Every year, financial crime becomes more sophisticated, new malware emerges and fraud losses rise. Add continuously evolving regulations and hefty non-compliance penalties, and financial institutions are facing an increasingly complex risk landscape.
To compete in the new environment, banks, insurance companies, asset managers and other industry players need to rethink how they approach financial risk management. That’s where artificial intelligence can lend a helping hand. With advanced analytical capabilities, AI can augment human-led risk management activities to drive better outcomes much faster. It is estimated that through better decision-making and improved risk management, AI could generate more than $250 billion in the banking industry.
Insurance companies, banks and fintech startups alike are starting to integrate AI-driven analytics into their financial risk management software. Here’s a roundup of three practical use cases to give you an idea of AI’s potential.
Accurate fraud detection
The complexity of, and visibility into, multi-channel fraud prevention are major challenges for financial institutions. Scammers are getting more sophisticated and quickly find creative ways to steal from banks and their customers. Each year, fraud costs over $5 trillion, a sum more than 80% greater than the U.K.’s entire GDP.
To stay agile and quickly respond to threats, banks are augmenting their fraud detection toolkit with machine learning capabilities. The idea behind ML-driven fraud analytics is that fraudulent transactions have telltale signs that algorithms can uncover much more effectively than rule-based monitoring systems. By processing customer, transactional and even geospatial data, these algorithms can spot patterns that seem unrelated and simply go unnoticed by human data analysts.
As a rule, ML algorithms leverage supervised or unsupervised learning techniques for fraud detection. The difference between these two types is that supervised learning-based algorithms heavily rely on explicit labels, meaning that machines need to be repeatedly trained on what a legitimate versus fraudulent transaction is. Unsupervised learning models, in contrast, do not need prior labeling to recognize abnormal activity, so they can continuously update their datasets and detect even previously unknown fraud and abuses.
Credit risk prediction
In simple terms, credit risk refers to the risk of financial loss when a borrower fails to meet financial commitments. And as these non-performing assets continue to grow, it has become imperative for banks to find better and more robust mechanisms to manage default risks.
Advanced ML-driven analytics can do just that. By analyzing a vast amount of financial and non-financial data, trained machine learning algorithms can model credit risk and predict default with a much higher degree of accuracy than traditional methods.
There is no shortage of up-and-coming startups that work on AI-powered credit scoring solutions to help the financial industry fight high delinquency rates. One such example is British startup SPIN Analytics, which has developed its RiskRobot to optimize credit decisions. The solution leverages advanced analytics to forecast credit behavior and credit losses of individual customers and entire credit portfolios.
Effective regulatory compliance
Over the years, the number of rules and regulations that banks and financial organizations need to adhere to has multiplied — EMIR, SFTR, MiFID II/MiFIR, MMF, GDPR. With this raft of regulatory bodies, updates are issued every seven minutes. And, with hefty fines and penalties, non-compliance is not an option.
Handling the overwhelming volume of regulatory change is no easy feat. But recent advancements in natural language processing (NLP), an AI subfield, are bringing us closer to effectively solving the compliance puzzle. With the ability to understand the human language, NLP-based solutions can scan and analyze millions of lines in regulatory content, including legal documents, commentary, guidance, legal cases, to spot applicable requirements much faster — that’s what London-based Waymark offers its corporate clients.
Another prominent regtech player is IBM, which offers its cognitive computing platform Watson to drive down regulatory compliance costs. Trained with the help of Promontory, Watson identifies and tags obligations, guides and controls to facilitate regulatory change management.
The bottom line
The financial risk landscape is changing fast. Staying on top of emerging fraud threats, credit risk and rapid regulatory changes requires a superhuman effort.
AI can augment human intelligence with rich analytics and pattern prediction capabilities to drive fraud and credit risk detection with higher accuracy and at a larger scale. In the regtech space, AI-fueled analytics solutions can significantly accelerate compliance procedures while reducing the costs.
