from defense - exl service, digital intelligence, …...company culture. cro 3.0: the forecaster...
TRANSCRIPT
AN EXL WHITE PAPER
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
Written by:
Jagmeet Singh
Vice President and Global Partner, EXL Consulting
Vikas Sharma
Vice President, EXL Analytics
Siddharth BhatiaAssistant Vice President, EXL Consulting [email protected]
A recent CRO survey indicated that
only 42 percent of bank CROs consider
their institutions to be extremely or very
effective in managing cybersecurity risk1.
Yet that risk type is ranked among the top
three that will increase in importance in
the next two years. And, we know, future
risks will be different.
The accelerating cycle of digital
business innovation is forcing CROs to
take a new look at enterprise risk. As
companies integrate technology into
more business processes, they open
themselves to greater security threats.
CROs must develop more sophisticated
responses and take advantage of all the
technology and analytic tools at their
disposal, many more than they needed to
manage traditional risks. The viral nature
of cyber-risk demands that they identify
early-warning mechanisms to flag where
problems may emerge before the risks
materialize. They will also need to evolve
from their current technical, IT-centric
roles of implementing and overseeing
controls to collaborating across business
units and corporate functions to influence
executive policy.
Underlying it all, the CRO will be forced to
look for more efficient practices to keep up
with the speed of innovation. Companies
still require their executives to do more
with less, even as market events increase
the number of risks.
Who is this next-generation CRO—the
CRO 3.0—the one who understands
the importance of digital technology
and analytics to enable the company’s
ongoing pursuit of new markets, products
and best-in-class performance? The
modern CRO is a mix of business acumen
and technical knowledge who can assess
A Threatening New World: The chief risk officer (CRO) has always walked a fine line to balance
the need to protect the business with the need to run it, but these are challenging times. Managing
risk and meeting regulatory requirements are difficult, and emerging risks are exacerbating
an already complex task. Cyber-risk, in particular, brings a new set of threats that are global
and internet-based and proliferate quickly.
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 2
risk in digital environments and make
recommendations to improve company
resilience without overly compromising
business performance. Today’s CRO is also
a strong communicator who can serve
up data in frameworks that easily lead to
decisions. Simply said, the CRO must
be adept at right-brain as well as left-
brain thinking.
Evolution of the CRO CRO 1.0: The Technician
In earlier risk-management functions,
the CRO was responsible for building
risk models and creating frameworks to
quantify risk and ensure organizational
compliance. The role was technically
focused, with additional scope to create
systems and processes. S/he was not
required to forecast future risks and assess
asset liability; nor did s/he have a seat at
the executive table, where risk remained
under the control of business unit leaders.
Much changed with the emergence of
the digital enterprise, which refocused risk
management priorities on strategic, market,
cybersecurity and geopolitical risk.
CRO 2.0: The Strategist
As risk functions became subject to
business pressures, such as productivity
targets and cost saving, CROs assumed
greater frontline roles and helped
communicate the value of risk management
to the board. With their growing influence,
CROs were responsible for the company’s
second line of defense, behind the first-
line business owners, and contributed
to decisions affecting business strategy,
market risk, product development and
asset-liability management. They were also
tasked with setting up core enterprise risk
management processes and ensuring that
good risk habits were embedded in the
company culture.
CRO 3.0: The Forecaster
Today’s CRO is becoming the eyes and
ears of the business, enabled by big data
insights to mitigate emerging risks. With
the benefit of predictive analytics, CROs
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 3
The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…
Source: (1), (2)
Developing enterprise risk management frameworks
Develop the risk function
Build risk models
Enhance systems and processes
Establish policies, governance and reporting structures
CRO 1.0 The Technician
..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board
Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)
Successfully embed risk management in the organization
Set up core ERM processes
CRO 2.0 The Strategist
..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions
Foresee future scenarios, identify threats and opportunities
Be a business partner whose performance will be measured by missed opportunities
Oversee operational and cyber risk
Use predictive analytics to plan long-term risk management strategies
CRO 3.0The Forecaster
and their data-savvy teams use scenario
and trend-impact planning to deliver more
accurate predictions. They are valuable
business partners who help identify
threats and opportunities and develop
long-term strategies that balance risk and
reward. Most importantly, they are leading
the company’s efforts to build a resilient
defense to emerging operational and
cybersecurity risks.
