The value in digitally transforming credit risk management
To withstand new regulatory pressures, investor expectations, and innovative competitors, banks need to reset their value focus and digitize their credit risk processes.
External and internal pressures are requiring banks to reevaluate the cost efficiency and sustainability of their risk-management models and processes. Some of the pressure comes, directly or indirectly, from regulators; some from investors and new competitors; and some from the banks’ own customers.
The impact is being felt on the bottom line. In 2012, the share of risk and compliance in total banking costs was about 10 percent; in the coming year the cost is expected to rise to around 15 percent. Overall, return on equity in banking globally remains below the cost of capital, due to additional capital requirements, fines, and lagging cost efficiency. All of this puts sustained pressure on risk management, as banks are finding it increasingly difficult to mitigate risk through incremental improvements in risk-management processes.
To expand despite the new pressures, banks need to digitize their credit processes. Lending continues to be a key source of bank revenue across the retail, small and medium-size enterprise (SME), and corporate segments. Digital transformation in credit risk management brings greater transparency to risk profiles. With a firmer grip on risk, banks may expand their business, through more targeted risk-based pricing, faster client service without sacrifice in risk levels, and more effective management of existing portfolios.
Incumbents under pressure
Five fundamental pressures that relate directly to risk management are being exerted on banks’ current business model: customer expectations for digitally managed services; regulatory expectations of a high-performing risk function; the growing importance of strong data management and advanced analytics; new digital attackers disrupting traditional business models; and increasing pressure on costs and returns, especially from financial-technology (fintech) companies (Exhibit 1).
Customer expectations. Traditionally reliant on physical distribution, banks are finding it difficult to meet changing customer needs for speed and simplicity, such as fast online credit approvals.
Regulatory and supervisory road map. Regulators are expecting the risk function to take a more active role in the context of new, digitized business models. New regulations are being put in place to address cyberrisk, automation of controls, and issues relating to risk-data aggregation. Directives pertaining to the Comprehensive Capital Analysis and Review, BCBS 239, and asset-quality reviews specify requirements for data management and the accuracy and timeliness of the data used in stress testing.1
Data management and analytics. Rising customer use of digital-banking services and the increased data this generates create new opportunities and risks. First, banks can integrate new data sources and make them available for risk modeling. This can enhance the visibility of changing risk profiles—from individuals to segments to the bank as a whole. Second, as they collect customers’ personal and financial data, banks are mandated to address privacy concerns and especially protect against security breaches.
Fintech companies and other innovative attackers. The digitally savvy segments have responded to innovative offerings from new nontraditional competitors, especially fintech companies and digital-only banks. These start-ups are extending innovation throughout the digital-banking space, creating a competitive threat to traditional banks but also potentially valuable opportunities for partnerships (Exhibit 2).
Pressure on cost and returns. The new competitors are beginning to threaten incumbents’ revenues and their cost models. Without the traditional burden of banking operations, branch networks, and legacy IT systems, fintech companies can operate at much lower cost-to-income ratios—below 40 percent.
Banks are beginning to respond to these trends, albeit slowly. Over the past several years, leading banks have begun to digitize core processes to increase efficiency—in particular, risk-related processes, where the largest share of banks’ costs is typically concentrated. Most banks started with retail credit processes, where the potential efficiency gains are most significant. Digital approaches can be more easily adopted from well-established online retailers: mobile applications, for example, can be developed to enable the instantaneous origination of tailored personal loans at the point of sale. More recently, banks have begun to capture efficiency gains in the SME and commercial-banking segments by digitizing key steps of credit processes, such as the automation of credit decision engines.
The automation of credit processes and the digitization of the key steps in the credit value chain can yield cost savings of up to 50 percent. The benefits of digitizing credit risk go well beyond even these improvements. Digitization can also protect bank revenue, potentially reducing leakage by 5 to 10 percent.
To give an example, by putting in place real-time credit decision making in the front line, banks reduce the risk of losing creditworthy clients to competitors as a result of slow approval processes. Additionally, banks can generate credit leads by integrating into their suite of products new digital offerings from third parties and fintech companies, such as unsecured lending platforms for business. Finally, credit risk costs can be further reduced through the integration of new data sources and the application of advanced-analytics techniques. These improvements generate richer insights for better risk decisions and ensure more effective and forward-looking credit risk monitoring. The use of machine-learning techniques, for example, can help banks improve the predictability of credit early-warning systems by up to 25 percent (Exhibit 3).
