Risks have become increasingly connected. And that makes the consequences much more difficult to predict and manage. It is no longer possible to do so applying only traditional risk management tools. Financial services firms as well as all other sectors of the economy will need to take a more dynamic approach if they aspire to manage the new world of risk.
Risk managers and oversight committees learnt a lot from the pandemic. Perhaps the most important lesson was that, again, risks are more interconnected than previously accepted. And that means the implications of individual risks are often more far reaching in terms of what they can trigger than current risk management approaches portend.
The pandemic was just one example of this at a global scale. Prior to 2020, most risk managers considered a pandemic to be a ‘high disruption, low probability’ risk. Planning for this risk (when it ranked high enough on the agenda) was often focused on the health and safety of employees. Few went on to consider how national lockdowns would impact the economy and fundamentals of the financial markets nor how it would drive digital disruption, an increase in cyber attacks and a return to territorialism.
Yet when you look down the list of risks at the top of the financial services agenda, each one contains a level of interconnected risk. Cyber risk, for example, is deeply connected to operational risk, reputational risk, regulatory risk and financial risk. Cyber risk is essentially at the center of a ‘cluster’ of risks that are expected to have a contagion effect on the others. And, ultimately, that can make an event substantially more severe than risk managers would anticipate when looking at each risk in isolation.
A useful way to think about these types of risks is in terms of networks – including the very networks that financial institutions rely on to operate efficiently and effectively. One obvious network that surrounds us are people networks. Consider this: in the early 1980s, fewer than 330 million airline tickets were sold in a year; by 2019, more than 4.2 billion were sold1. As we have seen, disrupting that network can have a catastrophic effect on national economies, business growth, consumer spending, Foreign Direct Investment and so on.
Apply this network disruption to financial networks – Foreign Direct Investment: it too is a global network that has seen dramatic growth since the 1980s. And that network could be hobbled by a wide range of potential risks including trade wars, geopolitical changes, sovereign debt risks, currency risks and so on. Exports and supply chains are another network that could be seriously disrupted by any level of fragmentation across the chain. Technology and financial instruments can be viewed as more networks that can amplify discrete risks. Once you start looking, networks appear everywhere.
As if that wasn’t enough interconnectedness – financial institutions also need to consider the concentration risks that may be created by the failure or fragmentation of one or more networks. COVID-19 provides a current example: people networks have to be forcibly fragmented by lockdowns, travel bans, social distancing and the limitation of gatherings. In its place the world has doubled down by pivoting to digital networks. This more than doubles the risks inherent to a breakdown in digital networks. Disruption to the people network has, therefore, changed the risk equation of the digital network.
A useful way to think about these types of risks is in terms of networks – including the very networks that financial institutions rely on to operate efficiently and effectively.
KPMG firms spend a lot of time helping financial services executives identify and assess their network risks. Without exception, our conversations suggest banks, insurers and asset managers are keen to start including this view into their risk management approach.
The appetite for networked risk modelling is increasing with the recent discovery that macro-economic data underpinning current risk profiles is non-stationary: it does not revert to a mean. Moreover, domestic risk data and economic risk profiles exhibit similar characteristics. This raises serious questions about the ability to put statistical distributions around risk modelling – for example Enterprise Risk Modelling and Operational Risk Modelling – unless there is an abundance of data pertaining to a milieu that is characterised by slow and manageable change: motor vehicle claims for example. However, modelling Probability of Default depends on economic cycles, and these are non-stationary. This has profound consequences for the accuracy of statistical tools (including VaR) in modelling potential future exposures. Common wisdom has always held that the pattern of variability in risk can be predicted. That is not the case; risks continue to evolve in unprecedented ways.
What that means is that financial institutions will need to start going beyond the traditional statistically probabilistic methodologies used in the past, to instead start incorporating new risk models that – albeit ‘less statistical’ – provide a more accurate view of future risks and their expected combinations.
The appetite for networked risk modelling is increasing with the recent discovery that macro-economic data underpinning current risk profiles is non-stationary: it does not revert to a mean.
At the same time, executives and risk managers will need to be constantly re-assessing and adjusting their risk management approaches to ensure they are being proactive on issues that normally wouldn’t be on the risk register. Technology can help (KPMG firms have a platform that allows financial services firms to dynamically map their network risks). But even with technology, the shift to more dynamic risk assessment models will take some work.
And that, perhaps, is the greatest barrier to financial services firms improving their risk management perspective: time and resources. The reality is that financial services organizations are already dealing with a massive range of regulatory requirements around risk management; finding the headspace and bandwidth to address the network dimension of risk can be difficult when you are already drinking from the firehose of current, mandatory risk requirements.
Yet this is no time for inertia. As the COVID-19 pandemic has taught us, networks can be quickly disrupted, and the implications can be far-reaching. Ignoring them or their interconnectedness doesn’t make them less of a risk.
To be clear, we are not suggesting that financial services risk managers upend the way they currently do their risk assessments. What we are advocating, however, is a more dynamic projection of those risks to include unprecedented ones and then to model their interdependencies and network relationships. The latter should include combinations beyond statistical correlations, which tend to underplay future risk permutations.
The first step is to acknowledge the need for network thinking in risk management. Then it comes down to identifying the risks, including future, unparalleled ones. This is to be followed by networking the risks and their expected contagion and questioning what the organization can do to respond to the most severe combinations to emerge. Just going through that process as a table-top exercise with executives can be a very helpful and eye-opening place to start.
What is clear is that today’s risk environment is interconnected.