We can pretend this is driven by budget cuts and a loosening of regulations, but we know the changes to this model are long overdue in financial services. Firms in other industries (including manufacturing) never adopted the three lines of defense model, because they never needed it.
In 2020, financial services firms will reconsider their approach to non-financial risks, managing them more like financial risks. Risk metrics will be created in transaction systems, while risk systems will aggregate, apply correlations and produce analytics. Qualitative risk factors will continue to rely on expert judgement, supported by quantitative metrics.
Second-line-of-defense functions, such as risk management and compliance, will continue to thrive and prosper, with a focus on framework, policy, methodology and analytics. Their expertise will help the business reimagine resilient customer fulfillment.
What's more, sustainability, cybersecurity and third-party management will be built into business processes. Risk assessments will be unwittingly completed by people closest to the risk, using assessment questionnaires triggered by thresholds, incidents and events (see diagram, below).
Internal audit assurance will remain vital, but will become a thin layer responsible for reviewing continuous monitoring of controls; advising the business on key controls; and monitoring the efficacy of functional group (e.g., risk and compliance) activities. Business will be better, because the focus will be on the critical economic functions and how customers are fulfilled within an acceptable level of risk.
A combination of automation, robotics and AI will be further embedded in risk management. To digitize and sustainably provide services and goods for the achievement of both societal and customer objectives, resources will be redeployed.
Digital interaction will incite collaboration and work fulfillment, and, through layering into transaction systems, standalone risk management software applications will eventually “disappear.” Moreover, data lineage software will be used to locate existing intelligence across multiple internal systems, and risk appetite statements for the degree of process digitization will become common.
Relationships between internal issues and incidents and customer complaints streaming through Twitter will be recognized, and this intelligence will assist in ranking the most critical actions.
There will also be a variety of platform approaches to integrate technologies, whether through the cloud or internal infrastructure. Artificial intelligence, for example, will become a common tool for regulatory change management. Natural language processing will establish firms' risk and compliance taxonomies, building the relationships between the taxonomy data objects such as risks and controls.
What's more, managed services through consortiums or third-party services will be more common. This will include third-party management, regulatory changes, cyber threat monitoring and AML bad-guy profiling through cross-industry consortiums. Firms will near-shore outsource authentication, as well as software asset management and regulatory reporting.
Stress testing will become more focused on operational resilience, including internal and external factors such as climate change. Firms, of course, will want to understand the effects of these factors on revenues, earnings and capital – but regulators and customers will want to comprehend the impact of mishaps on customer outcomes.
Firms will also set thresholds for what customer service inconveniences and disruptions they expect, while regulators will set tolerances based on what is acceptable. Customers and third parties should expect this information to be more readily disclosed, as firms more carefully manage their reputation and sustainability.
Our understanding of this risk is in its infancy. Like cybersecurity risk, it will depend greatly on a firm's ability to respond to events out of their control.
The outcome of sustainability is directly connected to how long an organization survives, and is largely dependent on a firm's ability to manage geo-political events, third parties and disruptions to its business processes.
A sustainability risk taxonomy should be developed to evaluate not only a firm's environmental risks but also its operational resilience and reputation.
Coming full circle from the first prediction about the disappearance of lines of defense, financial and nonfinancial risks will be tied to the critical, customer-centric economic function. Tolerable levels of potential failure, or risk, will be measured by thresholds aligned to growth, risk appetite and operational resilience objectives.
Whether a firm's risks are primarily financial or nonfinancial, they will have effects on both short-term earnings and long-term reputation and survival.
As the key consigliere to the CEO about what factors will impact the present, the emerging and the strategic, the CRO will grow stronger and stronger. But he or she cannot be strictly focused on, say, the interest rate option vega position or the absolute size of operational losses.
Instead, the CRO must be about evaluating how a new digital mortgage loan underwriting and fulfillment process increases financial and nonfinancial risk exposures in unexpected ways. Or how an airplane assembly supply chain could be impacted by an unexpected production halt. Or how car production is impacted by a new round of tariffs.
The scenarios go on and on.
In 2020, we'll likely see significant changes in risk models, processes and functions. The CRO storyteller must focus the firm on what is most critical, while guiding the discussions about the impacts of digitization and third-party dependencies on the business process for the good of the firm, the customer and society.
Brenda Boultwood is a risk advisory partner at Deloitte. She previously served as senior vice president and chief risk officer at Constellation Energy, and as a board member of the Committee of Chief Risk Officers (CCRO) and of GARP. Before joining Deloitte, she was senior vice president of industry solutions at MetricStream, responsible for a portfolio of key industry verticals including energy and utilities, federal agencies, strategic banking and financial services. Prior to that, she was global head of alternative investment services strategy at J.P. Morgan Chase, responsible for the firm's hedge fund services, private equity fund services, leveraged loan services and global derivatives services.