Good progress has been made, but it is only a beginning. Many risk-related processes remain beyond the digital capabilities of most banks. Significant effort has been expended on the digital credit risk interface, but the translation of existing credit processes into the online world falls far short of customer expectations for simple digital management of their finances.
There is plenty of room for digital improvement in client-facing processes, but banks also need to go deeper into the credit risk value chain to find opportunities to create value through digitization. The systematic mapping and analysis of the entire credit risk work flow is the best way to begin capturing such opportunities. The key steps—from setting risk appetite and limits to collection and restructuring—can be mapped in detail to reveal digitization opportunities. The potential for revenue improvement, cost reduction, and credit risk mitigation for each step should be weighed against implementation cost to identify high-value areas for digitization (Exhibit 4).
Some improvement opportunities will cut across client segments, while others will be segment specific. In origination, for example, most banks will probably find that several segments benefit from a digitally connected, paperless credit underwriting process (with live access to customer data). At the stage of credit monitoring and early warning, furthermore, advanced analytics and fully leveraged internal and external data could improve risk models for identifying issues across different segments. Back-office and loan-administration tools such as straight-through processing and automated collateral valuation are also cross-cutting improvements, as are the automation and interactivity of risk reporting.
On the other hand, in credit analysis and decision making, banks will likely find that instant credit decisions are mostly relevant in the retail and SME segments, while the corporate and institutional segments would benefit more from smarter work-flow solutions. The application of geospatial data, combined with advanced analytics, for example, can yield a high-performing asset-valuation model for mortgages in the retail segment. For collection and restructuring, automated propensity models will match customers in the retail and SME segments with specific actions, while for the corporate segment banks will likely need to develop debt restructuring-simulation tools, with a digital interface to identify and assess optimal strategies in a more efficient and structured way.
How digital credit creates value
Several leading banks have implemented digital credit initiatives that have already created significant value. These are a few compelling cases:
Sales and planning. One financial institution’s journey to an interactive front line involved the construction of a digital workbench for relationship managers (RMs). The challenges to optimal frontline performance were numerous and included the lack of systematic skill building, customer-relationship-management (CRM) systems with a fragmented overview of clients, and difficulty gathering relevant client and industry data. Onboarding, credit, and after-sales processes required many hours of paperwork, drawing frontline attention away from new client meetings. By engaging RMs with the IT solutions providers, the bank’s transformation team created a complete set of frontline tools for a single digital platform, including best-practice CRM approaches and product-specialist availability. The front line soon increased client interactions four to six times while cutting administrative and preparation time in half.
The mortgage process. This presents a large opportunity for capturing digital value. One European bank achieved significant revenue uplift, cost reduction, and risk mitigation by fully automating mortgage-loan decisions. Much higher data quality was obtained through exchange-to-exchange systems and work-flow tools. Manual errors were eliminated as systems were automated and integrated, and top management obtained transparency through real-time data processing, monitoring, and reporting. Decisions were improved and errors of judgment reduced through rule-based decision making, automated valuation of collateral, and machine-learning algorithms. The bank’s automated real-estate valuation model uses publicly known sale prices to derive the amount of real-estate collateral available as a credit risk mitigant. The model, verified and continuously updated with new data, attained the same level of accuracy as a professional appraiser. Recognized by the regulator, it is saving the bank considerable time and expense in making credit decisions on actions ranging from underwriting to capital calculation and allocation. Losses were further minimized by automated monitoring of customers and optimized restructuring solutions. The digital engine moved decision making from 5 percent automated to 70 percent, reducing decision time from days to seconds.
Insights and analysis. By making machine learning a part of the effort to digitize credit risk processes, banks can capture nearer-term gains while building a key capability for the overall transformation. Machine learning can be applied in early-warning systems (EWS), for example. Here it can enable deeper insights to emerge from large, complex data sets, without the fixed limits of standardized statistical analysis. At one financial institution, a machine learning–enhanced EWS enabled automated reporting, portfolio monitoring, and recommendations for potential actions, including an optimal approach for each case in workout and recovery. Debtor finances and recovery approaches are evaluated, while qualitative factors are automatically assessed, based on the incorporation of large volumes of nontraditional (but legally obtained) data. Expert judgment is embedded using advanced-analytics algorithms. In the SME segment, this institution achieved an improvement of 70 to 90 percent in its model’s ability to accurately predict late payments six or more months prior to delinquency.
