Top Risks Challenging the Financial Services Industry

Presented by Nancy Foster, President & CEO, The Risk Management Association, to the RMA Richmond Chapter
September 2019

As you go about your days worrying about the multitude of risks we need to prepare for—well, actually, probably not just your days, but your nights and weekends, too—it’s easy to feel overwhelmed. Or confused. With so much to monitor, how do you focus on what’s most important? What IS most important?

Wouldn’t it help to have a guide to the most important risks to focus on right now? 

This summer, our RMA National Board and staff discussed and debated the many risks facing our industry and decided on seven that, we felt, were most pressing at this time. We didn’t rank them in terms of importance, so here they are in alphabetical order: cyber risk, downturn risk, geopolitical risk,  Libor transition risk, strategic risk/disruption, talent risk, and third party risk. I thought the board did a great job of crystallizing the complex risk landscape and devising a list that is easy to understand and focus on. We did NOT do such a great job of coming up with a jazzy name for this collection of THE SEVEN TOP RISKS, which is currently titled, and I quote, “The Seven Top Risks.” It’s a little blah, I’ll admit. If anyone has an idea for something a little snappier, let us know.  

We could call them the Seven Deadly Risks. That would definitely be snappier. But it’s not quite right.  Sure, these risks can literally be deadly to a financial institution. Think of all the damage to a firm’s assets, systems, and reputation that could result from a Cyber 911 scenario: State sponsored terrorists target major banks and virtually shut them down. Or what if one or more of the so-called FAANG companies-Facebook, Apple, Amazon, Netflix, and Google-dedicate their vast resources to siphoning customers from traditional banks. That would be deadly.

But like with all risks, these seven top risks also have upside. Yes, technology firms can poach bank customers. But more and more, fintechs are just as likely to be bank partners as they are bank poachers. And as partners, they create apps and online services and products that help banks gain customers. And yes, a recession could put our borrowers who sell luxury items in peril. But it could also be a boon to our borrowers connected to discount stores.

Now that we have identified these risks, RMA is making sure they are represented in our programming and content. Thing like round tables, conferences, RMA Journal articles, and webinars. For example, we recently published a Libor transition guide that went to hundreds of banks and is posted on our website. We also published several articles on Libor in the RMA Journal, held round tables, podcasts, and had chapter events on this important development to make sure our members are informed and ready.     

Identifying these top risks does not mean we put less effort towards the many other important risks financial institutions face. Credit risk is still paramount, for example. So are the various operational risks that are not third party or cyber. RMA’s mission will always be to promote sound risk management practices in the financial services industry, no matter what the risk.

One way to explain the top risks approach is, to use a basketball analogy—it is a full-court press. It is a recognition that, with the way the game is going right now, the proper move is to run faster and be more alert when it comes to these particular risks. This is not always how we will approach these risks. But for right now, we want to be aggressive and proactive about them, and we think all financial institutions should be too. We should not sit back and play zone defense, treating things like business as usual, and wait for the action to come to us. We have to play the ball and go wherever that takes us. There will come a day when these risks will subside in importance or cease to be an issue at all. That’s the case with the Libor transition, which should be completed by early 2022. When that happens, we will put our intense focus elsewhere. But for now, these seven risks I am about to describe are key.  

Top Risks

Downturn

Regarding a possible economic downturn, some economists say we are definitely headed for one soon, and others say not so fast. The same goes for many of the most-watched statistics, and not many have been watched recently more than the yield curve. Yes, it has inverted and short-term interest rates rose above long-term interest rates. That’s a classic indicator that a recession is on the way. But some economists say the yield curve may not be the surefire indicator it once was.

Meanwhile, GDP growth outperformed expectations in the second quarter, so that’s another argument against a recession. Unemployment is historically low. And consumer confidence is still looking good. So it would be foolish to predict that a recession will happen in, say, the next 18 months. However, it would be more foolish to disregard the possibility. You must be prepared for one to occur.

There are going to be several valuable sessions on positioning for a downturn at our Annual Risk Management Conference in New Orleans October 27–29. I highly recommend that you attend if you are not already registered. In fact, I will not be the least offended if you register right now on your mobile devices at rmahq.org. If you go, you will hear best practices on things like protecting yourself with shorter loan durations, so that a credit is, hopefully, paid off before the borrower runs hits a rough patch. Or assessing your concentrations, especially in industries and lines of business that are usually vulnerable to downturns-like the luxury goods I mentioned earlier. And remember that concentrations can also vary by region, not just industry. Are you too heavily invested in an area or town that will feel the downturn worse than most—for example, the way Arizona, Florida, Nevada, and California’s real estate crash was considerably worse than most of the country?

