PRMIA Intelligent Risk - April, 2021 by PRMIA Org

INTELLIGENT RISK knowledge for the PRMIA community

PROFESSIONAL RISK MANAGERS’ INTERNATIONAL ASSOCIATION CONTENT EDITORS

INSIDE THIS ISSUE

Steve Lindo

003

Editor introduction

Principal, SRL Advisory Services and Lecturer at Columbia University

005

PRM spotlight - Alex Khayat

Dr. David Veen

006

Securing endpoints amid new threats

Director, Evaluation Services - IT at Western Governors University

010

Building interpretable AI models: a model risk management challenge - by Ushasi Sengupta & Sanjukta Dhar

014

Corporate resilience and the pandemic - by Merlin Linehan

017

The COVID-19 pandemic: emerging risks to be aware of by Rupal Patel

SPECIAL THANKS

020

COVID’s impact on cyber and operational risks vs. corporate resilience - by Fatema AlSaad

023

Impact of the pandemic on global supply chains by Aleksei Kirilov & Valeriy Kirilov

028

Making sense of models: a parsimonious solution by Dr. Gary Nan Tie & Dr. Bob Mark

032

A risk manager’s journal of the plague year by Elisabeth A. Wilson & Sunil K. Kansal

036

Chapter spotlight: PRMIA Mumbai

039

Calendar of events

Nagaraja Kumar Deevi

Thanks to our sponsors, the exclusive content of Intelligent Risk is freely distributed worldwide. If you would like more information about sponsorship opportunities contact sponsorship@prmia.org.

FIND US ON

prmia.org/irisk

002

@prmia

Intelligent Risk - April 2021

editor introduction

Steve Lindo Editor, PRMIA

Dr. David Veen Editor, PRMIA

Nagaraja Kumar Deevi Editor, PRMIA

This month’s issue of Intelligent Risk continues the COVID-related themes of recent issues, with a focus on resiliency. The articles submitted by PRMIA Sustaining Members cover a variety of perspectives, ranging from how the pandemic has impacted operational risks such as cyber security and supply chains, to its impact on corporate culture, technology and the role of risk managers, as well as observations on the risks and opportunities of advanced risk modeling. As the pandemic begins to loosen its grip on the world economy and social practices, risk managers around the world are taking a step back from crisis management to evaluate what changes to expect in post- pandemic risk management standards, and how to acquire the necessary skills and expertise. We hope that you find the articles in this issue of Intelligent Risk as interesting and enjoyable to read as we did to edit.

Intelligent Risk - April 2021

003

our sponsor

Dell Technologies is a unique family of businesses that helps small business owners and entrepreneurs build their digital future and transform how they work and live. Dell provides customers with the industry’s broadest and most innovative technology and services portfolio spanning from edge to core to cloud. The Dell Technologies family includes Dell, Dell EMC, Pivotal, RSA, Secureworks, Virtustream and VMware. Through the partnership of PRMIA and Dell Technologies, members have access to an array of valuable benefits. These include exclusive discounts, dedicated Small Business Advisors & complimentary onsite technology consultations to help provide tailored solutions catered to your business needs. Visit www.dell.com/PRMIA for more benefit information.

004

Intelligent Risk - April 2021

PRM Spotlight – Alex Khayat As Chief of Portfolio Management & Financial Institutions, Alex Khayat has used his PRM™ credential to thoughtfully analyze potential investment opportunities. “The PRM has proven to be a very valuable asset for me in my role in investment management. Performance and risk analytics are an essential part of my job, and the knowledge gained through PRMIA has been a very important dimension in helping me develop a multi-faceted approach to investment analysis, management, and monitoring.” Alex credits the PRM case studies and overall in-depth training in risk as essentials for helping him develop new risk solutions and metrics on the job. “The learning enhanced my knowledge in risk management and provided me with round perspective on investment allocations and exposures. I have recommended the PRM Designation to others.” Completing the exam in just 12 months can feel like a very fast track to the PRM, but Alex found the materials provided by PRMIA comprehensive enough to prepare him to sit for the exam. “I spent evenings and weekends preparing, but it was worth it,” he added. Asked if he felt there were additional opportunities for him because of his PRM, he smiled. “It is a very good asset which allowed me to take on additional responsibilities throughout my career.” Today, Alex adds the PRM to his long list of credentials including CFA, CAIA, CMA, CFM and CIPM. He appreciates the sharing that occurs at risk conferences that brought the PRM credential to his attention and summarizes what the PRM means to him, “The PRM has broadened my perspectives.”

PRM™ Designation Holder Alex Khayat

Intelligent Risk - April 2021

005

securing endpoints amid new threats Giving employees the flexibility to be fully productive while working remotely makes it critical that businesses have endpoint security measures in place to prevent, detect and respond to the growing threat landscape while allowing employees the flexibility to work remotely. As IT leaders scan the horizon for the end of the COVID-19 pandemic, many are planning on a new normal with a far higher number of remote workers than ever before. While many companies and their employees will benefit due to higher productivity and a more flexible work style, a price must be paid in terms of protection. The spike in remote work due to COVID-19 has made defending endpoints more difficult – 84% of IT leaders say protecting a remote workforce is harder1. One likely explanation is the 148% increase in ransomware attacks on global organizations amid the pandemic outbreak2. What makes this a sobering statistic is that home office workers rely on email as their primary means of business communication, which has led to a 350% increase in phishing attacks3.

ongoing cyber security trends The sudden shift to remote work takes place against a backdrop of many troubling cyber security concerns, which are taxing the expertise of cyber security professionals. These include: 1. BIOS-level attacks – exploited vulnerabilities in hardware or silicon. When the BIOS is compromised, the attacker often remains hidden while the device has credentialed access to the network and data. 63% of companies have experienced a data compromise or breach due to such attacks4. 2. Advanced Persistent Threats (APTs) – sophisticated threats that often lurk silently as they gather behavioral information as a prelude to siphoning off valuable data. Victims may not realize for a long time – 108 days on average5 — that a silent attack has occurred. 3. File-based and fileless malware • File-based malware – usually file types with familiar extensions such as .DOCX and .PDF – the kind employees need to do their jobs. When a user opens the file, embedded malicious code is executed.

