The future of risk management in the digital era

The facts about the digital era are becoming familiar but remain astonishing. Computing power has doubled annually since the 1970s, and costs have fallen at about the same rate. With every human activity now digitally recorded (even sleep, in Apple’s new health app), more data have been generated over the past two years than in all of previous recorded history. The number of interactive devices is also increasing fast. Four billion smartphones were active in 2016, with two billion more to come. And all those smartphones (and laptops, tablets, sensors, cameras, and so on) are busily creating torrents of yet more data—2.5 exabytes every day.

Data, analytics, and the digital tools to harness them are transforming all aspects of life, including business and industry. Banking is undergoing its own digital revolution (see sidebar “What is digital?”), with significant implications for risk management. In the 2017 IIF/McKinsey digital risk survey, we find that 70 percent of banks have digital risk prominently on the radar, with a middling level of management attention, and 10 percent have it on the high-priority list. Correspondingly, respondents indicate that 22 percent of banks—nearly 30 percent in Europe and the rest of the world—have invested more than 25 percent of the annual risk budget to digitize risk management. Six main trends are behind this transformation, either directly or because they build a case for change.

Front and center are customers and their ever-rising expectations. Today’s consumers and businesses are accustomed to personalization through social media and to rapid fulfillment through e-commerce. They expect the same kind of near-instantaneous service and customized products from their banks.

A second force is greater competitive pressure: aggressive fintechs, some prominent nonbank lenders, and early-adopting incumbents have enhanced their customer offerings, largely automated their processes, and made their risk models more precise. As a result, they can undercut traditional banks on price (our research has shown that digital attackers’ cost/income ratio is 33 percent, compared with 55 percent at incumbent banks).

Third, cost pressures come from another direction too: regulatory constraints and low interest rates have, in many cases, brought the average return on equity below or close to the cost of capital. While these cycles may turn, the pressure is likely to remain, especially as banks have added substantial staff to manage risk and enforce compliance.

The fourth trend is related to emerging and evolving risk types that arise from new business models. For instance, digital channels present new kinds of risk (including the greater exposure of digital assets). The rise of analytics requires risk managers to pay close attention to model risk, and the greater level of interconnectedness among businesses requires vigilance on contagion risk.

A fifth trend, regulation, may surprise some people who think that banking has reached “peak regulation.” Thirty percent of the respondents in our survey say regulatory cost for risk increased by more than 50 percent over the last five years. Moreover, 46 percent predict costs will continue to increase somewhat over the next five years. Though some aspects may begin to be deregulated slightly, banks can expect an overall increase in regulatory constraints on topics including supervision (for instance, TRIM and SREP), systemic risk (such as stress tests and Basel III), data protection (like GDPR), and customer protection (for instance, PSD II). While many participants in the working groups (and many of the chief risk officers in a forum that McKinsey recently convened) said that regulation “has become a stable element of our new business as usual,” this means that regulation is driving parts of the digitization agenda. Digitization can also strongly help to cope with the repercussions—nearly 100 percent of the respondents, irrespective of geography or category (G-SIB versus D-SIB), state that digitization is an important lever to cope with the regulatory burden. On the other hand, regulation is not a key impediment to digitizing risk. The most important impediments, according to the respondents, are legacy IT (85 percent), data challenges (70 percent), culture (45 percent), a shortage of talent (40 percent), and complex organizational structures (40 percent). These all score higher than regulation (35 percent).

Finally, a sixth trend concerns a banking-services ecosystem that is now springing up, offering new ways to undertake vital functions. For example, banks have used fintechs in credit risk underwriting partnerships, fraud detection, and (through industry utilities) regulatory compliance or supervisory reporting. Overall, 70 percent of survey respondents believe that fintechs will help to digitize the risk function. The most important topics here are mitigating losses from operational risk, managing ALM liquidity, risk stress testing, identifying emerging risks, and monitoring and managing risk portfolios. Also, 30 percent of the respondents (60 percent in North America) plan to use utilities and partnerships to cope with regulation.

The digitization of risk

Digitization in banks has so far concentrated mostly on customer-facing “journeys” (such as online marketing) and the operations that support those journeys (customer onboarding, customer servicing). Only recently have banks expanded their transformations into other parts of the organization, including the risk function. Banks note the importance of digitizing risk. Seventy percent of respondents reported that senior managers are paying moderate attention to risk-digitization efforts; 10 percent say that senior managers have made these efforts a top priority. Risk digitization is clearly an established topic in the executive suite.