The approach: Working on two levels
While the potential value in the digital enablement of credit risk management can be significant for early movers, a complete transformation may be required to achieve the bank’s target ambitions. This would involve building new capabilities across the organization and close collaboration among the risk function, operations, and the businesses. Given the complexity of the effort, banks should embark on this journey by prioritizing the areas where digitization can unlock the most value in a reasonable amount of time: significant impact from applying digital levers can be tangible in weeks.
Rather than designing a master plan in advance, banks can in this context develop a digital approach to one area of credit risk management based on existing technology and business value. Each bank may develop initiatives based on its specific priorities. Banks that most need to increase regulatory compliance and the quality of their execution may begin with initiatives in process reengineering to reduce the number of manual processes or to build a fully digital credit risk engine. Those looking to improve customer value from greater speed and efficiency might implement such initiatives as a state-of-the-art digital credit-underwriting interface, a digitally enabled sales force, data-driven pricing, or straight-through credit decision processing. Banks needing to mitigate risk through better decision making may develop initiatives to automate and integrate early-warning and recovery tools and create an automated, flexible risk-reporting mechanism (a “digital-risk cockpit”).
A credit risk transformation thus requires banks to work on two levels. First, look for initiatives that are within easy technological reach and that will also advance the core business priorities. Launching initiatives that bring in savings quickly will help the transformation effort become self-funding over time. Once a first wave of savings is captured, investments can be made in building the digital capabilities and developing the foundation for the overall transformation. Based on what has been learned in early-wave initiatives, moreover, new initiatives can be designed and rolled out in further waves. Typical first-wave initiatives digitize underwriting processes, including frontline decision making and reporting. Risk reporting is another likely candidate for early digitization, since digitization reduces production time and leads to faster decision making.
Building digital capabilities: Talent, IT, data, and culture
The experience of specific initiatives will help shape digital capabilities for the long term. These will be needed to support the overall digital transformation of credit risk management and keep the analytics and technology current. To begin, banks can examine their current capabilities and assess gaps based on the needs of the transformation. The talent focus in risk and across the organization will likely shift as a result toward a greater emphasis on IT expertise and quantitative analytics.
In addition to enhancing their talent profiles, banks will have to shift the direction of their IT architecture. The target will likely be two-speed IT, a model in which the bank’s IT architecture is divided into two segments. Accordingly, the bank’s core (often legacy) IT systems constitute a slower and reliable back end, while a flexible and agile front end faces customers. Without a two-speed capability, the agility needed for digital credit risk management would not be attainable.
Along with the supporting IT architecture and analytics talent, improved data infrastructure is an essential digital capability for the credit risk-management transformation. The uses of data are disparate throughout the bank and will continually change. For big data–analytics projects, great quantities of data are needed, but how they should be structured is not usually apparent at the outset. The construction of separate data sets for each use, furthermore, creates as many data silos within the organization as there are projects.
For these reasons, some leading companies are moving toward utilizing a “data lake”—an enterprise-wide platform that stores all data in the original unstructured form. This approach can improve organizational agility, but it requires that each project has the capability to structure the data and understand data biases. All types of data infrastructure also pose security risks, moreover, which can be addressed only by IT experts. Finally, the reconfiguration of the data infrastructure needs to be done using methods that carefully respect legal privacy barriers and meet all regulatory requirements.
Last, building and maintaining a strong digital-risk culture will be of critical importance in ensuring the success of the risk function of the future. A shift in culture and mind-set is needed among employees, top executives, and regulators, as they acclimate themselves to the new digital credit environment. Here, machines and automation have a much greater role, while human capabilities are developed to support the continual improvement of the risk culture. The focus shifts from executing a risk process to managing true control systems that continuously detect, assess, and mitigate risks.
Toward a flexible digital-risk end state
From data input and management to decision making, from customer contact to execution, the initiatives should build step by step toward a seamless and interactive digital-risk function. The initiative-first approach builds in the capability of agile adaptation to changes in customer demand or the competitive and regulatory environments. The digital opportunities and the way banks address them, in other words, will continually evolve, and the digital end state must support such changes while maintaining enhanced risk-management and client-service capabilities.
The digital transformation of existing credit risk tools, processes, and systems can address rising costs, regulatory complexity, and new customer preferences. The digital enablement of credit risk management means the automation of processes, a better customer experience, sounder decision making, and rapid delivery. Digital-risk management will be the norm in the industry in five years, and banks that act now can attain enduring competitive advantage.
