“In this job, you can’t ever allow yourself to be satisfied,” says Andrea Pozzi as we sit down in her office in Madrid to talk about non-financial risks. “The risk landscape is continuously changing and that means you need to constantly be thinking about what you can be doing to improve your program. There’s never a dull day when you are managing these
types of risks.”
As the Global Head of Grupo Santander’s Non-Financial Risk unit, Andrea has a unique view into the growing complexity of managing risk in an increasingly globalized financial services marketplace. Santander is, after all, one of the world’s largest banking groups with a solid presence in 10 markets across Europe and the Americas, serving 144 million customers.
While the sheer size and scale of the organization creates some obvious risks, what Andrea is most worried about is how the organization will handle its current shift towards digitization. Not surprisingly, perhaps, cyber risk is high on her agenda.
“We need to help the organization ensure that whatever we do is robust and protects our clients. The reality is that our competitive advantage lies in the trust and confidence of our clients. As we progress through our digital transformation, my team helps ensure that we’re really thinking through all of the different potential unintended consequences of the new technology.” The list of potential risks that accompany a large-scale digital transformation is long. Among other things, Santander’s Non-Financial Risk unit is looking for possible increased risk of fraud through digital technologies, as well as the range of third-party risks that come with the development of new banking models.
“The big challenge is how to maintain our robust control framework when the organization is trying to transform in an environment that is trying to be disrupted,” she notes. “Frankly, I’m less worried about specific technologies than I am about the sheer pace of innovation. As an organization, we have a deep desire to move quickly to meet the evolving needs of our clients. But we need to do that in a controlled way.”
It’s a challenge that regulators also seem to be worried about. “After the financial crisis, the regulators were very focused on credit and market risks. But now they are starting to shift their focus towards non-financial risks — cyber and data security, in particular,” Andrea notes.
However, while regulation may be the driving force behind many banks’ nonfinancial risk programs, that is not the case for Santander. “I’m not building the program to meet the regulatory requirements; I’m building a program that solely positions the bank correctly and ensures it is managing its risks appropriately. At the end of the day, that’s also what the regulator wants.”
To create a solid second line of defense, you need a strong first line. And Santander has been very active in developing and strengthening their first line, particularly in fast-moving areas like cyber. In fact, Andrea spends much of her time focused on ensuring that non-financial risk becomes better integrated into the business. In part, that means creating the right tools and processes to drive a continuous feedback loop for nonfinancial risks. “We need the business to constantly be identifying risks, evaluating them, measuring them, controlling them and then using that knowledge to start again,” Andrea adds.
It also means making sure that nonfinancial risk is factored into the organization’s long-term strategic planning process. Andrea’s focus is on working with leadership to integrate it even further. “I think we’re just starting to get really good at thinking about the riskreturns of non-financial risk and using that information to help make decisions and better inform our future investments,” she adds.
With a strong first line in place, Andrea’s team is able to form a robust second line of defense around that. “We really focus on helping to define the Groupwide framework, programs, policies and procedures that help the lines of business in each country mitigate and manage
risks,” she noted. “But we also need to recognize that there is no ‘one-size-fitsall’ answer to on-financial risk. So we want to create programs that are also flexible enough to meet the unique needs of the lines of business and countries.” Given the complexity of the organization’s risk matrix, one of the key roles for Andrea’s team is in helping the Group
aggregate, define and measure all of the various non-financial risks in their spheres of operations (and some that lie well beyond their current sphere but still pose potential long-term risks). “It’s really the only way to maintain a reliable yet holistic view of the risks facing the organization,” she admits.
Through my discussion with Andrea, it is also clear that the organization’s leadership is highly involved and invested into the way non-financial risks are being managed. “Our technology and cyber committee is chaired by our Group CEO, José Antonio Alvarez. And he’s not just a figurehead on the committee — he is actively engaged, asking great questions, offering up smart challenges and really helping the organization think through the risk implications of our digital agenda,” she notes.
Andrea does see opportunity for new technologies and tools to improve the way the bank manages non-financial risk. “We’re working with our internal analytics teams to see if we can find better ways to proactively identify and monitor potential signals of future risk. I’m hoping to build towards a form of automation that continuously monitors for early warning signs and lets me know when certain risks have increased. It’s all possible with today’s technology. And we are working towards that.” However, she also notes that technology is just one part of the equation. “We are certainly looking at, and using, digital processes and tools. But there will never be one tool — digital or otherwise — that will manage everything for us. And that means we need to keep thinking about how we integrate different tools as we move through our own evolution,” she notes.
Ultimately, Andrea’s view is that the management of non-financial risk must be a continuously evolving practice to deliver the flexibility financial services firms need in the current environment. “With non-financial risk, you are never really done. You need to be constantly thinking about how to evolve — not just by looking ahead at things on the horizon — but also by looking behind to understand how you can do better the next time.”
“In this job, you can’t ever allow yourself to be satisfied,” she reminds me.
Andrea is the Global Head of Non-Financial Risk at Grupo Santander where she oversees a unit that includes operational risk, technology risk and cyber risk for the Group worldwide. Andrea has extensive risk management experience and has worked with leading financial services firms such as Merrill Lynch, Munich Re and Citigroup.