Leaders and managers at financial services companies are constantly evaluating and reporting on financial risks. Depending on the institution’s size and nature of services, a company may be required to submit data regarding its exposure to certain risks to supervisory agencies, such as the call reports sent to the Federal Deposit Insurance Corporation. As a result, the regulated companies have established mechanisms to obtain and analyze data about financial risks, such as liquidity risk, market risk, and credit risk, and report information to management and regulators.
Despite such longstanding risk management practices, many financial institutions may fail to comprehend, and then address, their risk posture fully. To strengthen risk management and more fully address regulatory compliance, companies should ensure they take a comprehensive, data-driven approach to assessing the variety of risks they face. To achieve this, good data, effective tools, and responsible data science practices for risk assessment are essential, and they must be available to all lines of defense.
In addition to financial risks, companies face operational risks, compliance risks, reputational risks, and strategic risks. Many companies already devote substantial resources to implementing analytical approaches to some specific risks in these categories, such as fraud, money laundering, or cybersecurity. However, these systems may be a “black box” to many internal stakeholders, whether they have been developed within the enterprise or provided by an external vendor. This lack of analytical transparency may lead to false reporting or deceptive results. These issues do not require that the system be poorly configured or badly managed, for even well-designed systems can be misinterpreted by users and executives not intimately acquainted with the underlying risk scoring. Managers and teams assessing particular risks should train to understand the data science principles behind any analytical solutions.
Meanwhile, other risks in these categories may be managed through manual processes or simple desktop applications. Financial institutions continue to rely on spreadsheets for many sensitive and risk-relevant business processes. For example, an institution's determination of all the rules and regulations that apply to it, which is fundamental to a complete understanding of its compliance risk, often resides in a simple spreadsheet. For an institution with many varied responsibilities, such a spreadsheet will be cumbersome to maintain and prone to error. Of course, moving from a spreadsheet to another type of application is no guarantee against mistakes. To the extent possible, the risk assessment should be driven by automated data pipelines, analytics, and reporting, designed with input and awareness from all stakeholders to ensure the timeliness of the information and visibility of changes.
Finally, some risks may receive limited attention in terms of systematic, data-driven analysis. Aspects of reputational or strategic risk, in particular, may be primarily or exclusively considered through expert judgment. For example, what are the potential impacts of unexpected, “long-tail” events, such as a global health crisis or major geopolitical conflict, on specific products and the institution? Companies should consider what inputs, metrics, and models for these types of risks might augment their current approach to risk assessment.
In addition to expanding the set of risks covered by data-driven approaches, it is crucial to consider the full range of stakeholders for any given risk. These stakeholders are not limited to the business units and enterprise functions directly involved in the relevant business process. Financial institutions typically maintain three “lines of defense” against risks: management, compliance, and internal audit.
For example, the business unit responsible for a product, the first line of defense, may be required to review a report of transactions daily and flag potentially fraudulent ones for further investigation. The second line of defense, the compliance team, must validate that business units are following the relevant external rules and regulations, and internal policies and procedures. Finally, the third line of defense, the internal audit team, provides an independent review of the effectiveness of both the design and operation of the management team’s approach.
In this example, the data behind the report, the report itself, and the process of reviewing the report are all essential to a complete understanding of how the enterprise manages the risk. Therefore, each of the lines of defense must be appropriately equipped to obtain, analyze, and render decisions about the elements of this process. This requirement applies to the whole variety of risks faced by the institution.
Failing to maintain the resources and skillsets necessary to implement data-driven approaches across the lines of defense may lead to gaps, incidents, and, ultimately, unwanted regulatory attention. For instance, the financial crisis of 2007-2008 highlighted that even large and sophisticated institutions, such as Lehman Brothers, can fail to understand the scope of the risks they face. To guard against adverse outcomes and further regulation, financial services companies should take the initiative to continue building out data technologies and skills across all of their risks and all the teams responsible for managing them.
Data Society lives by the maxim that robust risk assessment relies on good data, effective tools, and responsible data science practices. Therefore, Data Society arms practitioners with data science solutions to extend their risk assessment capabilities. In addition, Data Society helps teams across the lines of defense get to the next level of maturity in data science practices with instructor-led training and capstone projects focused on real risk management challenges. In future blog posts, I’ll discuss some of these tools and techniques in more detail, offering insights into how they can be applied to bring more robust and confident risk assessment and mitigation.
Robust risk assessment relies on good data, effective tools, and responsible data science practices. That's why Data Society created Camelsback, an AI solution for continuous risk assessment in financial services. Camelsback is based on our award-winning risk evaluation framework developed for the FDIC’s Resilience Tech Sprint.