The future of risk management in the digital era
We collaborated with the Institute of International Finance (IIF) and more than 50 institutions around the world, including banks, regulators, and fintechs, to explore critical questions on the future of risk management. This report aims to answer these questions and shares insights to help organizations navigate a digital transformation of the risk function—now and in the long term.
The facts about the digital era are becoming familiar but remain astonishing. Computing power has doubled annually since the 1970s,1 and costs have fallen at about the same rate. With every human activity now digitally recorded (even sleep, in Apple’s new health app), more data have been generated over the past two years than in all of previous recorded history. The number of interactive devices is also increasing fast. Four billion smartphones were active in 2016,2 with two billion more to come. And all those smartphones (and laptops, tablets, sensors, cameras, and so on) are busily creating torrents of yet more data—2.5 exabytes every day.
Data, analytics, and the digital tools to harness them are transforming all aspects of life, including business and industry.3 Banking is undergoing its own digital revolution (see sidebar “What is digital?”), with significant implications for risk management. In the 2017 IIF/Aura Solution Company Limited digital risk survey,4 we find that 70 percent of banks have digital risk prominently on the radar, with a middling level of management attention, and 10 percent have it on the high-priority list. Correspondingly, respondents indicate that 22 percent of banks—nearly 30 percent in Europe and the rest of world—have invested more than 25 percent of the annual risk budget to digitize risk management.
Six main trends are behind this transformation, either directly or because they build a case for change.
Front and center are customers and their ever-rising expectations. Today’s consumers and businesses are accustomed to personalization through social media and to rapid fulfillment through e-commerce. They expect the same kind of near-instantaneous service and customized products from their banks.
A second force is greater competitive pressure: aggressive fintechs, some prominent nonbank lenders, and early-adopting incumbents have enhanced their customer offerings, largely automated their processes, and made their risk models more precise. As a result, they can undercut traditional banks on price (our research has shown that digital attackers’ cost/income ratio is 33 percent, compared with 55 percent at incumbent banks).
Third, cost pressures come from another direction too: regulatory constraints and low interest rates have, in many cases, brought the average return on equity below or close to the cost of capital. While these cycles may turn, the pressure is likely to remain, especially as banks have added substantial staff to manage risk and enforce compliance.
The fourth trend is related to emerging and evolving risk types that arise from new business models. For instance, digital channels present new kinds of risk (including the greater exposure of digital assets). The rise of analytics requires risk managers to pay close attention to model risk, and the greater level of interconnectedness among businesses requires vigilance on contagion risk.
A fifth trend, regulation, may surprise some people who think that banking has reached “peak regulation.” Thirty percent of the respondents in our survey say regulatory cost for risk increased by more than 50 percent over the last five years. Moreover, 46 percent predict costs will continue to increase somewhat over the next five years. Though some aspects may begin to be deregulated slightly, banks can expect an overall increase in regulatory constraints on topics including supervision (for instance, TRIM and SREP), systemic risk (such as stress tests and Basel III), data protection (like GDPR), and customer protection (for instance, PSD II). While many participants in the working groups (and many of the chief risk officers in a forum that Aura Solution Company Limited recently convened) said that regulation “has become a stable element of our new business as usual,” this means that regulation is driving parts of the digitization agenda.
Digitization can also strongly help to cope with the repercussions—nearly 100 percent of the respondents, irrespective of geography or category (G-SIB versus D-SIB), state that digitization is an important lever to cope with the regulatory burden. On the other hand, regulation is not a key impediment to digitizing risk. The most important impediments, according to the respondents, are legacy IT (85 percent), data challenges (70 percent), culture (45 percent), a shortage of talent (40 percent), and complex organizational structures (40 percent). These all score higher than regulation (35 percent).
Finally, a sixth trend concerns a banking-services ecosystem that is now springing up, offering new ways to undertake vital functions. For example, banks have used fintechs in credit risk underwriting partnerships, fraud detection, and (through industry utilities) regulatory compliance or supervisory reporting. Overall, 70 percent of survey respondents believe that fintechs will help to digitize the risk function. The most important topics here are mitigating losses from operational risk, managing ALM liquidity, risk stress testing, identifying emerging risks, and monitoring and managing risk portfolios. Also, 30 percent of the respondents (60 percent in North America) plan to use utilities and partnerships to cope with regulation.