Digital Capability Priorities Companies that are actively integrating
digital technologies and tools into their
business processes are seeing benefits
from their agility, competitiveness and
overall effectiveness. CROs have important
roles to play in leading that digital
transformation, whether it’s on a modest or
more comprehensive scale. They must align
risk priorities and ensure that controls and
metrics are in place to scale risk initiatives
to meet market and transaction dynamics
while achieving an optimal level of business
performance.
To move these initiatives forward, CROs
will require an investment strategy that
prioritizes the adoption of technology,
process and tools that improve accuracy
and process, efficiency and reporting.
The modern CRO is culmination of at least three “generations” of an evolving role
To understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…
Source: (1), (2)
Developing enterprise risk management frameworks
Develop the risk function
Build risk models
Enhance systems and processes
Establish policies, governance and reporting structures
CRO 1.0 The Technician
..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board
Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)
Successfully embed risk management in the organization
Set up core ERM processes
CRO 2.0 The Strategist
..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions
Foresee future scenarios, identify threats and opportunities
Be a business partner whose performance will be measured by missed opportunities
Oversee operational and cyber risk
Use predictive analytics to plan long-term risk management strategies
CRO 3.0The Forecaster
The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…
Source: (1), (2)
Developing enterprise risk management frameworks
Develop the risk function
Build risk models
Enhance systems and processes
Establish policies, governance and reporting structures
CRO 1.0 The Technician
..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board
Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)
Successfully embed risk management in the organization
Set up core ERM processes
CRO 2.0 The Strategist
..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions
Foresee future scenarios, identify threats and opportunities
Be a business partner whose performance will be measured by missed opportunities
Oversee operational and cyber risk
Use predictive analytics to plan long-term risk management strategies
CRO 3.0The Forecaster
The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…
Source: (1), (2)
Developing enterprise risk management frameworks
Develop the risk function
Build risk models
Enhance systems and processes
Establish policies, governance and reporting structures
CRO 1.0 The Technician
..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board
Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)
Successfully embed risk management in the organization
Set up core ERM processes
CRO 2.0 The Strategist
..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions
Foresee future scenarios, identify threats and opportunities
Be a business partner whose performance will be measured by missed opportunities
Oversee operational and cyber risk
Use predictive analytics to plan long-term risk management strategies
CRO 3.0The Forecaster
The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…
Source: (1), (2)
Developing enterprise risk management frameworks
Develop the risk function
Build risk models
Enhance systems and processes
Establish policies, governance and reporting structures
CRO 1.0 The Technician
..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board
Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)
Successfully embed risk management in the organization
Set up core ERM processes
CRO 2.0 The Strategist
..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions
Foresee future scenarios, identify threats and opportunities
Be a business partner whose performance will be measured by missed opportunities
Oversee operational and cyber risk
Use predictive analytics to plan long-term risk management strategies
CRO 3.0The Forecaster
The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…
Source: (1), (2)
Developing enterprise risk management frameworks
Develop the risk function
Build risk models
Enhance systems and processes
Establish policies, governance and reporting structures
CRO 1.0 The Technician
..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board
Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)
Successfully embed risk management in the organization
Set up core ERM processes
CRO 2.0 The Strategist
..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions
Foresee future scenarios, identify threats and opportunities
Be a business partner whose performance will be measured by missed opportunities
Oversee operational and cyber risk
Use predictive analytics to plan long-term risk management strategies
CRO 3.0The Forecaster
The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.
..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…
Source: (1), (2)
Developing enterprise risk management frameworks
Develop the risk function
Build risk models
Enhance systems and processes
Establish policies, governance and reporting structures
CRO 1.0 The Technician
..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board
Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)
Successfully embed risk management in the organization
Set up core ERM processes
CRO 2.0 The Strategist
..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions
Foresee future scenarios, identify threats and opportunities
Be a business partner whose performance will be measured by missed opportunities
Oversee operational and cyber risk
Use predictive analytics to plan long-term risk management strategies
CRO 3.0The Forecaster
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 4
Key considerations should be given to
solutions that:
• Handle growing volumes of data with
greater efficiency
• Provide a single, firm-wide view of risk
and control
• Create consistent risk assessments
performed on similar processes across the
enterprise
• Provide assurance over a larger population
of transactions
• Consolidate multiple tools and
technologies and siloed reporting
standards that impede integrated
reporting
• Forecast and develop early-detection
mechanisms for cyber-risk and other
operational risks
As CROs align these priorities, they’ll likely
find inconsistent risk levels across the
organization and potential weaknesses in
the integrity of business processes and
service delivery. Where formerly security
practices and systems were segmented,
the digital model must have an integrated
approach.