This is not yet reflected in banks’ investment, however. Only about 10 percent of risk groups have allocated more than half of their budget to digitization; another 15 percent have allocated between a quarter and a half of their budget. Risk teams in Europe are investing more than those in North America.

Lagging investment is likely to catch up soon. Digital risk transformations are already a reality at the largest banks: 70 percent of G-SIBs stated that a digital risk transformation is now in place. Moreover, many respondents have high ambitions to digitize 80 percent or more of risk processes in the next five years. Furthermore, senior management’s mandate is now to drive such transformations; only 9 percent of respondents view a lack of senior management attention as a key challenge to digitizing risk.

Given the trends we have laid out, it is imperative for the risk function to accelerate its digitization efforts, since it will be increasingly hard to stay analog while customer-facing activities and operations race ahead into digital. As one risk executive noted, “the risk function should not be the bottleneck to a highly digital [bank].” Another said that “there is no way channels can be truly digital without working with risk.” However, only 39 percent of respondents considered their risk function to be a significant contributor to the bank’s overall transformation.

A digital transformation for risk would mean a number of changes. Chief among them, risk would capture and manage information from a broader and richer set of data, looking into nontraditional sources like business-review ratings online. It would automate processes it controls, and work with others to do the same for decision-heavy processes. It would use advanced analytics to further improve the accuracy and consistency of its models, in part by greatly reducing the biases. Risk would embed its solutions in a bank’s website, its mobile trading app, and its corporate-banking platform, while deploying a flexible risk data architecture. Inside the bank, leaders would consult self-serve dashboards informed by risk analyses—and thus act on risk-driven strategic advice. Risk would review and reshape its mandate and role to capitalize on its ability to provide faster, more forward-looking, and deeper insights and advice. It would alter its organizational setup, as well as its culture, talent, and ways of working.

But to get there, risk must overcome a set of challenges. First, risk systems have significant IT and data constraints. IT systems are often patchwork, which means that data quality is often poor. Eighty-six percent and 63 percent of risk managers viewed legacy IT systems and a lack of easily accessible high-quality data, respectively, as the main challenges to digitizing risk. The working group noted the contradiction involved in encouraging people to seek additional and creative data sources while not mining fully trusted internal data as a result of the challenges of legacy IT systems.

Second, risk leaders are inherently and appropriately conservative, given their mandate. They will need to adopt and adapt concepts like iterative design, “fail fast,” and multivendor teams. Forty-six percent of risk managers viewed culture as a main challenge in digitizing. Risk staff often lack the most up-to-date knowledge of analytics and next-generation technologies that will be needed in a more digital state. Forty-three percent of risk managers saw talent as a key challenge in digitizing. The working group actively debated how to attract and retain talent both proficient in risk and comfortable with digital technologies.

Third, risk has bankwide interdependencies. The risk function is highly involved in thousands of daily decisions across the entire bank. It requires considerable collaboration from others to deliver a digital risk solution. Thirty-seven percent of risk managers viewed a complex organizational structure as a main challenge in digitizing. As one risk manager stated, “strategic alignment is needed between different groups ahead of time [to drive the risk] digitization.”

Regulation is another challenge. As 34 percent of the respondents noted, regulatory requirements for transparency, auditability, and completeness could limit the depth and speed of the technology’s adoption. The working group consequently observed that “black box” machine-learning techniques have had a slow rate of adoption in regulatory-reviewed models. Finally, digital transformation in risk is a special case. Not unlike open-heart surgery, everyone must know the playbook to the last detail, and a range of safety measures and fallback options must be in place to safeguard the bank and its customers and keep operations running at the highest possible levels.

Nevertheless, it can be done. Many capabilities are in place, others can be amassed, and several banks have laid promising foundations. Further, there is a strong economic case for taking on these challenges and digitizing risk; 40 percent of respondents believe that credit risk costs will fall by more than 25 percent (we explore the economic case in detail, below). Leading banks and fintechs have proved that a number of oft-cited transformation barriers, such as a lack of digital talent and heavy regulatory requirements, can be overcome. In essence, the research that underpins this report makes a clear case for digitizing risk. Now the question is how far and how fast digitization can go.