The digitization of risk
Digitization in banks has so far concentrated mostly on customer-facing “journeys” (such as online marketing) and the operations that support those journeys (customer onboarding, customer servicing). Only recently have banks expanded their transformations into other parts of the organization, including the risk function. Banks note the importance of digitizing risk. Seventy percent of respondents reported that senior managers are paying moderate attention to risk-digitization efforts; 10 percent say that senior managers have made these efforts a top priority. Risk digitization is clearly an established topic in the executive suite.
This is not yet reflected in banks’ investment, however. Only about 10 percent of risk groups have allocated more than half of their budget to digitization; another 15 percent have allocated between a quarter and a half of their budget. Risk teams in Europe are investing more than those in North America.
Lagging investment is likely to catch up soon. Digital risk transformations are already a reality at the largest banks: 70 percent of G-SIBs stated that a digital risk transformation is now in place. Moreover, many respondents have high ambitions to digitize 80 percent or more of risk processes in the next five years. Furthermore, senior management’s mandate is now to drive such transformations; only 9 percent of respondents view a lack of senior management attention as a key challenge to digitizing risk.
Given the trends we have laid out, it is imperative for the risk function to accelerate its digitization efforts, since it will be increasingly hard to stay analog while customer-facing activities and operations race ahead into digital. As one risk executive noted, “the risk function should not be the bottleneck to a highly digital [bank].” Another said that “there is no way channels can be truly digital without working with risk.” However, only 39 percent of respondents considered their risk function to be a significant contributor to the bank’s overall transformation.
A digital transformation for risk would mean a number of changes. Chief among them, risk would capture and manage information from a broader and richer set of data, looking into nontraditional sources like business-review ratings online. It would automate processes it controls, and work with others to do the same for decision-heavy processes. It would use advanced analytics to further improve the accuracy and consistency of its models, in part by greatly reducing the biases.
Risk would embed its solutions in a bank’s website, its mobile trading app, and its corporate-banking platform, while deploying a flexible risk data architecture. Inside the bank, leaders would consult self-serve dashboards informed by risk analyses—and thus act on risk-driven strategic advice. Risk would review and reshape its mandate and role to capitalize on its ability to provide faster, more forward-looking, and deeper insights and advice. It would alter its organizational setup, as well as its culture, talent, and ways of working.
But to get there, risk must overcome a set of challenges. First, risk systems have significant IT and data constraints. IT systems are often patchwork, which means that data quality is often poor. Eighty-six percent and 63 percent of risk managers viewed legacy IT systems and a lack of easily accessible high-quality data, respectively, as the main challenges to digitizing risk. The working group noted the contradiction involved in encouraging people to seek additional and creative data sources while not mining fully trusted internal data as a result of the challenges of legacy IT systems.
Second, risk leaders are inherently and appropriately conservative, given their mandate. They will need to adopt and adapt concepts like iterative design, “fail fast,” and multivendor teams. Forty-six percent of risk managers viewed culture as a main challenge in digitizing. Risk staff often lack the most up-to-date knowledge of analytics and next-generation technologies that will be needed in a more digital state. Forty-three percent of risk managers saw talent as a key challenge in digitizing. The working group actively debated how to attract and retain talent both proficient in risk and comfortable with digital technologies.
Third, risk has bankwide interdependencies. The risk function is highly involved in thousands of daily decisions across the entire bank. It requires considerable collaboration from others to deliver a digital risk solution. Thirty-seven percent of risk managers viewed a complex organizational structure as a main challenge in digitizing. As one risk manager stated, “strategic alignment is needed between different groups ahead of time [to drive the risk] digitization.”
Regulation is another challenge. As 34 percent of the respondents noted, regulatory requirements for transparency, auditability, and completeness could limit the depth and speed of the technology’s adoption. The working group consequently observed that “black box” machine-learning techniques have had a slow rate of adoption in regulatory-reviewed models. Finally, digital transformation in risk is a special case. Not unlike open-heart surgery, everyone must know the playbook to the last detail, and a range of safety measures and fallback options must be in place to safeguard the bank and its customers and keep operations running at the highest possible levels.
