Managing risks during a digital makeover
Keith Pearson, head of financial services at ServiceNow, joins us on the BAI Banking Strategies podcast to share how banks can improve security by digitalizing risk management.
Because banking institutions are in the money business – their customers’ and their own – they are also in the risk business.
Keith Pearson, head of financial services at ServiceNow, joins us to discuss how banks and credit unions can improve their security by digitalizing their risk management.
A few takeaways from the conversation:
INTERVIEW TRANSCRIPT
So Keith Pearson, head of Financial Services for ServiceNow. Welcome to the BAI Banking Strategies podcast.
Thanks, Terry. Good to be with you.
So Keith, we’re going to be talking about how banks should be thinking about risk and how to better manage those risks as they progress with their digital transformation. Let’s start at a high level with that basic question. I mean, how are banks thinking about risk and how should they be thinking about it differently than they do now?
I think one of the biggest challenges is if you’re a bank, you operate, your entire business operates on risk. If you look at an annual report of a large global bank, you could see that anywhere up to 30% of that annual report is given over to the discussion around financial and non-financial risk. So, the notion of managing risk in banking is as old as banking, particularly financial risk because you don’t want to be lending money to people that aren’t going to pay you back. But when it comes to non-financial risk, the model that has been used for a long time now is a model that’s referred to as “three lines of defense.” And the analogy is around the idea that the first line of defense is the business, is the people working day to day in the business. That could be in a branch, in a contact center, in IT, in the security department, in the lending operations center – that’s first line. Second line is the professional, if you like, risk community. They’re there to provide that second line of defense, oversight over the first line to make sure the first line are doing things well and properly and compliantly. And then, the third line of defense is internal audit, and they really have a role to look down upon the second line function and the first line business and make sure everybody’s operating correctly, and identify areas where there are potentially problems. So, there’s a very hierarchical and structured and standardized approach to managing non-financial risk that’s been in place for a long time. The challenge with that is an awful lot of it is done manually, and as we start to digitally transform and as technology becomes ubiquitous in the way that people in banks do their job in any part of the organization, for risk to be managed manually or tracked manually is really beyond the capability of the people who have to do it. It’s too complex.
And so, we probably have now an outdated risk, if you like, operating model in financial services organizations to truly get on top of real-time risk, real-time threats, the level of complexity that we have in big financial services organizations.
You’re talking about a distinction between financial risk and non-financial risk here. And certainly, there’s a number of risk areas within a bank that are distinct from the credit and the financial-related risk areas that are really at the core of their business. On the non-financial risk side, what are some of the key risks that you’re most focused on there?
So, I think that there are a number of different areas, as you would expect. There’s IT and security. So, there are cyber threats and cyber risks and so on that need to be managed. Again, given the level of ubiquity of technology in a bank’s operating environment and the technology itself, the likelihood of technology breaking or part of it breaking that leads to other parts breaking that starts to bring down operating systems and so on. But there’s also things like conduct risk. So, conduct risk is “Are agents of the bank behaving properly and appropriately in the way that they offer services to customers?” Are they following the right rules and procedures when they offer a loan or they offer a mortgage or they offer an investment option or whatever else it might happen to be. So, a whole range of elements of risk that range from very, very technical traditionally, to actually really much more customer-facing.
These risks that you’re talking about, none of them sound particularly new. So, what has changed or what is in the process of changing that is putting them front and center now?
If you look at conduct, then what has become increasingly new, if you like, over the course of the last 10 or 15 years, it is scrutiny from regulators. So, things like the financial crisis and mis-selling subprime mortgages, all those sorts of things that happened in the early 2000s. That led to significant tightening up of regulatory control, and therefore the management of the risk associated with those types of things has become significantly more important at a bank’s board level than it maybe might have been if you go back to the year 2000. On the technology side, there’s a major migration from on-premise technologies to cloud technologies at the moment. So, managing risk in that space when you’ve got an aging on-premise state – maybe a bank’s mainframe or something like that – is really, really important as you invest in the future and move to cloud. And then, actually, the moving to cloud itself introduces new risks that wouldn’t necessarily have been in place in the past. And then finally, the entire technology, whether that is inside the bank, in the bank’s core technology or outsource to third-party vendors or fourth parties or fifth parties in some cases, the entire perimeter of that is subject to cyber-attack, potentially. And of course, cyber attackers are particularly advanced in this day and age. It can be rogue nation states, it can be heavily financed attackers who are looking to break into banks’ firewalls or through banks’ firewalls. And of course, sometimes those firewalls are not actually the bank. So, that increase in perimeter and the increased amount of cyber threats is something that means that there’s a far bigger focus now on the management of cyber and security risk than there would’ve been historically also.
Now that we’ve set the stage, I want to start shifting the conversation from how banks should be thinking about the risks to how they should be addressing them. So, I’d imagine that technology may be a big part of that answer, but do internal processes, do other business related elements, do these things also have a role to play?
Well, fundamentally, disconnected and fragmented processes, whether they are technology enabled or not, introduce risk into the overall system. So, if you have a business process that hands off from a branch to an operations center, to some back office function, so-and-so forth, if that process itself is fragmented, every single one of those handoffs in the process introduces new risk. Each process in its own right, each step in its own right, has inherent risk within it. And then, what typically happens is over the course of the last 10 or 15 years, we have had to digitize those processes. And so, digitizing them truly would mean unifying the process from the place where it starts to the place where it finishes and is executed. And that would ideally be done on a single coherent, if you like, technology so that you could track data and activity all the way along the process. That would be a great state because that would allow you at least to look at the process in technology end-to-end and be able to identify where potential weaknesses sat from a risk perspective. But, of course, that’s not the way that banks have traditionally built these processes. They have different technologies doing different bits along the steps. So, you’ve got a process that’s fragmented, you’ve got technology that’s fragmented. And what that means when you’re running high transaction volumes around things like securities trading or you’re running high transaction volumes on one application, any of those types of things, new account opening and so on, the likelihood of risk as a consequence of the fragmentation of the process itself and the technology that underpins it is very, very high. Then, of course, add into that the thing that we talked about where risk is being manually tracked after the fact on a sample basis.
