It’s difficult nowadays to avoid the subject of rapid technical (r)evolution. Innovation impacts both consumers and companies (financial and non-financial) alike. Buzz words like “fintech”, “insuretech,” and “regtech” have become part of our common language. The way consumers and businesses interact is evolving fast: Mobile is the new communication tool (both touch and voice), blockchain offers many long-term promises, robo-advisors are changing how one saves for retirement, and alternative lending is challenging the traditional methods.
This trend of constant technology innovation and evolution of human interaction is changing and unlikely to slow down. Long-term trends in demographics also impact how businesses operate. A combination of an aging workforce and millennials – each with very different technological sophistication -- offer an interesting challenge for businesses both for managing their workforce and for interacting with customers. With these new opportunities also come new risks. It’s personal (who knows about your personal digital identity?). It’s business (What is the impact to my business if it gets hacked – or that of my clients or suppliers)? It’s political. It’s global.
Regulators are paying attention. Many of them, including CPMI- IOSCO (The Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions), the Office of Financial Research, or the NY Department of Financial Supervision, have identified technology and cyber risks in particular as key threats to financial markets, with potentially systemic consequences.
This means that the role of risk management in financial institutions is evolving. It is becoming ever increasingly complex. No longer is the role of risk management focused on market and credit risk. It includes monitoring and managing global macro risks and, of course, technology risk (which introduces ‘unknown unknowns’). Technology risk, although understood by technology teams, should go beyond the IT structure of the business – it expands to risks of service providers as outsourcing non-core tasks becomes more prevalent, to potential investments (what would happen if an investment company suffers losses from a cyber-attack?), to suppliers (is their technology up to date?). With an ever increasing number of potential disruptors, companies are stuck between the anvil of doing nothing, or the hammer of adopting untested technologies.
It’s personal. It’s business. It’s political. It’s global.
This implies an evolution of the risk culture recognizing the interplay of different types of risks. This requires a clear framework, which includes coordination amongst stakeholders, clear accountability, education, and communication. One should systematically run extreme, but plausible, scenario analysis, not just about market movements, but about technology and macro risks – what would happen if my cloud provider went down? Do I know how many of my third party services or customers rely on that same cloud provider?
Technology is moving faster than ever. It comes not only with significant advantages, but also risks that should be identified and managed proactively. How confident are you that your risk framework takes into account ever-changing technology risks?