Digital risk: Transforming risk management for the 2020s

By Saptarshi Ganguly, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish

Significant improvements in risk management can be gained quickly through selective digitization—but capabilities must be test hardened before release.

Digitization has become deeply embedded in banking strategy, as nearly all businesses and activities have been slated for digital transformations. The significant advantages of digitization, with respect to customer experience, revenue, and cost, have become increasingly compelling. The momentum to adopt the new technologies and operating models needed to capture these benefits continues to build. The risk function, which has seen significant growth in costs over the past decade, should be no exception. Indeed, we are starting to see digital transformations in risk create real business value by improving efficiency and the quality of risk decisions. A digitized risk function also provides better monitoring and control and more effective regulatory compliance.

Experience shows that the structural changes needed to bring costs down and improve effectiveness in risk can be accomplished much like digital transformations in other parts of the bank. The distinguishing context of the risk environment, however, has important implications. First, risk practitioners in most regulatory jurisdictions have been under extreme pressure to meet evolving regulatory requirements and have had little time for much else. Second, chief risk officers have been wary of the test-and-learn approaches characteristic of digital transformation, as the cost of errors in the risk environment can be unacceptably high. As a result, progress in digitizing risk processes has been particularly slow.

This status quo may be about to change, however, as global banking leaders begin to recognize how substantial value can be unlocked with a targeted digital agenda for risk featuring fit-for-purpose modular approaches. In addition to the objective of capturing value, this agenda incorporates risk-specific goals. These include ensuring the ongoing effectiveness of the control environment and helping the risk function apply technology to better address regulatory expectations in key areas—like risk measurement, aggregation, and reporting.

What is digital risk?

Digital risk is a term encompassing all digital enablements that improve risk effectiveness and efficiency—especially process automation, decision automation, and digitized monitoring and early warning. The approach uses work-flow automation, optical-character recognition, advanced analytics (including machine learning and artificial intelligence), and new data sources, as well as the application of robotics to processes and interfaces. Essentially, digital risk implies a concerted adjustment of processes, data, analytics and IT, and the overall organizational setup, including talent and culture.

Three dimensions of change: Processes, data, organization

To realize the full benefits of process and decision automation, banks need to ensure that systems, processes, and behaviors are appropriately fitted for their intended purpose. In the risk environment, prioritized use cases are isolated in such areas as credit underwriting, stress testing, operational risk, compliance, and control. In most banks, current processes have developed organically, without a clearly designed end state, so process flows are not always rational and efficient. Operational structures will need to be redesigned before automation and decision support can be accordingly enabled.

Data, analytics, and IT architecture are the key enablers for digital risk management. Highly fragmented IT and data architectures cannot provide an efficient or effective framework for digital risk. A clear institutional commitment is thus required to define a data vision, upgrade risk data, establish robust data governance, enhance data quality and metadata, and build the right data architecture. Fortunately, processes and analytics techniques can now support these goals with modern technology in several key areas, including big data platforms, the cloud, machine learning, artificial intelligence, and natural-language processing.

The organization and operating model will require new capabilities to drive rapid digitization. Although risk innovation takes place in a very specific, highly sensitive area, risk practitioners still need to create a robust culture of innovation. This means putting in place the right talent and nurturing an innovative “test and learn” mind-set. Governance processes must enable nimble responses to a fast-moving technological and regulatory environment. Managing this culture of innovation in a way that is appropriate for risk constitutes a key challenge for the digitized risk function.

Adapting digital change to the risk context

Most institutions are digitizing their risk functions at a relatively slow pace, taking modular approaches to targeted areas. A few have undertaken large-scale transformation, achieving significant and sustainable advances in both efficiency and effectiveness. Either way, in the risk context, care must be taken when adapting test-and-learn pilots commonly used in digital transformations in other parts of the bank. Robust controls must be applied to such pilots, as the tolerance for bugs and errors in risk is necessarily very low. When digitizing processes relating to comprehensive capital analysis and review (CCAR), for example, solutions cannot be introduced into production before thorough testing has convinced designers and practitioners of their complete reliability and effectiveness. In certain other risk areas—such as monitoring and early-warning systems in commercial credit risk—banks can use test-and-learn approaches effectively.

Sizing the opportunity

Our experience suggests that by improving the efficiency and effectiveness of current risk- management approaches, digital risk initiatives can reduce operating costs for risk activities by 20 to 30 percent. The state of risk management at most global, multiregional, and regional banks is abundant with opportunity. Current processes are resource intensive and insufficiently effective, as indicated by average annual fines above $400 million for compliance risk activities alone (Exhibit 1).

Digital risk management can significantly reduce losses and fines in core risk areas.