Roadmap for Digital Risk ManagementAs strategic risks increase and the
marketplace innovates, CROs must have
a plan to innovate and quickly respond
to market events and emerging risks.
They should also gradually integrate
those technologies into the fabric of work,
building them into their operating model
and the work style of their people.
Create a center for excellence to
manage strategy, standardize execution
and reduce costs. CROs have learned
that they can achieve greater levels of
efficiency by centralizing risk processes for
reporting and transaction management.
Such centers help promote best-practice
adoption, competency development
and enterprise standardization. They also
enable other critical functions, such as the
rollout of early-warning mechanisms and
development of comprehensive risk reports
with consistent standards for board and
executive-management audiences.
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 5
Implement robotics and automation to
improve accuracy and speed of reporting,
and provide continuous monitoring.
Robotics have many applications that
support high transaction volumes,
enterprise-wide compliance processing
and identifying discrepancies in large data
sets. This wasn’t the case ten years ago
when CROs relied on manual processes
to test controls on a sample basis. But
current technology and automation have
significant data-management and detection
capabilities that allow them to cover a
larger group of transactions. For instance,
robotics help risk managers focused
on fraud ensure that active employees
follow authorization rules and departed
employees are removed from databases in
a timely way.
Accelerate adoption of analytics to assess
organizational risk and embed in all risk
management processes. The complex and
global nature of business and its growing
dependence on information technologies
are increasing a company’s exposure to
events that can deeply impact its operations
and those of its suppliers. While modeling
methods and tools exist, many do not fully
address the challenges arising from the
development of end-to-end, integrated
risk-management systems. Predictive
analytics help harness and assess
Establishing a Centralized Risk Center of ExcellenceBy consolidating key enabling operational risk processes into a centralized CoE, organizations can drive efficiencies through better utilization and best practices adoption, promote competency development and enable standardization.
Risk Program Components
Policies & Standards
Organization/ Roles & Responsibilities
Program Governance
Risk Prediction & Reporting
Risk Reporting
Validation & Verification
Documentation & Data Management
Risk Policy and Strategy
Management Information
and Reporting
Scenario Analysis and
Predictive Analytics
Risk Analytics
DocumentationOperational
Risk Systems Management
Risk Compliance
Quality Control & Process
ImprovementEnab
ling
Com
pet
enci
esC
ore
R
isk
Pro
cess
esP
rog
ram
St
ruct
ure
Execution Support
Owns
Owns
Owns
CEO/CFO Board of Directors
CRO
Risk Management Team> Group Leadership> Risk Managers> Functional Leads> Analysts
Risk CoE> CoE Leadership> Competency Group Leads> Data Scientists> Domain SMEs
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 6
enterprise risk. It allows CROs to pull data
from multiple systems to build long-term
policies and procedures. They also provide
a continuous feed of risk information to
facilitate real-time decision-making.
Leverage third party platforms to build
risk infrastructure. In order to reap the
full benefits of risk strategies, CROs need
to ensure that the risk infrastructure is
keeping pace with the increased complexity
of risk analytics. In the past, with little
innovation happening in the outside
markets, most of the companies ended up
building their own proprietary platforms.
Budgets hemorrhaged with cost overruns,
deadlines came and went, and it became
difficult to keep investing more money for
upgrades to keep in line with the changing
environment. The situation is drastically
different today. A variety of third-party
platforms have been developed that are
easy to use, integrate well with a variety
of data infrastructures, help spread the
platform development costs over a wider
number of users and provide a continuous
stream of upgrades and refinements over
time. Companies are finding it much more
economical to use third party solutions
for their data visualization and reporting,
data aggregation and analysis, big data
model development and implementation,
model scoring, model monitoring as well
as their risk decisioning platforms. Some
organizations are going even a step further
and creating sandboxes to experiment with
emerging technologies with third party
vendors. These third party solutions not
only help fast track major technological
augmentation, but also provide much-
needed, real time visibility into threats and
organizational readiness.