Since the revival of the modern Games in 1896, the Olympics have had to cope with a range of risks, from financial, security, sporting and reputational risks to diplomatic incidents and war. In 2020, that list expanded when the Tokyo Games was postponed due to COVID-19.
Any catastrophe affecting the Olympic Games could result in high-impact, long-term consequences for the cities that host them. People, infrastructure and entire supply chains are at stake. Forcing the Tokyo Olympics to be postponed by a year, the COVID-19 pandemic has stolen the risk limelight, but it remains as vital as ever to remember the wider risk landscape.
Olympic Games typically involve a large population influx from various countries to a city, in this case Tokyo, already one of the largest cities in the world. How will this work in a COVID-19 world, where physical distancing is set to be recommended for a long time?
A recent government survey showed only 0.1% of Tokyo residents have coronavirus antibodies. That is much lower than 14% in the state of New York in April, and 7% in Stockholm. The citizens of Tokyo may not want to accept the risk of an influx of people on top of managing their own national situation. The pandemic has also reduced the enthusiasm of residents to host the event, with a recent poll showing that only 24% in Japan look forward to the Olympics.
There are other people risks to consider. Ever since the 1972 Munich Olympics, where terrorists kidnapped and killed Israeli athletes, crowded spaces like sporting and entertainment venues have become targets for international and domestic terrorists. In the latest Cambridge Centre for Risk Studies City Risk index, Tokyo comes out on top by risk exposure, with interstate conflict listed as the top potential loss driver.
The multiple layers of security (including police, military and private security) will rely heavily on technology, not least to coordinate their activities. These will be the first Olympics to make use of facial recognition technology to assist with risk management and identification.
With such a high-profile event, security must be ultra-tight, and cybersecurity in particular is a major concern. Due to their operational requirements, scale and scope, Olympic events have the potential to trigger complex second-order effects, and cyber-attackers have grown increasingly ambitious as organizers have embraced digitalization. At the 2018 Pyeongchang Winter Olympics, suspected state-sponsored hackers carried out extensive campaigns, with TV signals disrupted, the games website crashing and ticket sales disrupted. Russia was thought to be involved in those attacks, and earlier this year Japan’s National Intelligence Agency issued a stark warning on the possibilities of state-sponsored attack at the Summer Games.
Earthquake risk is a top concern for Tokyo. The region sits at the intersection of the Pacific and Philippine Sea tectonic plates being pushed under Eurasia and forming the Itoigawa-Shizuoka Tectonic Line (ISTL). Given the structural dynamics, megathrust earthquakes along these boundaries are a common driver of risk discussions for the region. However, recent swarm activity in the Tokyo area can be interpreted in two ways. A simple view is that an increase in smaller earthquake activity leads to higher chances of a big one. However, a seismic creep could also be an indication that fault stress is being reduced in the region. Whatever the impact, the immediate response strategy remains the same.
Japan already has strict building codes governing construction and engineering and many Olympic venues will sport earthquake-ready designs aimed at decreasing damage by spreading the shock to a building across seismic isolation bearings. Drills and evacuation exercises aimed at supporting fast and efficient emergency plans have been held, and extra time should allow organizers to identify further improvements in response strategies.
The first Olympics to experience heat stress issues were the 1912 Stockholm Games, where temperatures reached 32 degrees Celsius (90 degrees Fahrenheit) in the shade and resulted in half the marathon runners failing to complete the race. Only two years ago, record-breaking summer heatwaves led to the deaths of over 1,000 people in Japan. Similar heatwaves from that year have been studied in the U.K., with research suggesting that record-breaking temperatures are now increasingly likely due to human-induced global warming.
Japan’s average temperatures are virtually certain to be rising at a rate of 1.21 degrees Celsius per century, compared with the global rate of 0.73 degrees Celsius per century (calculated by the Japan Meteorological Agency). While fine and sunny weather will help the Games run smoothly, this increased risk of serious and deadly heatwaves is an important consideration to add to other weather and climate risks such as typhoons and extreme rainfall. Whether contingency plans must be enacted due to heatwaves, or whether extreme weather leads to damage to infrastructure or venues, there could be a substantial financial impact, and risk transfer options will have been considered.