A vision for digital risk

A fully digital risk group could be game-changing for key stakeholders given the observed trends and impact at stake. Consider how their experiences would improve:

  • Risk executives will focus on more strategic and high-value decisions as routine work is automated away and fewer exceptions require manual handling. They will use advanced-analytics capabilities to generate insights that are hard to produce today (such as complex correlation and trend analyses) to help the front line optimize its decisions and offerings. Risk executives will deploy a centralized “nerve center” where newly powerful self-learning models will harness improved connectivity to set limits dynamically and to detect emergent risks (credit, market, and operational)—evaluating those risks immediately, setting cross-risk mitigation strategies in motion, and dynamically adjusting limits. This nerve center will thus improve forward-looking risk identification and management across different risk types. To access these nerve centers, risk leaders will consult self-service, highly customized dashboards that give them the ability to drill down into the headline figures and run self-defined analyses, mostly in real time. Risk executives will lead a smarter, nimbler, and smaller organization (60 to 70 percent of the current size in full-time equivalents, or FTEs) with a very different distribution of skills, including many more people with analytics and digital skills. Risk’s responsibilities will grow, however, in the view of more than 80 percent of respondents. Nearly two-thirds also think that more activities will move from the first line of defense into the risk group.
  • CEOs and heads of business will receive automatically generated strategic advice on risk-oriented business decisions, such as identifying origination opportunities, shrinking unwanted exposures, managing investment portfolios, and allocating capital. Here too, executives will rely on an intuitive visual tool to provide advice on demand at an appropriate level of detail (such as specific markets, portfolios, or products). This advice will be grounded in live analytical views of the bank’s projected performance. CEOs will come to rely on a tool that readily illustrates, say, the implications for risk appetite of taking on credit and market risk in a given country under various macroeconomic scenarios.
  • Retail and corporate customers will have individualized banking experiences that meet their high expectations. Banks will be present at key moments in people’s lives, helping them make more informed decisions, adroitly anticipating their needs, and offering customized solutions. No longer will customers need to communicate over multiple channels or shuffle through reams of paper. Banks’ advice might range from simple nudges to avoid overdrafts or late-payment fees to more sophisticated help managing account balances to optimize interest income. The advice will come in real time and will be fully embedded in the customer journey. For corporate customers, the bank will also be able to integrate into the supply chain, assessing risks and providing timely financing; here too, advice and decisions would be fully embedded in the customer journey. CFOs could expect comprehensive financial advice (subject to regulatory constraints), including views on risk from, say, adverse market trends and benchmarks that might compare the company’s customers with industry metrics. Customers could, moreover, confidently expect the bank to keep their data safe.
  • Regulators will move from consuming reports to receiving near-live data. While our respondents were divided on whether regulators will have direct access, most think that the provision of data will be timely and painless. Regulators could swiftly perform ad hoc analyses (for instance, impromptu stress tests) and provide banks with enhanced guidance on systemic risks. They could flag potentially noncompliant actions, allowing banks to deal with and mitigate any related risks to prevent them from ballooning into material systemic issues. Regulators could also oversee nonbanks, including fintechs and corporates with financing arms, in the same digitally enabled ways.

The value at stake

Risk managers agree that considerable value is already at stake for banks in achieving this digital state in the near term (two to three years). This value would be derived mainly from efficiencies, reduced losses, and even indirectly through an enhanced customer experience and increased revenues. Twenty-eight percent of respondents expect automation to reduce costs by at least 30 percent. Nearly two-thirds think that a reduction of at least 15 percent is likely and that the time to make credit decisions will fall by at least 25 percent across portfolios. About 80 percent think that more timely decisions will be another benefit. Seventy percent expect higher productivity.

We estimate that the annual steady-state value from digitizing risk management (including revenue effects) will be approximately the same as the total investment over the first three years. This equates to a return on investment of about 450 percent for a first-mover bank with a well-executed program. For a G-SIB, this would translate to about $600 million to $1.1 billion of annual, steady-state impact. A typical G-SIB with a $1 trillion balance sheet would have to make a $200 million investment annually for three years. Since digital transformations are much more modular than classic large-scale IT replatforming programs, higher-impact areas can be targeted first in a precise way. As a result, the ROI would be even greater in the short term, with early impact potentially funding later investments in an agile deployment of initiatives. These estimates are contingent on risk and the bank’s successful execution of a large change-management program of many initiatives; it is possible or even probable that banks will not meet their expectations on all initiatives.