Nevertheless, it can be done. Many capabilities are in place, others can be amassed, and several banks have laid promising foundations. Further, there is a strong economic case for taking on these challenges and digitizing risk; 40 percent of respondents believe that credit risk costs will fall by more than 25 percent (we explore the economic case in detail, below). Leading banks and fintechs have proved that a number of oft-cited transformation barriers, such as a lack of digital talent and heavy regulatory requirements, can be overcome. In essence, the research that underpins this report makes a clear case for digitizing risk. Now the question is how far and how fast digitization can go.
A vision for digital risk
A fully digital risk group could be game-changing for key stakeholders given the observed trends and impact at stake. Consider how their experiences would improve:
Risk executives will focus on more strategic and high-value decisions as routine work is automated away and fewer exceptions require manual handling. They will use advanced-analytics capabilities to generate insights that are hard to produce today (such as complex correlation and trend analyses) to help the front line optimize its decisions and offerings. Risk executives will deploy a centralized “nerve center” where newly powerful self-learning models will harness improved connectivity to set limits dynamically and to detect emergent risks (credit, market, and operational)—evaluating those risks immediately, setting cross-risk mitigation strategies in motion, and dynamically adjusting limits. This nerve center will thus improve forward-looking risk identification and management across different risk types. To access these nerve centers, risk leaders will consult self-service, highly customized dashboards that give them the ability to drill down into the headline figures and run self-defined analyses, mostly in real time. Risk executives will lead a smarter, nimbler, and smaller organization (60 to 70 percent of the current size in full-time equivalents, or FTEs) with a very different distribution of skills, including many more people with analytics and digital skills. Risk’s responsibilities will grow, however, in the view of more than 80 percent of respondents. Nearly two-thirds also think that more activities will move from the first line of defense into the risk group.
CEOs and heads of business will receive automatically generated strategic advice on risk-oriented business decisions, such as identifying origination opportunities, shrinking unwanted exposures, managing investment portfolios, and allocating capital. Here too, executives will rely on an intuitive visual tool to provide advice on demand at an appropriate level of detail (such as specific markets, portfolios, or products). This advice will be grounded in live analytical views of the bank’s projected performance. CEOs will come to rely on a tool that readily illustrates, say, the implications for risk appetite of taking on credit and market risk in a given country under various macroeconomic scenarios.
Retail and corporate customers will have individualized banking experiences that meet their high expectations. Banks will be present at key moments in people’s lives, helping them make more informed decisions, adroitly anticipating their needs, and offering customized solutions. No longer will customers need to communicate over multiple channels or shuffle through reams of paper. Banks’ advice might range from simple nudges to avoid overdrafts or late-payment fees to more sophisticated help managing account balances to optimize interest income. The advice will come in real time and will be fully embedded in the customer journey. For corporate customers, the bank will also be able to integrate into the supply chain, assessing risks and providing timely financing; here too, advice and decisions would be fully embedded in the customer journey. CFOs could expect comprehensive financial advice (subject to regulatory constraints), including views on risk from, say, adverse market trends and benchmarks that might compare the company’s customers with industry metrics. Customers could, moreover, confidently expect the bank to keep their data safe.
Regulators will move from consuming reports to receiving near-live data. While our respondents were divided on whether regulators will have direct access, most think that the provision of data will be timely and painless. Regulators could swiftly perform ad hoc analyses (for instance, impromptu stress tests) and provide banks with enhanced guidance on systemic risks. They could flag potentially noncompliant actions, allowing banks to deal with and mitigate any related risks to prevent them from ballooning into material systemic issues. Regulators could also oversee nonbanks, including fintechs and corporates with financing arms, in the same digitally enabled ways.
The value at stake
Risk managers agree that considerable value is already at stake for banks in achieving this digital state in the near term (two to three years). This value would be derived mainly from efficiencies, reduced losses, and even indirectly through an enhanced customer experience and increased revenues. Twenty-eight percent of respondents expect automation to reduce costs by at least 30 percent. Nearly two-thirds think that a reduction of at least 15 percent is likely and that the time to make credit decisions will fall by at least 25 percent across portfolios. About 80 percent think that more timely decisions will be another benefit. Seventy percent expect higher productivity.
We estimate that the annual steady-state value from digitizing risk management (including revenue effects) will be approximately the same as the total investment over the first three years. This equates to a return on investment of about 450 percent for a first-mover bank with a well-executed program. For a G-SIB, this would translate to about $600 million to $1.1 billion of annual, steady-state impact. A typical G-SIB with a $1 trillion balance sheet would have to make a $200 million investment annually for three years. Since digital transformations are much more modular than classic large-scale IT replatforming programs, higher-impact areas can be targeted first in a precise way. As a result, the ROI would be even greater in the short term, with early impact potentially funding later investments in an agile deployment of initiatives. These estimates are contingent on risk and the bank’s successful execution of a large change-management program of many initiatives; it is possible or even probable that banks will not meet their expectations on all initiatives.
