By Atul Vashistha, Supply Wisdom:
Fines resulting from poor risk management controls are becoming commonplace in the financial industry – and this new trend is just as expensive as it is avoidable. Recently JPMorgan was charged $250 million over inadequate risk management in its wealth management business. This follows the news that Citigroup was fined for major deficiencies with their risk program, and USAA faced a civil penalty for deficiencies as well.
These kinds of headlines are plentiful, but one thing is certain: risk management errors and mishaps are becoming too expensive to ignore.
The sad reality is that many banks appear to be considering these fines as a cost of doing business. This mindset, while commonplace across the regulatory environment, leaves banks even more exposed to cascading risk, catastrophic events and sudden market shifts. The resulting losses in reputation, trust and profitability multiply exponentially beyond the cost of the initial fine. This makes it crucial for financial institutions – and any organization facing strict regulations – to continue to reevaluate their risk management approach and related controls, and to reinforce a culture of continuous improvement.
The Common Failings Around Risk
If you take a look at many policies for risk management, you’ll notice one similarity: there’s a lack of detail. This isn’t because risk teams are overlooking obvious risk events – it’s due to the inability to plan for unforeseeable threats, which is often caused by a lack of visibility. Today, too many companies lack the tools, technology and processes to anticipate risk events and plan accordingly, which creates blind spots. This is especially true when it comes to third-party risks.
When monitoring supplier risk, most financial institutions overemphasize financial and cyber factors. Don’t get me wrong – these are two incredibly important indicators to monitor. But the risk aperture needs to widen to capture a broader array of risks, such as climate, diversity, governance, sanctions, people, geopolitical and more. How reliable is a financially stable supplier with strong cyber protocols if their operations are based in an area at high risk for natural disasters or political strife? Forces like this can disrupt even the most stable third parties. As a profession, we need to start thinking more holistically about the convergence of financial, location, political, social and people-based risk.
Another common weakness in traditional risk approaches is the siloed nature of information sharing. Some organizations are going beyond financial and cyber – but the intelligence is scattered across the organization. Without a single, integrated view of all risks on a continuous, real-time basis, banks have little ability to get ahead of risk-related issues before regulators spot the problem, or worse, it disrupts their business.
A Continuous Approach for an “Always-On” Risk Landscape
The need for agile, continuous risk monitoring strategies that go beyond traditional risk indicators is clear as day. And as we enter the new year, we’re starting to see more boards and senior executives demand that risk teams streamline and accelerate their point-in-time financial assessments and shift to continuous, always on risk monitoring and intelligence programs that can highlight risks attributed to location, governance, regulatory, people and more, in real-time, without all the noise. This is a critical shift that’s happening in the market – and for the good of everyone, it needs to accelerate.
The gaps in risk management practices today, while alarming, are not surprising. For far too long, the industry has taken a compliance-driven approach to risk, which increases vulnerability. If COVID-19 has taught risk professionals anything, it’s that you need to be able to proactively act and respond quickly. Success requires the market to identify faulty risk management practices and put measures in place to improve their defenses. Simply modernizing your internal approach – and closing a few gaps – can have an exponential trickle-down impact on your risk profile. We need to start relying less on point-in-time assessments and adding continuous monitoring with an expanded number of risk vectors that are monitored. Despite what we hear about broad and sweeping transformations, we don’t need to start over, we need to incrementally improve, one defense at a time.
Modernizing and enhancing your risk approach will also aid your compliance program, and even more critical, solidify your resilience. This is especially important as we approach 2021, because I anticipate that regulators will strengthen the regulatory and compliance playbook. Considering the increasing number of breaches, lapses and disruptions across the global supply chain, regulators are going to expect the industry to proactively, effectively and continuously monitor risk – starting with a major re-write of their requirements, guidance and policies for due-diligence and vendor lifecycle management.
The bottom line: Operating as if fines are a cost of doing business is a dangerous and potentially costly strategy. We need to move beyond checkbox compliance and commit to proactively and continuously improving how we evaluate, manage and mitigate risk across our business and supply chain. Continuous monitoring and risk forecasting has served the industry well for Market and Credit Risk, and it can be just as effective in Third-Party Risk.
About the Author: Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. He pioneered the global sourcing advisory space in 1999 when he founded Neo Group. Vashistha is also founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented continuous risk intelligence and monitoring solution. He serves on boards on IAOP, Shared Assessments, and Zemoga and also recently served as Vice Chair for the US Department of Defense Business Board.