1 / “The State of DLP 2020,” Tessian. 2 / VMWare Carbon Black Blog, Patrick Upatham and Jim Treinen, April 15, 2020. 3 / The 2018 U.S. State of Cybercrime Survey. 4 / “Match Present-Day Security Threats with BIOS-Level Control,” A Forrester Consulting Thought Leadership Paper commissioned by Dell, June 2019. 5 / The 2018 U.S. State of Cybercrime Survey

006

Intelligent Risk - April 2021

• Fileless malware – usually a legitimate program that infects a computer. When the user launches such a program from an email, the fileless malware infects the computer and potentially the network, successfully evading many security technologies. 4. Nation-state-based attacks – typically from China, North Korea, Russia, and Iran. With the technological expertise and financial backing of such nation-states, attacks are often sophisticated and very damaging. However, many of these attacks exploit systems that lack the latest updates and patches. The FBI’s CISA unit sends out advisories regularly. 5. Cloud-based attacks – increasing as cloud-based collaborative and productivity applications replace desktop applications. With the use of more than 2,400 cloud services in the average enterprise, 93% of organizations are moderately or extremely concerned about cloud security6. Protection must include data loss prevention (DLP) and threat protection in the cloud. In addition, user authentication must be protected against spoofing, and data must be encrypted to and from the cloud. 6. Compliance regulations – aimed at protecting personally identifiable information (PII). To prevent PII from falling into the wrong hands and ultimately being used for identity theft, some industries have adopted stringent regulations carrying stiff penalties. These include HIPAA in health care, PCI-DSS in financial services and retail, and GDPR for companies doing business with European citizens. 7. Crippling risk – resulting from $6 trillion in cybercrime losses predicted in 2021, an increase from $3 trillion in 2015. Losses are due to damage and destruction of data, stolen funds, lost productivity, intellectual property theft, personal and financial data theft, post-attack disruption, reputational harm and more, according to Cybersecurity Ventures7.

rethinking endpoint security Endpoint security: Part of enterprise security Faced with a larger population of remote workers than ever, many of whom must handle sensitive data to do their jobs, IT leaders should assess the current state of endpoint security at their organizations. But rather than looking at endpoint security by itself, they should consider it as an integral part of enterprise security to implement protection in depth – and they should look beyond the endpoints to include storage, networks and cloud-based services. A holistic approach to creating “trusted devices” within the enterprise must take into account these factors:

Built-in Security Rather than rely solely on software to protect endpoints, a comprehensive approach calls for the use of trusted devices – end-user computing devices that implement security within the devices themselves. 6 / Cybersecurity Insiders Cloud Security Reports, 2018, 2019 7 / Cybersecurity Ventures, 2020

Intelligent Risk - April 2021

007

Such devices protect PII and play an important role with regard to regulatory compliance, should a device be lost or stolen. End-user devices should also include privacy screen technology, which limits the ability of coworkers and office visitors to view confidential information on a computer screen.

Protection above and below the OS Above the OS. IT needs visibility, monitoring, and data security, as well as threat prevention, detection and remediation. On-device encryption is also very important to meet compliance requirements, however, should not slow down performance to degrade user productivity. Below the OS. IT needs BIOS protection as well as chip authentication due to the frequency of attacks on firmware and hardware. A compromised BIOS can provide attackers with access to all data on an endpoint, including credentials, enabling attackers to move within an organization’s network and attack the broader IT infrastructure. AI and ML. With today’s increasingly sophisticated attacks, the use of artificial intelligence and machine learning in detection and remediation is essential for endpoint protection. By observing behavioral patterns, AI and ML algorithms can detect unusual activity that could indicate and prevent a breach. Secure Supply Chain. In the manufacturing process, it is possible for bad actors to introduce compromised components to enable a backdoor attack. Once embedded in a manufactured product, such components might enable a breach that could be extremely damaging and difficult to detect. It is therefore critical for both suppliers and manufacturers to implement stringent security measures at critical points along the supply chain.

conclusion The spike in remote work due to the COVID-19 pandemic increases danger across an already threat-filled cyber security landscape. A new, holistic approach to endpoint protection is needed. Rethinking endpoint protection starts with trusted devices that are protected both above and below the OS. Such a strategy also looks beyond the endpoints themselves to take an enterprise view of cyber security that includes servers, networks, cloud-based services and regulatory compliance. The Dell Trusted Devices portfolio embodies such a comprehensive approach. Dell endpoint protection spans the enterprise to include multi-cloud data protection solutions that can be delivered as software-defined and/or appliance-based solutions. Above all, Dell Trusted Devices enable users to remain highly productive by defeating increasingly sophisticated attacks in the new remote work paradigm. For more information around solutions, please see: https://www.delltechnologies.com/en-us/endpoint-security/index.htm

008

Intelligent Risk - April 2021

How do I lead in these turbulent times?

How can remote work help me and my business? How do I communicate business plans amid uncertainty? How should I handle difficult remote conversations with my customers and employees?

Uncertain Times Call for Trusted Facts. PRMIA Sustaining Members have complimentary access to The Wall Street Journal. Become a member today at www.prmia.org

building interpretable AI models: a model risk management challenge

by Ushasi Sengupta & Sanjukta Dhar introduction Steered by demand for automation, efficiency, and personalization and availability of intense and diversified data, financial institutions have started leveraging AI across the value chain. An IDC spending guide says that global spending on artificial intelligence (AI) is going to double over the next four years, reaching more than $110 billion in 2024.1 Not just in financial decision making, AI models are present across different touchpoints - customer acquisition, detection of fraudulent transactions, emotional analytics, and leveraging alternate (Alt-data) datasets associated with financial transactions. As organizations are adopting AI rapidly in various ways, the demand for nimble decisions and accuracy in machine driven complex decision-making is also growing. So does usage of black box AI systems. This, in turn, necessitates the need for fair decision engine that will help organizations protect their reputation and customer base from potential vulnerabilities of opaque decision models. These models, due to lack of interpretability, may have unprecedented financial implication as well as impact on goodwill. To avoid this, financial and risk models need to be reoriented such that they be more: 1) Transparent 2) Auditable 3) Analogous and 4) Explainable. To attain these attributes, institutions need to reimagine the traditional Model Risk management framework.2 The governance plan to ensure fair decision systems needs to span across model data & algorithm, model responses and business impacts. These new governance aspects of model risk management components will include: 1) Model oversight and Control 2) Model Outcome Validation 3) Model Data Validation. This article will explore various methodologies to reorient model risk management towards this desired state so that complex financial models can be made more interpretable.

1 / https://www.idc.com/getdoc.jsp?containerId=prUS46794720 2 / https://www.federalreserve.gov/supervisionreg/srletters/sr1107a1.pdf

010

Intelligent Risk - April 2021

black-box to white-box – looking at the checkboxes / critical attributes As mentioned above, an opaque decision engine needs to possess 1) Transparent 2) Auditable 3) Analogous and 4) Explainable traits in order to be transformed into a white-box model. 1. Transparent: A transparent AI model should be able to answer the audience the system functions i.e. how and why a system behaves in certain manner. Stakeholders of any AI model – developer and users – need to know about the model. Creating transparent AI models helps build an AI system with a clear understanding of its behavior and attributes. 2. Auditable – AI auditability ensures that an independent authorized user can validate model behavior across different use cases. This will help in periodic assessment of the model risk and reliability, by identifying consistency of decisions, responses in outlier scenarios, impact of marginal changes in broader ecosystem, and possible recovery recommendations. 3. Analogous – Outcome of a black-box model needs to be benchmarked with that of a similar white-box model. In this case, the white-box model could be a reference model with analogous outcome to validate the correctness. 4. Explainable – AI explainability describes different factors that contribute to AI decision systems. It can be broadly categorized into two broad sections – Pre-modeling explainability and Postmodeling explainability. a. Pre-Modeling Explainability – In a pre-modeling stage, data is the most important aspect. So, understanding data – meta data, data structure - data classification, summarization, clustering, and relationship play significant roles. Different methods such as EDA, K-means Clustering, and feature engineering help understand the dataset. b. Post-modeling Explainability – Post-model explainability is backward tracing of model outputs. One of the methods of post-modeling explainability is Shapley Score. It determines the marginal score of each parameter depending on their contribution. Sensitivity Analysis is another method that identifies parameter sensitivity by varying values and observing model outcome deviation.

re-imagining the model risk management components – our propositions As discussed above, institutions need to implement model risk management in a complex model ecosystem to ensure fair decision engine and a white-box AI system. The governance aspects are inter-dependent and span across a micro-level structure to the organization level macro oversight. As mentioned above, three pillars of the model risk management are Data Validation, Outcome Validation and Model oversight and Control.