Develop proprietary assessment
frameworks to determine readiness
and response time for cybersecurity
and critical operational risks. In most
organizations, cybersecurity is a board-
level issue. CROs must work across the
enterprise to assess preparedness and
fortify resilience. Building and testing
new frameworks are critical to proactively
identify remediation practices that enhance
security and minimize fraud, malware and
other operational threats.
Build new talent models with professionals
who use machine learning and analytics.
As work shifts from human beings to
centralized platforms and bots, there will
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 7
be a shift in the roles and talent profiles
required to do those jobs. CROs will need
to attract, retain and develop professionals
capable of taking big-data assets and
providing frameworks for quick business
decisions. In lieu of data collection and
reporting, digital risk managers will be
skilled in analytics and able to provide
insights into future risks and how to manage
them. They’ll also need to be savvy in
cybersecurity risk and effective approaches
to minimize threats.
Analytics: The CRO’s New WeaponAnalytics are providing CROs with powerful
tools to improve their ability to predict
and manage risks. With machine learning,
new modeling techniques and improved
profiling and reporting, CROs can take a
more strategic view of risk. They’re able
to better target growth with risk models
that work across the customer life cycle
on an ongoing basis; minimize the cost of
compliance with reporting strategies to
better analyze trends; improve the accuracy
of credit-risk testing; and effectively
balance the company’s growth goals and
risk appetite. Most importantly, they bring a
scientific approach to risk management with
models that align risk to a particular level of
performance.
Change in Expections from Risk Organizations
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 8
Finding the Path ForwardAs CROs shift from technician to forecaster,
they must shed their traditional approach
to risk management for one that balances
technical knowledge with business
acumen. CROs will need to be savvy in
digital technologies and business models
that assess risk in an integrated digital
enterprise. They must also proactively
identify emerging risks and establish
early-warning mechanisms to ward off
internet-based threats. To accelerate that
transformation, the CRO should focus on a
few key areas:
• Increasing risk-management efficiency
and accuracy through process
standardization across the enterprise
• Prioritizing emerging-risk solutions to
address cybersecurity, financial crime
and IoT. CROs must bring a scientific
approach to identify both threats and
opportunities.
• Strategic partnering with the business
units and corporate functions to jointly
develop risk management plans. CROs
will help lead the company through a
period of rapid digital innovation and new
emerging risks.
• Enabling and sustaining business growth
by balancing risk and performance as the
company takes on additional risk.
• Becoming a change agent and managing
transformation with new collaboration
models and pilots based on testing and
learning and scaling and deploying.
Like any large-scale, change initiatives, the
path will be a zig and a zag. Implementing
an enterprise ecosystem of integrated
technology, processes and predictive
analytics will require strong working
relationships across the organization to
effect policy and cultural change. Business
structures must be reengineered with
security priorities in mind. And the CRO
3.0 will need excellent communication
skills to work with the board and executive
and business unit leaders to embed new
risk practices. In an age of increasing
technological complexity, these are not
easy times. But CROs have never had
a better platform to influence business
strategy and growth than they have today.
End Note1 Global Risk Management Survey, Deloitte, 2017
From Defense to Offense:The Evolution of the Digital Chief Risk Officer
EXLservice.com | 9
GLOBAL HEADQUARTERS280 Park Avenue, 38th Floor, New York, NY 10017
T: +1.212.277.7100 • F: +1.212.277.7111
United States • United Kingdom • Czech Republic • Romania • Bulgaria • India • Philippines • Colombia • South Africa
Email us: [email protected] On the web: EXLservice.com
© 2017 ExlService Holdings, Inc. All Rights Reserved.
For more information, see www.exlservice.com/legal-disclaimer
EXL (NASDAQ: EXLS) is a leading operations management and analytics company that designs and enables
agile, customer-centric operating models to help clients improve their revenue growth and profitability. Our
delivery model provides market-leading business outcomes using EXL’s proprietary Business EXLerator
Framework®, cutting-edge analytics, digital transformation and domain expertise. At EXL, we look deeper to
help companies improve global operations, enhance data-driven insights, increase customer satisfaction,
and manage risk and compliance. EXL serves the insurance, healthcare, banking and financial services,
utilities, travel, transportation and logistics industries. Headquartered in New York, New York, EXL has
more than 26,000 professionals in locations throughout the United States, Europe, Asia (primarily India and
Philippines), South America, Australia and South Africa.