Some banks are shoring up their recession readiness plans and making sure they have access to talent that has worked during previous recessions. Many are stress testing their credits based on various downturn scenarios, and using risk ratings that project probabilities of default spanning many years. And regardless of what the economic indicators say, there might be evidence staring you in the face from your own institution. If you see an increase in tracked policy exceptions or loans with risk grade reductions, act accordingly. You should get strong debt service coverage and risk pre­miums when lending to volatile industries. If you are not already, start underwriting with a thought for how a possible recession would affect borrowers.  

Geopolitical Risk

Let’s move to geopolitical risk. It’s rising, and it’s scary. You have the still-uncertain outcomes of the trade wars and Brexit to fear. Populist movements and internal dissension are roiling nations across the globe. Hong Kong is a geopolitical and financial hot spot. A Harvard economist recently said a violent crackdown by China in that that economic hub—so important to our global economic system—could be a tipping point for a worldwide recession. And then there’s North Korea.

If you like quantitative evidence, consider the geopolitical risk index, pioneered by a couple of Fed researchers. It takes into account the number of news articles regarding things like threats of war, trade disputes, terror attacks, and nuclear fears. It has been trending upward steadily up since 2012. For the month of August, it was at 182, compared to its historical benchmark of 100.  

Geopolitical threats are particularly overwhelming and frightening because they are not just about business. They jeopardize our very lives, the lives of loved ones, and our cherished ways of life. But we have to think clearly about them and be prepared. I recently had a conversation with our RMA chair, Mick Ankrom of Bank of America, on this subject. He said, yes, it’s very difficult for risk management to factor in the uncertainty of geopolitical risks. But at the end of the day, he said, risk management doesn’t change. You should only take on risk exposures that are clearly defined and understood, and which your organization has the capacity to manage on an ongoing basis. In that way, geopolitical risks are like other risks. The trick is to clearly define and understand them in terms of your business lines. A recent RMA Journal interview with Paul Sassieni, head of Capital Markets Risk at Northern Trust, was instructive. He said that Northern Trust has found that integrating risk disciplines is a good way to approach geopolitical risk. He has a regular video conference that includes Northern Trust personnel from market, credit, and operational risk who are based in offices around the world. During the call, they talk about the latest news—a shocking election result, a natural disaster—and how that might affect Northern Trust. You, of course, will have your own methods of tracking and reacting to geopolitical risk at your institution. But as an RMA member, with access to the RMA Journal, round tables, and other peer sharing events, you will learn about approaches that have helped others and can inform your own strategies. Because regardless of how you manage geopolitical risk, you must do it.

Libor Transition

Strategic Risk

Now let’s turn to strategic risk/disintermediation, a term we use to describe how rapid advances in technology are radically changing the way banks do business and how they compete with each other and nontraditional competitors. This is an area where there is a real dichotomy of potential outcomes. The threats are so great, but so are the opportunities. As I noted earlier, there has been a clear trend lately of fintechs cooperating with traditional banks. Banks provide the trusted relationships with—and access to—customers.  Fintechs provide the know-how. That’s crucial because many banks lack the resources and expertise to develop apps and other online products in-house. They need fintechs to keep up with the growing list of conveniences expected by customers. Things like banking apps that are compatible with the Apple watch, apps that use fingerprint logins, apps that provide access to updated credit scores and automated tellers. Technology is bringing about a hypercompetitive banking environment that is only getting more fierce. Think about open banking, which is in its early stages in Europe, and is likely on its way to the U.S. Open banking can include banks sharing customer account information with competing banks in a way that enables customers to compare bank fees and interest rates more easily—and switch banks more easily. With this state of affairs, banks must constantly think about what they can do to attract and preserve customers. 

Third-party Risk

And while partnering with fintechs is part of the answer, a downside is the increase in third-party risk and cyber risk it creates. Third parties can provide a gateway for hackers to enter your systems. Or they can allow your data to be stolen from their own systems. Target was famously breached through an HVAC contractor. Banks need to perform their due diligence on third parties before contracting with them. I’m about to give a very clear example of due diligence that suggested to NOT get involved with a third-party provider. It’s from a book RMA recently published on third-party risk management. In the book, a bank executive tells a story about when he knew an outside company was not sophisticated enough to be trusted with his bank’s data. This executive asked the contractor where the data would be stored, and the contractor said, and I quote, “on Larry’s laptop.” Well, at least the contractor was honest about it. Unfortunately, red flags are seldom so obvious.

You have to be sure third parties guard your data and treat your customers the same way you would. Because as far as customers and regulators are concerned, YOU are responsible when your third parties make a mistake. This applies not only to first-line activities, but also third-party services that assist risk management and compliance. For example, third parties provide software and systems that are a big help for banks struggling to meet growing regulatory reporting requirements. But in some cases, this so-called regtech can be flawed and not deliver what was required by regulators. An SEC official at recent RMA regulators round table stressed the reality that even though it may not seem fair, the bank is responsible if a third party falls short.