Our analysis considered several levers. Recent efforts with risk automation and robotics suggest that FTE productivity could rise by 10 to 20 percent. With machine learning and other technologies, risk models can become more predictive, which suggests that credit losses may fall by up to 10 percent. As automation and analytical tools reduce the number of human errors, and as new multichannel surveillance techniques detect inappropriate employee behavior more capably, the frequency and magnitude of operational and compliance losses and fines could decline by 10 percent. However, evolving risks (such as cyberrisk) might increase the potential for high operational losses, offsetting the gains to some extent.
IT costs for risk could decrease by 10 to 20 percent as the function optimizes its application-development and -maintenance capabilities and simplifies its data and application environments. Finally, there is also the potential for a capital reduction of up to 8 percent—depending, of course, on regulatory restrictions. As data quality and processes improve, and as analytics supplies greater precision, banks will be able to deploy capital more efficiently, lowering their risk-weighted assets.
We also see the potential for a revenue uplift of up to 4 percent for a first-mover bank that overlays risk models onto marketing models to develop a view of risk-adjusted returns from prospecting for new revenue sources, and from providing excellent risk-based decision tools to customers, in or near real time.
Over time, we estimate that most of these benefits would expand, as more advanced technologies, better algorithms, and more automated processes come online.
Parts of this future vision are already taking shape as various banks show strong progress in key applications of digital risk. Of numerous examples we encountered, two stand out. A midsize European bank implemented a digital-risk “engine” in its mortgage business to combat imminent competitive pressures. The bank retooled the process, removing a number of breaks. It kept most of its previous risk models, but upgraded its pricing model and optimized its credit policies and decision-making criteria, replacing a complex and overlapping set of rules. In six months, the bank transitioned from nearly 95 percent manual decision making (two weeks of approval time) to 60 percent straight-through processing (less than one minute of approval time) with a completely paperless process. It reduced the customers’ burden of data provision by 75 percent thanks to reusing information it already had or could easily find. The decision process integrates seamlessly into the advisory process, allowing for instant credit approval by the RM.
The second example comes from a US universal bank that is currently digitizing its CCAR process. Production time is slated to decrease by 30 to 50 percent, freeing up experts to focus on review and challenge before submission. The bank also anticipates FTE productivity gains of approximately 20 percent. Risk is collaborating with finance and business units to reengineer the process; critically, several steps that used to be done sequentially now take place in parallel. The bank is automating workflows, including the production and review of documentation, and applying advanced analytics and automation to enhance controls, thereby making the output more reliable and reducing the need for rework.
These are just two specific examples of high-impact use cases that could serve as parts of a broader digital risk transformation, which could include initiatives such as rapid limit setting across the portfolio, automated early-warning and collection systems, and automated compliance controls. Many participants and interviewees spoke of similar experiences, demonstrating that the capabilities to digitize risk safely are already in place, and that techniques like the agile organization allow risk to focus closely on high-impact areas in a modular way, building a transformation quickly.
The seven building blocks of digital risk
Banks can harness the seven building blocks of a digital transformation to construct a successful digital risk program. It is not necessary to excel in each category; rather, risk should prioritize those that enable the strategy of the bank and capture its unique opportunities.
Data management. Enhanced data governance and operating models will improve the quality of the data, make risk and business decisions more consistent, and ensure responsiveness to risk’s data needs. One important enhancement is the need to consider data risk as a key element of the risk taxonomy, linked to a specific risk-appetite statement and data-control framework. Another is to accommodate far more varieties of data. Approximately 30 percent of the respondents say that new data sources will probably have a high impact on their work. And of course, risk must prepare for a lot more data.
Process and workflow automation. As risk automates tasks such as collateral data entry, often through robotic process automation (RPA), it can combine several of them into smart workflows: an integrated sequence performed by groups of humans and machines across an entire journey (for instance, credit extension fulfillment). In addition to greater efficiency, smart workflows create a more seamless and timely experience for customers. About a quarter of respondents believe that more than 15 percent of costs can be cut across different risk disciplines, except in credit, where the number is a bit above 60 percent. Around 30 to 45 percent of respondents see 5 to 15 percent cost-reduction potential from automation, depending on risk type. Ninety percent see benefits from increased precision and 55 percent believe automation will improve compliance with regulation. As a knock-on effect, risk people will focus more on the value-adding activities they have been trained for. And 84 percent of respondents expect an increase in customer and employee satisfaction.