Intelligent Risk - April 2021

011

Figure 1- Model interpretability value chain and its key components

1. Data Validation – This is part of the 1st line of defense of model risk management. Knowing data becomes very important as a model can carry forward the biasness of data set in its decisions. Specific business challenges can also arise due to an imbalanced data set. So, Data Validation needs to take care of data discovery, preprocessing and feature engineering. Let’s take an example of a Financial Lending model that classifies the credit worthiness of a customer, by analyzing a customer’s demographic (age, gender), financial (credit history, annual income), behavioral (criminal record, employment history), and biometric information. Data discovery or feature engineering intends to pick up the most critical parameter from the input parameters. So, in our case it can be credit history, age, and annual income. By analyzing data and understanding its pattern, a model can also decide on the algorithm to select. So, for identifying customers’ credit worthiness, the best out of Decision Tree/ Random forest/K-means clustering could be used as it is a classification (creditworthy or NOT creditworthy) problem. Thus, entire pre-modeling explainability comes under Data Validation purview. 2. Outcome Validation – Model outcome validation is part of both 1st and 2nd lines of defense of model risk management. Components of post-modelling explainability are part of model outcome validation. A model might face periodic decay due to data drift or concept drift. Governance aspects around Model provenance can be established to document the dependencies of various data sets, data lineage and their impact on model materiality. Also, sensitivity analysis, SHAP score can help model certify fit or re-calibrate if necessary.

012

Intelligent Risk - April 2021

3. Model oversight and control - Considering this wide spread of complex AI models, organization needs to define a set of model design criteria and periodic review and rating system through model oversight and control. The various tenets of overall model oversight are Transparency, Auditability, Explainability, Analogy, Accountability and Fairness. The model governance framework needs to be conceptualized and operationalized as per the interest of stakeholders and business. This article portrays an overarching framework of managing and remediating potential vulnerabilities of AI based financial black-box models. This opens avenues to probe further the internal layers of governance. In our subsequent discussions we will explore each of these individual components and governance aspects of their respective modules.

authors Ushasi Sengupta Tata Consultancy Services Ushasi Sengupta is a senior Research Analyst in corporate functions of Tata Consultancy Services India. Her responsibilities revolve around research insights and advisory, catering through the customer journey in the Banking and Financial Services value chain. She has been engaged in exploring new business opportunities and technology and industry trajectory. She is also enthusiastic about recent developments and technology risks in financial domain and has shared her thoughts through different publications.

Sanjukta Dhar Tata Consultancy Services Sanjukta Dhar leads the Risk and Regulatory Compliance practice of Tata Consultancy Services for Canada Geography. Sanjukta comes with 18 years of domain and technology experience across Market and Counterparty credit risk modelling, aggregation and reporting functions for major banking institutions. She has led and participated in many critical build-the-bank risk & regulatory compliance programs such as Risk finance Integration, FRTB Standardized approach, VaR Back Testing framework, BCBS239 and SR11/7. She is based out of Toronto and frequently writes/talks about applied analytical tools and techniques (Data Science, Machine learning, MLOps) in the Financial Risk management domain. Intelligent Risk - April 2021

013

corporate resilience and the pandemic

by Merlin Linehan The Dragonslayer App matches your personality to different travel experiences around the world to help select an ideal holiday. The App launched three months before Covid hit the USA, so its business model was quickly dead in the water. Rather than packing up, the founder refocused and relaunched the venture in September 2020 as a subscription-based service that gives travellers up-to-date information about COVID restrictions across the globe. The company had taken a radical approach and adapted swiftly to the new environment, demonstrating its resilience in the face of crisis. The global pandemic was the crisis that no one could avoid. Corporate resilience was tested as businesses were squeezed in many directions: loss of demand, supply issues, and workforces facing sudden mass remote working. But how has corporate resilience evolved over the course of the pandemic to deal with a business landscape which has moved a decade in a single year?

McKinsey survey A McKinsey Survey of 300 executives found that half of the respondents reported that COVID exposed weaknesses in their companies’ strategic resilience and that business model innovation was the most effective response. Over 60 percent of the respondents felt that these innovations would last beyond the crisis. Interestingly, 42 percent felt it had weakened their position, while only 28 were in a stronger position. Companies that were in the right sectors such as online retailers, software firms and pharmaceuticals enjoyed a boom, whereas companies in the vulnerable sectors such as energy, retail and transportation were hardest hit.

traditional retail Two stories from the retail sector demonstrate how agility and adaptation can be the difference between success and failure. Traditional retail was one of the hardest hit sectors in the pandemic; busy high streets were left desolate, and shops shuttered. 014

Intelligent Risk - April 2021

Retailers without a significant online presence faced ruin. In the UK, household name, Debenhams, dependent on physical shops and so unable to reach its customers filed for bankruptcy. In contrast, another traditional retailer Mars Petcare innovated quickly during the pandemic by moving beyond traditional lines of dog food and pet products to providing animal telemedicine. Telemedicine is a field that has shot to prominence in the last year. Mars Petcare demonstrated it is not just for humans, as it helped many veterinarians shift online to treat patients.

hybrid working As the world looks gingerly towards a post-COVID world, hybrid working has appeared as a term, which promises to make organizations more resilient. In theory, a more dispersed organization (with staff split between office and home) will reduce dependence on physical buildings, and more flexibility could result in a more contented workforce. However, hybrid working at this new vast scale is untested. Many workers have to adapt to new technology and another change in working practices. In addition, there is a potential conflict between those who favour working face-to-face and those who prefer technological solutions.

the lessons of the pandemic The pandemic has provided a number of lessons for organizations striving for resilience. The companies that are adaptable, agile and understand risks will thrive in the future. As Microsoft CEO Satya Nadella commented in 2020; “We’ve seen two years’ worth of digital transformation in two months. The quarter is the new year, and the fastest will win”. Adaptability: Organizations can change processes, structures, and business models, or design them with maximum flexibility in order to adapt to new circumstances. For this to work, the organization needs to have a willingness and desire to learn from mistakes and evolve through trial and error. In a similar vein, volatility and exposure to stress, rather than seen as a negative should be viewed positively. The experience of this (unless taken to an extreme) will help the organization face the future. Adaptability can come at the price of stability. Agility is usually easier for a startup like DragonSlayer but much more difficult for a vast lumbering multinational. Understanding Risks: Many firms in the software, online delivery, and pharmaceutical sectors did well during the pandemic, but that does not mean they will thrive in another crisis. In fact, their success may blind them to risk in the future. Identifying and prioritizing risks as they appear is critical for a resilient organization. Organizations should be asking what risks will appear in the future, how they will play out over time, and are we equipped to respond effectively to these threats as they appear. Intelligent Risk - April 2021

