Accounting for technology risk

This article originally appeared on Workflow.

Risk runs deep in banking. It’s the language banks speak and the air they breathe. It’s woven into the industry’s DNA—core to its very existence.

Perhaps the greatest risks banks must navigate today relate to technology. Whether it’s an established bank undergoing a digital transformation or a born-in-the-cloud fintech, the way an institution handles technology risks affects its ability to compete in the marketplace.

My team at ServiceNow and I set out to determine how banks are faring in managing technology-related risks. We wanted to dig into topics like compliance, resilience and preparedness for the future. So, we surveyed 750 banking executives from around the world on this topic, and we recently released a report of the findings.

I’m no stranger to the immense and growing pressures faced by banks, having spent 25 years as a technology leader in financial services. But after reviewing the results of our survey, I was both surprised and reassured.

Great minds are thinking alike

The survey indicates that banks are addressing technology risks in similar ways. They’re prioritising being able to trust their data. Many have made considerable progress with data management, governance and technology, and plan to continue investing in these areas for at least the next couple of years.

This should give us all confidence. The banking industry is highly interdependent, with the largest banks critical parts of national infrastructures. Banks need to speak the same language and operate in similar ways to avoid creating ripple-effect problems.

At the same time, those banks that are less mature in technology risk management collectively have a good deal of catching up to do. The majority of those categorised as “beginners” in our survey are focused on cybersecurity, as well as compliance, IT operations, and cloud migration. Meanwhile, “leaders” have graduated to priorities like adopting innovative and safer business models and products and services. It will become increasingly difficult for beginners to close the gap with banking leaders as the pace of innovation accelerates. Which brings me to my next point: It’s time to roll our sleeves up for some heavy lifting.

The past few years have been defined by the pressing demands of a global pandemic, which forced longer-term risk planning to the back burner. Now we have the capacity to prioritise it once again, particularly as financial regulatory bodies around the world become increasingly active.

And banks face proliferating risks, not least of all new technologies such as cryptocurrency and AI that are radically changing the dynamics and landscape of the industry.

Yet only 64% of bank execs surveyed agreed that accelerated digital innovation is driving the need to improve tech risk management and resilience. This figure is far lower than it should be. When banks digitise and transform, the way data flows changes, as does the way people interact with technology and data. All of this necessitates a shift in how risk is assessed and managed.

At the same time, only 45% agreed that effective tech risk management requires IT, risk and cybersecurity functions to work well together. I’ve seen firsthand—both in my days in banking and in my work with ServiceNow customers—the incredible benefits that accrue when you break down cross-departmental silos and adopt processes and tools that enable collaboration and democratisation of information.

Time to take action

I would urge bank executives to reconsider their positions in these areas. From my vantage point, executives must get ahead of what is coming from regulatory bodies and focus on maturing fundamental risk management capabilities. This means taking action in these areas:

• Organisation and culture: Embrace strong risk identification and management across the enterprise so that everyone considers themselves a risk officer. Shared stewardship engenders a better risk posture and helps employees feel more engaged and empowered.
• Process and integration: Take a consistent approach to risk, everywhere. Use integration to codify risk frameworks and simplify adoption. These practices also make it easier to scale and extend frameworks as needed.
• Governance: Ensure that technology risk is a board-level conversation, not left solely to the CIO to manage, and that it is integrated with your broader business-risk view. Explore how new approaches to data sharing and internal reporting can support these efforts.
• Data: Speaking of data and reporting, it’s key to identify sources of truth for your risk positions and build trust in them. It’s hard to have strategic, effective conversations about technology risk if you don’t have common interfaces for accessing vital data.
• A single risk platform: Underneath those interfaces, there should be a unified platform that can host policies, risks, and controls, and aggregate enterprisewide data sources to enable real-time intelligent views of the risk and resilience of your organisation.
   

Risk has always been a central driver of change in the banking industry. Yet in this moment of transformative technological change, risk is not being addressed as assertively as it must be for the industry to stay ahead of threats and regulatory requirements.

However, as our research shows, even though there is substantial work that individual banks must do, the banking community as a whole must be tightly aligned to ensure that the system remains resilient and trusted by the public.

Find out how banks can transform risk into advantage in our ebook: Futurise banking risk and compliance operations.

© 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names and logos may be trademarks of the respective companies with which they are associated.