The Boards of Directors of banks continue to face increasing accountability for ensuring their banks are effectively managing risk. Yet, despite improvements in risk identification, reporting, and strategic risk management initiatives, regulators still question whether banks are truly engaging in the right ways on the top risks that could bring down an individual bank or have a broader systemic impact.
Banks and banking rely on trust; and while it takes years to establish that with the public, it can be lost in a moment through failures caused by break-downs in ethics, values, and bad behaviors. Banks and banking today stand in disrepute. Poor cultural fundamentals and significant people risk failures were major drivers of the financial crisis, and continue to be factors in the scandals since then, aggravated by staff with questionable conduct and values.
Huge fines imposed by regulators make spectacular newspaper headlines, but we have recently seen that this will not always be the case as the Monetary Authority of Singapore (MAS) closed down a bank for "serious breaches of anti-money laundering requirements, poor management oversight of the bank's operations, and gross misconduct by some of the bank's staff" (1) MAS also referred the names of some senior management and staff to the Public Prosecutor to evaluate whether they have committed criminal offences.
“Pursue a straightforward, upright, legitimate banking business. Never be tempted by the prospect of large returns to do anything but what may be properly done under the National Currency Act. ‘Splendid financiering’ is not legitimate banking, and ‘splendid financiers’ in banking are generally rascals or humbugs” (2) – Letter of guidance to bankers from the U.S. Comptroller of the Currency, December 1863
The Banking Industry continues to feel the pressure. Increased regulatory attention, a sharper focus of shareholder value and better customer service expectations. Add to this, an ever more competitive and closely scrutinized market place where those who are not good at risk management are being exploited by those who are better in a race for much needed transformational change and often a rush for profits.
Cyber Security has never been higher on the executive agenda; and the appetite for Information Technology Risk is decreasing rapidly; in this day and age systems should reduce risk, not increase the exposure to it. Putting IT risks into the context of business risks has historically not been strength in banks and it is time to harness all available information to build growing capabilities through proactive training, awareness and forward-looking risk assessments.
Recent high profile and large financial losses due to excessive risk taking and material failures have centered on traditional IT risks such as business continuity, data loss, change management, third party suppliers and lack of adequate fraud detection mechanisms. Despite the hype around the risks of social media and bring your own device (BYOD), focus is still on detection rather than prevention and efforts to be more effective often completely ignores the human factors. Roque employees, inadequate risk skills on the front-line and other insider threats are mostly overlooked in Cyber Security programs.
Cyber criminals are moving on from just trying to make a point through disruption to gain visibility or make propaganda, the new reality is carefully orchestrated attacks for financial benefit and maximum damage, often stopping short of destroying banks completely. Long gone are the days when a network boundary firewall and a “live” anti-virus program could be seen as sufficient security.
These attackers continue to advance and use sophisticated techniques to infiltrate banks and other organisations and they have also become more targeted in their approach. We see a move away from “smash & grab-style” attacks to well-planned and perfectly executed “dig-in & wait, battlefield-style” attacks. Cyber criminals spend significant time and resources performing reconnaissance activities to learn about financial institutions and develop malware to specifically bypass traditional security technologies and exploit internal system vulnerabilities.
Most banks have a false sense of security provided by fire-walls and other preventative, signature-based tools to try to keep threats out. Without the ability to rapidly detect compromises, quickly confirm infections and take immediate action; banks are constantly behind the attackers and the risk of loss of data increases significantly.
The Human Factor is the weakest link in cyber security and as banks continue to push through their own cultural change programs aimed at instilling better behaviours, something that many risk practitioners attribute to the failings that led to the financial crisis, the role of operational risk in helping to embed the right approaches within the business seems to be gaining traction.
"Our people need to understand that, okay, so you can't go and do that in your personal life, right? You can't do that against family, against friends, against neighbors. You've got to still be a model citizen in cyberspace" (3) -Steven LaFountain, Centers of Academic Excellence in Information Assurance/Cyber Defense
There will always be people risk and some bad outcomes, but it's got to be controlled and managed to within a risk appetite level that you're comfortable with; and that is consistent with the performance and reputation that the bank would like to achieve.
We know that any firm’s risk culture evolves over a long period of time. You can’t just flick a switch to make it go from one culture to another. “Carrots and sticks” also have limited success and often any of these just add to a bad situation of mistrust and frustration. Operational risk managers should avoid “one-size-fits-all “thinking and solutions and use their experience and foresight to exercise judgement as to which areas they should be focusing their attention.
All employees should learn basic operational risk management skills and the relevant operational risk competencies must be built into the bank’s competency framework. Skills gaps must be identified and structured training programs implemented to upskill staff.
Employees could also be provided with internal and external case studies as operational risk touches literally every process and system in the bank. The key is to choose a range of examples that are both relevant to the bank and to different groups of employees at different levels within the bank. Generally bankers have a good understanding of Operational Risks internal to the organisation, except maybe the people risks; but it is the external Operational Risks that can put you out of business very quickly.
Building an effective Risk Culture will support executives to deal effectively with uncertainty and associated risk and opportunity. Risk Management does not operate in isolation but rather is an enabler of the management process. Over the past decade, risk management became more about quantitative models and less about behavioral models. Unfortunately, as we discovered during the global financial crisis, even the best quantitative models cannot predict the result of misguided behavior and when external operational risks materialize, it can kill your business.
- Monetary Authority in Singapore, official press release, May 24th, 2016.
- Father of safe banking creed to be honored, Horward Wood, Chicago Tribune, February 28th, 1938
- Meet the NSA’s hacker recruiter, Eamon Javers, CNBC, Oct 1st, 2014
Originally published by the Risk Culture Builder on Zawya.com