015

Businesses should employ horizon scanning and identify key emerging risks that will affect them in the future. Adopting the precautionary principle: Murphy’s Law states, “If anything bad can happen it probably will.” This pessimistic view was borne out by the evidence; most people have a bias towards optimism and a tendency to ignore even obvious risks. For example, the World Economic Forum Global Risk report has been warning of a global pandemic for many years. Inadequate planning in many western countries has created an opportunity for this threat. Businesses can adopt this principle through contingency planning across business units and stress testing of their activities for weaknesses. Business units should draw up contingency plans and test these in live scenario exercises. Of course, these measures are often time consuming and disruptive, but increasingly organizations will have to adopt them if global crisis and widespread systemic change continues to be the norm.

author Merlin Linehan is a Risk Manager at the European Bank for Reconstruction and Development. He works in the Risk Department focusing on Crisis Management and Business Resilience. His focus in the last year has been the Crisis Management Team, which has guided the Bank through the COVID-19 crisis and now planning the safe return to their offices. In response to the pandemic the Bank has shifted to remote working in the UK and across 40 different countries of operation in Eastern Europe, Central Asia and the Southern Mediterranean.

HAVING

PRM AFTER YOUR NAME IDENTIFIES YOU TM

AS AMONG THE

best in the profession

ENHANCE YOUR PROFESSIONAL CREDIBILITY www.prmia.org

APPLY NOW

the COVID-19 pandemic: emerging risks to be aware of

by Rupal Patel More than a year since the pandemic surfaced, financial services firms are beginning to take stock. Ecosystems have fundamentally changed, as have working practices and the operational risks that require scrutiny. Now is the time for firms to rethink how they are impacted by altered and emerging risks, as well as consider how they should be measuring, managing, mitigating, or transferring them. Last but not least, firms need to focus on building operational resilience into processes that could be impacted by these risks. Here we consider five risks that are now at the forefront of non-financial risk (NFR) management:

cyber risk The financial services sector is being hit hard, according to the Bank for International Settlements1. Financial criminals have adapted quickly to pandemic conditions, shifting to a more digital focus almost overnight to capitalize on more people being online. The transition to working from home (WFH) is also a significant driver for the rise in cyber risk. A recent survey of financial institutions by the Financial Services Information Sharing and Analysis Center (FS-ISAC) found a substantial rise in phishing, suspicious scanning and malicious activity against webpages through which WFH staff access the network 2. Firms should reformulate cyber strategies fast to boost defenses and improve resilience. Also, boards and senior management should be demanding internal cyber risk and control metrics, as well as external industry benchmarks, that are driven by data and expressed in business language, not technical jargon.

process risk Despite Microsoft CEO Satya Nadella’s now famous comment, “We’ve seen two years’ worth of digital transformation in two months,”3 many manual processes still remain within financial services, and they are failing more frequently as a result of WFH arrangements. So, investment in digitization and intelligent automation should be on the agenda, to support business as usual and boost operational resilience. Firms should reconsider the controls they have in place to detect or prevent a process breakdown, but they should focus on quality not volume.

Intelligent Risk - April 2021

017

For example, looking at front office controls inventories, by benchmarking on a peer-to-peer network, toptier global banks have been able to reduce the number of controls they have in place by 62% on average4.

conduct risk Financial services regulators are raising the alarm about conduct issues such as market abuse. They are worried that WFH Sales and Trading teams have been communicating with clients on unauthorized, untracked platforms, or exchanging material non-public information. Internal fraud is also a growing concern, especially around government loan schemes. Since COVID-19 emerged, 60% of data-driven risk intelligence requested by firms has been conduct risk-linked, with a spike at the height of the first lockdown, with traders working from home and clients needing increased collaboration5. A new approach to technology, surveillance and control frameworks is required to better support the challenges of remote working and create an enterprise-wide risk culture that supports operational resilience.

compliance risk A significant outcome of the pandemic is the phenomenon of ‘regulatory debt’ – a liability that comes in two forms. First, in the early days of the pandemic, financial supervisors around the globe indicated they would be temporarily lenient around enforcement of certain rules, so that financial firms could continue to operate. Initially, regulators eased recording requirements, which presented significant challenges for some firms. Now, these rules are being reinstated, and firms must be able to evidence compliance. Second, regulators are beginning to make up for lost time when it comes to rulemaking and implementation. Regulatory change in areas such as operational resilience, third party risk management, and even operational risk itself are set to accelerate in the coming months and years in many jurisdictions around the globe. Firms need to address these compliance risk issues in a strategic, data-centric way to ensure compliance and avoid punitive sanctions.

reputational risk All financial firms are navigating challenging waters. According to a survey by the UK Financial Conduct Authority (FCA), 4,000 financial services businesses operating in the UK are now at risk as a result of the pandemic6. Firms must carefully consider how they treat and manage customers, investors and third-party suppliers they engage with. Boards and senior managers should also consider their individual reputations. New personal accountability rules such as the UK’s Senior Managers & Certification Regime (SM&CR) could impact them if they fail to “take such steps as a person in their position could reasonably have been expected to take to avoid the contravention occurring or continuing.” As a result, they should seek better quality and timelier metrics around risks and controls to keep not just their firms, but themselves covered. 018

Intelligent Risk - April 2021

what has the world learned? In short, although financial firms have experienced a year of dramatic change in their operational risk profile, more evolution is to come. All financial institutions must take stock of their non-financial risks and consider how the fallout from the pandemic may continue to impact their resilience. This means revisiting their operational risk frameworks and quantifying operational risk to build operational resilience – much as they have done with market and credit risk in the past.

references 1. https://www.bis.org/publ/bisbull37.pdf 2. https://www.bis.org/publ/bisbull37.pdf 3. https://www.microsoft.com/en-us/microsoft-365/blog/2020/04/30/2-years-digital-transformation-2months/ 4. Acin Network data 5. Acin Network data 6. https://www.ft.com/content/fdcfd4db-0eb9-46c2-9918-2f1a5a3e8972

author Rupal Patel Rupal Patel is the Network Engagement and Insights Lead at Acin, specialising in digitising non-financial risk management across financial services. She has extensive experience at Tier 1 Banks, with expertise in Front Office, Finance and Operational Risk and has successfully tackled topics ranging from supervision to regulatory questions on the design and creation of risk frameworks. Rupal is passionate about non-financial risk management (NFRM) and has the experience, understanding and sensitivity to leverage data, digitisation and industry collaboration to solve client challenges across all functions. Rupal is also founder of the ‘Women In Risk and Control’ initiative which is supported by Acin to positively impact gender diversity at senior levels within NFRM.

