed understanding of the new technologies being engaged across the whole organisation, and pre-empt where new risks could surface.
“The risk function of the future will still need some traditional risk assessment capabilities – to monitor the flow of risk and the impact to the broader operating environment – but they must develop a greater understanding of technology, how things knit together and how data flows,” says Ian Shiels, Partner, Advisory, KPMG.
James Mabbott, Partner, KPMG Innovate says that as organisations shift from legacy to advanced technologies, their exposure to new risks can quickly amplify.
“So for incumbent organisations, the complexity of managing technology risk is more difficult than for new entrants.”
For example, with countless organisations moving to cloud services, questions are raised around the safety of customer data and the ability to access it.
“Who has the data, where is the data hosted, and do the different jurisdictions that the business operates in have different rules?” Mabbott asks.
Organisations face the risk of new start-ups launching their businesses on advanced technology and gaining an immediate competitive edge.
“They are leveraging things like Facebook to engage broadly with potential customers, or platforms like YouTube – a very cheap method of uploading videos to promote an ecommerce business that can be built on scalable platforms like Amazon Web Services,” Mabbott says.
Other organisations are experimenting with new technologies such as block chain, where the risks are not yet fully understood. As block chain and other technologies progress, the risk function will need to evolve in terms of capability and approach.
“How do you play with this new technology while at the same time maintaining those things that make you great, and keep your reputation in place? When new technologies fall over, your organisation is at risk,” Mabbott says.
Mabbott says at this “tension point” it’s important to be proactive about risk, but also to keep a sense of agility and experimentation. He emphasises that the risk function should not be perceived as a road block to innovation.
To bring the most insight to an organisation, the risk function must investigate and experiment with new technologies to better facilitate its risk controls and risk assessment.
“People are trying to think ahead and say, with the emergence of learning machines, machine management and ‘artificial intelligence’, what efficiencies can the risk function harness?” Mabbott says.
In a financial institution, this could include engaging automated credit risk technology to check the validity of transactions in real time, or ensuring they are meeting regulatory obligations.
“It might mean sourcing new skill sets and competencies within your risk function. A traditional compliance professional with a legal background may need to be supplemented with a knowledge of data science, and an understanding of how new technologies function and operate,” Mabbott says.
The potential for a competitor to completely disrupt the way an industry operates should not be taken lightly. Tech-savvy startups are creating ground-breaking credit risk analysis technology and customer service platforms. These disruptors are changing the paradigm for what customers expect.
“At KPMG we are working ‘at the edge’ where the weak signals of change exist, exposing people to the new technologies and start-ups. It could be in the rapidly evolving area of payments, or developing ‘robo advice’ tools to communicate with clients,” Mabbott says.
Shiels says new technology means the traditional cost barrier to entry is gone, so the risk function must have “one ear to the ground constantly in terms of the new technologies”.
“That is where the future of industry is being created.”
As technology connects customers, businesses, suppliers and more, the risk function must look down the line to external threats.
“You have a lot of moving parts, and a lot of non-traditional vendors coming into spaces that have been dominated by big companies for a long time,” Holland says.
Conversely, the risk function must also look within its own organisation.
“A big risk can be people that have legitimate access to systems, so it’s essential to specifically authenticate people using the systems, and ensure the person belongs to the profile,” Shiels says.
Failing to prepare for new technology risks could lead to the closure of an organisation, unnecessary costs or reputation damage.
“You could be paying more than you should for acquisitions, or lose sight of where your customers are at with behaviour and preferences. You risk implementing technology that is not compatible with your customer’s expectations and you could fail to deliver a positive customer experience.
“There is also a competitive advantage component to getting technology risk right,” Shiels says.
Technology is just one of the many areas that the risk function must adopt as it prepares for the future. Find out more in our article The change challenge for risk.