While most of Europe still struggles with non-performing loans, there are some good news emerging from developing economies and the US. Since the 2008 financial crisis, regulators have been aiming to restore the balance in the world of banking, and to a certain extent, they have. But what does that mean for the future of risk management and how will the role of CRO change as this industry becomes more digitalised? We speak to Gerold Grasshoff, Senior Partner & Managing Director, Boston Consulting Group (BCG), to find out.
Can you give us an overview of banking’s global economic profitability?
In a nutshell, we continue to live in a three-speed world, as we call it.
If we look back over the last 10 years, and especially in the last 5 years, we have a situation where the banks in developing economies, especially in Asia, are doing very well. They are operating well above the cost of equity and are creating a lot of value. If we think back to the financial crisis, they almost didn’t feel that.
Since 2008, North American banks have acted quickly and decisively on recovering from the financial crash by fast recapitalisation which, in hindsight, was much more effective than state guarantees. It helped them to clean up the balance sheets; it reduced dramatically the non-performing loans (NPLs) to a sustainable level; it recapitalised the financial system; and it conquered the challenges of regulatory spend; and nowadays, they spend more and more in digitalisation and IT area.
Europe, in contrast to that, has actually been operating well below the cost of equity for the whole period of past 5 years. Our data looked back further, and this has been the case for the last 10 years. The reaction to the financial crisis only managed to capture 50% of the recapitalisation levels that we have seen in North America, and it was done through guarantees.
We are in the middle of a transformation regarding regulatory compliance.
As a result, the reduction of NPLs was not as dramatic, and Europe does not have the same levels of recapitalised banks that are financially strong. Europe also lacks a unified banking market or banking union, and there has been far less consolidation in the national banking markets compared to the scale seen in the US. Actually, the national economies, regulatory expectations and legislations vary, so this makes it pretty hard to consolidate within Europe, and has meant that banks on the continent have been struggling with economic growth for many years now.
What was the role of regulations in the past ten years that lead to today’s state of economic profitability?
After the 2008 financial crisis, regulators had three major intents; to create financially stable banks, to enforce regulatory compliant behaviour, and for banks to be resolvable.
The first two goals, to a large extent, have been achieved, especially in the US and partially with mixed results in Europe. A lot has happened on the capital side, and also on the liquidity side which made banks much more stable.
Becoming an organisation with the operational capability to assess the impact of regulations in a structured way is a main challenge you need to deal with as a global bank.
We are in the middle of a transformation regarding regulatory compliance. Banks have made a lot of effort in covering and managing financial risks, credit risks, market risks, and liquidity risk very diligently. We see a lot of challenges evolving from operational risk, and in a broader sense non-financial risk, which is everything around issues like money laundering prevention, sanction circumvention, managing and dealing with the risk of fraud and misconduct. These are all evolving and will be a challenge in the years to come.
The level of understanding of non-financial risk is not too advanced at the moment. How do we define the risk? How would you then test, allocate and build the organisational capabilities of your bank to manage these risks? Having an organisational structure and an operating model that factors in non-financial risk efficiently is a big challenge, but we see a lot of banks working on it.
The third aim is something that regulators are still working on. We see a lot of progress, especially in the instruments that are eligible in case global banks need to be resolved. So there has been a lot of advance on the equity side, but also on the global loss-absorbing capacity, the so-called TLAC. We’ve seen the simplification of structures that banks are running but that is still something that needs more clarity from the regulatory side on how to deal with banks being soluble.
These were the main 3 areas, but of course we can go further back. We are at the stage where we had 200 regulatory changes that a bank operating on a global level needs to digest every day. Becoming an organisation with the operational capability to assess the impact of regulations in a structured way is a main challenge you need to deal with as a global bank.
As the regulators somewhat achieved their first two goals, what does this say about the future of this industry?
The number of changes to regulations is stabilising. We’re not done yet, however, and based on what we observe, it is very clear that being aware of regulatory changes and able to adapt to evolving standards is an organisational capability that will be needed in the future in financial services. We see this happening in other industries as well, such as in airlines and pharmaceuticals.