Intelligent Risk - April 2021

019

COVID’s impact on cyber and operational risks vs. corporate resilience

by Fatema AlSaad “COVID-19 is a black swan”: a statement we have been hearing ever since COVID-19’s impact materialized after the first quarter of 2020. The impact of this pandemic on our lives, businesses and the way work is being conducted has been far beyond the world’s expectations. Unlike the 2008 Financial crisis, COVID-19 impacted all sectors and business models and increased most financial and non-financial risks. This article will focus on the impact on cyber risk and will discuss how proper corporate resilience can aid in meeting the challenges posed by the pandemic.

COVID-19 and cyber risk In an interview with the New Yorker conducted in April 2020, Nassim Nicholas Taleb, Distinguished Professor of Risk Engineering NYU Tandon School, published “The Black Swan”, proposed antifragility in systems, that is, an ability to benefit and grow from a certain class of random events, errors, and volatility. Professor Nassim said, “The great danger has always been too much connectivity”1. Today, almost a year since his interview and more than a year into the pandemic, we have seen that the vulnerability of the world to a global crisis has actually increased due to the increasing global connectivity. COVID-19 that first erupted in Wuhan, China ultimately resulted in cybersecurity breaches worldwide. As employees started working remotely, they started using technologies they are not used to. That has become the new normal. Cyber-attackers saw this as an opportunity to exploit the employees working from home and their interest in coronavirus related news. In fact, in Switzerland, one in seven survey respondents said that they had experienced a cyber-attack during the pandemic. According to swissinfo.ch, there were 350 reported cyber-attack cases in Switzerland in April 2020 as against the norm of 100-150 cases. Furthermore, in July 2020, the City of London Police reported that since January 2020, losses due to COVID-19 scams reached GBP 11 million. Hackers were also able to gain access to the different video conferencing services to steal the personal data of the users and obtain confidential information. This information is then being sold or made available to the public in order to damage the company’s reputation2.

1 / Bernard Avishai, 2020. “The Pandemic Isn’t a black swan but a portent of a more fragile global system”. The New Yorker (Daily Comment). 2 / Nabi, C., (N/A). “The Impact of COVID-19 on Cybersecurity”. Available on https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html.

020

Intelligent Risk - April 2021

operational risks For banks, the changes to policy due to regulatory expectations from various regulatory agencies in EU and UE, with change in requirements to defer payments posed new challenges: customer service employees were not well informed about the technicalities and charges associated with these deferments. Not to mention that the IT systems were not well equipped to deal with such changes which caused numerous errors (double charging, wrongful loan installment deductions, etc.). This caused confusion and delays for the customers and negatively impacted the banks’ reputation. Furthermore, companies limiting themselves to one or two vendors faced increased supplier risk and to avoid future third party or fourth party risks. Those businesses reliant to certain geographical locations industries such as tourism - suffered tremendously.

was your company resilient enough? The world knew about COVID-19 ever since its outbreak in Wuhan and spread in China. However, companies on the other side of the world did not start planning responses. In fact, the SARS outbreak in the early 2000s should have made the world more prepared for a pandemic outbreak. This highlighted the fact that most Boards of Directors would prefer not investing large amount of money in order to control major catastrophic risks with low probability of occurrence3. Companies with an environment that judge performances on the short term were the ones that suffered the most. Business Continuation Plan (BCP) and Incident Response Plan (IRP) should be holistic, flexible, and constantly updated – without having to wait for quarterly or semiannual meetings or going through rigid processes. Unfortunately, for most organizations, both BCP and IRP proved to be inadequate or even nonexistent for dealing with a pandemic4. To maintain a resilient business, we need a system that senses what is happening in real time and allows us to take early actions before a risk escalation. Therefore, a more dynamic BCP and more of “sense and respond” Enterprise Risk Management (ERM) philosophy. The below figure shows the three aspects needed in this evolution5:

3 / Texeira T., Milanese S., Beard M., Salvador E. and Eagar R. (2020). “Risk: Strengthening business resilience after COVID-19”. PRISM/2/2020. 4 / Deo P., Raj G. and Perumal R. (2020). “How COVID-19 is Dramatically Changing Cybersecurity”. TATA Consultancy Services. 5 / Texeira T., Milanese S., Beard M., Salvador E. and Eagar R. (2020). “Risk: Strengthening business resilience after COVID-19”. PRISM/2/2020.

Intelligent Risk - April 2021

021

companies cultures and grey rhinos COVID-19 should have been treated as a ‘grey rhino’ rather than a black swan: highly obvious and probable but neglected6. Most companies proved that they were ill equipped to deal with such probability. Focusing on building a firm with strong cultures while focusing on discipline in processes, controls and continuity plans as well as supporting this culture by adequate systems will promote resilience and ensure the firm’s survival with fewer challenges.

author Fatema AlSaad became a certified Professional Risk Manager in 2019. She holds a Master of Science in Risk Management from University of Southampton, UK. Fatema is currently holding a Senior Risk Manager position in the Bank of Bahrain and Kuwait which is the second largest local bank in The Kingdom of Bahrain. Fatema is handling many projects within her bank and department such as the IFRS9 Expected Credit Loss system, ICAAP and Stress Testing. She has worked in both Market Risk Unit and Credit Risk Unit gaining experiences in both aspects.

6 / Moore, S. (2020). “Recasting Operational Risk in COVID-19”. Available on https://www2.deloitte.com/au/en/blog/covid19-blog/2020/recasting-operational-risk-covid.html

022

Intelligent Risk - April 2021

impact of the pandemic on global supply chains

by Aleksei Kirilov & Valeriy Kirilov highly vulnerable to a pandemic Over the past 20-30 years, there has been a global redistribution of production capacities in the world due to the deepening division of labor and specialization of certain regions and countries. The global economy has become highly interconnected due to supply chains. These supply chains have made it possible to significantly increase the efficiency of the world economy. But they have created new problems. The past year has shown that global supply chains are extremely vulnerable to a pandemic. At all stages of the production of a particular product, from the procurement of raw materials to the delivery of the finished product to the end consumer, a lot of bottlenecks have appeared randomly, preventing normal operations. This has caused disruption to the production processes of many enterprises and prevented business continuity. That is, it has caused operational risks. The importance of supply chain continuity for American companies has been discussed at the highest level. Remember that, at the end of February, President Biden signed an order to conduct a review of supply chains of critical materials for American industry1.

pandemic-induced shift in trade patterns Due to the introduction of quarantine measures in Europe since the spring of last year, there has been an intense increase in consumer demand for a number of goods which are mainly produced in Southeast Asian countries, such as computers, tablets, TVs, and chips. On the other hand, the production of export goods in Europe and the demand for these goods in Asia fell dramatically. Therefore, there is an excess of ships in the ports of Europe, and in Asia there is an acute shortage. This led to supply disruptions and delays, and a sharp change in the cost of freight on these routes. Figure 1 shows the change in freight costs from Southeast Asia to Northern Europe and vice versa. Data was kindly provided by the Freightos Group https://fbx.freightos.com.

