Mestchian: think carefully about outsourcing risk and compliance functions

Operational risk and cyber-security concerns are converging as a topic for risk managers, who also face a changing agenda resulting from the digital transformation of banking and financial services.

In its 10th annual RiskTech100 report, Chartis has partnered with Accenture and specialist risk management consultancy Parker Fitzgerald to examine how these trends are affecting the direction of a market that it estimates will be worth $100 billion in 2016.

In a joint paper, Accenture and Chartis note that while financial institutions are familiar with the basics of firewalls, malware and phishing, “they are struggling to connect the technical aspects of cyber security with the people and process risks that operational risk is designed to monitor and control”.

Digital banking provides a new set of risks with an “extremely challenging” profile, according to a paper co-authored with Parker Fitzgerald. Not least of these is that “when things go wrong in a digital context they usually go wrong quickly and at scale. Instead of affecting a single customer, issues can impact many or even all customers at once.”

The report says that continuing pressure on budgets, which acts as an incentive for simplification and automation, has led to increasing use of cloud-based technologies and managed services. This is resulting in “a number of innovative solutions and business models”, including the idea of industry utilities for risk and compliance, says Peyman Mestchian, managing partner at Chartis.

Mestchian sounds a note of caution about outsourcing risk and compliance processes and functions. “One of the key lessons learnt from the financial crisis was how poor risk culture and ownership can be a root cause of financial instability and misconduct,” he says. “We must think carefully about the kind of signals and messages that will be received by employees and customers if we outsource certain key risk management processes. If done right it will add value, but if done as a purely outsourced ‘tick box’ process then it may go against the spirit of risk ownership and accountability.”

The report, which is free to download, also includes a ranking of the top 100 risk management technology vendors.

  • Risk Culture Builder 19 December, 2015 at 0648

    Interesting to see this, no study was needed: by definition systems and people risks are both part of ORM. The biggest cyber-security risk is people, not systems and most organisations are trying to mitigate cyber-risk at the wrong source, by focussing on systems and not people.