The potential benefits of digital risk initiatives include efficiency and productivity gains, enhanced risk effectiveness, and revenue gains. The benefits of greater efficiency and productivity include possible cost reductions of 25 percent or more in end-to-end credit processes and operational risk, through deeper automation and analytics. Risk effectiveness can be strengthened with superior transparency, gained through better management and regulatory reporting and the greater accuracy of model outputs due to better data. Revenue lift can be achieved through better pricing or an enhanced customer and frontline experience—for example, by reducing the know-your-customer (KYC) cycle time from one week to under one day, or the mortgage-application process to under 30 minutes, from 10 to 12 days. Improved employee satisfaction can also be achieved through focusing talent on high-value activities.

Target risk processes: Credit risk, stress testing, and operational risk and compliance

The possible action areas for digital risk are extensive, but in our view three specific areas are optimal for near-term efforts: credit risk, stress testing, and operational risk and compliance. Alhough no one bank has fully digitized all three of these areas, we are seeing leading banks prioritize digital initiatives to realize discrete parts of the total savings available. The following discussion is based on actual digital risk initiatives across risk types and processes.

Credit risk

Credit delivery is hampered by manual processes for data collection, underwriting, and documentation, as well as data issues affecting risk performance and slow cycle times affecting the customer experience. Digital credit risk management uses automation, connectivity, and digital delivery and decision making to alleviate these pain points. Value is created in three ways: by protecting revenue, improving risk assessments, and reducing operational costs.

To protect revenue in consumer credit, digital risk strengthens customer retention. It improves the customer experience with real-time decisions, self-service credit applications, and instant credit approvals. The improvements are enabled through integration with third parties for credit adjudication and the use of dynamic risk-adjusted pricing and limit setting. One European bank is exploring the potential for digital risk to expand revenue in consumer credit within the same risk appetite. Digitized credit processes will permit faster decision making than the competition while the bank maintains its superior risk assessment.

Value is also created by improving risk assessment. Advanced analytics and machine-learning tools can increase the accuracy of credit risk models used for credit approvals, portfolio monitoring, and workouts. It can also reduce the frequency of judgment-based errors. The integration of new data sources enables better insights for credit decisions, while real-time data processing, reporting, and monitoring further improve overall risk-management capabilities. Operational costs are also reduced as credit processes are digitized. A greater share of time and resources can be dedicated to value-added activities, as inputs and outputs become standardized and paperless.

In addition to improving default predictions, we have seen credit risk improvements in these areas creating a revenue lift of 5 to 10 percent and lowering costs by 15 to 20 percent (Exhibit 2).

An integrated digital risk program for consumer credit can improve risk assessments.

Stress testing, including CCAR

Banks find that significant value can be captured through a targeted digitization effort for stress testing, including CCAR. The current approach is highly manual, fragmented, and sequential, presenting challenges with data quality, aggregation, and reporting time frames and capacity. The processes are prime candidates for digital automation and work-flow tools.

The underlying stress-testing process is the starting point. The improvement program will aim at optimizing resources. Dedication of resources will be prioritized based on materiality of risk. Institutions can achieve additional efficiency through parallel processing, centralization, and cross-training of staff, as well as better calendaring. Templates and outputs are standardized, and “golden” sources for data are designated. The resulting process becomes increasingly transparent and effective. Process optimization is supported by digital-automation initiatives for data loading, overlays, Y­14A reports, and the end-to-end review and challenge process. Real-time visualization and sensitivity analysis are digitally enabled as part of the transformation. In addition to optimizing stress testing directly, banks are also looking for opportunities to harmonize the data, processes, and decision-making models with business planning.

We have seen digitization in CCAR and stress testing bring significant cost improvements and—even more important—free up capacity so that experts can apply more insight and improve the quality and use of outputs (Exhibit 3).

Digitization can improve efficiency and effectiveness of CCAR and stress testing.

Operational risk and compliance

At many global banks, manual processes and fragmented systems have proliferated across operational risk and compliance controls and activities. In anti-money laundering (AML), for example, processes and data have become unwieldy, costs have skyrocketed, and efforts have become ineffective. Significant opportunities to increase the effectiveness and efficiency of AML operations lie in thorough end-to-end streamlining of the alert-generation and case-investigation processes.

In alert generation, digital risk improvements ensure that reference data available for use in the analytic engine is of high quality. Advanced-analytics tools such as machine learning are used to test and refine the case-segmentation variables and support “auto-adjudication” where possible. In addition, digitization and work-flow tools can support smart investigations and automated filing of suspicious-activity reports, an improvement that enhances the productivity of the investigation units.

Our experience of digital risk initiatives in AML is that they invariably improve effectiveness and efficiency, typically in the range of 20 to 25 percent. The overall impact of such improvement is even greater, however, given the large cost base of this function across institutions and the risk of not identifying bad actors.