During the 2012 London Olympics, the tube link to Stratford in east London was closed after a water main flooded the tracks of the Central line, which connects the West End and City to the Olympic Park, raising concerns about the resilience of London’s transport network. Flooding issues were also seen in Russia in the run-up to the Sochi Winter Olympics, when flash floods caused massive disruption to the preparations. An estimated 2,000 workers were required to clean up the mess.
Japan has committed to large infrastructure projects, hoping that the Tokyo Olympic Games leave a long-lasting legacy. The first time Japan hosted the Olympics, in 1964, prompted the operations of the first Japanese bullet trains. The government has built several state-of-the-art flood control structures in the Greater Tokyo Metropolitan area, home to more than 37 million people and the most populated megacity in the world. Super levees around the Arakawa River provide protection against major floods, and the massive underground storm water storage facility that forms part of the Metropolitan Area Outer Underground Discharge Channel is the biggest in the world.
Stakeholders across the board are going to need to challenge their thinking and decision-making styles as these Games break from the regulated cycle of audits and check-ins. The reputation risks for all involved have never been higher, and, while organizers are already looking at options to simplify the Games, there may come a point where the risks exceed the appetite.
It is still unclear whether the Tokyo Olympics will indeed happen in 2021. The current climate has reminded us that we should always expect the unexpected.
Taking extreme events and stress-testing them, whether through quantitative modeling or qualitative scenarios, is one way to build resilience to global, complex risks and decide what to do next. As COVID-19 has demonstrated, society has developed in such a way that the impacts of past events are no longer a certain guide for the future, and this event presents an opportunity for all to make changes beyond the organization of these Games and leverage insights from science to increase their resilience.
When only a few employees know how to solve a specific problem or perform a task, the company becomes disproportionately reliant on them to function properly. Too often, when those employees leave, retire or get laid off, the company is left to figure things out on its own.
For instance, many companies have recently laid off employees due to COVID-19. While these decisions might make sense from a short-term financial perspective, risk managers should consider their long-term operational impacts. What if the people being let go are the only ones at the company who can do what they do? Can the company operate normally without them?
Risk managers should always be looking to identify and address these bottlenecks, also known as single points of failure (SPOF). Doing so will prevent critical business continuity issues in the future and help employees and organizations operate more efficiently. Here is why single points of failure are a company’s biggest unrecognized risk, and what risk managers can do to address them.
Background: What Is a Single Point of Failure?
A single point of failure is a part of a system that, if it fails, will stop the entire system from working. While traditionally seen in an IT context, SPOFs can take the form of an employee, as well.
Imagine if one employee was asked to design code for a company’s proprietary software. Then, after the employee leaves the company, the software runs into problems. Because no one knows how to manage the code, the company loses time, money and effort trying to address one issue.
This scenario shows three reasons why single points of failure are so detrimental:
Complicated processes: Employees tend to work in a way that makes sense to them but not to others, which makes it difficult to transfer work.
Reduced collaboration: Relying on specific employees to fix problems or pursue certain projects means less teamwork and prevents others from learning relevant skills.
Disrupted operations: If an important employee leaves or retires, it can take a lot of effort and time from others to pick up where that employee left off.
SPOFs don’t present a problem until they do. Because many companies tend to operate on short-term decisions, risk managers should prioritize rooting SPOFs out of their company and taking measures to prevent them. Here’s how.
Step 1: Identify Single Points of Failure by Asking the Right Questions
At Saggezza, the first question we ask clients to help isolate SPOFs is, “What keeps you up at night?” Maybe it’s an IT system going down or payroll not working properly. Are there enough employees who can work to resolve these issues if they occur?
The second question is, “If X person went on vacation for more than a week, would the business be okay?” If not, this could be an indicator that the business is too reliant on that employee to function.