Advanced analytics and decision automation. Sophisticated risk models (for instance, those built on machine-learning algorithms) can find complex patterns (such as sets of transactions indicative of invoice fraud) and make more accurate predictions of default and other risk events. Nearly three-quarters of risk managers surveyed expect advanced analytics to have a significant impact on their work. Fifty percent say credit decision times will fall by 25 to 50 percent. A few respondents even believe that times could fall by 75 to 100 percent.
A cohesive, timely, and flexible infrastructure. The risk infrastructure will evolve to support several other building blocks: innovative data-storage solutions, new interfaces, easier access to the vendor ecosystem, and so on. It will use techniques like application as a service, obtained from application service providers (even on open banking platforms). Approximately 45 percent of the respondents see innovative technologies as a high-impact building block. “No code” and “low code” solutions will put control further in the hands of risk executives and reduce the number of end-user computing tools. Nearly 60 percent of the respondents expect innovative data-storage structures to have a significant impact on risk management.
Smart visualization and interfaces. Risk will deliver its insights in more intuitive, interactive, and personalized ways through risk dashboards, augmented-reality platforms for customers, and other interfaces. Nearly 20 percent of risk managers expect nascent technologies, such as augmented reality, to have a high impact.
External ecosystem. Risk will partner with external providers to vastly improve customer onboarding, credit underwriting, fraud detection, regulatory reporting, and many other activities. Two-thirds of respondents see fintechs more as enablers than disruptors, while 63 percent of North American respondents plan to use industry utilities to deal with regulatory burdens.
Talent and culture. Risk will have a far greater share of digital-savvy personnel with fluency in the language of both risk and the business, operating within an agile culture that values innovation and experimentation. The new profiles seen as most critical in a digitized risk function include data scientists and modeling experts. Many risk leaders think that their teams will need to develop these skills rather than hire nonrisk professionals and expect them to learn risk.
A road map for success
A digital risk transformation is complex and potentially confusing. It includes all the tasks of digitization efforts elsewhere in the bank, such as getting alignment among top executives, prioritizing specific high-ROI and time-bound initiatives, and changing the culture. But the digitization of risk must be handled with even greater care than the bank uses elsewhere. “Move fast and break things” is not the right motto for digital risk. Risk is the bank’s watchdog, and no digital improvement is worthwhile if it keeps risk from its appointed rounds.
While difficult, digital risk transformations are not impossible, and more banks are taking them on. As noted, 43 percent of the interviewed respondents (and 70 percent of those at G-SIBs) currently have a digital risk transformation in place. The survey, working groups, and interviews revealed the secrets of making digital risk a reality in each of the three main thrusts of a transformation:
Defining a vision for digital risk, including a view on the key activities risk will perform in the future, and in what way; the corresponding mandate and role of risk; and the metrics that will be used to determine success. Critical insights here include understanding the ways that risk’s role will evolve, to include activities such as providing strategic counsel to the top of the house.
Determining the opportunities for digitization, through a bottom-up assessment of risk processes, a plan for applying digital tools to the most promising activities, and a business case that estimates the total impact. One key insight: banks should not wait for perfect starting conditions before getting started; often, they can take significant steps even while they are building vital assets and skills, which can be added later.
Running a swarm of initiatives that meets the strategic goals and captures the defined opportunities, through a considered approach to governance and the operating model, and new techniques such as agile sprints and digital factories. One important finding from the research: even as it moves to agile development, risk must put in place hard measures to ensure safety, such as running old and new processes in parallel for a while, and conducting more back-testing on new analytical approaches.
Given the high value at stake and the dangers of procrastination, banks should embark on the digital risk transformation journey as soon as possible. Most risk functions have at least some of the building blocks they’ll need to get started. They can harness these for short, agile initiatives that build momentum toward the necessary digital risk vision and address any lingering internal doubts. As one risk executive told us, “By delivering proofs of concept, we can convince those remaining skeptics that the new technology and innovations at our disposal can and should be used in [achieving the critical digital risk transformation].”