Banks’ response to regulations is becoming more of a daily routine and the challenges are not becoming less significant. If you think about stress testing, that is a continued exercise. If you look at the validation of projects, they need your compliance officer. If you look at the continued effort around BCBS 239 and IFRS 9, or IFRS 17 for the insurance industry, the regulatory rule book is not fixed. It is further evolving.
Your recent report strongly suggests that banks should digitalise. How digital is the banking sector currently?
If we compare the banking sector with other industries like media or retail, banking still has a way to go to become fully digitalised. I would differentiate between three different players here.
- Traditional banks are finding ways to digitalise parts of banking, which is one of the biggest challenges, if not the biggest challenge, that they are working on at the moment.
- FinTechs, RegTechs, InsurTechs – the startups – are using a green field approach to come up with banking services. They operate on a fully digitalised platform already.
- And then we have the big tech companies who already have the competence to provide banking services in a digitalised way.
By digitalisation, banks can become much more efficient; they can develop much more interesting products for customers. They can also become much more effective, especially when looking at regulatory spend. They can also cooperate with FinTech companies as a partner or integrate them into the value chain.
With startups, is there a trend towards outsourcing or are banks looking to develop digital capabilities in-house?
That is unclear at the moment. However, what we see is that the traditional value chain in banks is breaking up in some places, and there will be more players focusing on certain parts of the value chain. There has been a lot of innovation on the customer interface and their journeys because customers expect the same experience in banking as in media or retail. Customers expect to be able to access services digitally and to make banking decisions on their mobile phones.
However, the modernisation of customer journeys would only impact on average about 10% of banks’ operations. That’s why it’s also important to look at the corporate journey and experience. You need to go into the processes of banks and digitalise them to benefit fully from the cost-saving potential.
Of course, a lot depends on the banking services that you provide and the operations that are needed to run these services when deciding to develop in-house, partner up, or outsource. The startups and digital banks might argue that building your own digital capabilities and producing your own software is essential because that system would become your core competitive advantage. So we see a trend towards microservices where you build your own software in the cloud and operate on a whole different level. But from a corporate perspective, what parts of the bank’s value chain will get digitalised in-house and what parts will be outsourced? That is currently in a dynamic development.
Is this the way to become profitable again?
Digitalisation would be a big contributor. As an example, to understand the efficiency potential that is in there, we can look at the cost of producing a microprocessor over the last 10 years. We see big efficiency gains in the software development world, therefore the potential to reduce costs in banking is enormous, and consequently, it is something that banks need to address, and yes, it can add to increased profitability.
There is a prerequisite for capturing the cost-saving potential; they’re what we call digital enablers.
- You need to be digital ready on the IT side, meaning that your hardware, your software, and the way you store data need to embrace the new technology.
- You also need a second enabler, which is on the HR side. You need to attract and retain the talent that is able to carry out the digitalisation process. We have a shift towards talents in programming and new tech, which is different from talents that banks have attracted before.
- There’s also a need to introduce new ways of working like being agile, team restructuring, and solution development.
So the front-of-house for banks is digitalised for the customers’ benefit. But behind all of that, in the risk management function, what are the biggest drivers for change and digitalisation?
Although digitalisation started first in the customer interface area of banks, it is now moving more into operations and addressing the cost-saving potential for the Chief Risk Officer and Chief Compliance Officer roles.
In every single operation in the risk department, especially credit and market risk, the CRO gets involved because addressing these operations is only meaningful when you do it end-to-end. If you take credit risk and make decisions via digitalisation, there needs to be an equally good customer experience and interface for the credit risk approval, credit services, collection departments, and credit administration. That’s what’s being addressed now, especially in retail, but also in corporate banking.
There is a big potential for efficiency by simplifying processes and automating with digital technologies. Then we can start moving towards true digitalisation depending on your data model and data availability in your structure. True digitalisation can make some processes unnecessary and would offer an even better cost saving efficiency.