Digital risk is different

A digital risk program must be designed in recognition of those aspects of the risk function that distinguish it from other functions, such as frontline digital sales. For risk, regulators will not accept the characteristic approaches of traditional digital transformations. Live launches of “minimum viable products” to be tested and refined in production is not an appropriate path for most risk activities.

Most approaches to digitization focus on improving the customer experience. Digital risk will involve some actual external customers, such as in credit delivery, but in most areas the focus will be on internal customers, stakeholders, and regulators. Moreover, digital risk is never a self-contained effort—it will depend on data from all businesses and functions. Development thus proceeds at a pace limited by the careful management of these interdependencies. Innovative approaches such as agile and digital labs provide effective options to implement solutions incrementally.

Direct impact will be felt in cost and risk reduction

While digital risk offers clear opportunities for significant cost reduction, the impact on revenue is less obvious but implicitly understood by leaders. Frontline digital transformations are often aimed at direct revenue improvement; proof of this impact from digital risk programs is more elusive, since risk is an enabling function. Faster turnaround times for loan applications is a typical digital risk improvement. This will likely drive higher lending volumes and, consequently, increased revenue—even if the correlation cannot be precisely determined. Given the indirect impact on revenue, digital risk programs should focus primarily on reducing risk and cost. The exception is digital credit, where the case for revenue lift will be clearer.

Designing a program

An effective digital risk program begins with chief risk officers asking the right questions—those that point the institution toward specific initiatives for digital innovation. “Can we reduce the time needed for structured credit approvals to a few minutes?” “How can we increase straight-through processing rates?” “How can we improve the efficiency and streamlining of KYC activities to reduce pain points in the account-opening process?” “How can we make CCAR less sequential and resource intensive?” “How can we improve the timeliness of reporting to meet regulatory objectives?” “What value can we extract from better use of internal data?” “What is the incremental benefit of including new data sources?” The answers will help shape initiatives, which will be prioritized according to current resource-allocation levels, losses and regulatory fines, and implementation considerations, such as investment and time.

Digital risk programs can incorporate the familiar design features of digital transformations, such as zero-based process and interface redesign and an agile framework. The testing and refinement, however, takes place entirely within a controlled environment. The design approach, which can be modular, must also be comprehensive, based on a thorough review of risk activities, appetite, and policies.

The designs cannot be migrated into production until they have been thoroughly tested and syndicated, often with regulatory bodies. Because of its highly sensitive environment, risk is digitized end to end over a longer timeline than is seen in customer-service areas. Specific capabilities are developed to completion and released discretely, so that risk management across the enterprise is built incrementally, with short-term benefits.

The anatomy of a transformation

A digital risk program can get a running start by capturing high-value opportunities first. The anatomy of the transformation will resemble that of other digital transformations, with the usual three stages: 1) priority initiatives are identified according to the value at stake and the feasibility for near-term implementation, 2) digital solutions are designed to capture that value and tested and revised according to stakeholder input, and 3) the improvement is introduced into production, with continued capability building to embed the design, engineering, and change management into the operating model and invest in the right capabilities and mind-sets.

The opportunities identified in stage one are matched in stage two with digital and other solutions that will reduce waste and optimize resources while improving standardization and quality. These solutions will involve work-flow automation, digital interfaces, and the use of advanced analytics and machine learning. The technology design may use a “two speed” architecture to support fast innovation in IT while allowing the main IT infrastructure to operate normally. New functionality is rigorously tested prior to migration into production, to ensure a smooth, error-free transition for critical risk functions. Iterative test-and-learn processes take place within environments featuring higher control standards than typical elsewhere. Stakeholder feedback and often regulator syndication are obtained prior to production release.

In the third stage, where the innovation is introduced into production, the organization focuses on change management. In itself, this is no different from typical digitization programs in other business areas. The focus is on embedding the design into the operating model and continuing to invest in digital capabilities to build momentum for further launches. Having the right talent in place, whether drawn from internal or external sources, is the key to a successful transition to digital risk.

The path to digital risk will be a multiyear journey, but financial institutions can begin to capture significant value within a few months, launching tailored initiatives for high-value targets. As the risk function becomes progressively digitized, it will be able to achieve higher levels of efficiency, effectiveness, and accuracy. In the future, risk management will be a lean and agile discipline, relieving cost pressures, improving regulatory compliance, and contributing to the bank’s ability to meet escalating competitive challenges. The first steps toward that future can be made today.

More on Risk

The next-generation operating model for the digital world

Article - McKinsey Quarterly

What makes a CEO ‘exceptional’?

Article - McKinsey Quarterly

Three game changers for energy

Article - McKinsey Quarterly

How functional leaders become CEOs