So, if you’ve got, let’s say, 10,000 transactions a day running, it’s impossible to trace every single one of those unless there is coherent technology in place in that process. And so, what you need to do is after the fact, you need to sample test a number of those processes, and let’s say you’re able to do five of those 10,000, you’re using that as the sample and then you’re extrapolating that out as the risk position for that process overall. So clearly, on an unlucky day, you could pick five that aren’t affected and the next five that you would’ve picked would actually have been the ones that exposed the nature of the risk. So, it’s important to be able to look at every single transaction when you’re doing effective risk management.
I can see how what you’re talking about ties into the need for true visibility into these internal process risks, but how does an institution get that true visibility, given the tendency for different operations to focus on the particular tasks they have right in front of them and really not to think so much about the bank as a whole?
That’s one of the big problems and that really is, before it becomes a technology issue, a cultural challenge. So, the size and scale of a large global bank is such that I would challenge anyone, even with the best intentions, not to end up with silos of activity, silos of operation and so on. But that ultimately is what the board executives in a large bank are there to do, is to take responsibility for looking at risk across those cultural divides. That could be countries, that could be different operating models in different territories, they could be subject to different regulation in every one of those territories. So yeah, it’s hard. I think that the complexity of these types of environments now is well beyond the capability of humans really to be able to be on top of.
We talked here just now about siloing. You mentioned earlier about manual processes and the risks that are inherent in that. But what are some of the other operational challenges that banks and credit unions are dealing with that can also raise their risk profile? Things that may not be front of mind for them?
Coming back to the conduct element of things. You’re always dependent on the integrity of the individual. If you go back to the early 1980s, banking probably shifted in its emphasis from being a service industry to being a sales-driven industry, and that was pervasive throughout the ’80s, ’90s and into the 2000s. And that all culminated that selling culture in financial services and in banking – selling first. And as a consequence of that, I think that banks culturally, in particular, have focused more going forward on the customer, on service to the customer, on ensuring that they’re doing the right thing by the customer always. And so, I think that could be one thing that still with unscrupulous individuals or individuals who are under pressure to hit particular targets from local management or even regional management, I think that is a big threat to the effective management of conduct risk and the reputation of the organization. So, I would say that it still comes down to you can guide humans as much as you like to be able to behave and act appropriately at every step in the process, but you still are going to be dependent on people’s natural instinct to overstep that tension point between sales and service.
So Keith, our conversation so far has been somewhat broad brush, so let’s get a little more concrete here. Can you give us an example of a bank that has embraced your thinking on risk framework and where technology fits into that risk framework? And maybe how they’ve gone about dealing with their particular situation, their proprietary issues that they’re trying to handle.
We’ve got a few, actually. And in order to think about this in a next generation way, you need to think about how, as you digitize the processes that you’re talking about, whether they be front office processes or front into middle into back office processes, the initial digitization of those needs to unify and bring together the fragmented systems that, if you like, underpin the process. So, that’s the first step. There’s a large global bank at the moment who we’re working with who are doing some work around their trade operations activity and they’re looking to use ServiceNow to unify a number of fragmented systems into a coherent process that is going to work in a much, much more effective and joined-up way for internal employees of the bank. So, how do you, in the digitized, end-to-end business process, introduce technical control points and implement things like continuous controls monitoring that allow figures to be set in the process that would be looking out for a control being breached or a risk manifesting? We’ve got global banks who are looking at those types of solutions and we’ve also got smaller regional banks. And the regional banks are quite interesting because they are looking at a control population that, while still in the thousands across their processes, or maybe tens of thousands across their processes, is not in the hundreds of thousands or millions. And so, there’s one bank in particular in the UK that is looking at a complete re-mapping of their first line, second line, third line of defense, their entire control environment across all processes in the bank. So that, for me, is real next-generation thinking. I think the tendency in any organization is to try to iterate on what’s there today. But in the case I just described, that bank is stopping again and they’re accepting that they’re going to have to go greenfield in order to really reset their control environment, their compliance environment for the future.
Keith, a lot here to think about both in terms of what you’ve been sharing with us and also what’s at stake for banks in terms of how they need to think about and approach dealing with risk. So, to wrap us up, what are a couple of key questions that banks, particularly those in the small to mid-size range that you mentioned earlier, what should they be asking themselves now if they want to get deeper visibility into these non-financial business risks that they are facing?
My advice would be start small, find an area of your organization that you feel you just have to get this right in. Often, that’s IT or security because in IT or in cybersecurity, a lack of management of patching risk on software applications or firewalls or whatever it might end up being can lead to a cyber-attack that can bring the entire bank down – you’ve got to get that stuff right. And that stuff is very complex. Same with management of IT risk, something breaking in an innocuous part of your mainframe… And I’ve seen that personally from my own experience working in banks, can actually have a very, very rapid knock-on effect that can bring down very core services for customers. Start somewhere where you know you’ve got to get it right, start to experiment on things that move the dial and get things fixed quickly, that you can see value from and you can then scale. And certainly, we are seeing that. And then, start to think of it, “Okay, where else could we use this? Could we take this into a payments environment? Could we take it into a lending environment? Trading environment? Or anywhere else?” That would be certainly my recommendation.
So Keith Pearson, head of financial services at ServiceNow, many thanks again for joining us on the BAI Banking Strategies podcast.
Very welcome. Thanks, Terry. Great to speak to you.