Adjacent to asking this second question is looking for the “superhero complex,” which is when a company consistently relies on certain employees to save it from emergencies. If an organization has lots of emergencies that constantly need superheroes, there are fundamental flaws to the business that risk managers should look to address.
Step 2: Offer Resources to Close Knowledge Gaps
Having a single point of failure means there are processes that many employees don’t know about or knowledge they don’t have access to. Consistent documentation and collaboration can help close these gaps.
Whenever anybody at Saggezza encounters specialized activities or receives information valuable for the entire team, they record a Google Hangout to share their findings. These videos are then transcribed into demos, turned into white papers or written out into step-by-step guides for others.
There are many other ways of keeping employees on the same page, including specialized training and education workshops. The main purpose is to make every employee responsible for documenting knowledge for others to use as a potential resource.
Step 3: Develop an Environment of Extreme Ownership
Single points of failure are a top-down issue. Many managers believe that having one point of contact or one subject matter expert for certain responsibilities is more efficient than having multiple options.
But that can create more problems than it solves.
Instead, companies should establish a culture of extreme ownership. In this environment, every employee understands what’s required, not just of them, but of the entire team, to succeed. These conversations instill personal accountability and reduce the chances of a single point of failure developing.
The Importance of Working as a Team
The word “team” gets thrown around a lot. Ideally, a company should act like a football team, where everyone collaborates and understands the game plan, including both the starters and bench players. This is why eliminating single points of failure is so important. There needs to be a “next man up” mentality so that the company can keep moving forward, no matter what happens.
Eliminating single points of failure is a long-term process. It requires reflection and time to educate employees on processes and skills that are critical for a business’s success. Taking steps to address these vulnerabilities now minimizes the risk of expensive setbacks later and fosters a culture of extreme ownership.
If you are still trying to identify all the risks you are exposed to within the context of your business or spend endless hours converting historic data into useless risk reports in an effort to mitigate as much risk as possible for a green light on the road to taking less risk (for less reward); if you are spending a fortune on controls and the digging of trenches for your lines of defense… fear no more!
The Radical Risk Management process is here, and the future is bright for those who choose to go through the disruption of dumping the outdated thinking, concepts, models and processes — things like the risk management “process” that is based on the assumption that it is possible to identify all the risks you are exposed to and then follow a dedicated process of mitigating all those risks as well as ideas like “Green is Good” and the three, four or, even worse, five “lines of defense.”
The management of risk is a mental process, not a technical process of data gathering, evaluation and reporting at consistent intervals with an expectation of a different outcome, or even improvement. Those who do nothing will just be exploited by those who change and get better at the management of risk.
This radical process involves only four components: Situational Awareness, Mental Simulation, Naturalistic Decision-Making and, finally, Response Execution.
These are built around key elements of an effective risk culture, namely: Risk Intelligence gathered from everywhere (not just last quarter’s outdated risk report), a Risk Nervous system through which this information can flow everywhere in the business (not a process of sanctification where reporting gets better the higher it goes) and all employees having the Competencies and skills to manage the risks associated with their jobs on a daily basis to ultimately build sustainable competitive advantage for the organization (no levels of assurance, squadrons of policemen or lines of defense; there is nothing to defend against).
“Information is anything that can be known, regardless of how it is discovered. Intelligence refers to information that meets the stated or understood needs of [the users] and has been collected, processed and narrowed to meet those needs. Intelligence is a subset of the broader category of information. Intelligence and the entire process by which it is identified, obtained, and analyzed respond to the needs of [users]. All intelligence is information; not all information is intelligence” –Mark M. Lowenthal, Intelligence: From Secrets to Policy (from Special Warfare Bulletin, JFK Special Warfare Center and School, Fort Bragg.)
In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis.
In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimize risks to make informed decisions and build sustainable competitive advantage for the organization.
Success depends on the levels of accountability you drive in your organization and the time and effort you put into building an effective risk culture. Do not even attempt this if you are going to keep a process of making risk decisions in committees where these decisions are “syndicated” without anybody taking any accountability. That will not work in the Radical Risk Management process!