In the risk control department, there are many issues with data availability, consistency, quality, and cleansing. This is where a lot of the resources are used up these days in order to produce reliable information for the supervision of the necessary credit and market risk decisions. Here, we don’t usually see end-to-end processes because they are shorter and more fragmented. It’s more about building a high-performing platform to deal with data issues and to capture the benefit that big data is providing. Once these platforms are set up, there is a lot of efficiency potential within the risk control function. You can be much more effective and flexible in your reporting to the decision-makers.
Traditional skills developed over the past decades in risk management, for example analytical skills for understanding data, building systems, modelling, are still needed, and they are in bigger demand than ever.
And finally, we see a lot of efficiency potential in compliance operations, especially customer onboarding and relevant processes. This is comparable to credit risk operations, however, the standards are not so clear yet, so the processes are not easy to simplify. Right now, this is more of an effectiveness issue rather than efficiency. Part of this is what we call transaction monitoring, which is supervising all transactions that have the potential of money laundering, sanction circumventions, and fraud issues. We see a big use case for machine learning and AI here.
It seems that the role of the CRO is developing rapidly as the risk management function of banks start to digitalise. What skillsets do CROs need to become successful at this new role?
Banks are moving on to digitalising core operations, and of course the CRO is at the core of this. The risk department and CRO needs to get involved a lot, otherwise these cost-saving potentials are not easy to address.
But from a control function perspective, the CRO, the head of compliance, and also the CFO need to be involved in digitalising the bank to be able to control it and ensure regulatory compliance. This guarantees that those in the control function can still do their job and able to report back to the regulators on the new value chain.
With regards to skills, traditional skills developed over the past decades in risk management, for example analytical skills for understanding data, building systems, modelling, are still needed, and they are in bigger demand than ever.
Regulatory and compliance skills developed over the past 10 years in the aftermath of the financial crisis are still highly relevant as I said before. We believe this is a significant organisational capability and a very important one in order to define, understand, assess, and be aware of the new requirements coming up and how to fulfil them.
The potential is huge, so technology developments need to be documented.
There are also new skillsets required – new to everyone in a bank – for the digital capabilities. Risk managers need to understand what kind of hardware is available to them and how to cooperate with the IT department. Along with digital capabilities, tester development capabilities can also be important, especially if you believe that microservices play a role in your bank.
It’s also a skill to find new ways of working. If you apply an agile way of working in the risk department, for example in model development, things move along much faster in a much more effective and efficient way. From development to the calibration and validation of models, agile working makes everything easier to access.
To what extent are regulators the drivers of innovation and change in this sector?
From what we observed so far, not very much.
Usually regulators take the approach that in a pre-market economy there needs to be a reason to regulate the industry. If there are innovations coming our way, regulators would observe the new technologies and trends. Only after observation would they step in if needed. So regulators are not drivers.
However, we see a lot of banks reaching out to regulators to discuss how much potential is there in using new technology whether it’s blockchain, cloud computing, or microservices. The potential is huge, so technology developments need to be documented. Digesting big data and applying AI to it holds enormous potential, so regulators are approached by banks to discuss and seek guidance in some cases. But we would like for regulators to take on a more proactive role to help and clarify best use cases.
There has been talk about the next financial crisis. Do you think there is a reason to be worried?
Our view is that when crises occur in the free market economy it is not necessarily only a bad thing. It’s also an opportunity for some players because a crisis is less about an overall downturn, it’s more about differentiating between players who emerge from the crisis even stronger. A large number of players’ economic performance has been deteriorating and there are only a few players who are nowhere near trouble. Crises are natural and not singular in a market economy.
For a long time now, in some parts of the world, we have seen very low interest rates and high liquidity in the market, but also very high volatility and political and economical risks. We are ten years in a cycle that has been very positive in developments.
Also, there’s a lot of attention from management, politics, and central banks on this issue. So there are a lot of mitigation actions that can be evaluated and applied in case something does happen. We cannot know how and where the next crisis will occur, but what we can do – and this is very different from a decade ago – is to run scenario designs and stress testing in a very sophisticated way. We have a lot of data and dependencies which we didn’t have ten years ago.
For us, it’s less important to be worried about the next financial crisis. It’s more important to assess products, client records, regions, portfolio exposures, financial stability and sensitivity based on the available data.