Our analysis considered several levers. Recent efforts with risk automation and robotics suggest that FTE productivity could rise by 10 to 20 percent. With machine learning and other technologies, risk models can become more predictive, which suggests that credit losses may fall by up to 10 percent. As automation and analytical tools reduce the number of human errors, and as new multichannel surveillance techniques detect inappropriate employee behavior more capably, the frequency and magnitude of operational and compliance losses and fines could decline by 10 percent. However, evolving risks (such as cyberrisk) might increase the potential for high operational losses, offsetting the gains to some extent.

IT costs for risk could decrease by 10 to 20 percent as the function optimizes its application-development and -maintenance capabilities and simplifies its data and application environments. Finally, there is also the potential for a capital reduction of up to 8 percent—depending, of course, on regulatory restrictions. As data quality and processes improve, and as analytics supplies greater precision, banks will be able to deploy capital more efficiently, lowering their risk-weighted assets.

We also see the potential for a revenue uplift of up to 4 percent for a first-mover bank that overlays risk models onto marketing models to develop a view of risk-adjusted returns from prospecting for new revenue sources, and from providing excellent risk-based decision tools to customers, in or near real time.

Over time, we estimate that most of these benefits would expand, as more advanced technologies, better algorithms, and more automated processes come online.

Real-world progress

Parts of this future vision are already taking shape as various banks show strong progress in key applications of digital risk. Of numerous examples we encountered, two stand out. A midsize European bank implemented a digital-risk “engine” in its mortgage business to combat imminent competitive pressures. The bank retooled the process, removing a number of breaks. It kept most of its previous risk models, but upgraded its pricing model and optimized its credit policies and decision-making criteria, replacing a complex and overlapping set of rules. In six months, the bank transitioned from nearly 95 percent manual decision making (two weeks of approval time) to 60 percent straight-through processing (less than one minute of approval time) with a completely paperless process. It reduced the customers’ burden of data provision by 75 percent thanks to reusing information it already had or could easily find. The decision process integrates seamlessly into the advisory process, allowing for instant credit approval by the RM.

The second example comes from a US universal bank that is currently digitizing its CCAR process. Production time is slated to decrease by 30 to 50 percent, freeing up experts to focus on review and challenge before submission. The bank also anticipates FTE productivity gains of approximately 20 percent. Risk is collaborating with finance and business units to reengineer the process; critically, several steps that used to be done sequentially now take place in parallel. The bank is automating workflows, including the production and review of documentation, and applying advanced analytics and automation to enhance controls, thereby making the output more reliable and reducing the need for rework.

These are just two specific examples of high-impact use cases that could serve as parts of a broader digital risk transformation, which could include initiatives such as rapid limit setting across the portfolio, automated early-warning and collection systems, and automated compliance controls. Many participants and interviewees spoke of similar experiences, demonstrating that the capabilities to digitize risk safely are already in place, and that techniques like the agile organization allow risk to focus closely on high-impact areas in a modular way, building a transformation quickly.

The seven building blocks of digital risk

Banks can harness the seven building blocks of a digital transformation to construct a successful digital risk program. It is not necessary to excel in each category; rather, risk should prioritize those that enable the strategy of the bank and capture its unique opportunities.