There is also no need to employ consultants to help you with this. I could never anyway understand why organizations would pay outsiders to come in and gather ideas from their staff and convert these into PowerPoint presentations they sell back to the organization. There is no blueprint of one-size-fits-all for the Radical Risk Management process; you have to build the unique process in your organization, based on the underlying corporate culture and organizational structure and focusing on driving both the behaviors you want to encourage and the behaviors you want to avoid.
You need to take each of the four components and develop these within the context of your business strategy, goals and objectives. If a risk will not prevent you from reaching your business goals, don’t worry about it; you can never identify all the risks you are exposed to. The key factor is how your employees will respond to a situation of risk in real time. Business is not a game, and business decisions based on last quarter’s risk report are not such a good idea in real life; there is no reset button!
“The perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future,” as defined in Endsley’s model of Situational Awareness.
“Skilled behavior that encompasses the processes by which task-relevant information is extracted, integrated, assessed and acted upon” (Kass, Herschler, & Companion, 1991).
“Continuous extraction of environmental information, integration of this information with previous knowledge to form a coherent mental picture and the use of that picture in directing further perception and anticipating future events” (Dominguez, 1994).
Situational awareness is having an accurate understanding of our surroundings — where we are, what happened, what is happening, what is changing and what could happen; knowing what’s going on so you can figure out what to do, collecting information from your surroundings and situation to improve your decision making and circumstances by:
Using your senses (sight, smell, sound, taste and touch)
Monitoring the messages that others are providing through their behavior and communications
Being attentive to environmental circumstances that may indicate challenges, opportunity or danger
Reticular Activating System
A pathway in your brain that:
Filters incoming information
Turns on the “pay attention” button
Expands your intuition
Improves the message system between your subconscious brain and your conscious brain
Levels of awareness
Mental Simulation is our mind’s ability to imagine taking a specific action and simulating the probable result before acting. Anticipating the results of our actions improves our ability to solve new problems. Mental Simulation relies on our memory, learned via perception and experience. (Josh Kaufman, The Personal MBA)
There are a number of things you can do to minimize the perceptual analysis. The first is doing exactly what you are doing at this moment. You are thinking! Become aware of the possibilities and think about them. Sudden situations of risk and the likely adrenaline dump are not things we are used to or comfortable with. By thinking about our reactions, by cognitively dealing with the possibilities of outcomes, we take the first step in managing the risk response.
Mental Simulation includes running imagery of the situation and the actions to achieve outcomes. Imagery is the set of mental visual pictures of oneself proceeding through a series of actions. Imagery can go beyond just pictures and incorporate the other senses, as well. Research into the use of imagery indicates that it has positive effects, including improving self-confidence, task completion, concentration and coping. Effective use of the imagery technique has seven elements: physical, environment, task, timing, learning, emotion and perspective (PETTLEP: Dave Smith, Caroline Wright, Amy Allsopp, and Hayley Westhead, “It’s All in the Mind: PETTLEP-based Imagery and Sports Performance,” Journal of Applied Sport Psychology 19/1 (2007)).
Naturalistic Decision Making
Decision making involves assessment and choosing a course of action. Decision making requires an understanding of the situation and controlled thinking. The situation determines the urgency of the decision, risks and limits of action.
The naturalistic decision making (NDM) framework emerged as a means of studying how people make decisions and perform cognitively complex functions in demanding, real-world situations. These include situations marked by limited time, uncertainty, high stakes, team and organizational constraints, unstable conditions and varying amounts of experience. Every business in today’s marketplace operates under these conditions, and practicing this based on last month’s risk report can be futile.