Third party or not, any kind of tech can be problematic. Artificial intelligence can be a time and labor-saving boon to risk management. For example, AI can be used to monitor employee communications for keywords that suggest rogue trading. And it can be used to help uncover money laundering and better assess credit risk. But it can also be programmed in a way that magnifies human bias—and leads to regulatory action, lawsuits, and reputational damage.

So proceed with caution.

Cyber Risk

As I mentioned earlier, we expect risks to drop out of the top risk category. We hope so anyway. But in the case of cyber risk, I think we are in it for the long haul. There is just too much money and valuable information at stake for hackers to lose interest. This is a full-court press that will go into overtime. Our industry will keep running up and down the court with the bad guys, blocking as many attempts as possible. I saw a headline in Inc. magazine that puts the criticality of cyber risk in perspective. It said, “If you have to ask how much a data breach costs, you can’t afford it.” Of course, no one can afford a breach. Not really. After all, the best-case scenario is it takes money and attention from other important areas. In case you’re wondering what a breach costs, an IBM study this year put it at an average of $3.9 million per incident, or $150 per compromised record. Capital One said the first-year cost of its recent breach would be at least $100 million.

The cat and mouse game of cybersecurity will continue. We will enhance our defenses while hackers scheme new exploits. RMA will continue to be a thought leader on this topic, presenting the latest in best practices. If you don’t want to feel too depressed, a recent Journal article presented a hopeful cybersecurity framework that allows institutions to get value from their cybersecurity programs far beyond mere defensive efforts.

Talent Risk

So we’ve covered six of the seven top risks: cyber risk, strategic risk/disintermediation, downturn risk, geopolitical risk, the Libor transition, and third party risk. What is the area that ties all of these risks together, which will be needed to meet all these challenges?

Talent.

As baby boomers retire, banks need to replace them with new leaders with experience and expertise equal to their stature. At the same time, just like the world is changing, the skill sets needed are changing too. Banks need to augment their traditional recruiting methods by considering candidates with diverse backgrounds. That means more hires with the quantitative and technological know-how to construct and manage models and to employ AI and machine learning in the context of financial services. It means going toe-to-toe with tech firms in college recruiting efforts, and selling students on the many benefits of working in our industry. As for risk management, in particular, technical expertise is needed there too. But another quality that is mentioned often is the ability to see across risks, to see the big picture. One way to instill that is to make sure risk personnel works in different areas of risk and even does stints in the first line before rising to risk leadership.  

Making sure the financial services industry has the talent it needs to thrive has long been a priority at RMA. RMA has offered training for all levels of banking experience, from credit analysis courses to programs geared to executives like the RMA/Wharton Risk Management Program Recently, RMA has taken its dedication to education to another level. To help usher the best and brightest into the financial services industry, it has launched the RMA Foundation and funded it with 7 million dollars. So far, the RMA Foundation has awarded $867,000 in scholarships to 331 college students who are pursuing careers in financial services. These scholarships range from $2,000 to $8,000 per year. We are currently accepting scholarship applications. The window closes on October 21. If you know anyone pursuing a financial-related degree, please encourage them to apply for an RMA Scholarship.

In the past few years, RMA has also offered credit analysis courses at a growing number of colleges and universities. And we are excited about our recently announced partnership with Texas A&M’s Mays Business School. With a $1 million donation, RMA is helping the university pilot innovative new courses that will ultimately be available nationwide to prepare our industry’s future leaders.

Finally, while I am on the subject of talent, I wanted to mention RMA’s new Principles of Ethical Conduct. Because while we want a talented workforce in this industry, we also need an ethical one. So much good is accomplished by banks, which help businesses achieve their goals and people achieve their dreams. But sometimes all it takes is a few high profile incidents to cause lasting reputational damage in the eyes of our customers. I invite you to go to our website, read the Principles of Ethical Conduct, and click the button that says you agree to live by them.

Go to Principles of Ethical Conduct.

Thank you for your attention. RMA is offering its list of top risks to focus industry attention on what we believe the top risks are. But we also encourage you to debate and discuss what you think the top risks are at your own institution. At RMA, we have had some enlightening and even fun debates. If you have a different take on top risks, I would love for you to contact me to discuss it. Regardless of your opinion on what the top risks are, it can only help to have these types of conversations. The more we put our heads together and talk about risk, the better job we will do of managing it. Good luck. And remember that RMA is always there for you, offering programming including round tables, conference sessions, articles, training, webinars, and more on today’s top risks and all of the risks your institution faces.