1 / Executive Order on America’s Supply Chains, THE WHITE HOUSE, February 24, 2021, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains

Intelligent Risk - April 2021

023

Figure 1

Fig 1 shows the cost of transportation from Southeast Asia to Northern Europe has more than quadrupled. This situation disrupted the operation of supply chains, led to disruptions and delays, that is, to the realization of operational risks.

effect on prices Let’s see how this affected the price changes for some commodities during the pandemic. From our point of view, the dynamics of changes in prices for commodities can serve as an indicator of the functioning of global supply chains. We selected the following commodities for analysis: soybeans, lumber, iron ore and aluminum. The data used was from January 1, 2020 to February 20, 2021. The resource https://www.investing.com was used as a source of price changes for these commodities. The largest volume of transoceanic soybean shipments occurs on the US - China route. Therefore, soybean prices were compared with the change in freight costs from the US West Coast to Southeast Asia. Parameters change graphs are shown in Figure 2. The largest aluminum producer in the world is China. China produces more aluminum than all other countries in North America and Europe combined. Aluminum prices were compared with changes in freight costs from China to the US west coast. The graphs are shown in Figure 3. Figure 2

024

Intelligent Risk - April 2021

Figure 3

Prices for soybeans and aluminum correlate well with changes in freight costs in the respective direction over the time period under consideration, see Table 1. Table 1

During the quarantine restrictions, the demand for aluminum could not increase significantly. However, as we can see, its price has grown noticeably. It can be assumed that the change in world prices for soybeans and aluminum from early 2020 to February 2021 was largely dependent on the terms of delivery of these commodities. The analysis of changes in the prices of lumber and iron ore used rail transportation data in the United States. Namely, traffic volume data presented on the website of the Association of American Railroads: https://www.aar.org/. The volume of transportation of this type of commodities was used as a criterion for the analysis. And the number of cars was used as a measure of the volume of traffic. Figure 4 shows graphs of changes in the price of lumber and the volume of transportation. Figure 5 shows graphs of changes in the price of iron ore and the volume of transportation of iron ore and steel, since the Association of American Railroads does not provide data on the transportation of only iron ore. Figure 4

Figure 5

Both figures show the difference between cumulative traffic in 2019 and cumulative traffic in 2020. Thus, the graphs actually show how much traffic fell during the pandemic. As can be seen from the graphs presented, the prices for lumber and iron ore correlate well with the decline in traffic, as demonstrated in Table 2.

Intelligent Risk - April 2021

025

The decrease in the volume of transportation of the commodities profiled here can be explained by the emergence of many micro-bottlenecks at all stages of production and delivery of these goods to the final consumer. As a consequence, the price of these commodities on the exchanges rose in response to the decrease in supply.

industries most affected Due to disruptions and delays in chip supply chains, major car manufacturers in the US and Europe have been forced to scale back or, in some cases, even suspend production. In some regions, there have been problems with the supply of medicines and food. Global supply chains have proven unable to ensure uninterrupted supply in the face of the pandemic. As a result, many companies, even large ones, have been unable to maintain their production processes and are unable to ensure the continuity of their business. This has been especially evident in companies that adhered to the “just in time” approach. The lack of significant stocks of materials and components in the context of a supply cutoff led to an immediate halt in production or services.

what risk managers can do Supply chain managers and risk managers need to develop algorithms to prevent such situations or reduce their negative consequences. The most obvious, and at the same time the most costly, are the duplication of supply chains and the creation of reserve stocks of materials and components in companies. Other alternatives in some cases could be insurance or changing pricing approaches. Let us consider these options briefly. Supply chain duplication in transoceanic transport is often difficult or impossible to achieve. Reserve inventory also does not solve the problem, as it is difficult to imagine a profitable business stockpiling several months in advance. Insurance can compensate partially or completely for the losses of a particular company in some cases. But insurance will not be able to get the supply chain to working again. And in the face of a prolonged pandemic, insurance companies sometimes refuse to renew insurance coverage for their clients2. Raising prices also does not solve supply chain problems. For example, prices for the commodities discussed above are determined on exchanges.

conclusion The task of ensuring business continuity in the face of disruption to supply chains does not have a universal solution. Risk managers need to prepare individual proposals in each specific case, develop a limit policy in relation to individual suppliers and delivery methods, analyze stress testing scenarios, specify the number and location of manufacturing sites, and determine the appropriateness of insurance. 2 / Duncan Mavin, Julie Steinberg and Margot Patrick. Long Before Greensill Imploded, Credit Suisse Saw Danger. The Wall Street Journal, March 4, 2021, https://www.wsj.com/articles/long-before-greensill-imploded-credit-suisse-saw-danger-11614869809?mod=djemMoneyBeat_us

026

Intelligent Risk - April 2021

They also have to evaluate different solutions in terms of the ratio of potential losses and the cost of protective measures, based on risk appetite. Probably in the medium term, as a result of the pandemic, the configuration of supply chains will gradually change to increase resilience, just as the sectoral structure of the American stock market is gradually changing due to the pandemic, as noted in our earlier article3. In conclusion, it should be emphasized that 2020 showed the need to improve supply chain risk management, both for companies and for governments.

authors Aleksei Kirilov Partner, Conflate LLC Conflate is a Russian management consulting company specialized in strategy, risk management, asset management and venture investment. As the partner of Conflate, Aleksei is responsible for asset management and venture investment. He specializes in the US stock and debt markets. Aleksei has more than 15 years of experience in financial services including development of financial strategy and financial KPI, liquidity management; controlling system, allocation of expense on business unit, financial modeling and debt finance. He has cross industries experience: banks, oil & gas manufacturing, real estate. Aleksei has an MBA from Duke University (Fuqua School of Business), a financial degree from Russian Plekhanov Economic Academy and an engineering degree from Moscow Engineering Physics Institute.

Valeriy Kirilov General Manager at Conflate LLC Valeriy is the General Manager at Conflate LLC. He has 15+ years’ experience in risk management and management consulting (BDO, Technoserv, then at Conflate). Besides he previously worked in the nuclear power industry (safety of Nuclear Power Plants). Valeriy has an MBA from London Metropolitan University as well as a financial degree from Moscow International Higher Business School MIRBIS and an engineering degree from Moscow Engineering Physics Institute. He holds the PRM and FRM certifications and the certificate of Federal Commission for Securities Market of series 1.0. Valeriy was a member of the Supervisory board of the Russian Risk Management Society in 2009 – 2010.

