This article is co-authored by Vaibhav Dubey, Priyanka Mishra, Suresh Thevar & Vaibhav Grover
Banking continues to be in the forefront of driving digital and process transformation. Many banks are on a transformation journey when it comes to core banking or back-office operations. These journeys are initially focused on cost reduction, making effective
decisions leveraging data and AI, and customer experience, often considering risk and compliance only at a later stage. Risks are generally mitigated or remediated on an ad hoc basis, and not by design. Those transformation journeys often lead to black box
operations where legacy systems are de-commissioned, several processes re-engineered, multiple new applications are deployed and integrated, and the end state lacks transparency in terms of clear documentation, system architecture and traceability of data
movement.
However, as transformation journeys get more complex and scale increases, the ad hoc approach to risk and compliance fails. Banks often pay heavily for the failure to consider risk and compliance at the initial planning stage of the transformation journey.
It not only causes significant delays in delivering the projects, but banks may also end up going through regulatory scrutiny or paying hefty penalties due to compliance breaches. In the end, banks often pay larger regulatory penalties than the cost reduction
or revenue enhancement achieved through a transformation initiative.
In 2020, a large US bank agreed to pay USD 80 million fine to Office of the Comptroller of the Currency (OCC) over a major hacking incident in 2019 where approx. 100 Million credit card applications were illegally accessed. The OCC said in a statement that
the said bank was fined “based on the bank’s failure to establish effective risk assessment processes” before it moved a major portion of its computer data to a cloud storage system, “and the failure to correct the deficiencies in a timely manner.”
Risk management ‘by design’
Banks should include risk management as one of the key objectives of the transformation program to ensure adequate leadership focus and prioritization is given to identify and manage risks during the transformation journey.
The first- and second-line risk and control groups, including Business Risk, Operational Risk, Compliance, and Information Security teams, should be involved from the beginning of the transformation program to ensure they can provide credible challenges
throughout the design and development phases instead of just performing post-facto review and audits at the end.
Further, embedding risk experts in the engagement teams ensures key risks are identified and steps are determined to manage them through the regular solution design and development process. For example, risk experts participate in solution sprint and release
planning activities to highlight risk and control consideration, while providing a risk appetite statement for the transformation underway.
How can Banks de-risk transformation
Typically, transformation engagements go through four key phases using multiple levers, such as re-designing journeys, simplifying processes, optimizing workforce, automating/digitizing processes and leveraging AI/ML, to transform the processes. Following
the risk management by design principle, embedded risk experts should consider an approach that effectively integrates risk management activities across the four key phases noted below:
1) Planning Phase (Risk Assessment) – Perform process change impact analysis and identify new risks which may need changes in the existing control environment. For example:
· Incomplete data transfer or data leakage issues can occur when new digital and analytics solution interventions are introduced to automate manual processes
· Using third party data sources to verify a new customer being on-boarded or sending customer data to a vendor for processing checks and mail can lead to operational resiliency and data privacy related issues, such as unavailability of critical business
services and data breaches, due to operational/technological failures or security vulnerabilities at the vendor company
· Process changes such as use of remote (non-face-to-face) customer identification should comply with regulatory requirements that ensure banks take reliable steps to prevent impersonation or identity fraud
2) Design Phase (Controls Design) – Participate in process re-design workshops, solution development sprint sessions, and review epic user stories to identify controls and establish needed controls for any gaps. For example:
· Using secured file transfer protocol mechanisms and data encryption controls can help protect data at rest and transit from unauthorized edits
· Establishing preventive automated controls, such as auto-population from source systems and non-editable field configuration, can prevent unauthorized or excessive customer payments
· Pseudonymization or anonymization of PII data collected as part of customer onboarding can protect sensitive customer personal data disclosure to unauthorized people
3) Implementation Phase (Controls Design Evaluation) – Control parameters designed must be configured completely and accurately during system deployment so risk experts should perform control design evaluation and application testing during UAT phase,
obtain evidence and liaise with other business teams and risk partners to ensure any gaps are identified and addressed before going live or production. For example, risk experts can participate in release review sessions and review system generated exception
reports to ensure controls related user stories have been accurately executed by the development teams
4) Monitoring Phase (Controls Monitoring) – Measuring process and controls health post transformation is important to understand if the designed controls are working as intended. Risk experts should support ongoing monitoring of established controls
through operating effectiveness testing and quality assurance activities, including working with business operations, internal and external auditors to implement a remediation plan and actions for any control issues or incidents
Risk proof, accelerated transformation
Swift transformation is vital for banks to grow and thrive post-COVID. Embedding strong risk management interventions in the beginning of the transformation journey is non-negotiable for banks to accelerate their transformation roadmap and to mitigate risks
in the rapidly changing environment. This will ensure that there are no delays or roadblocks in achieving targeted outcomes of the transformation projects.
Disclaimer : The postings on this site are my own personal opinions. This content is not read or approved by my current or former employer before it is posted and does not necessarily represent their positions, strategies or opinions.