What Every FinTech CEO Should Know About Risk Management

A FinTech CEO who doesn’t understand risk management is at a crushing disadvantage.

Why?

Banking at its core IS the business of managing risk.

Banks don’t just have to be risk-aware. They are in the business of managing risk on other people’s behalf – that’s the primary reason they exist.

Banks look after our deposits, ensuring they don’t get lost or stolen. They make loans, and take on the risk of default. They make payments, and take on the risks of incorrect execution, delays and currency fluctuations. Banks sell a huge variety of risk management products, especially to companies. These products let the companies worry about their own businesses without having to predict economic and political effects. A good example would be the big drop in the value of Sterling after Brexit.

So, again, why?

Any FinTech CEO who wants to partner or interact with a bank needs to understand:

  1. The bank’s culture is centered around managing risk.
  2. Working with new vendors and technologies introduces new kinds of risk that banks need to manage.
  3. Banks are increasingly looking to technology to help with managing risk. This is a huge opportunity for FinTech and younger sibling RegTech.
  4. Banks are fiercely protective of their capital, the scarcest resource they own. The way a Bank manages risk impacts the amount of capital they need to have tied up as regulatory insurance against the failure of the bank. Tying up capital is massively expensive for banks.
  5. Managing any business involves risk. Any CEO needs to know how to manage his or her own company’s risks. (Actually life itself is full of risks, and we make risk management decisions all the time – whether good or bad. Even crossing the road is full of risks that are differently managed by different people. Do you typically use a pedestrian crossing, jaywalk, wait for a green light, etc.?)

What is Risk Management

First, what risk management is not: it is not about avoiding risk at all costs. That is a recipe for immediate bank failure. Remember the point above – banking is the business of managing financial risk on other people’s behalf. Avoiding risk simply means receiving no revenue.

Then what is it?

Risk management is most of all about understanding risk. Understanding of risk is ideally quantitative, generally in terms of the financial impact. At a minimum, the understanding must be directional (“this” is more likely to happen than “that”).

Risk management is about making measured and rational strategic and operational decisions, based upon understanding of risk. For example, how much should we spend to prevent a 20% possibility of an event occurring that could cost us $1,000? On the other hand, what would we spend to prevent a one in a thousand event that would cost millions?

Note that making the wrong decision can be extremely expensive. Failure to implement appropriate controls can result in massive fines. Obvious examples are money laundering, identity theft, and misleading public statements. But going overboard with controls against these threats can be extraordinarily expensive. JP Morgan Chase, according to CEO Jamie Dimon, employs over 8,000 people in AML alone. Even allowing for a little Dimon hyperbole, this may or may not be too conservative, but it is certainly too expensive!

Risk management in banks is an enterprise-wide concern, and impacts the entire bank. This includes its culture, organization, processes, technologies, people and physical infrastructure. The following picture from my friend Dr. Robert Mark of Black Diamond Risk illustrates this well. Risk management is a multi-dimensional undertaking.

Dimensions of Risk

What makes for high risk? There are several dimensions to be considered.

Likelihood: we need to understand how likely it is that an unwelcome event will occur. This is generally expressed in probabilities (e.g. 5% likely to happen in the next year) or, less satisfactorily, as a relative measure (High, Medium, Low).

Severity: how serious will the event be if it does occur? When possible this is presented as a projected “loss distribution”: it could cost anywhere between $X and $Y, and there is a series of probabilities at each level in between. Again, with operational risk this measurement can be very difficult. Far too often it is expressed simply as high, medium or low.

Timely Detection: if an event occurs, how quickly will it be detected? This again may be a statistical distribution. What is the likelihood that the impact can be mitigated because of timely detection? For example, with sophisticated technology, cyber-attacks may be detected quickly. This allows the bank to block the attack, or to shut down paths to the bank’s computer networks, before extensive damage can be done.

Vulnerability: what weaknesses could possibly be exploited by “bad” or incompetent parties? This approach is often used (paired with threats below) to analyze cyber-security risk.

Threat: for a given vulnerability, what potential threats (actions by other parties) could intentionally or inadvertently exploit it? This would be linked with severity to determine how important it would be to implement controls or close the vulnerability.

Options for Managing Risk

There are essentially four ways to address known risks. They are all applicable tools in the risk manager’s toolkit.

Remediate: this simply means making the risk go away, or reducing the likelihood of occurrence to close to zero. When the combination of likelihood and severity is unacceptably high, this is often the right approach. It may mean introducing new controls, or changing a web development methodology. It could mean improving employee pre-screening. Remediation takes many forms, but in essence it is risk avoidance (what I said earlier risk management is not – but OK, sometimes it is!). Remediation may not be total, however, and the goal may simply be to reduce the likelihood to an acceptable level.

Mitigate: if it isn’t cost-effective to remove a risk through remediation, then another option is to reduce the severity. Then if the unwanted event does occur, it doesn’t cost anything like as much. Mitigation usually takes the form of controls as well, but they are somewhat differently focused. The end result is the same – the expected value of loss (likelihood times severity) goes down to an acceptable level.

Transfer: or buying insurance. When we take out an insurance policy, we transfer the risk to somebody else. We have car insurance because we may not be able to afford the total economic impact of an accident, especially if there are injuries. Like any company, banks transfer certain corporate risks through D&O, E&O, title, health care, and various other kinds of insurance. At the same time, in their core businesses, banks are more an insurer than an insured. That is, we transfer our risks to the banks. A good example is a foreign exchange transaction. If I import some goods that need to be paid for on delivery in three months’ time in a foreign currency, I may want to be sure I know how much I’m paying. I will buy a future FX contract at current FX rates, so that currency fluctuations will be covered by the bank, not me. (Of course fluctuations in currency work both ways, so I may be missing an opportunity. But FX trading is not my core business, so prudent risk management says I will forego the opportunity in order to avoid the risk of loss.)

Accept: there are many situations in which the cost of addressing a risk would be greater than the likely losses due to the risk. In these cases, bankers will choose to accept the risk. They will acknowledge that an unwanted event may occur, and that it may result in losses, but accept that this is a reasonable cost of doing business. Intelligent risk acceptance requires having the necessary data on which to make an informed decision. Far too often, like all of us, bankers will decide to accept a risk without really understanding what they are accepting.

Hybrids: there are combination options of course. For example when you take out car insurance, you also agree to a deductible. In effect you are accepting the first $500 (or whatever) of severity, but transferring everything beyond that. There are many examples in banking that are similar to this. They include partial remediation to reduce likelihood, or partial mitigation to reduce severity.
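To make the comparison above concrete, here is an added example (not from the original post) that scores the four options, plus the deductible hybrid, against the post's own 20% chance of a $1,000 event, using the severity "loss distribution" and the expected loss (likelihood times severity) defined earlier. The option prices, the risk name and the reduction factors are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    """One risk: how likely the event is, and what it costs when it happens."""
    name: str
    likelihood: float                       # probability the event occurs this year
    loss_dist: List[Tuple[float, float]]    # (conditional probability, loss $), probs sum to 1

    def expected_severity(self) -> float:
        return sum(p * loss for p, loss in self.loss_dist)

    def expected_loss(self) -> float:
        # The post's "expected value of loss": likelihood times severity.
        return self.likelihood * self.expected_severity()


@dataclass
class Option:
    """A treatment: its yearly price plus how it reshapes likelihood or severity."""
    name: str
    annual_cost: float                  # control spend or insurance premium per year
    likelihood_factor: float = 1.0      # remediate: multiply likelihood (0.05 = 95% less likely)
    severity_factor: float = 1.0        # mitigate: multiply each loss outcome
    deductible: Optional[float] = None  # transfer: we keep at most this much per event

    def residual_loss(self, risk: Risk) -> float:
        """Expected loss we still carry after this option is applied."""
        kept = 0.0
        for p, loss in risk.loss_dist:
            loss *= self.severity_factor
            if self.deductible is not None:
                loss = min(loss, self.deductible)   # the insurer pays the rest
            kept += p * loss
        return risk.likelihood * self.likelihood_factor * kept

    def total_cost(self, risk: Risk) -> float:
        return self.annual_cost + self.residual_loss(risk)


def compare(risk: Risk, options: List[Option]) -> dict:
    """Total yearly cost (control spend + residual expected loss) of each option."""
    return {o.name: round(o.total_cost(risk), 2) for o in options}


def cheapest(risk: Risk, options: List[Option]) -> str:
    """The measured choice: the option with the lowest total yearly cost."""
    return min(options, key=lambda o: o.total_cost(risk)).name


# Constructed sample: the post's 20% chance of a $1,000 event, with hypothetical option prices.
OUTAGE = Risk("payment-gateway outage", 0.20, [(1.0, 1_000.0)])
OUTAGE_OPTIONS = [
    Option("accept", 0.0),
    Option("remediate", 150.0, likelihood_factor=0.05),
    Option("mitigate", 80.0, severity_factor=0.5),
    Option("transfer", 50.0, deductible=500.0),   # hybrid: $500 kept, rest insured
]
```

Running `compare(OUTAGE, OUTAGE_OPTIONS)` shows accepting costs $200 a year while the insured hybrid costs $150, so on these assumed prices the rational answer is transfer; swap in the one-in-a-thousand, multi-million loss distribution and the same code shows when a premium is worth paying.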

Categories of Risk

Bankers typically recognize a number of types of risk. Some are pretty universally agreed. Others have semantic differences depending on the perspective from which they are viewed. But the following lists the major types of risk that would be relevant to FinTech CEOs.

Credit Risk: this is the easiest to understand in principle. It is the risk that a borrower will not repay a lender, will repay late, or will not repay in full. In practice there are many aspects to credit risk. This is complicated further by packaging and reselling of loan assets and obligations. But the underlying principle still applies. At the core of banking business is the intelligent, well-informed acceptance of credit risk at the right price. Pricing builds in anticipated losses. Therefore it depends upon how likely it is that a borrower will default. Traditional pricing models take into account credit scores, borrower financials, and valuations of collateral.

FinTech companies are adding considerable additional intelligence to underwriting models. Several alternative or additional methods are used. They include social media behavioral analysis; spending history (e.g. mobile phone records); and reputational assessments.

But the risk manager’s job is still the same. (S)he needs to understand the risk. A measured decision must be made on whether or not to accept it. Then comes the decision on how to price it (i.e. what fees and interest rates should be applied).

Market Risk: as its name suggests, market risk arises because of the unpredictability of markets of all kinds. When the value of an asset or liability is subject to market fluctuations, then there is market risk. This includes currency exchange rates, interest rates, securities prices, commodities, bonds. In fact, anything that is traded publicly, whether on a formal exchange or in an informal setting.

As with Credit Risk, a core part of a bank’s business proposition to customers is the management of market risk on their behalf. There is a tremendous variety of market risk products. This includes swaps, options, futures, hedge funds, and every combination and variation you could think of plus lots you’d never be able to imagine! Provided the bank has a good understanding of the risks they are taking on, they will make money. Extreme events, such as the financial crisis of the late 2000s, may create massive losses however. In general banks are in the business of managing this kind of risk, but consumers and non-financial companies are not.

Operational Risk: this is a very broad category that results from the kind of business banks are in. Typically it is not something banks make money from. Banks have always had operational risk, and have always invested in a wide range of controls to remediate or mitigate this risk. New technologies have added new kinds of risk over the past several decades. Emerging technologies deployed by FinTech companies also create new kinds of risk. FinTech CEOs do well to understand them. In fact banks will insist on working through them before buying. This is one of the reasons banks are experimenting internally today with emerging technologies. Many experiments are underway on AI, blockchain, predictive data analytics, and cloud computing. Many of these are intended to support understanding of operational risk.

There are several categories of operational risk, and also several definitions. The simplest regulatory definition dates back to Basel II. "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events." Regulators are now very concerned about operational risk, and include in their definition such things as:

  • Errors in regulatory, financial or customer reporting that result from inadequate operational and financial controls
  • Instances of cyber-crime (largely in the categories of fraud, privacy violations, money laundering or terrorist financing) allowed because of inadequate technology and operations controls

Basel II provided a list of operational risk categories that gives a slightly different take:

  1. Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
  2. External Fraud - theft of information, hacking damage, third-party theft and forgery
  3. Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
  4. Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  5. Damage to Physical Assets - natural disasters, terrorism, vandalism
  6. Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures
  7. Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

This is quite a range of sources of risk. From the perspective of banks, it can be pretty daunting. For the most part this is risk that cannot be transferred, and that generates no revenue. Implementing adequate controls in all of these areas is enormously expensive. This is perhaps the biggest “hidden” cost factor for banks that drives up banking prices.

The infrastructure required by a bank to manage operational risk is also many-faceted. This is well illustrated by this diagram from the Risk Management Association:

When a bank engages a new FinTech provider, particularly a relatively unknown one, a number of recognized areas of operational risk arise, including some subset of the following:

  • Third party vendor risk – entrusting certain processing (automated, manual or both) to a third party. This is because the bank has no direct control, but still has full legal responsibility.
  • Cyber-security risk – ensuring that any new vulnerabilities or threats are explicitly addressed. This applies even if risks are accepted.
  • Regulatory risk – reviewing the new product features and functions to look for regulatory impact. This is to ensure that no new regulation has come into play, and that existing regulatory compliance is not compromised. This is, of course, a very complex area and may also require hiring of external counsel. Believe me, this doesn’t happen quickly!
  • Operations risk – a subset of operational risk, focused on processes in bank operations. This review will ensure that new processes don’t have material control weaknesses. Such weaknesses might introduce opportunities for internal wrong-doing or incorrect financial reporting.
  • Project risk – the bank will create a comprehensive project plan. This will focus on timely, low-error and in-budget delivery of the overall project of which the FinTech is a part. Bear in mind that there are very, very few projects in which the FinTech solution stands alone. Many risk subsets fall within this, and it can also take a frustratingly long time.
  • Business recovery – business resumption plans must be updated. They address risks of short- or long-term unavailability of the FinTech’s technology or services.

From a FinTech’s perspective, operational risk has a number of implications:

  1. A bank will appear to view a FinTech with some suspicion. Actually they are (or should be) attempting to understand their new operational risk. They will apply due diligence that is (ideally) quantifiable and (always) demonstrable to regulators.
  2. The successful FinTech will think through what operational risks their solution might introduce to the bank. They will ask themselves what they can do to mitigate or remediate the risk. This might involve addition of functionality to enable dual control processes. It could mean evidence of cyber-security certification. It might mean strong authentication for sensitive internal activities. Or clearly articulated controls around cloud processing and storage.
  3. The various operational risk implications will result in delays in closing deals with banks. You will need to be patient, supportive, and consistent in communications and information during this time. Just what an agile FinTech excels in, right?

Conclusion

There is of course much more that could be written on this topic, but if you’ve read this far, you’ve probably seen enough for now.

The bottom line is this.

For a FinTech company to partner successfully with a bank, it must appreciate the breadth and depth of banking risk management.

In particular, the FinTech must understand the operational risk considerations that a bank will need to go through before engaging them. This affects presentation of value proposition, expectations of time to revenue, product design, and cultural engagement.

I hope this has helped. By all means contact me if you’d like to discuss.

Graham Seel, a 30 year banking veteran, runs BankTech Consulting. He is an expert in commercial banking, and provides strategic insight and internal business cases to banks. He works as a fractional Customer Success Executive to Fintech firms, facilitating their partnership with banks. This blog was originally published on LinkedIn.