The banking industry is experiencing systemic change from all sides—volatile markets, increasing dependence and influence of technology, and both shifting consumer and corporate banking demands—and it feels like any moment there could be another shoe that drops.
There’s also heightened awareness and scrutiny around risk and whether organizations are equipped to protect their systems and customers. To see the impact of this intersection of technology and risk management on risk governance in banking, West Monroe conducted a survey of 200 bank executives to gauge strengths, obstacles, and ongoing challenges.
The results from Q1 2023 showed common pain points and highlighted areas of improvement in having a truly nimble, digital operating model that mitigates and resolves risks leveraging the right controls by having the right people, processes, and technologies in place.
Challenges from legacy systems are just one piece of the puzzle. Only 53% of respondents feel that their program management is strategic and nimble enough to adopt risk-related improvements, leaving room for many to differentiate and add value through technology risk management as it becomes table stakes for banks.
The survey showed that navigating a world where banking and technology are increasingly interdependent is difficult when there are legacy systems in place that may not be able to hold up against today’s challenges and regulatory shifts. The survey’s findings confirm the belief that banks need to continuously improve their technology to avoid lagging behind competitors.
Only one-in-three banks are widely using proactive measures and best-in-class tools to manage risk, highlighting an increasing need to shift away from a reactive approach.
It’s no secret that banks need to shift how they address technology security, compliance, and risk management: 92% of respondents said their organization places a high priority on enhancing this, noting it’s a frequent topic of conversation during C-suite and board-level discussions. But companies are slower to act than they should be—which ultimately hampers streamlining efforts. Teams are left addressing issues and framework gaps, unable to focus on the priorities that will help achieve desired business outcomes and reduce costs. Further, banks with $50-200 billion and $200 billion-1 trillion in assets are still finding their stride in implementing automation and best-in class tools to manage risk, whereas large organizations ($1 trillion+) are widely using these in day-to-day operations.
The top roadblock to getting new products to market is control applicability and rationalization to adhere to security and compliance, with 60% of respondents finding this their greatest hurdle.
Banks identified that they all also face at least one of the following challenges:
This is echoed when respondents identified their greatest opportunities for improvement within risk management functions: enhanced design, implementation, and oversight of security, compliance, and risk management controls.
When it comes to roadblocks to implementation, there was a clear differentiator among mid-size banks ($200 billion to $1 trillion): 90% of respondents in this category indicated their top roadblock was not having the right controls in place to achieve their desired speed to market for updates, implementations, and/or new products. This is much higher than the 64% of smaller banks ($50-200 billion) and 50% of larger banks ($1 trillion+). Instead, the top roadblock for larger banks was a lack of in-house expertise to quickly address security, compliance, and risk concerns surrounding a speedier go-to-market pace.
Survey respondents indicated that failure of controls and regulatory change are the two areas that would have the largest potential impact on their organizations.
Deployment of new technologies (like migration to public cloud) was a top response when respondents were asked to identify what may have the greatest impact on their organizations. But the inherent concern around controls preventing forward progress shows a clear value proposition for bolstering infrastructure and processes.
Nearly half of respondents (48%) felt effective design and implementation controls, along with better embedding of security personnel into product teams and development processes, would have the biggest impact on their organization’s technology risk management functions. This continues to show the role a flexible operating model can play in navigating risk through optimized teams.
On the path toward balancing opportunities and strengths, banks must lean into existing capabilities and identify areas to build up. Addressing gaps in capabilities is critical for maintaining differentiation, working toward a proactive risk management posture, and ultimately mitigating risk.
Additional survey findings include the following:
Just 31% of respondents said their security, compliance, and risk management team is embedded in the development process and works directly with product teams to design with security in mind. By not bringing them into the picture until later in the process, banks risk limiting their effectiveness and perpetuating issues getting the right controls and frameworks in place.
This also creates a conflict between teams, duplicating work between groups that are likely balancing different priorities and incentives. Building an embedded internal team plays a huge role in alleviating these concerns, as constrained development of solutions largely hinges on lack of stakeholder alignment and lack of consensus on issues and solutions (according to 44% of respondents).
With just 8% of banks who said budget availability is a constraint for investing in enhancements to the risk and controls program, the vast majority (92%) are navigating a people-and-operating model challenge at their core. This all ladders up to the challenge of competing organizational priorities and initiatives (identified by 63% of respondents). Having the right people in place at the right time to showcase value and create buy-in can prevent the 4-to-8-week derailment half of companies are experiencing to close out an issue. Control framework management and rationalization may feel like basic parts of this, but they’re critical to business continuity and being able to support other value-creating initiatives across the organization.
Banks need to bridge the gap between effective controls, having the right knowledge embedded in the right places, and developing sustainable compliance frameworks. These steps will be necessary in order to reduce time spent on resolving issues, streamlining processes, and implementing a proactive risk management approach without sacrificing go-to-market speed and revenue returns.