Mindfulness is a key element in decision making. Mindfulness is the idea that one should be present in the moment and acknowledge his or her own feelings, thoughts and sensations. Arguably, mindfulness is linked to situational awareness. Research suggests that mindfulness decreases accidents and mistakes while increasing memory and creativity. Researchers also assert that mindfulness can decrease stress and even increase a person’s general health. Additionally, recent research into mindfulness showed that it could actually change the brain physically for the better. This research indicated that mindfulness could increase the density of brain matter in the anterior cingulate cortex and the hippocampus, resulting in better attention, self-regulation, thinking flexibility, reduced stress and increased memory.
Once these steps are complete and a response has been selected, the response, or action, must be executed. Correct and effective execution requires smooth and timely coordination to achieve the desired result of optimizing the risk to get maximum benefit for the organization. The availability of resources also affects a response, and inadequate attention results in ineffective execution.
Peak Response Execution is an action of optimal cognitive, emotional and physical functioning. Cognitively, people are at their peak when they have focused attention, ignoring unimportant things and allocating brain power to the task at hand. War fighters performing at their peak can better assess the situation, make decisions and perform the right tasks at the right time. Additionally, individuals performing at their peak are less likely to succumb to stress and choke when it counts.
That is it! You have to research each of these four components and apply your learning to your organization to build a Radical Risk Management process in your organization. With no blueprint, there is nothing to implement, and there is also no standard. (I hope somebody will not try to create a standard for Radical Risk Management and a whole industry of three-day certification courses to try and certify Radical Risk Management Practitioners).
The way forward: You can take the concept and go forward at your own pace and own target, as long as you use the process outline graphic with due reference. Alternatively, you can steal the concept and develop it further for your own commercial gain, but “chickens always come home.”
In this age of disruption, all those organizations that spent many years and lots of cash to dig beautiful trenches for their useless Three Lines of Defense are being seriously damaged. These organizations are now left needing even more effort, to fill up their trenches and get out on the battlefield of real business.
R.I.P., Three Lines of Defense model (the three being: operational managers; risk managers and compliance functions; and internal auditors). Your creators saw a tiny speck of light, but millions are left without defense, and the trenches are in shambles. Sadly, your ghost will haunt many for a long time. They still have three lines, but these are now so blurred that organizations must be extremely careful not to kill their own front-line fighters, a situation much worse than running around in the old trenches.
The model turned into a story of failed backward innovation — making something useless even more useless... and that in the middle of the age of disruption.
As Michael Volkov recently said: “The IIA’s revised model [for the Three Lines of Defense] should be ignored and relegated to the ash heap of bad ideas.”
The elephant in the room is actually a grey rhino, not a black swan; it is time for risk practitioners to learn the lessons. Time to wake up to the reality that an outdated risk management process of steps to Identify, Analyze, Evaluate, Treat and Monitor the Risk, together with beautifully crafted RAG reports linked to a bunch of risk-mitigating responses, are of no use, and that following any standard or framework contributes nothing to the actual management of risk. The effective management of risk depends on the risk management skills of the front line and the decisions made by them in every situation of risk that they encounter.
It is time for auditors to get away from the management of risk, far away — and to stay away. By the time anything gets to their line, it is too late anyway; all they can do is to issue a finding, implying that they “found” something. I have never seen an auditor resuscitate a dead business. Lately, we see more cases where they actually contributed to the death of organizations through a lack of diligence and susceptibility to corruption.
What a pity that the hours of heated, heat map-driven debates in the risk committee meetings on whether something should have been red, amber or green at the end of last month (or, even worse, last quarter) came to ... nothing!
The dominant personalities glaring at risk reports created from historic data, with their thinking clouded by unconscious biases, also made the syndication of decisions in these meetings so much more difficult. The hear no evil, see no evil, do no evil committee members who were mostly dedicated to their mobile phones during these debates are still going with the flow. Just like dead fish.
We also learned that “tested” business continuity plans are of very little value; no disaster will follow your plan. Success lies in the way each and every employee will respond to the situation of risk on D-day.
It is time for risk practitioners to grab the bull by the horns and learn this elephant-size lesson that the only way forward is building an effective risk culture and teaching everyone in the company radical risk management skills.