by Andrew Gray, managing director and group chief risk officer, Depository Trust & Clearing Corporation
Over the years, the risk management function has expanded from focusing on credit, market and liquidity risk to include operational, systemic and, more recently, technology, information and physical security risk, as well as business continuity. There are several forces driving this transformation.
First, firms understand that they can be negatively impacted by a wide variety of incidents, such as technology outages, operational breakdowns, or a cyber attack. This can be devastating not only to the firm itself but also to the wider industry, due to the interconnectedness of the financial system. Second, the risk management function helps to establish clearer distinctions for responsibility of policy definition and risk assessment, particularly in the case of technology and information security risk. Third, there is a need for a holistic view of risk and a consistent approach to measuring and managing it. Lastly, firms require greater transparency into the connections between various risk types because issues in one risk family can have a knock-on effect in other risk categories.
Establishing a systems view
A clear understanding of the interconnectedness of the market is critical to the way firms manage risk because there is increased complexity and unpredictability in the nature and impact of the risks institutions must defend against today.
As a result, it is important for risk managers to reorient how they view the financial system, recognising that it is complex and adaptive with a diverse set of interconnected components. Today, risk is not always transparent, which means that firms have to expand their understanding of risk to include the extended enterprise, such as market participants, clients, vendors, vendors of vendors and many other players. In addition, firms must place greater emphasis on mitigating extreme but plausible risks by taking a more forward-looking view than they have in the past.
Many financial institutions have responded to these changes by developing scenario analyses to help measure, understand and mitigate risk. But in taking a systems view of risk, firms need to consider the full range of risk types, including operational or technology incidents, when performing these analyses.
Building resilience
Systems breakdowns are inevitable nowadays because the modern financial system is open and, therefore, more susceptible to attack. This reality, combined with the increased complexity and diversity of the threat and greater unpredictability in the nature and impact of risk, requires firms to be prepared to detect problems and recover from them as efficiently as possible. As a result, the focus today needs to be broader than just managing risk — we need to focus on building resilience.
A key element in enhancing resilience is changing the culture of an organisation and establishing frameworks and processes that encourage appropriate conduct and behaviour with regard to risk — most importantly by expanding ownership of risk management to all employees of a firm and empowering and incentivising them to act as risk managers.
Another important way to bring greater employee focus to risk and resilience is by nurturing a learning mindset that raises awareness of what is happening within the organisation, continually looking at what could go wrong, questioning assumptions and encouraging learning the lessons of the past, including near misses.
What to do with the data?
While establishing a systems view of risk and strengthening resilience are essential, the industry will need to address several key challenges to fully achieve these objectives.
For example, a lot of effort has been expended on collecting large amounts of data across the financial system, but data collection itself is only a means to an end. We must be able to successfully manage the data by developing more sophisticated analytical tools that can mine this information to identify risk trends, including events that could potentially spark contagion or create systemic shocks.
Given the nature of complex adaptive systems, we need to re-evaluate and supplement the tools we have traditionally used in risk management, which have been based on assumptions of normal distributions and linear behaviour, to now include the ability to capture interconnectedness.
A good example of this is the recent recommendation by the US Office of Financial Research that the industry should consider using tools from process systems engineering to tackle difficulties in identifying, modelling and analysing data in the financial system. Further, the industry must continue to share information and increase collaboration across geographic boundaries to paint a more robust picture of interconnections.
While the industry has made tremendous progress in advancing risk management since the start of the financial crisis, the evolution of market structure and the ongoing transformation of financial institutions reinforce that there is still much work to do to ensure that we are prepared to protect against the many new and emerging risks the industry faces.