  1. Data management. Enhanced data governance and operating models will improve the quality of the data, make risk and business decisions more consistent, and ensure responsiveness to risk’s data needs. One important enhancement is the need to consider data risk as a key element of the risk taxonomy, linked to a specific risk-appetite statement and data-control framework. Another is to accommodate far more varieties of data. Approximately 30 percent of the respondents say that new data sources will probably have a high impact on their work. And of course, risk must prepare for a lot more data.
  2. Process and workflow automation. As risk automates tasks such as collateral data entry, often through robotic process automation (RPA), it can combine several of them into smart workflows: an integrated sequence performed by groups of humans and machines across an entire journey (for instance, credit extension fulfillment). In addition to greater efficiency, smart workflows create a more seamless and timely experience for customers. About a quarter of respondents believe that more than 15 percent of costs can be cut across different risk disciplines, except in credit, where the number is a bit above 60 percent. Around 30 to 45 percent of respondents see 5 to 15 percent cost-reduction potential from automation, depending on risk type. Ninety percent see benefits from increased precision and 55 percent believe automation will improve compliance with regulation. As a knock-on effect, risk people will focus more on the value-adding activities they have been trained for. And 84 percent of respondents expect an increase in customer and employee satisfaction.
  3. Advanced analytics and decision automation. Sophisticated risk models (for instance, those built on machine-learning algorithms) can find complex patterns (such as sets of transactions indicative of invoice fraud) and make more accurate predictions of default and other risk events. Nearly three-quarters of risk managers surveyed expect advanced analytics to have a significant impact on their work. Fifty percent say credit decision times will fall by 25 to 50 percent. A few respondents even believe that times could fall by 75 to 100 percent.
  4. A cohesive, timely, and flexible infrastructure. The risk infrastructure will evolve to support several other building blocks: innovative data-storage solutions, new interfaces, easier access to the vendor ecosystem, and so on. It will use techniques like application as a service, obtained from application service providers (even on open banking platforms). Approximately 45 percent of the respondents see innovative technologies as a high-impact building block. “No code” and “low code” solutions will put control further in the hands of risk executives and reduce the number of end-user computing tools. Nearly 60 percent of the respondents expect innovative data-storage structures to have a significant impact on risk management.
  5. Smart visualization and interfaces. Risk will deliver its insights in more intuitive, interactive, and personalized ways through risk dashboards, augmented-reality platforms for customers, and other interfaces. Nearly 20 percent of risk managers expect nascent technologies, such as augmented reality, to have a high impact.
  6. External ecosystem. Risk will partner with external providers to vastly improve customer onboarding, credit underwriting, fraud detection, regulatory reporting, and many other activities. Two-thirds of respondents see fintechs more as enablers than disruptors, while 63 percent of North American respondents plan to use industry utilities to deal with regulatory burdens.
  7. Talent and culture. Risk will have a far greater share of digital-savvy personnel with fluency in the language of both risk and the business, operating within an agile culture that values innovation and experimentation. The new profiles seen as most critical in a digitized risk function include data scientists and modeling experts. Many risk leaders think that their teams will need to develop these skills rather than hire nonrisk professionals and expect them to learn risk.

A road map for success

A digital risk transformation is complex and potentially confusing. It includes all the tasks of digitization efforts elsewhere in the bank, such as getting alignment among top executives, prioritizing specific high-ROI and time-bound initiatives, and changing the culture. But the digitization of risk must be handled with even greater care than the bank uses elsewhere. “Move fast and break things” is not the right motto for digital risk. Risk is the bank’s watchdog, and no digital improvement is worthwhile if it keeps risk from its appointed rounds.

While difficult, digital risk transformations are not impossible, and more banks are taking them on. As noted, 43 percent of the interviewed respondents (and 70 percent of those at G-SIBs) currently have a digital risk transformation in place. The survey, working groups, and interviews revealed the secrets of making digital risk a reality in each of the three main thrusts of a transformation:

  • Defining a vision for digital risk, including a view on the key activities risk will perform in the future, and in what way; the corresponding mandate and role of risk; and the metrics that will be used to determine success. Critical insights here include understanding the ways that risk’s role will evolve, to include activities such as providing strategic counsel to the top of the house.
  • Determining the opportunities for digitization, through a bottom-up assessment of risk processes, a plan for applying digital tools to the most promising activities, and a business case that estimates the total impact. One key insight: banks should not wait for perfect starting conditions before getting started; often, they can take significant steps even while they are building vital assets and skills, which can be added later.
  • Running a swarm of initiatives that meets the strategic goals and captures the defined opportunities, through a considered approach to governance and the operating model, and new techniques such as agile sprints and digital factories. One important finding from the research: even as it moves to agile development, risk must put in place hard measures to ensure safety, such as running old and new processes in parallel for a while, and conducting more back-testing on new analytical approaches.

Given the high value at stake and the dangers of procrastination, banks should embark on the digital risk transformation journey as soon as possible. Most risk functions have at least some of the building blocks they’ll need to get started. They can harness these for short, agile initiatives that build momentum toward the necessary digital risk vision and address any lingering internal doubts. As one risk executive told us, “By delivering proofs of concept, we can convince those remaining skeptics that the new technology and innovations at our disposal can and should be used in [achieving the critical digital risk transformation].”