iNFRont Magazine - Apr - May 22 Edition


PLANNING FOR EXTREME EVENTS

Leveraging lessons learnt from the pandemic

AI & MACHINE LEARNING

Removing bias from the model output

SANCTIONS

How to stay ahead of rapid change

VENDOR RISK

Top 5 third-party risks of 2022

ESG

The evolution of climate risk

Central banker’s perspective

DIGITALIZATION

Transforming financial services through IT

ISSUE 3 – APR-MAY 2022

CONTENTS

• FOREWORD: CELEBRATING THE RETURN OF FACE-TO-FACE INTERACTION. Mike Guglielmo, Darling Consulting Group
• THE BIG CONVERSATION: AI & MACHINE LEARNING: A RESPONSIBLE FUTURE. Agus Sudjianto, Wells Fargo & Imir Arifi, UBS
• Q&A: THE EVOLUTION OF CLIMATE RISK. Alessia Falsarone, CeFPro Fintech Advisory Board
• PANEL DEBATE: SANCTIONS COMPLIANCE IN A SHIFTING LANDSCAPE
• INDUSTRY INSIGHT: TOP 5 VENDOR & THIRD-PARTY RISKS FOR US & EUROPEAN FIRMS. Alice Kelly, CeFPro
• INFOGRAPHIC: RESPONSIBLE FINANCE
• Q&A: LEVERAGING IT TRANSFORMATION TO MODERNIZE FINANCIAL SERVICES. Libor Krkoska, European Bank for Reconstruction and Development (EBRD)
• ADVERTORIAL: MODEL RISK MANAGEMENT: HINTS ON QUANTIFICATION APPROACHES. Tiziano Bellini, Prometeia
• EVENT REVIEW: UNITING OPERATIONAL RISK PROFESSIONALS
• Q&A: UNDERSTANDING FUTURE USE OF CENTRAL BANK DIGITAL CURRENCY. Aleksi Grym, Bank of Finland
• EVENT REVIEW: FRAUD & FINANCIAL CRIME USA: MANAGING THREATS TO MITIGATE FRAUD RISK
• EVENT PREVIEW: RISK EMEA: TAKE YOUR PLACE AT EUROPE’S LEADING EVENT FOR THE FINANCIAL RISK INDUSTRY
• REPORT SUMMARY: EFFECTIVE SPREADSHEET MANAGEMENT
• TALKING HEADS: DEFINING NFR

FOREWORD

CELEBRATING THE RETURN OF FACE-TO-FACE INTERACTION

Mike Guglielmo, Managing Director, Darling Consulting Group

This issue of iNFRont addresses some of the most pressing topics currently affecting non-financial risk professionals. From climate risk and avoiding bias in machine learning to sanctions regimes and IT transformation, staying ahead of these concerns and more is essential as we navigate our way through changing times.

With so much to discuss, the return of live events could not be more welcome. In March, I had the opportunity to take part in CeFPro’s Advanced Model Risk Management and Treasury & ALM conferences, which took place in New York City. The depth of the topics covered and the level of interactivity on show served as a timely reminder of the benefits of in-person learning and networking.

During the Advanced Model Risk Management program, participants shared their thoughts and perspectives on a variety of important issues, including the validation of AI/ML and fraud models, climate risk modeling, MRM and validation automation, and talent acquisition/retention. Attendees also gained insights from participating examiners, including David Palmer of the Federal Reserve, a principal author of SR 11-7. As chair of Day Two’s program, I led several group discussions during the day, with more than a dozen panelists involved overall. Attendees unquestionably came away with several ideas inspired by face-to-face interactions with so many of their peers.

The inaugural Treasury and ALM conference attracted banking executives from various disciplines including balance sheet management, risk, compliance, audit, modeling, and technology. Participants were immersed in lively discussions about the current economic challenges we face and explored ways to address them and their potential impact on net interest margin, liquidity, earnings, and capital. I particularly enjoyed presenting my perspectives on ALM modeling and reporting techniques that drive ALCO’s strategic decision-making, and reconnecting with industry peers and practitioners over the two days.

We hope you enjoy the full reviews and previews of further live events featured throughout this issue of iNFRont, as well as the valuable insights shared by our expert contributors. Written by the industry, for the industry, this is your magazine so please get in touch if you’d like to feature in a future issue.

OUR MAGAZINE TEAM

PUBLISHER Andreas Simou andreas.simou@cefpro.com

MANAGING EDITOR Kate O’Reilly kate.oreilly@cefpro.com

HEAD OF DESIGN Natasha Marino

HEAD OF CONTENT & EVENT PRODUCTION

To participate in our research and forthcoming conferences, please contact Alice Kelly: alice.kelly@cefpro.com

MARKETING INQUIRIES

To discuss media and marketing collaborations or to join us at our conferences, please contact Amy Greene: amy.greene@cefpro.com

ADVERTISING & BUSINESS DEVELOPMENT

If you are interested in sponsorship and advertising opportunities, please contact: sales@cefpro.com

We welcome contributions. If you or your organization are interested in featuring in our next issue, please contact editor@cefpro.com

www.cefpro.com

MAGAZINE ADVISORY BOARD

• Oskar Rogg, MD, Head of Treasury, Americas, Credit Agricole CIB
• Angela Johnson de Wet, Cloud enabled Business Transformation – Head of Function, Lloyds Banking Group
• Alpa Inamdar, Transformation Leader, AIG
• Ken Wolckenhauer, VP, Vendor Management, Nordea Bank, New York Branch
• Dominique Benz, Head of Business Controls, Mizuho
• Ty Lambert, CRO, Cadence Bank
• Michael Jacobs, Lead Quantitative Analytics and Modeling Expert, PNC
• Sabeena Liconte, Deputy COO and Chief Legal Counsel, Bank of China International (USA) Holdings Inc., member of Bank of China Group
• Mike Guglielmo, Managing Director, Darling Consulting Group

AI & MACHINE LEARNING: A RESPONSIBLE FUTURE

WHAT STEPS CAN BE TAKEN TO ENSURE BIAS (INCLUDING UNCONSCIOUS BIAS) IS REMOVED FROM DATA AND ULTIMATELY, THE MODEL OUTPUT?

Agus: This is about responsible AI. When we talk about bias and fairness, we need to think about societal or human bias, not just statistical or algorithm bias. We must be mindful about the data when building models. If the training data, particularly the target outcome, stems from human decisioning, it will naturally include human bias. Therefore, we should question if we want to use the data to build the model. We must be very careful and decide upfront whether or not to apply it, given the societal bias we may have. What we are talking about here is possible disparate treatment, intentional bias, or disparate impact unintentional bias. We must consider whether information should or should not be used, and understand whether the way we collect data can introduce bias. Proper fairness oversight and testing must be applied with the right context.

Imir: I’ll add that some classes of algorithms, such as binary classifiers (i.e. a default model that predicts borrower default), are trying to maximize the distance between the centers of the two clusters (default and non-default groups in a default model). A good algorithm would maximize this distance, and therefore it would be a strong mathematical discriminant function.

The algorithms themselves are mathematically designed to amplify and interpolate the historical patterns identified in the training data and may very well amplify historical biases if they are present.

We must also be careful of biases against protective classes. There are ways of addressing this, such as input/output comparisons, model inputs and scored outputs, marginal response testing, feature sensitivity testing, etc. I have also in the past identified and labeled instances in datasets where the model produces biased or unreliable results; run a second model that predicts those biases; and then used that as an additional feature in making predictions. In short, a separate model can predict the bias of the first model, and anomaly detection and a separate binary classifier algorithm could then also be run. Accounting for and managing bias is a very important design specification, especially in lending use cases.

WHAT ARE SOME OF THE KEY CONSIDERATIONS TO ENSURE ETHICAL DECISION-MAKING AND TRANSPARENCY?

Imir: Just like bias, ethical considerations and transparency are contextual to the use case. In health care, ethical considerations might be the highest possible consideration because someone’s life could depend on it. The level of scrutiny that needs to be applied in this context will be higher than the level applied in other examples. Ultimately, the level of ethical scrutiny, transparency, and explainability needs to be proportional to the use case and its impact on the targeted population. In past roles, the legal team has reviewed potential ethical considerations where, if a client is affected by an algorithm (especially in the fields of health care or finance), they are entitled to have a human being explain to them how the decision was reached, especially in Europe.

Agus: It starts with accountability and accountability starts with senior management. Banks, particularly large banks, have an established practice of designating an independent senior leader as the head of model risk management who reports to the Chief Risk Officer and is responsible for setting up policy that covers accountability, roles, and responsibilities to manage model risk across the company. In addition, policy and procedure to guide the practice also play an important part in establishing risk culture in the organization to manage model risk. At Wells Fargo, our model risk management team on the second line includes more than 300 people. This demonstrates our commitment to manage model risk. For every three model developers, there is one independent model validator. Organizationally, the Head of Model Validation is at the same level as the Head of Model Development and has the authority to approve or reject models.

In terms of transparency, SR11-7 provides very good guidance at a high level around conceptual soundness. A number of different things form conceptual soundness; transparency is one of them, which poses a problem with black box models. For me, the label ‘Explainable AI’ is a misnomer if we are talking about a black box model with post hoc explainers, which is why we don’t use it for areas of critical importance or sensitive applications. In these instances, we only use inherently interpretable models that provide full transparency.

Imir: Explainability is very important and it starts with conceptual soundness, even before finalizing the algorithm or the variables for their response. Do the variables make business sense? Are they supported by economic or financial theory? Are they widely used in the industry? Are they market standard variables? Does a subject matter expert in the field agree with the use of those variables? Typically, when we qualify a use case or a project, we start by asking the risk owner what variables they think are important in predicting the outcome they are interested in. We try to embed this transparency and explainability into the decision-making process as early as possible.

ONCE WE HAVE ADDRESSED DATA CHALLENGES, HOW CAN WE ENSURE EXPLAINABILITY THAT SATISFIES THE REGULATORS?

Agus: The purpose of having explainable models is not to satisfy the regulators but because they are a necessity to ensure conceptual soundness of a model. The level of explainability depends on the critical impact of the model, what unintended consequences arise, and the negative impact models can create. Depending on whether or not it is a high-stake environment, the level of explainability and transparency will be different. For example, we only use inherently interpretable models in areas like credit decisioning, because this impacts people in terms of their access to financial products. For less critical areas, we can use other tools such as post hoc explainers, as the potential negative impact might be acceptable when the explanation is less accurate. Given the wide availability of inherently interpretable models such as GAMI-Net or Explainable Boosting Machine, I would argue that black box models with post hoc explainers should only be applied if warranted and if no other alternatives are available. The use of black box models for high-risk applications should be avoided.

Imir: There are certain types of use cases, especially regarding lending, which deal with protected classes. As such, certain regulatory requirements like adverse credit codes need to be systematic, and the polarity of the variables needs to be consistent and monotonic.

There are other use cases, such as information security, where it may be beneficial to use inherently black box algorithms, at least as a starting point. However, there should always be a preference for explainability and for trying to understand what the algorithm is doing, what variables are important, how they are contributing, and the level of their contribution both locally and globally within the model.

WHERE DO YOU SEE THE FUTURE OF AI AND MACHINE LEARNING MODELS IN FINANCIAL SERVICES?

Agus: Machine learning is very powerful and has wide range application opportunities in financial services. However, if we are not careful, it has the potential to create considerable reputational damage. This will lead to heightened scrutiny by the public, politicians, or regulators. It is the responsibility of our community, the people who develop and provide oversight of this area, to up our game to apply the tools responsibly. Dealing with sophisticated tools also requires more sophistication in model risk management across model design, testing, and usage to ensure both their conceptual soundness and outcome. In addition to interpretability, more sophisticated testing beyond accuracy is needed to ensure model robustness, reliability, and resilience. The potential of machine learning is vast – there is so much that we can do with these wonderful techniques and machinery. But we need to be very cognizant when designing and using them, or the damage will be irreparable. Unless we practice responsibly, it will be a tough road ahead.

Imir: I’m optimistic about the future of AI and machine learning models in financial services, especially with regard to predictive analytics, automation, and customized services and support. I also firmly believe that with the proliferation and generation of more data – especially with Web 3.0, the fourth Industrial Revolution, and 5G – AI and machine learning models will be the standard modeling algorithms to be applied in the future. However, there are some challenges, and more needs to be done to understand the algorithms to enhance trust. I also believe more regulation will come, especially in Europe.

Ultimately, I believe that the future of modeling is AI and machine learning. The traditional modeling approaches were largely invented at a time when calculations were performed by hand. As such, they are not receptive to large amounts of data. As we generate more and more data, we have had to adapt our modeling approaches to account for it, and AI and machine learning algorithms do that very well. However, we have a severe shortage of talent in financial services to help design, implement, and explain AI and machine learning models, which will need to be addressed.

Stream One of CeFPro’s upcoming Risk Americas event (10-11 May, NYC) features a panel discussion on AI and Machine Learning, as well as sessions on cryptocurrency, digitalization, climate risk, and more. For the full agenda or to book your place, go to www.risk-americas.com


THE EVOLUTION OF CLIMATE RISK

HOW HAS CLIMATE RISK EVOLVED AND BECOME EMBEDDED INTO ENTERPRISE RISK PROCESSES?

The impacts of climate change on the stability of the economic system are broadly recognized as financial risks. The dialogue which started at the macroprudential policy level by the Network for Greening the Financial System in 2017, continues to fuel the development of individual use cases for financial institutions. In just five years, it has affected the level of transparency and institutional commitment to dedicated monitoring and reporting functions, all the way to new product development. However, when it comes to micro-level adoption, aside from specialized cases, financial institutions are still followers rather than leaders in the space.

Real estate funds continue to stand out from the average. They have historically developed the most sophisticated approaches to operational risk assessment related to the physical damages caused by extreme weather events, while also moving faster than other segments to define the impact of transition – whether of policy advances or energy technology innovation – into offerings.

What is changing rather dramatically is the view from the top, where climate risk is taking center stage in the work of the audit and risk committee of the board. That’s where I see the most activity so far in elevating risk processes enterprise-wide to much needed tools of governance effectiveness, at least for publicly listed companies.

HOW CAN ORGANIZATIONS BEST EVALUATE AND MONITOR PORTFOLIO EXPOSURE?

The short answer is not all systems are created equal. Neither are the questions to be addressed or the tools we need to answer them. With the emergence of new data platforms, most tools are still in development stage, especially when the focus is on environmental impacts such as water stress and biodiversity loss. Incumbents continue to work with innovators while adapting their internal climate strategy to reflect the insights from the integration of new data sources and intelligent automation.

When it comes to portfolio exposure – whether financial or operational – most practitioners would agree that climate risks are not fully reflected in asset valuations. The different time horizons and the dynamics of transition vs. physical risks highlight how mapping point-in-time exposures can only go so far in enabling active and intentional management of climate risks. Whether climate scenarios stretch to 2050 or beyond, the dependency of results over short-term actions is well researched. Adopting broad spectrum tools such as integrated assessment models (IAMs), which combine knowledge from a variety of disciplines within social sciences (including earth systems), would directly refocus the COSO lens of ERM practitioners to consider the economic and financial choices that affect environmental objectives, and vice versa. Asking questions such as, ‘How would the world look if gas reserves do not meet historical capacity by 20XX year?’, as well as enabling scenarios which adopt future climate pathways and challenge conventional wisdom, would provide a framework to directly integrate a stream of future climate and economic policies with current regulatory asks.

WHAT ARE SOME APPROACHES TO MOVE THE INDUSTRY FROM IDENTIFICATION TO IMPLEMENTATION?

Moving from identification (of climate-related exposures) to implementation (measurement and management of climate outcomes) requires a programmatic upgrade of basic climate science knowledge among financial professionals, including economists. Macro-prudential policies need to move in sync with micro-level implementation, one firm at a time. Identifying exposures to environmental externalities is merely step one and if done incorrectly, may slow down implementation.

The dearth of professionals with both financial and climate/environmental knowledge and experience is well documented. Organizations will need to develop extensive efforts to support continuous training and upskilling.

The highly cooperative work carried out by international networks such as the UNEP FI Principles for Responsible Banking, the Principles for Responsible Investment, and the World Business Council for Sustainable Development (and its GHG accounting protocol) provide forums where industry professionals can share and build knowledge to outline operating frameworks and evolve the principles themselves.

WHAT ARE SOME OF THE CONFLICTING EXPECTATIONS OF CLIMATE RISK GLOBALLY AND HOW CAN ORGANIZATIONS IMPLEMENT A SUCCESSFUL RISK APPROACH?

The first and most frequent misconception is that climate risk can be treated as a traditional risk category and made to fit traditional parameters across asset classes/financial products and geographies. While that may be the case for central banks expanding their macro-prudential tool kit to integrate climate-related dimensions, it is less so among financial sector participants. Cookie-cutter solutions to categorizations of climate parameters that encompass already direct and indirect definitions of its tangible outcomes (think Scope 1, 2, and 3) can be quite ineffective. Operational frameworks that embed climate risk in the archetypes of ‘known’ financial risks are likely to create a more useful approach to enterprise integration, both from a regulatory compliance perspective and regarding institutional buy-in and operational effectiveness. To that end, climate scenarios that challenge BAU mode are a key ingredient of organizational strategy around tackling environmental impacts of climate-related uncertainties.

The second misconception is that once a framework for assessment of climate events is rendered through metrics that inform public disclosures and stakeholder communications, the holy grail of climate readiness is found. Few organizations have had the foresight to use scenario analysis as a planning tool for a climate alignment strategy that gets adjusted over time, and even fewer have moved from reporting and transparency over exposures to defining climate outcomes.

A successful risk approach makes sense of the three pillars – organizational exposures, climate alignment, and environmental outcomes – and elevates the dialogue beyond reporting and regulatory compliance to strategy and stakeholder communication. Building a climate risk culture with strong internal messaging from the top down is key. Whether from corporate or supervisory boards, the inquiry has already started to expand outside of audit and regulatory compliance into aspects such as M&A due diligence and corporate strategy, as a result of energy security and geopolitical concerns which are likely to be amplified by climate disruptions. Implementation is effective and tangible when climate risk considerations blend with a vision for organizational opportunities.

WHERE DO YOU SEE THE FUTURE OF CLIMATE RISK MANAGEMENT WITHIN FINANCIAL SERVICES?

I see it tackling the second misconception highlighted above and moving from climate risk management to climate alignment strategies to fully close the gap on governance accountability in financial institutions. Focused cross-functional training and sharing of best practices will be essential to ensure the sector builds organizational awareness towards climate outcomes from the current basic evaluation of risks.

The commercial opportunities that await financial institutions in the low carbon transition are abundant. Opportunity-oriented approaches to solve the climate crisis are more easily supported than risk mitigation or adaptation policies on their own, which unfortunately remain labelled as a cost of doing business.

Legal Disclaimer: The opinions reflected in this article by the author are expressed in personal capacity and are not attributable to any organization. They do not constitute a financial nor an investment advice. CeFPro Magazine Issue 3 2022

Alessia Falsarone, Fintech Advisory Board member, CeFPro

SANCTIONS COMPLIANCE IN A SHIFTING LANDSCAPE

In March 2022, CeFPro returned to New York City for the first time since the start of the pandemic with a series of live events, including Fraud & Financial Crime USA. A key talking point at this conference was the evolving sanctions landscape and how to stay ahead of rapid change and escalation. Here, we summarize the key takeaways from our in-depth sanctions panel discussion, which featured the following industry experts:

Bryant Moravek Director of AML & Sanctions Compliance, Risk Advisory Services

Kaufman Rossin (Chair)

Evan Weitz Managing Director, International Controls Executive Wells Fargo

The panel chair began by outlining the current landscape, warning that the stakes have never been higher. As a result of actions by the Russian Federation in Ukraine, unprecedented global disapproval has resulted in the most comprehensive sanctions ever levied against a nation. An alternative retaliation to violence, sanctions have replaced military intervention for many nations, with Russia receiving similar treatment to the likes of North Korea and Iran.

Amber Vitale Managing Director, Financial Services FTI Consulting

Dr. Henry Balani Global Head of Industry & Regulatory Affairs Encompass

and 14065. These include the addition of a specifically designated nationals and blocked persons list, including President Putin, Minister of Foreign Affairs Sergei Lavrov, Russian officials, oligarchs, and their families.

Bharat Sadula Director AML/ ATF and Sanctions Audit, Global Head of Transaction Monitoring Audit Scotiabank

and exports of Russian goods, and investment in certain sectors. The current sanctions landscape aims to cripple the Russian banking industry, counteracting the need for military intervention.

The panel therefore highlighted the importance of information sharing, not only across organizations externally but also internally within teams. Investigations and intelligence professionals must ensure that they are communicating with each other and leveraging the information gained on both sides to aid compliance and identify red flags. Obligations of financial institutions do not end at settlement; as a best practice, organizations should also investigate post-payment to proactively identify red flags and raise awareness of payments to block in the future.

ENHANCING REGULATORY COMPLIANCE

The panel then considered opportunities to enhance audits and ensure regulatory success. Documentation is critical to being able to demonstrate compliance and take appropriate next steps as with such extreme sanctions in place, any weaknesses in programs will be difficult to hide. Panelists advised organizations to review their current risk assessments to ensure clear and concise documentation of areas such as risk methodology, risk identification, risk appetite, and risk mitigation.

The final area under discussion was cryptocurrency and the ongoing debate around its use as a way of evading sanctions. The panel was clear that currently, there is not enough use of crypto for it to be an effective tool to evade sanctions. The market capital of the entire cryptocurrency economy is just under $3tn; Russia is the world’s 11th largest crypto economy; therefore, there simply is not enough liquidity to effectively evade sanctions, and the crypto economy was viewed as not being structurally mature enough to have an impact.

Panel members sought to address the challenges of complying with various sanctions regimes levied against the Russian Federation, Belarus, and the separatist regions of Ukraine. At the time of discussion, sanctions by the US Department of Treasury’s Office of Foreign Assets Control (OFAC) centered around two key executive orders: 14024

OFAC also issued sanctions on banks and financial institutions that collectively control around 80% of banking assets in Russia. SberBank, Russia’s largest bank and involved in many international transactions, was targeted with sanctions, along with 25 of its subsidiaries. The US and its allies also announced plans to remove Russian banks from the SWIFT messaging system and impose restrictive measures to prevent the Central Bank of Russia deploying its international reserves, estimated to be around $650 billion.

In addition to these unprecedented measures, OFAC imposed sectoral sanctions on a number of Russian-owned entities, as well as banning imports

Discussion then moved towards sanctions enforcement. The current landscape is unprecedented and such extreme sanctions against an economy the size of Russia and Belarus brings inherent complexity. In a zero-fail compliance environment, ensuring adherence to all requirements is a key challenge. Even something as simple as an incorrect name – whether due to spelling variations, popular family names, or translation into English – can make it difficult for an organization to execute a sanction. And in the context of real-time payments and settlement, there is little time to verify information.

When discussing how financial institutions can best prepare, the panel concurred that the starting point is risk assessments. Specifically, compliance programs should be tailored to unique business and risk profiles, taking into account the size and complexity of an organization, its customer base, its exposure to geographies, and the complexity of its product offerings.

Panelists agreed that organizations must establish internal controls, outlining four key areas to consider:

• Data: Developing comprehensive, accurate, and complete data to feed through on a timely basis; considering both transactional and reference data, including customer data internally and from vendors.

• Effectiveness of sanctions screening systems: Tuning and calibrating sanctions screening and payments models.

• Managing false positives: Implementing false positive management controls and effective calibration to limit false positives or negatives.

• Operational controls: Ensuring operations teams are established for triaging alerts adequately and understanding sanctions exposure.

“I was getting my hair cut yesterday and my barber asked me to explain SWIFT. It occurred to me that we’re in a very different landscape when it’s not just the government that cares about sanctions enforcement, but my barber also sees it as a priority.”

Sanctions Panelist, Fraud & Financial Crime USA

Gaining C-Suite buy-in by aligning the risk appetite statement with senior management and ensuring consensus with senior leadership can also help to increase support throughout an organization. With numerous teams involved in sanctions decisioning, aligning processes and procedures across departments can enhance outcomes to ensure nothing slips through the cracks. However, the panel raised the point that in larger organizations, there are greater challenges in collaboration and coordination across teams and levels of management, making it important to address this upfront.

One example provided by our panel was that it takes 10 minutes to clear a transaction on Bitcoin’s blockchain –when looking at millions of dollars, the network is not equipped to manage the increase. Therefore, if cryptocurrency is being used to evade sanctions, the transactions are likely to be small.

5 TOP TIPS TO MITIGATE RISK

The panel then discussed the role of technology providers in supporting banks and financial institutions with sanctions compliance. Although access to black box models is required, it was highlighted that certain controls must be in place to ensure the technology provider retains competitive secrets, for example, through NDAs or anticompetitive clauses.

Reflecting the challenges outlined earlier regarding variations in names, access to technology and black box models can be equally difficult – one panelist noted that there were 64 variations of spelling for one name, making identification increasingly tough. Despite such issues, the panel agreed that technology can certainly help to mitigate the challenges of identifying sanctioned individuals or entities.

Our panel of sanctions experts advised financial institutions to anticipate any business dealings with Russian organizations or entities to be increasingly limited and regularly changing. They outlined five ways to mitigate the risk posed by recent sanctions regimes:

1. Identify exposure to the Russian Republic, Belarus, and separatist regions.

2. Capitalize on existing technologies.

3. Stay up to date with sanctions regimes, as they are constantly evolving.

4. Approach vendors for supplementary information.

5. Revisit risk appetite for reputational risk.

Our European sister event, Fraud and Financial Crime Europe, will take place in London, September 20-21, 2022. With the ongoing sanctions regime expected to remain firmly on the agenda, you can register your interest for this topical conference at www.cefpro.com/fraud-europe


TOP 5 VENDOR & THIRD-PARTY RISKS FOR US & EUROPEAN FIRMS

As we count down to our Vendor & Third Party Risk series of live events this summer (June 1-2, NYC and June 15-16, London), CeFPro’s research team has undertaken a campaign to explore the disparities and similarities between financial institutions in both the US and Europe towards this key area of non-financial risk. As each location continues to develop and rebuild after the global pandemic, third-party risks remain a crucial challenge, with supply chain issues causing residual impacts to be felt long after initial recovery. Here, we highlight the key vendor and third-party risk focus areas for firms on both sides of the Atlantic…

THIRD-PARTY RISK #1: ESG

Immediately evident across both sets of research is the fact that ESG is a key priority within vendor and third-party risk. Many firms are grappling not only with the challenge of incorporating ESG into their onboarding process, but also with the need to provide ongoing assurance and monitoring of their current third parties.

While the research for North America highlighted a trend towards developing metrics and scoring criteria and ensuring compliance with a range of expectations, the focus within both US and European organizations is on the ‘E’ within ESG. Firms on both sides of the Atlantic are striving to ensure sustainable practices across their supply chains, yet many are grappling with how far to look to ensure compliance with their ESG strategy and targets. As regulations for both audiences continue to evolve, effort is being aimed at compliance and setting company-specific targets that must be maintained across all outsourced activity, as both the reputational and compliance risks lie with the financial institution itself.

Organizations have focused on the social considerations within their third parties for many years, and ESG has only enhanced this. Topics including modern slavery and ethical supply chains remain a priority; however, areas such as diversity and inclusion are increasing in importance. Many firms are now including diversity criteria within their onboarding processes and are encouraging enhanced collaboration with minority and female-owned businesses to ensure supplier diversity. With updates to the Modern Slavery Act and increased pressure to actively demonstrate ESG compliance and progress, organizations are scrutinizing their supply chains in more detail than ever before to ensure a sustainable and ethical outsourcing program.

THIRD-PARTY RISK #2: RESILIENCE

An area of heightened focus for the North American audience is resilience. Firms in this region are considering what lessons can be learnt from the UK/PRA implementation and what the requirements look like in practice.

As a result of the global pandemic, resilience plans have taken center stage, enabling firms to build upon business continuity and strengthen their processes. Many organizations across the globe are still operating in either a remote or hybrid working environment, with most also having in place travel bans that impact collaboration and hinder the integration of teams. Office-based employees work in a secure or controlled environment; however, home working opens up potential vulnerabilities and weaknesses within security controls. With such a rapid move to working from home and the subsequent migration to hybrid working, controls are having to be constantly updated to ensure security internally and across supply chains. Organizations must remain agile to stay ahead of new risks as working environments continue to adapt, to ensure sensitive data and information is protected. Regulators are increasing their focus on resilience planning and ensuring robust controls, both as a direct result of the pandemic, and its long-term repercussions regarding changes to the working environment.

THIRD-PARTY RISK #3: STRATEGY

For European firms, exit planning is top of the agenda – an area that is attracting increasing attention from both regulators and the industry at large. Closely aligned with risk #2, organizations must develop exit strategies and test exit contingencies (both immediate and longer term) to ensure business resilience in the event of supplier outage.

As regulatory focus increases, the right to include exit plans and risk reviews will need to be updated and included within contractual terms. However, there is a degree of ambiguity and uncertainty around the nuances of the regulatory requirements, especially in testing exit plans and scenario planning for stress scenarios. Ensuring that services are maintained, and that an orderly exit can be managed where required, will be key to business resilience.

Within the area of vendor and third-party risk, CeFPro’s researchers have typically observed more sophisticated systems and processes across North America. But with UK regulators further ahead regarding resilience agendas, UK organizations now seem more advanced in respect of resilience expectations and implementation.

THIRD-PARTY RISK #4: SUPPLY CHAIN

A key area highlighted by firms across both regions is 4th to Nth party risk, in particular monitoring risk exposure across the supply chain and enhancing transparency. As highlighted earlier, organizations are grappling with how far to deploy resources across the supply chain to ensure subcontractors are identified and effectively managed. Control and insight into subcontractors’ operations can be limited, not least because contractual terms are negotiated by, and fall under the responsibility of, the third or fourth party. This leaves the financial institution with minimal control and transparency. Identifying all subcontractors and the resulting risk exposure to fourth parties and the wider supply chain therefore remains a top priority for institutions in both Europe and North America.

However, as a result of more detailed regulatory guidance in North America, the focus there has moved towards oversight and due diligence of fourth parties and beyond, with more established processes typically being embedded. With organizations outsourcing services to potentially thousands of providers, challenges remain in securing exit strategies and business continuity and resilience agendas as supply chains increase in complexity.

THIRD-PARTY RISK #5: FINTECH

The final area of focus, primarily uncovered through our North American research, is that of managing fintech relationships. An increasingly prominent area of development within financial services, collaboration with fintech service providers has become more important in recent years as digitalization accelerates. Fintech collaboration allows for enhanced agility to keep pace with change when complex organizations could otherwise be left behind. The challenge lies in how best to manage the relationship and protect the organization to ensure privacy and cyber risks are managed effectively.

As fintech is still an emerging area, large, complex organizations tend to run trials or pilot programs with fintech providers to better understand the risks and opportunities involved. By doing so, they open up potential vulnerabilities to be managed by third-party risk teams. Working with a fintech company is often under an acquisition scenario or strategic partnership, further adding to the complexity of its treatment as a third party. When reviewing strategic partnerships, unique due diligence and monitoring processes are required to maintain security, often making collaboration opportunities difficult to align. As a relatively new area within vendor and third-party risk, management and collaboration with fintechs pose a number of questions and challenges to established financial institutions, alongside the opportunity to strategically align with a more digitally advanced organization with limited legacy systems.

RESEARCH CONCLUSIONS

In the main, conclusions from our US and European research remain closely aligned, with both areas primarily concerned with ESG and business resilience. However, the European research highlights a heavier focus on regulation and ensuring compliance to strengthen security as we emerge from the pandemic. Conversely, North American firms show a shift towards technology, agility, and preparing for a changing risk environment as the industry embraces more digital capabilities.

For more CeFPro research, surveys, and reports, go to www.cefpro.com/research/

Hear from industry experts on these topics and much more at our Vendor & Third Party Risk sister events, taking place June 1-2, NYC and June 15-16, London.

For the US agenda and to book your place, go to www.cefpro.com/vendor-usa

For the European agenda and to book your place, go to www.cefpro.com/vendor-risk

Alice Kelly Head of Content and Event Production CeFPro

RESPONSIBLE FINANCE

THE RISE OF ESG AND SUSTAINABLE INVESTMENT

Environmental, social, and governance (ESG) is one of the biggest trends in financial services today. While far from a new concept, its popularity has risen in recent years, particularly since the pandemic. Investors are now increasingly interested in ESG issues, prompting the vast majority of banks and investment firms to offer sustainable investment funds as part of their portfolio. Companies that place ESG at the heart of their business can also reap other rewards in the form of increased customer and employee loyalty, reduced costs, and satisfied stakeholders. However, firms must take care to avoid accusations of greenwashing by ensuring that any ESG initiatives are deep and meaningful and not merely a box-ticking exercise. Here, we take a deep dive into the ESG revolution…

• $649bn: Amount invested into ESG-focused funds worldwide in 2021, up from $542bn in 2020 (Source: Reuters)
• 200: Number of companies that have signed The Climate Pledge, a pact to reach the Paris Agreement goal of net zero carbon 10 years early (Source: The Climate Pledge)
• 88%: Percentage of publicly traded companies with ESG initiatives in place (Source: NAVEX Global)
• $1.3bn: Amount climate-related weather events are expected to cost businesses by 2026 (Source: CDP)
• 1/3: Sustainably managed assets represent 1/3 of US assets under professional management (Source: US SIF)
• 74%: Four-year increase in the number of ESG reporting provisions issued by governmental bodies (Source: Carrots and Sticks)
• 14%: Organizations with the highest employee satisfaction had ESG scores 14% higher than the global average (Source: Marsh & McLennan)
• 50%: ESG-mandated assets could make up half of all professionally managed investments by 2025, totaling $35 trillion (Source: Deloitte)
• 24%: Nearly a quarter of companies say that corporate silos are a barrier to ESG progress (Source: PwC)

Global spread of ESG fund assets (Source: Morningstar Direct)

• Europe: 81%
• US: 13%
• Other: 6%

Millennial mindset

• Almost half of millennial millionaires make their investments based on social factors (Source: KPMG)
• Nearly all millennial investors are interested in sustainable investing, compared to 79% of US individual investors (Source: Morgan Stanley)
• Millennials are twice as likely as older generations to want their pension to be invested responsibly (Source: KPMG)

S&P 500 turns green

Number of S&P 500 companies citing ESG on earnings calls:

• Q4 2020: 299
• Q4 2019: 70
• Q4 2018: 14

DEFINING ESG (Source: KPMG)

• ENVIRONMENTAL: Climate change; Greenhouse gas emissions; Resource depletion; Pollution
• SOCIAL: Working conditions; Local communities; Conflict regions; Diversity
• GOVERNANCE: Bribery and corruption; Board diversity and structure; Political lobbying; Tax strategy

Our ESG series of events will be returning to the US and Europe later this year. To find out more about our US event, go to www.cefpro.com/esg-usa. To find out more about our Europe event, go to www.cefpro.com/esg-europe

LEVERAGING IT TRANSFORMATION TO MODERNIZE FINANCIAL SERVICES

Where do you see the opportunities to transform IT to modernize the financial services industry?

Among financial institutions, the digital transition has steadily gained momentum and is set to accelerate in the coming decade. New technologies are enabling banks and other established financial services companies to overhaul their operations and find different ways of reaching their clients. There are also opportunities for challenger businesses in many areas, from payments to capital markets, retail banking, and broader financial inclusion; but these also require greater attention to security, trust, and transparency from regulators, customers, and other stakeholders.

The digitalization trend in finance is underpinned by a fundamental change in customer preferences. Attracted by speed, transparency, lower costs, the ability to tailor the service using a wide variety of ancillary tools, and immediate access to information – coupled with the rise of internet banks and other online lenders – consumers and businesses can now access finance without the need for physical bank branches.

How are business models evolving to better support long-term sustainability?

A growing knowledge base of digital expertise expands the pool of skills and solutions available, albeit these are unevenly spread between countries. The growth of big data and AI has further created opportunities to automate some financial services, for example, through algorithmic lending. However, if unchecked, AI-enhanced credit scoring also risks applying discriminatory lending terms to typically underserved segments. Digital divides in access to and use of technologies risk becoming development divides, by precluding access to economic opportunities and essential services for certain groups, such as women, people with disabilities, older workers, individuals in rural or remote areas, or those with lower levels of education and skill.

As technology evolves, what are some of the security implications organizations should consider?

Cybersecurity is emerging as a key issue in all sectors and economies, with ever-growing threats from criminal, geopolitical, and ‘hacktivist’ actors with the potential to significantly disrupt both the client’s and the EBRD’s own business. External policy and investment in promotional activities should take into account cybersecurity issues to establish individual organizations as credible and trusted partners in the digitalization agenda. This includes the need to undertake an appropriate level of cyber due diligence to ensure the compliance of investee companies and third-party suppliers where necessary.

Where have you seen the most significant advances in IT transformations within the industry?

The ability of most modern IT systems to manage and analyze large datasets has been one of the key advances in recent years. While the conceptual and analytical approaches underpinning these advances are often decades old, it is only now that the IT infrastructure is able to make progress with AI to perform tasks that usually require human interaction; that the internet of things allows interconnected devices to send and receive data in real time; that we have more realistic augmented and virtual reality; and that workable solutions for blockchain technologies can be introduced on a large scale.

Where do you see the biggest technology opportunity over the next five years in financial services?

Increasing pressures on the underlying business model in the financial sector arising from more robust regulation and low interest rates since the global financial crisis, combined with recent inflationary trends, have squeezed the cost and revenue base of incumbent financial institutions, encouraging further progress in automation and digitalization. At the same time, new fintech entrants without expensive legacy systems and the constraints of regulatory requirements have increased competitive pressure, and will continue to force incumbents to enhance their digital capabilities, optimize business processes, and cut costs.

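Covering the future of risk management, including digital transformation and AI and machine learning, Risk EMEA takes place in London on 13-14 June, 2022. For the full preview, see p20-21 or go to www.risk-emea.com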

MODEL RISK MANAGEMENT: HINTS ON QUANTIFICATION APPROACHES

Models are an integral part of modern decision-making processes in financial institutions. They are used to price transactions, value portfolios, and optimize returns, and are key elements of the regulatory framework. However, they require constant vigilance. Risk measurements and financial analytics must be continuously monitored for effectiveness and relevance. Simplifications and assumptions that models must necessarily employ can sometimes come at the cost of accuracy and structural integrity under stress, which can expose a financial institution to model risk.

STEPS TO MODEL RISK SUCCESS

A thorough process is needed to ensure effective model management. Change management programs, in conjunction with integrated IT solutions, are key to tackling this challenge. The following building blocks summarize the critical areas for an advanced Model Risk Management process:

• IDENTIFICATION. Risks related to a specific model should be mapped throughout their whole lifecycle. A flexible IT platform will extract information from various sources (e.g. validation reports, internal audit findings) to classify models based on a customized set of rules, while holistic taxonomy will ensure consistency throughout the entire process.

• CONTROL. A comprehensive process should be designed to monitor risks and trigger appropriate actions. Residual risks, related to unavoidable potential adverse events, must be appropriately scrutinized to inform effective decisions.

• GOVERNANCE. Rules must be defined and embedded into a comprehensive IT solution to align model risks to a firm’s specific risk appetite. Qualitative and quantitative assessments are crucial for setting and monitoring appetite, tolerance, and risk capacity.

• QUANTIFICATION. Well-shaped methods and consistent IT tools are key to a model’s effectiveness at capturing the main features of the phenomena under analysis. Traditional statistics, integrated with Bayesian methods and machine learning/AI, are crucial when quantifying model risk. Silos, as well as complex networks of model analyses, should be performed to summarize a model’s individual weaknesses, as well as when part of an integrated system.

UNDERSTANDING THE APPETITE FOR MODEL RISK

Model risk is interpreted as the potential loss an institution may incur as a result of decisions based on the output of models. Errors can occur in the development, implementation, or use of models, and the uncertainty this can cause is at the very heart of such potential losses.

In the last few years, financial institutions have been developing model risk quantification solutions to set and monitor the appetite for model risk; to design new Margin of Conservatism paradigms; and to measure the impact of extreme scenarios on model performance. Prometeia is pioneering this field by proposing a comprehensive framework based on the following pillars:

• MIS-SPECIFICATION AND CALIBRATION ANALYSIS. The chosen model must be capable of representing the phenomenon under analysis. Is the model suitable for this purpose? Is it effectively calibrated? Appropriate metrics must be specified to address these questions. A comprehensive definition of modeling error is also required to embed issues related to both model choice and parameter fitting. The aim is to disentangle these two aspects to set model risk appetite limits (e.g. in the development phase); monitor them (e.g. model usage); and facilitate the entire model risk management process.

• SENSITIVITY AND WHAT-IF ENQUIRIES. A model developed on all available data and using appropriate techniques has the potential to represent the phenomenon under analysis as it develops. Nevertheless, changes in internal conditions (e.g. portfolio composition) or external factors (e.g. macroeconomic situation) may reduce its efficacy. For this reason, it is vital to review the circumstances that could cause a model to fail. What-if analysis, based on a stressed set-up together with reverse-stress mechanics, is particularly effective in defining model risk tolerance limits and monitoring them over time. Bayesian statistics, machine learning, and AI can also be useful in exploring and generating scenarios to highlight a model’s potential weaknesses.

• COMPLEX MODELING INTERACTIONS. Integrated modeling frameworks characterize banking processes and management decisions. Uncertainty in each component may impact on dependencies. Functional analyses, in combination with a solid simulation architecture, are key success factors in quantifying interaction uncertainties (e.g. stress testing exercise, balance sheet planning).

In essence, thorough model management requires integrated efforts. Processes, governance, and IT solutions, in conjunction with enhanced quantification methods, are crucial to strengthen a financial institution’s resilience by fostering an effective decision-making process.

To find out more, contact tiziano.bellini@prometeia.com

ADVERTORIAL

UNITING OPERATIONAL RISK PROFESSIONALS

Demonstrating that the appetite for live, in-person events has well and truly returned, CeFPro’s New Generation Operational Risk Europe conference attracted hundreds of risk professionals with a packed agenda that covered every aspect of this constantly evolving sector.

Held in central London on 29-30 March, delegates enjoyed eight individual panel debates and a host of expert presentations across a range of key topics affecting the industry today, including ESG, culture risk, regulatory requirements, and change management. As well as the chance for attendees to enhance their learning, the event delivered welcome opportunities for face-to-face networking, with the post-event drinks reception on day one proving as popular as ever!

DAY 1 HIGHLIGHTS:

THE FUTURE OF OPERATIONAL RISK

Day one began with a lively panel discussion on maintaining an established risk culture amid changes to the working environment. SAGA’s Gary Savil, NEST’s Lorraine Solway, and AIG’s Sucharita Banerjee Lodha considered the difficulties in monitoring staff, mitigating against disenfranchisement, and embedding culture in a long-term working from home climate.

This was followed by an engaging address by Michael Sparks of BNY Mellon on whether there is still a place for the operational risk ‘generalist’, given the recent creation of niche sub-sectors within the risk division. A debate on the rise of the machines by a team from BCS Consulting, the official event Knowledge Partner, provided some interesting food for thought, before the morning sessions concluded with a presentation on GRC risk management by David Vose of Archer. Introducing the audience to the concept of bowtie risk analysis, David outlined the value of quantified risks, as opposed to risk scores, when conducting risk analysis.

The day progressed with a variety of expert panel discussions on key operational risk topics, including the Enterprise Risk Management Framework, change management, and third-party risk management. Speakers including Wendy Quintal (Investec), Carlos Martin (JP Morgan), Sean Titley (Metro Bank), and Abhishek Khare (Société Générale) shared their views and sparked lively debate, prompting a series of direct questions from the hundreds of delegates assembled in the audience.

DAY 2 HIGHLIGHTS: TAKING RESPONSIBILITY

Day two, meanwhile, was moderated by Henry Umney of Mitratech, who opened the panel discussion on the evolution of ESG requirements. Sophie Dupré-Echeverria of GIB Asset Management warned against accusations of greenwashing, advising firms “to start with interrogating their purpose and not to follow taxonomy blindly, but to do your own research” when choosing where to invest. Nordea’s Søren Agergaard Andersen’s presentation on greenwashing risk in asset management continued this theme, stating that “robust governance and control, transparent and truthful communications, and aligned regulation and requirements” must be at the heart of any company that takes its ESG responsibilities seriously.

As the morning’s session continued, discussions moved towards regulatory requirements. OneTrust’s Nikki Stoy outlined the expectations of the forthcoming Digital Operational Resilience Act (DORA), due to come into effect in 2024, before turning her attention to the more pressing PRA SS2/21. Coming into force the very next day, the timing of this event could not have been more apt, as the Bank of England’s Javier Martinez acknowledged during his presentation on supervisory expectations in 2022 and beyond.

“It’s been a really educational two days – I’ve learnt a lot. What’s clear is that operational risk cannot operate in silos. A joined-up approach is what’s required.”

Reassuring the audience that firms will have up to three years to comply with the requirement to be able to remain within impact tolerances, Javier nevertheless highlighted that operational resilience is a priority for the Bank of England and is viewed with as much importance as financial resilience, stating: “A resilient financial system is one that can absorb shocks rather than contribute to them”.

After lunch, attention turned to embedding resilience into BAU and navigating updates to legacy systems. Andrew Sheen of AJ Sheen Consulting declared, “Doing something because the regulator tells you to is the wrong reason – do it because you want to be a better, more resilient financial institution.” The event concluded with a final panel debate on leveraging lessons learnt from the pandemic and planning for future extreme events. Aside from war and further pandemics, Anit Deb (Deutsche Bank), Merlin Linehan (EBRD), and Zuzana Vybiralova (Nomura) cited cyberattacks, geopolitical uncertainty, climate-related events, and digitalization as key risks to be aware of over the coming years. As Anit concluded, Covid-19 has shown us that we must ‘think the unthinkable’.

Operational Risk Management USA will take place in New York City this October. For more information and to book your place, go to www.cefpro.com/oprisk-usa

New Generation Operational Risk Europe (7th Annual, 29-30 March, 2022, London): 8 panel discussions, 35 speakers, 7 hours of networking.

TO MITIGATE FRAUD RISK

The 4th Annual Fraud & Financial Crime USA Summit took place in New York City on March 16-17, one of the first in-person events that CeFPro has held in the US since the start of the pandemic. The two-day congress brought together industry experts from institutions such as the FBI, Bank of China, Morgan Stanley, TIAA, Wells Fargo, Homeland Security, Scotiabank, and many more, sharing their knowledge and experience through presentations, panel discussions, and interactive Q&A sessions to enhance collaboration and encourage the sharing of ideas across the sector.

The Fraud & Financial Crime USA series will return to NYC in 2023. Our European sister event, Fraud and Financial Crime Europe, will take place in London, September 20-21, 2022. For full event information including the upcoming launch of the agenda and speaker line-up, visit www.cefpro.com/fraud-europe

DAY 1 HIGHLIGHTS: COPING WITH COVID FALLOUT

Day one delivered a detailed panel discussion on the impact of Covid-19 on fraud and financial crime. As we move closer to a business-as-usual environment under the ‘new normal’, developing processes and controls to manage hybrid working environments and the evolution of threats was a key topic for discussion. The pandemic prompted a change both internally, increasing insider fraud risk, and externally, with differences in consumer behavior. And with government stimulus providing a new avenue for fraudulent activity, the panel debated future behaviors and the escalation of scams.

Gemini Advisory provided insight on staying ahead of merchant breaches and payment card fraud as P2P and instant payments continue to evolve. With immediate access to funds with same day ACH, the real-time environment creates an increased risk. The remainder of the morning sessions explored the ongoing challenges posed by identity theft and protecting customers’ ID. With accessibility of government stimulus and limited availability for in-person identification, the industry saw an increase in identity theft and fraudulent account openings.

The second panel discussion of the day focused on leveraging technology to move to a proactive risk management approach and staying ahead of evolving fraudulent attempts. An expert panel featuring representatives from Scotiabank, TIAA, Elliptic, Berenberg Capital Markets, and SYSTRAN explored the uses of AI, advanced analytics, and robotic process automation as a tool within fraud and financial crime, and leveraging large-scale pattern analysis to identify anomalies.

Harold Davis of the FBI then highlighted the importance of establishing international partners and relationships and developing processes to exchange information. Fraud and financial crime are global challenges, often multijurisdictional; coordinating and collaborating across jurisdictions would significantly alter the landscape.

DAY 2 HIGHLIGHTS: DATA AND REGULATION

The second day opened with an overview of the changing standards under the AML act and their impact on financial institutions. Nicole De Bello (Morgan Stanley) and Sabeena Liconte (Bank of China) discussed the alignment with privacy constraints and incorporating changes into programs. The day then moved towards sanctions and ensuring compliance with an ever-changing sanctions landscape, discussed in more detail on pages 8-9.

The afternoon comprised two back-to-back sessions on data, including data governance and managing data quality. Michael Ivie and Ed Longridge of Phyton Consulting debated the FCC and CLM regulatory changes and data governance adoption, followed by Sudharshan Narva who provided an introduction to data management processes and managing data quality to streamline practices.

The event concluded with TIAA’s senior experts from the Fraud Intelligence Unit reviewing different types of scam tactics and mitigation techniques. Bookending the event’s introductory Covid-19 session, this final presentation reviewed how tactics have evolved, providing a reminder to attendees that the landscape is fluid and education remains paramount.

UNDERSTANDING FUTURE USE OF CENTRAL BANK DIGITAL CURRENCY

HOW DO YOU SEE THE FUTURE OF CENTRAL BANK DIGITAL CURRENCY?

Central bank digital currencies (CBDC) are being developed around the world, but they may end up looking rather different depending on the country. It comes down to what problem each country or currency area is trying to solve with their CBDC project. For smaller, developing economies, the key objective is often to increase financial inclusion and offer easy-to-use, low-cost digital payment services that previously may not have been widely available. For large, developed economies, the policy goal may be to improve the resilience of the digital economy by adding an additional payment rail or to consolidate a fragmented payment market.

It may also be that some countries decide not to move ahead with implementing a central bank digital currency. If the payment market is working well and good solutions are already in place, there may not be a strong case for a central bank digital currency. Nevertheless, most central banks are working on CBDC in one way or another, and it is likely that we will see several implementations in the next few years. It will make the overall retail payment landscape more diverse and offer new alternatives to the many payment services already on the market.

WHERE DO YOU ENVISAGE THE MOST POTENTIAL FOR BENEFITS AS CBDC ADOPTION INCREASES?

The key benefit may be to bring more people and businesses into the digital economy and to provide digital payment solutions to those who may not have had easy access to them before. In doing so, CBDC can act as a catalyst for the digitalization of the wider economy.

In my experience, this has been the mindset of most central bankers working on this topic.

Central banks do not wish to compete with commercial financial services providers but rather complement and support their services. Ideally, CBDC should be designed in a way that does not disrupt existing markets, instead filling market gaps which are currently underserved. In addition, they can provide the foundational infrastructure for other payment services by enabling instant settlement of payment transactions. This may be not what many had in mind when the concept first emerged, but as long as existing payment systems are being improved and clearly defined problems are being solved, it may not matter whether we call the solution CBDC or something else.

WHAT IMPACT COULD CBDC HAVE ON BALANCE SHEET AND DEPOSIT INFLOWS?

The idea of central bank digital currency was for it to act as a digital version of cash. As a result, central banks are trying to design it as a substitute for cash rather than a current account. Moving money from a bank account to a CBDC would be more akin to withdrawing money from an ATM, rather than simply transferring it to another bank – think of it like having an ATM in your pocket.

If a CBDC is primarily designed to function as a basic, cash-like payment instrument, it may not become a major problem in terms of attracting large inflows from bank deposits. We have seen from existing e-money products, for example, that these services have not had a large impact on bank deposits. Whatever the outcome, holding limits and transaction limits can be added to CBDC to mitigate the risk of large capital flows. Moreover, in addition to hard limits, it may also be possible to control the flow of funds by applying an interest rate to CBDC accounts. However, this risks complicating the system, and may not be necessary.

Customer Experience and Digital Banking USA is a brand-new event taking place in New York City this November. For more information, go to www.cefpro.com/cx-digital-usa

EVENT REVIEW: FRAUD & FINANCIAL CRIME USA 4TH ANNUAL | MARCH 16-17, 2022 | MANAGING THREATS

Q&A: Aleksi Grym, Head of Fintech and Principal Adviser, Bank of Finland

EVENT PREVIEW

RISK EMEA 11TH ANNUAL | 13-14 JUNE, 2022 | LONDON

TAKE YOUR PLACE AT EUROPE’S LEADING EVENT FOR THE FINANCIAL RISK INDUSTRY

CeFPro is celebrating the return of live events with our 11th Annual Risk EMEA Summit, taking place in London on 13-14 June, 2022. Attracting over 300 attendees, this two-day summit encompasses a packed agenda featuring expert presentations and lively panel discussions on key topics including emerging risks, regulation, and resilience. With unrivalled networking opportunities across both days, including a drinks reception, it’s an event not to be missed.

3 WORK STREAMS | 4 KEYNOTE SESSIONS | 60+ SPEAKERS | 7 HOURS OF NETWORKING | 300+ ATTENDEES

IN-PERSON NETWORKING

Attracting hundreds of like-minded risk professionals from across Europe, Risk EMEA 2022 is the ideal place to network, debate, and catch up with industry colleagues.

Our exclusive post-event drinks reception on day one, plus lunch and session breaks on both days, provide opportunities for valuable in-person interaction among delegates and speakers alike. Book your place today at www.risk-emea.com

ENHANCE YOUR LEARNING

Encompassing three workstreams across two days, Risk EMEA features no fewer than 46 different presentations and panel debates. With sessions ranging from ERM, Libor, and non-performing loans, to climate stress testing, digital transformation, and open banking, this event promises to deliver countless opportunities to increase your knowledge around the key risk trends for 2022 and beyond.

THREE INDIVIDUAL WORK STREAMS:

FUTURE OF RISK MANAGEMENT: Digital Transformation | AI & Machine Learning | Technology | Big Tech | Open Banking | Model Risk | Cloud | Cryptocurrency

NON-FINANCIAL RISK: Cyber Risk | Ransomware | Climate Risk | ESG | Fraud | Reputational Risk | Operational Resilience | Supply Chain Risk | ERM

FINANCIAL RISK: Inflation Macroeconomic View | Interest Rates | Credit Risk | Climate Stress Test | ESG Pricing | Liquidity Risk | Capital Frameworks | Credit Processing

KEY TOPICS: Business strategy | Market events | Market risk | Digital risk and control | People risk | Credit risk and capital management | Emerging risks | Resilience | Data governance | Stress testing | Vendor risk | Covid-19 | IRRBB | Net zero | Model risk | CBDC | Risk appetite | FRTB | Financial crime | Non-performing loans | Risk identification | LIBOR

MORE THAN 60 CROS AND HEADS OF RISK INCLUDING:

• Jeremy Arnold, Chief Risk Officer, NatWest Markets

• David Glendinning, Chief Risk Officer and Head of Risk US, Société Générale

• Jean Meter, Chief Risk Officer, BNP Paribas

• Katey Neate, Chief Risk Officer, Asset Servicing and Digital, BNY Mellon

• Jeff Simmons, Chief Risk Officer, MUFG Securities (Europe) N.V.

• Fabrice Brossart, Chief Risk Officer, General Insurance and International, AIG

• Hanna Sarraf, Chief Risk Officer, Starling International

• Sophie Dupré-Echeverria, Chief Risk and Compliance Officer, GIB Asset Management

• Nicola Crawford, Chief Risk Officer, National Bank of Kuwait

• Mark Chaplin, UK Life Chief Risk Officer, Aviva Plc

“I’ve been to other virtual events, but you can’t beat having everyone in the same room, networking and sharing ideas. It’s a great venue – there’s a real buzz and energy in the room.”

Tim Le Mare, Integrated Risk Director, Workiva

JOIN OUR SPONSORS

Raise your company’s profile in front of a risk-specific audience. Packages still available – contact chris.simou@cefpro.com for more information.

REGISTER NOW: View the full agenda at www.risk-emea.com

EFFECTIVE SPREADSHEET MANAGEMENT

ESTABLISHING A SOLID FOUNDATION OF ACCURATE DATA TO ENSURE COMPLEX MODELS AND CALCULATORS ARE REFLECTED IN CRITICAL BUSINESS DECISIONS

The Center for Financial Professionals, in partnership with Incisive Software, conducted an extensive research project to better understand the implementation levels of spreadsheet management programs across the financial services industry. The survey also aimed to review and provide clarity on the full range of benefits a spreadsheet management program can realize. The below is a snapshot of the final report and some key findings – to download the full report please click here.

EXECUTIVE SUMMARY

The benefits of using a spreadsheet management program are real. Companies that have gone down the path to implementation have received clear, measurable rewards, validating the investment made. For those that have not decided to implement one, it is important to review the key benefits in the full report. The clear and proven results outlined by current users should act as an influencer for future investment.

CURRENT STATE OF SPREADSHEET MANAGEMENT PROGRAMS

When asked to identify where they are in the process of implementing a spreadsheet management program, 32% of respondents are already implementing one, either fully or partly, 18% are not currently implementing a program but are seeking options, and 26% are not seeking to implement a spreadsheet management program.

EXPECTATIONS AND BENEFITS DELIVERED

Of those that have already begun implementation or are investigating options to do so, nearly 80% highlighted process efficiency and increased productivity as a key benefit. A further 69% cited increased confidence in data as a realized benefit of implementing a spreadsheet management program.

Successful enterprise organizations are built on a foundation of accurate data. Confidence in the results generated by complex models is essential to make shrewd business decisions. Often, these critical business decisions rely on data embedded in complex and highly specialized spreadsheets. Yet just one poorly managed spreadsheet, fat finger error, incorrect formula, or missed reference could expose an operational risk with the potential for significant financial and reputational losses.

Incisive Software provides spreadsheet management applications that empower enterprises to identify and mitigate spreadsheet risk, resulting in reduced risk exposure and improved data quality, allowing companies to trust the data that drives their business.

31% of organizations operate entirely manual spreadsheet management programs, with only 5% being fully automated

Efficiency, streamlining processes and systems, and reducing costs ranked as the highest expectations for implementing a spreadsheet management program

50% of organizations are implementing a spreadsheet management program (either fully or partly) or seeking options to begin implementation

Risk mitigation ranks as the biggest catalyst to starting a spreadsheet management program, with 71% rating this reason as either ‘significant’ or ‘most significant’

39% of organizations not implementing a program are ‘waiting for a problem to arise’ before initiating change

A WORD FROM THE INDUSTRY...

DEFINING NFR

Non-financial risk is an evolving term, encompassing traditional areas like operational risk while embracing emerging risks such as ESG. As such, its definition often provokes debate within the financial services industry. At CeFPro’s recent New Generation Operational Risk event, which took place this March in London, we asked some of the sector’s leading figures to share their definition of NFR…

NFR is an emergent, collective term for risks other than traditional financial risks (credit, market, liquidity). Its scope is therefore broad and goes beyond operational risk; it can include elements such as compliance, conduct, reputational, and strategic risk. Increased focus on these and other emerging risks like ESG demonstrate changing industry expectations; it’s no longer enough to just do things right, institutions must also do the right thing. This nascent term will continue to evolve, but although a convenient catchall, non-financial risk shouldn’t diminish the importance of effectively managing these distinct, interdependent risks – which can have material financial consequences.

The term non-financial risk is a convenient way to aggregate strategic and operational risks, and a lens through which to view the expansion of operational risk, with deeper focus on subcategories; for example, third party, resilience, technology, or conduct risk management. It also provides a convenient umbrella under which we can capture the growing number of non-financial risk ‘stripes’ and a banner under which better GRC practices can evolve.

I look at NFR as an evolution. The first capital that Basel wanted firms to set aside was against credit risk; then they created a category for market risk; and then finally, they realised they needed to think about operational risk. The focus was on financial risks for a long time; the quantifiable ones that are on your balance sheet. Non-financial risk is everything that doesn’t fit into that category. Operational risk is part of it, but it is much larger than that; all business and strategy risks are also part of non-financial risk. It’s about looking at things in a more holistic manner, rather than just through mathematical metrics.

Sean Miles

Associate Director, Risk CompareTheMarket

I define NFR by what it’s not – ie any operational or strategic enterprise risk that’s not credit, market, or treasury. It’s evolving to include wider issues like ESG and in the future, I expect it to cover the metaverse and fungible products.

Sean Titley

Director of Enterprise and Operational Risk Metro Bank

I define non-financial risks as the key risks that impact all organizations in addition to financial risks such as credit, market, liquidity, and capital risks. NFRs have included the impacts of the biggest events that have hit the world in recent years, including the pandemic, war in Ukraine, and climate change; for example, operational risks such as the impacts on people, physical security, and increased information security and fraud risks. In addition to operational risk, I would classify regulatory, financial crime, conduct, and legal risks as NFRs.

Registration is now open for CeFPro’s 7th Annual Vendor & Third Party Risk USA and Europe events (1-2 June, NYC/15-16 June, London). To book your place at the USA event, go to www.cefpro.com/vendor-usa To book your place at the Europe event, go to www.cefpro.com/vendor-risk

Model Risk Industrialization

Multiply your model validation workforce by 30% or more with automation

• Achieve a more efficient handoff process from 1st to 2nd line across ALL model types and methodologies

• Automate validation testing and flag potential findings

• Automatically draft a Validation Report based on automated testing

• Speed Annual Model Reviews (AMR) through automated production monitoring and AMR documentation generation

Govern and Scale Enterprise AI Initiatives

modelop.com