3 / Aleksei Kirilov, Valeriy Kirilov. Change in the sectoral structure of the American stock market due to COVID-19 as an additional risk factor. Intelligent Risk (PRMIA), November 2020, https://issuu.com/prmia/docs/intelligent_20risk-oct_202020-issuu

Intelligent Risk - April 2021

027

making sense of models: a parsimonious solution

by Dr. Gary Nan Tie & Dr. Bob Mark models shape decisions We all need to understand how scientists, economists and doctors use models. This is especially true today since models are used to guide our public health policy for pandemics, and we are in the early stages of receiving vaccinations against the SARS-CoV-2 virus1. A subway map, a wind tunnel aircraft mockup, an architect’s virtual preview are simple examples of models. A more sophisticated model consists of mathematical distillations of relevant features of a problem that we want to solve. Mathematical models guide us in understanding and predicting actual behavior for the purpose of making a decision. In particular, a mathematical model is a flexible mechanism which is adaptive and enables inference which: • can explain and predict phenomena • is consistent • can be vetted • is reproducible • can be updated upon

arrival of new information • allows us to extrapolate • articulates our risk performance • can be perturbated and stress tested

• permits ‘What-if?’ investigation • allows comparison with alternative views • guides rational decision making

Mathematical models enable both qualitative and quantitative reasoning. Quantitative reasoning endeavors to numerically estimate a quantity along with how much give and take there is in an estimate. Qualitative reasoning typically describes how networks of relationships interact with one another, inferring possible cascades of consequences that are directionally correct but not necessarily temporally or quantitatively accurate. Qualitative models may arise, for example, because of a lack of data to parameterize a model but their logic is nonetheless useful.

1 / As we go to press, more than 245 million doses have been administered across 107 countries, according to data collected by Bloomberg. The latest rate was roughly 6.79 million doses per day. See https://www.bloomberg.com/graphics/covid-vaccine-tracker-global-distribution/ 2 / See Nan Tie, G. & Mark, B., Sept 2020,’Parsimony;’A Model Risk Paper’, PRMIA Institute

028

Intelligent Risk - April 2021

what is a parsimonious model We had touched upon the difference between statistical dependence and causation in our parsimony paper but it’s worth reminding ourselves of the ramifications. Anecdotally, we can observe the correlation between the kitchen barometer and the weather outside. We all know that changing the barometer does not change the weather3. Selecting a germane model which informs us in the context of decision making under uncertainty calls for a model that faithfully describes historic behavior and is robustly predictive. Moreover, the model needs to be neither too simplistic nor overly elaborate but be just right4! Experts need to be able to clearly communicate model results. A layperson does not need to know how the watch was made in order to tell the time. Most can relate to receiving some medical test results and asking ourselves ‘Is this good or bad?’ Some steps for better communication of model results include: 1. Provide intuition, by analogy or simple example. 2. Stress the significance of results. How concerned should we be? 3. Put things in perspective. Relative to other risks, where is this? 4. Are the results actionable? What do we do with this information? 5. Give a recommendation with caveats and describe how one arrived at this conclusion. We now explore in more detail the notion of parsimonious model selection that is fit for purpose5. Models are used to explain data as well as to make predictions. Data is usually collected from observations or experiments. Associated with each data point is a label value or outcome. Put another way, each input is associated with an output. The prediction problem is to construct a function from inputs to outputs which behaves reasonably on existing inputs and will make plausible predictions of outputs on as yet unseen inputs. The reasonableness and plausibility are where parsimonious model selection comes in. A regression problem is one in which the output values are from an interval, for example numbers between 6.5 and 29. When the output values are a discrete handful, like 0 and 1, we call this a classification problem. Notice the quantitative nature of regression (we care about the precision of the output) and the qualitative nature of classification (we care about the correctness of the output).

3 / In general, we could estimate observational probability p where p(Y |X = x) is the distribution of Y given that we observe X taking on the value x. We can jointly observe X and Y at random times to estimate p(Y| X) = p(X,Y)/p(X). Y and X are statistically dependent but Y is not necessarily caused by X, so setting X to x may not affect the distribution of Y. 4 / Ibid Nan Tie, G. & Mark, B, ’Parsimony, A Model Risk Paper’ 5 / For example, in the commons problem we can ask fit for whom?

Intelligent Risk - April 2021

029

Moreover, in terms of fitness for purpose, many machine learning applications naturally fall into either regression or classification type problems. Machine learning algorithms typically construct the best fitting function from inputs to outputs from a given class of functions6. So, although we can explicitly describe what the algorithm is doing, we may not necessarily have intuition about the resultant function chosen. Communication of model results can begin with narratives such as analogies and heuristics. The narrative should be followed by a summary analysis of the algorithm giving perspective and context. In particular, the analysis should highlight the significant differences to alternative approaches with numerical examples demonstrating the sensitivity of results to perturbation, and conclude with recommendations, caveats, and applications.

lockdown – a parsimonious example To illustrate these ideas, suppose for example our purpose was to understand the economic impact of potential interventions to temper the number of people infected with the coronavirus, so as not to overwhelm hospitals. There is a spectrum of risk. One extreme is do nothing, the epidemic spreads exponentially, hospitals are overwhelmed, and many die as a result of lack of hospital beds and ventilators. The other extreme is a prolonged lockdown, people lose their jobs, demand for goods decline, businesses fail, and a recession sets in. Neither risk is desirable, perhaps there is a middle ground, because the health of people and economic prosperity are linked. For example, too many sick employees reduce the workforce and productivity. What if core workers were allowed to keep the economy alive and non-core workers temporarily locked down to reduce the spread of infection? Fortunately, authors at Cambridge University in partnership with two researchers at the US Federal Reserve7, combined macroeconomics with aspects of epidemiology in a model to study the economic consequences of social distancing. They found there is no absolute tradeoff between the economy and human health. It is possible to have your cake and eat it too. A parsimonious model allows you to make an optimal decision in advance to avoid adverse outcomes as opposed to an afterthe-fact seat of the pants knee jerk reaction. A structured lockdown is smart by parsimoniously balancing economic and health intervention. Yes, all models are wrong in the sense they are representations of reality. Nonetheless, they are useful in making policy. Smart lockdowns are possible. It is not a binary choice.

what we can do The scientific method of systematic observation, measurement, and experiment, and the formulation, testing, and modification of hypotheses as new information becomes available also applies to mathematical modeling.

6 / For the technically inclined, the Representer Theorem. 7 / Bodenstein M., Corsetti, G.and Guerrieri L., 2020, ‘Social Distancing and Supply Disruptions in a Pandemic’, Cambridge-INET Institute Working Paper Series No: 2020/17

030

Intelligent Risk - April 2021

As new data arrives, we can update or rethink models. So, all models are provisional and how we select a model fit for purpose is on the basis of parsimony. As we pointed out earlier, not too hot, not too cold, but just right is the key to finding a parsimonious solution. Mathematical models are being used to make decisions, sometimes on your behalf without your knowledge. We all need to be savvy consumers and educate ourselves by critically asking questions, scrutinizing evidence, examining chains of reasoning, checking that model selection is parsimonious and fit for purpose, appreciating whether model results are qualitative or quantitative and most importantly realizing model results are provisional. Things change, as can our minds!

authors Dr. Gary Nan Tie Mu Risk LLC Dr. Gary Nan Tie engages in cross-disciplinary mathematical research, discovering connections across disparate fields to bring new insight in bridging theory with practice. In the beauty of nature there is wisdom. Always the beginner’s mind!

Dr. Bob Mark Managing Partner, Black Diamond Risk Enterprises Dr. Bob Mark serves on several boards, led Treasury/Trading activities and was a Chief Risk Officer at Tier 1 banks. He is the Founding Executive Director of the MFE Program at UCLA, co-authored three books on Risk Management and holds an Applied Math PhD. Bob is a cofounder of PRMIA and GARP Risk Manager of the Year.

