Risky business

Written by Leda Glyptis
3rd September 2020

The risk teams will set the tone for what comes next

I got some good traction with my “The revolution will be regulated” piece so watch me push my luck, now. Because I am not quite done making my point.

Banking.

I love it but god knows we make our own life difficult.

Don’t get me wrong.

I know why.

I “grew up” inside a custody bank: I get responsibility. I get the duty of care. I get – respect and cherish – the seriousness of purpose.

We play our part in keeping global trade moving, while enabling local business.

We help youngsters dream. I know, nobody thought of a student loan as a bridge to the stars but ask a working class kid what the second feeling they have is, after the heady joy of getting their A levels results and a confirmed place at the university of their choice. And that second feeling is, always and without fail: “we can’t afford this”. So yes I do think we do something meaningful.

A dignified retirement.

A home of your own.

Infrastructure builds. Dams and roads that enable agricultural communities to come out of penury. And you know what comes with penury? Bondage debt. Subsistence living. Avoidable disease and untimely death.

Do I think financial services single-handedly “save” humans? Of course not. But we have a role to play. And to flag that is to honour that. To speak of it is to remind all of us of what our purpose is. Of what our mission is. Of what our duty is.

Many years ago, in my first ever job, I sat with a USAID mission to Afghanistan. They were building roads in Helmand. Because that was the fastest, most direct and most durable way towards giving farmers a viable alternative to poppy cultivation.

It solves forward, it doesn’t solve everything, it is not enough. But it is our part and it is not nothing.

So what I am trying to say is the stuff we do is important. Not exciting. But systemically, profoundly important. And I am ok with us, as an industry, being really risk averse.

I know the cynics would say that the risk vector is about traders’ bonuses and shareholder returns. And I won’t argue with that.

That is also true.

But that is not the whole story. And it is not the main story. And the regulator is ahead of you here.

We are a risk averse industry and that is as it should be.

We are a cautious industry and that is as it should be. A lot more than “brand permission” or “user adoption” is at stake when we look at banking as a system rather than banks as enterprises.

Now within this context, humans have built careers and developed habits. And views. In fact, often the habits become “views” and people’s preferences or lived experience become a benchmark when it should just be an input. And yes that is both unhelpful and annoying but it is also understandable and not a reason to throw the baby out with the bathwater.

Banking is not about snazzy apps and gamification. Both of those have their place but they are not, never were and never will be the ball game.

Banking is about access to affordable credit. liquidity and a framework of investment instruments that make taking on the future (be it for business or infrastructure investment) possible.

We have a duty and our risk and compliance functions are there to keep us true to the cause. To keep us safe from our worst demons and bad apples. They are guardrails meant to keep us as safe as possible because what is at stake is huge.

If some of it looks like box ticking that’s because it is.

And herein lies the rub.

Hitherto, it would be fair to say that we knew what we were trying to achieve. And we devised ways of ensuring we stayed true to the course. Risk. Compliance. Audit. And to make sure the process was repeatable and transparent, a lot of box ticking came our way. A lot of “best avoid grey areas” became the norm. A lot of comfort came from going down a well-trodden path and, increasingly, a lot of reticence came with trying something new (‘cos if it ain’t broke… ) which, before you knew it, became a gag on innovation and creativity.

We know all this.

We have been fighting against all this (often alongside our compliance colleagues, not against them) for years.

What is different now, is that the combination of the digital era coming of age and the tensions COVID brought in its wake mean our course is true but our tools are not.

Whether we innovated successfully (or not) from hereon out matters little compared to this challenge. Because it’s time to revamp risk. Without losing sight of our duty of care, breaking anything or leaving any of our communities exposed.

The business prevention department

I don’t know about you kids, but back in my day, we used to call our CARL (compliance, audit, risk and legal) colleagues that to their faces. They knew we thought of them as the business prevention department. At odds with our creativity and almost parasitic in that they often stifled the business that paid their salaries.

Nobody looked forward to a meeting with the CARL team.

The people who say no.

The business prevention department.

If there is even the slightest unknown you are sent back to the drawing board and all that.

It was a joke.

It was true.

It was also manifestly not the full story. Because banks have always tried new things. Launched new products. Ventured into new geographies. Used new tech.

It was hard for everyone involved, CARL included. But we managed. Overall. Most of the time.

But today, in the post COVID (or mid-COVID) world, there is a true and present danger that the CARL functions may become a liability, not because their north star is wrong. But because their tools are. And I have not heard a single bank (yet) say that the one thing they will do post COVID is a massive re-think of all existing risk and compliance tools.

Let’s face up to some of the hard lessons COVID threw our way.

How many assumptions made around disaster recovery requirements, were tailored to a different kind of crisis and therefore fundamentally, wrong?

A disaster recovery (DR) site is not much good when nobody can meet another human or travel across town.

How many lending decisions balanced a book in a way that left banks over-indexed in exactly the sort of stable industries that stop being stable mid pandemic.

Suddenly shipping, hospitality, aviation, logistics, supply chain became hard things to have in your loan book, your portfolio of equity positions.

How many credit scorecards proved to be entirely unfit for the purpose of predicting who was credit worthy, in a crisis of this kind, duration and magnitude?

On a human and business level, the last few months have been full of surprises of the bad kind with high street giants and household names filing for bankruptcy or going into administration one after another while some smaller entities thrived and rallied.

How much of each bank’s offshoring strategy (a financial decision at the best of times) had to become part of a remote working preparedness and infrastructure assessment decisions for business continuity?

When hundreds of developers had to stay at home in Chennai or thousands of call centre staff went into lockdown in Manila, the cost saving of offshoring paled against the simple question nobody had asked when the contracts were signed: are your systems set up and your people equipped for remote working en masse?

How much of each bank’s geographic footprint was a commercial decision and now is an exposure factor?

How much of that pace and speed of change was a comfort and prioritisation decision and now is a survival trick?

All I am saying is.

Banking is a risk-averse business.

And the world is full of risk.

Now more than ever.

These changes won’t make us less risk averse, especially in the wake of a looming recession. Our duty to provide stability and protect access remains paramount.

So we need CARL. Now more than ever.

It’s just that the last few months taught us that the tests, checklists and models were if not wrong then woefully inadequate.

We need them. But we also need them to do a lot more, totally differently and much better.

The pandemic is not over.

And its impact is felt and yet has not reached its full expression.

This is not over.

We know what didn’t work, even if we don’t necessarily know exactly how to fix it.

We know where the change needs to start. It is infrastructure. It is agility. It is a bank’s systemic readiness, preparedness and ability to deal with unforeseen challenges with speed and efficiency.

Everyone will have a part to play, but the risk teams will set the tone for what comes next.

What will yours do?

Leda Glpytis