Cyber risk has been voted the top concern by the RiskMinds Chief Risk Officers for the second year in a row, and now at RiskMinds International, the CROs debated the rising challenges of managing cyber risk within their organisations.
A few years ago, cyber risk was only emerging and the management of it focussed on external threats.
Today, cyber risk is present in everything a business does.
One of the main reasons delegates come to RiskMinds International every year is to hear the latest thoughts on risk and to consider whether their views are up to date.
Tuesday morning’s panel at the CRO forum in Amsterdam delved into how best to mitigate cyber risk, and more specifically, how to align it with enterprise risk management as well as more broadly into an organisation.
How to deal with cyber risk
The nature of cyber risk had changed, said Trevor Adams, Chief Risk Officer at Nedbank Group.
“The big focus has been on IT and within that, the threat of an external attack. While that remains significant, you are actually more at risk internally with your staff. It’s through them that others might gain access to your organisation. Having to manage the entire organisation and staff base is a bigger challenge than managing the external threat.
“Then there is third-party risk, which has become a much bigger deal – the penetration of third-party vendors has led to some big firms suffering data breaches.”
The panel agreed that aligning cyber risk to the ERM was an important part of managing it. However, this was still a work in progress, as Ebbe Negenman, Chief Risk Officer at Aegon Bank explained:
“In reality, it’s one of the most difficult risks to manage because it is so detailed. When I have looked at the incidents we have encountered in the last few years, some of them have been really small but with a large reputational aspect. That is really difficult to grab into a model or report. Yes, you should manage this risk within ERM, but how to do that is still being worked on.”
According to Colin Church, Chief Risk Officer at Citigroup, EMEA, it was the absence of a cross-border risk framework that made managing cyber risk difficult: “It is very debilitating for institutions if everyone is speaking a different language,” he stated.
Paulo Henrique Angelo, Chief Risk Officer at CAIXA, concurred, adding that collaboration across the board was the key to fighting cyber risk. In Brazil, Caixa is part of a banking association, FEBRABAN, where banks can share information and discuss the topic, he said, and this was really helpful.
Moreover, Paulo argued that public organisations, private companies and federal government should all be taking part in the discussion together.
This extended to looking outside of the financial services industry for inspiration, added Ebbe: “Energy companies face a lot of this type of risk, and I’m sure there is plenty we could learn from them.”
But one of the obstacles to collaboration, said Trevor, was that, while banks need to collaborate, they are also competitors. In South Africa in particular, a robust competition commission meant that any whiff of collaboration between banks could be swiftly extinguished.
Internal lines of defence
Collaboration was also critical within the firms themselves. The panel agreed that, while the three-lines-of-defence model was a necessary approach to cyber risk management, managing the risk was actually a function of the entire business.
“Cyber risk is no longer a specific function of the IT department,” said Paulo. “Everyone in the company should engage in and help manage this important risk, especially business units. They should be trained and sensitised to manage this kind of risk.”
Trevor agreed, saying that they had appointed business information security officers for exactly this reason. Each officer worked in their own business unit and reported directly to the Chief Risk Officer.
Paulo added that the most important thing they were doing was engaging the board. “We speak to them every month because without the board it’s an impossible task.”
There has been progress
But there had been plenty of progress in how the industry was managing cyber risk, argued Colin.
The G7 were working on a common framework and talking about penetration testing, while the FSB was working on defining a common cyber lexicon. “I think that, ironically, it’s the industry that is pushing the regulators to come up with a global framework,” he said.
Conversations at board level were a real boost, he added: “If cyber risk is being discussed there, then it’s going to be discussed everywhere. The other thing is that you are starting to see real expertise in these areas. People have been at it for a while now and the second line is starting to have real credibility with the first line.”
Trevor agreed that tremendous progress had been made, but there was still a long way to go: “There is probably no other risk type escalating at the same rate. You think you are getting close, but if you stand still, you’ll find yourself far behind.”
How can new technology help?
Another of the day’s sessions discussed how new technology could help firms manage cyber risk.
According to a snap poll of the audience, 92% planned on using artificial intelligence as an aid to risk decision making.
Daniel Moore, Chief Risk Officer at Scotiabank, said that there were three ways to think about AI: firstly, as a way to optimise daily activity; secondly, as a way of improving current processes; and thirdly, and most significantly, as a way of making structural changes to the business. “This is what the fourth industrial revolution will do for banking: it will change the industry in the same way that electricity changed the way a factory was designed,” he stated.
How to integrate AI into business needed careful consideration, the panel thought. All agreed that a sandbox approach was not the most effective. Rather, businesses should gather data scientists, business units and risk managers to work on the solutions together.
Lewis O'Donald, Global Chief Risk Officer at Nomura Holdings, added that it was important to encourage those interested in technology within the firm to augment their skills in this area and allow them to test technology like machine learning out on a small scale.
Tackling financial crime
Fighting financial crime was one of the most promising uses of AI, agreed the panel.
Jacques Beyssade, Deputy Chief Executive Officer in Charge of Risk, Compliance & Permanent Control at BPCE, said that he had already seen improved fraud detection in their day-to-day transactions as well as improved AML detection.
Interestingly, they had published their algorithm in the open market, “in order for people to challenge and improve it.”
You will see a lot more of this kind of consortium, said Vivek Bajaj, Global Vice President at Watson Financial Services Solutions, “not only AI but with blockchain, or whenever there is a lot of value in banks and financial institutions coming together to solve a problem.”
The key to their use of AI, said the panel, was as augmented intelligence: in other words, the idea that the machine does not really take the decision but helps a human make a better one.
According to moderator Vivek, central bankers were also very much on board with this idea. “They absolutely believe in the concept of augmented intelligence – what they are wary of is black box AI where you don’t understand on what basis the AI is making the decision.”
This was also of huge concern to all of the risk officers on the panel.
Lewis said that algorithmic trading was a good example. While it was worth investigating how sophisticated algorithms could drive better trading, hedging and market access decisions, the problem was how to manage algorithmic risk.
“We are having to think about how we control and understand the conduct of the AI algorithm, you have to understand the black box and the controls around it,” he said.
The key question was who was accountable for the decisions AI makes.
Daniel had the answer: “We take the position that every AI you deploy is an intern – it has to have a boss, a person that takes accountability, and if they are not equipped to understand that you had better find someone who is.”
But Lewis argued that, in practice, humans are also black boxes and that from a technical standpoint people were overestimating how uncontrollable augmented decision making could be.
The key way to approach this, said Vivek, was not treating AI as the starting point: “Begin with the business area and look at AI in conjunction with other technology,” he said.
Kanwardeep Ahluwalia, Head of Global Markets Risk (EMEA) & Deputy Chief Risk Officer (EMEA) at Bank of America Merrill Lynch, said that adopting AI required a strategic approach:
“I put technology transformation in the context of looking at your processes – do you understand the process you are running, are you creating operational excellence – there are very many fragmented processes and behaviour patterns. If you take a clear look at what your risk managers are conducting in day-to-day activity you can then introduce advanced technology as another tool to reengineer your processes.”
But above all, said Lewis, when using AI, we had to be willing to accept failure – and be willing to learn.