PRMIA Sustaining Members are invited to read more on this topic by downloading the complete paper Parsimony – A Model Risk Paper. If you are not currently a Sustaining Member and would like a copy of the paper, join now.

Intelligent Risk - April 2021

031

a risk manager’s journal of the plague year

by Elisabeth A. Wilson & Sunil K. Kansal abstract The aim of this article is to share the key learning experiences from the challenges presented by COVID-19 that Risk Managers have had to accept and live through.

how it all begins Last New Year’s Eve, one of us proposed a toast, a final farewell message to 2020. It was brief and succinct. It was heartfelt. And it was worded in the strongest possible terms. Our grandmothers would have blushed. But like everyone (who may have toasted out the old year in a similar fashion), we despised 2020—a year so terrible it felt like it actually encompassed two years, with the month of March serving as the great divide between the normal, daily grind and the dissent into a dystopian hell. Great change often fosters great upheaval. The COVID-19 Pandemic has not only ushered in the most striking physical and mental health crisis of our age, but it has caused widespread

concern and economic hardship for consumers, businesses, and communities across the world. One of the immediate effects of the pandemic felt by the banking industry triggered from retail clients, and then, slowly, credit risk stemming from corporate clients materialized. The pandemic necessitated that banks make liquidity assistance available quickly and readily to their clients to keep them afloat. The challenging task was how to ensure related processing times were kept at a minimum, customers did not face any hardship, information could be exchanged electronically, all while ensuring internal controls were not bypassed.

risk challenges presented by the situation As we mentally prepared for ever more depressing news to come on the television, it struck us that, suddenly, we all now had to conduct our day-to-day work from home. Abruptly, the banking operating model was in dire need of change, such as the re-configuration of tasks, processes, and management of the remote workforce, to address and meet the services customers expected banking institutions to deliver.

032

Intelligent Risk - April 2021

Now the entire banking industry had to rely heavily on technology. Of course, all those institutions that had already invested heavily in technology had far less to worry about than those that were now repenting their past reluctance when it came to financing technological solutions. The quickest possible adoption of technology was the only way to make this transition happen, while simultaneously ensuring that revised operating models and processes were risk-secured.

how we fought through All risk managers live in constant anticipation of risks and their interconnected repercussions. But while our role may be to predict and minimize potential impacts, a large part of that job is also to harness the lessons of the past—and right now, the present—to build more comprehensive and effective risk management frameworks. At the outset of 2020, risk managers across the banking industry faced the following challenges: • Internal digital coordination (including risk reviews) to ensure internal controls were not weakened • Rapid risk analyses to support online exchange of documents submitted by customers (including review, analyses, processing, and credit re-ratings in the back office) • Establishment and expansion of application and processing routes for the effective use of subsidy programs • Online resources to support retail customers who needed to restructure their loans • Online analyses of the impact on customer creditworthiness and the extent of loans • Online review and adjustment to overdraft/drawdown limits • Setting up digital communication offerings to retail customers. The advent of these rapidly installed technology solutions has introduced new and evolved vulnerabilities to banks’ operating models. Risk Managers must now reevaluate heightened cyber security risk exposures and assess potentially more nuanced business process failures—and determine the extent of reputational ramifications one or both might entail. Predictive models and other control designs need to be restructured to account for unanticipated gaps. Automation, always a double-edged sword, must be balanced against a robust, clearly defined risk culture to ward off pitfalls stemming from lack of manual intervention and detection. In addition to newly introduced technology risks, operational breakdowns and errors may start cropping up right and left. If these remain unchecked, en masse they could pose broader financial, legal, regulatory, and reputational ramifications, while generating increased employee fatigue and burnout, fueling a vicious cycle. Empathy is needed more than ever as risk managers struggle through current upheavals.

Intelligent Risk - April 2021

033

It is easy in times of economic downturn for companies to remain focused on the balance sheet and stock prices while forgetting the humanity making the hamster wheel turn. The more company employees and consumers (and Risk Managers) endure, the more they can suffer from heightened fatigue and burnout that can lead to missteps, misstatements, and misalignment.

lessons learned With 2021 slow to show some promising improvement, we have been tempted to compose an equally succinct epitaph for this year as well. Writing this article, we realized that trying to seek answers to the trials we face today simply breeds more questions. But these are questions that we, as risk managers, are equipped to help solve. Risk managers’ perspective of the world has always been tinged with a little pessimism because we are paid to think endlessly on what potentially could go wrong. Ironically, this mode of thought should fuel optimism. Because, like the mythical phoenix rising from the ashes, from great catastrophes come comprehensive and well documented risk studies. Because risk managers have studied great downfalls and failures of the past, we implicitly understand how to remain resilient and how to rebuild. Living through the challenges of today will make us a little stronger and a little wiser when it comes to predicting the next black swan event. And it reminds us that we need to be ever vigilant—not just in preparing for the next pandemic—but in ensuring our institutions are agile and dynamic enough to pivot from one crisis to the next as the challenges mount in the years ahead.

authors Sunil Kansal Managing Director at Shasat Consulting Sunil heads the Consulting and Valuation division at Shasat Consulting and has been leading several IFRS, US GAAP, Risk Management, Valuations, IBOR Transition, and technical advisory projects. He has over 20 years of industry experience working with ING Group and Bank of America as well as with all the big four accounting firms in several jurisdictions. Sunil has authored many technical articles and books touching on the most pressing, accounting, risk management and industry issues (Banking and Insurance) including credit risk in the valuation of derivative instruments (CVA, DVA, FVA and XVA). He is a regular speaker through various forums. Sunil is a fellow of the Institute of Chartered Accountants in England and Wales (ICAEW).

034

Intelligent Risk - April 2021

Elisabeth Wilson Operational Risk Manager at Atlantic Union Bank Elisabeth Wilson has worked for over 13 years in the financial industry. She was recruited to Atlantic Union Bank’s Enterprise Risk Management Department in 2016 to support development of the company’s then-burgeoning risk management framework. She continues to build, implement, and manage key risk programs, driving regulatory alignment and promoting bank-wide engagement while simultaneously supporting business line risk oversight. Elisabeth is based in Richmond, Virginia.

Disclaimer: All views expressed in this article are our own and do not represent the opinions of any entity that we may be associated with.

VIRTUAL EVENT

CYBER RISK MANAGEMENT FORUM Be a part of this timely discussion on the rapidly evolving cyber risk landscape

PRMIA Intelligent Risk - April, 2021

Articles inside

Chapter spotlight: PRMIA Mumbai

A risk manager’s journal of the plague year by Elisabeth A. Wilson & Sunil K. Kansal

Building interpretable AI models: a model risk management challenge - by Ushasi Sengupta & Sanjukta Dhar

PRM spotlight - Alex Khayat

Making sense of models: a parsimonious solution by Dr. Gary Nan Tie & Dr. Bob Mark

Securing endpoints amid new threats

COVID’s impact on cyber and operational risks vs. corporate resilience - by Fatema AlSaad

Corporate resilience and the pandemic - by Merlin Linehan