Global Risk 2019: Creating a More Digital, Resilient Bank

Related Expertise: Risk Management and Compliance, Financial Institutions, Wealth Management

Global Risk 2019: Creating a More Digital, Resilient Bank

By Gerold GrasshoffMatteo CoppolaThomas PfuhlerNorbert GittfriedStefan BochtlerVolker Vonhoff, and Carsten Wiegand

Microsoft founder Bill Gates once said, “We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten.” His words apply especially to technology. Digital disruption seems like an abstraction until it is thrust upon one’s business and industry.

It’s safe to say that in banking, disruption is now here. Innovations that were bleeding edge just a decade ago—such as robotic process automation, machine learning, artificial intelligence, and cloud computing—are joining the mainstream. Likewise, fintechs, bigtechs, and digital leaders that emerged during the past decade have already begun to form strategic banking partnerships and to carve out specialized niches. As transformation accelerates, open banking, instant payments, and other advances will create enormous value for fast-moving institutions while disintermediating those that move too slowly.

BCG’s ninth annual survey of the health and performance of the global banking industry reveals that digitization is becoming more than just a smart competitive move: it will likely determine which banks survive through the next decade. Our data reveals that economic profit (EP) is on the wane for banks in all major markets, falling to levels not seen since 2013. Market forces have contributed to the falloff, especially in Europe. However, they’re not the only—or even the primary factors—at play. In North America, for instance, banks enjoyed healthy economic growth and rising interest rates, yet EP declined slightly by 2 basis points from 2016 through 2017. Stronger income was not enough to overcome what has become the most significant encumbrances for banks across all regions: soaring risk and operating costs. In Europe, risk costs have reached their highest level since 2013. And in Asia-Pacific, an across-the-board spike in costs has eroded EP for most banks. Addressing these issues is not easy, but digitization as a lever to increase efficiency, speed processing, and improve decision making are necessary elements of the solution.

For regulators, instilling trust in the strength and resilience of financial markets has become a dominant focus. Banks must improve the quality and efficiency of regulatory compliance to meet their ongoing financial-stability, prudent-operations, and resolution obligations. Achieving this will require finding leaner and smarter ways to manage the high volume of regulatory revisions, as well as experimenting with new technologies and partnerships to drive down the cost of know-your-customer documentation and to improve anti-money-laundering processes. Keen to protect financial markets from future shocks, regulators are trying to anticipate the ways that technology will reshape the banking ecosystem and, with it, their own role in establishing guidance.

Our report examines the profound ways in which banks’ risk and treasury functions will change over the coming years. Both functions face a broader mandate with a larger slate of risks to manage, a growing need for integrated steering to protect banks’ interests, and an equally growing need to make the most strategic use of banks’ balance sheet resources. Delivering on this mandate will require risk and treasury to operate faster and more incisively, backed by real-time data, predictive analytics, and end-to-end automation. Risk and treasury functions that commit to “going digital” in these ways will become not only more efficient operators but also more effective strategic partners in delivering value to banks.

This report indicates that banks are reaching an inflection point. While outside forces may have dictated the path in the post-recessionary period, banks now have an opportunity to lead the way.

It’s a Three-Speed World for Economic Profitability

The momentum that lifted the banking sector’s performance through the first half of the decade has slowed in all major markets. While banking remains profitable on an absolute basis, total economic profit (EP), which adjusts for risk and capital costs, softened again in 2017, in the second straight year of decline. 1 1 A bank’s EP equals its gross income minus refinancing and operating costs, loan loss provisions (LLPs), and capital charges (common equity multiplied by the cost of capital). LLPs and capital charges are barometers of macroeconomic and regulatory conditions that, taken together, represent the risk costs that banks incur. Notes: 1 A bank’s EP equals its gross income minus refinancing and operating costs, loan loss provisions (LLPs), and capital charges (common equity multiplied by the cost of capital). LLPs and capital charges are barometers of macroeconomic and regulatory conditions that, taken together, represent the risk costs that banks incur. Since reaching a global-average high of 16 basis points in 2015, EP has slumped, falling to just 8 basis points in 2017. (See Exhibit 1.) With that slide, average banking performance is now on a par with that of 2013, when the banking industry started to regain its footing after the global recession.

An inability to shake off nagging risk and operating costs kept growth in check for most banks, but there were sharp regional differences. In Europe, banks have remained mired in negative growth, hemmed in by low interest rates and nonperforming loans (NPLs). By contrast, banks in North America have benefited from increasing interest rates, but rising costs edged total EP down for the second straight year. In Asia-Pacific, banks experienced the third consecutive year of declining EP. The developing markets were bright spots on the global banking landscape. Although escalating costs rippled across the region, robust income growth drove average EP higher in 2017, raising EP in the Middle East and Africa to a decade high. South America’s EP, though still strong at 91, was down slightly from 94 basis points the year before.

These are among the findings of Boston Consulting Group’s ninth annual study of the overall health and performance of the global banking industry. BCG’s study assessed the EP generated from 2013 through 2017 by more than 350 retail, commercial, and investment banks, covering more than 80% of the global banking market. Because EP weighs refinancing and operating and risk costs against income, it provides a comprehensive measure of a bank’s financial health and serves as a useful gauge in determining the impact of ongoing regulatory, technological, and competitive pressures on bank performance.

Regional Performance: A Mixed Picture

The major markets—Europe, North America, and Asia-Pacific—continue to run at different rates, hobbled or aided in turn by the strength of the economic recovery in each region, the ongoing impact of NPLs, and stubbornly high cost structures. As a result, EP varied considerably by region. (See Exhibit 2.)

In Europe, NPL rates have sent risk costs soaring to their highest level since 2013. Banks notched slight improvements in refinancing and operating costs, but the combination of flat income growth and rising risk costs means that, on average, banks couldn’t cover their cost of capital. Although overall EP recovered 4 basis points from 2016’s low of –26, on the back of slight increases in fee and trading income, low interest and dividend income kept EP in negative territory throughout the decade. The weight of the financial challenges has caused the ground to shift for banks that were already underperforming. Continued deterioration in their results has widened the EP gap between them and the rest of the field.

It’s a different story in North America, where strong economic growth combined with rising interest rates led to an increase in total bank income. Much of that growth came from rising net interest and dividend income, which rose from 191 basis points in 2016 to 215 in 2017. Taking the edge off this growth, however, was a sharp rise in operating and risk costs, which saw material increases of more than 24 basis points. Those costs contributed to the second straight year of total EP declines. Compared with other regions, however, the falloff has been slight: EP gave up just 2 basis points—going from 27 in 2016 to 25 in 2017—and only 6 basis points in all since the peak of the banking sector’s economic recovery in 2015. In North America, unlike in Europe, cooling performance among top banks played a bigger role in weakening average EP across the region while the bottom of the market remained largely stable.

On the other side of the world, banks in Asia-Pacific faced the third straight year of significant declines. Since 2014, EP has more than halved, falling from 52 basis points to 19 basis points in 2017. Over that period, income has remained largely stable, but costs have risen. Risk costs jumped by 23 basis points, and operating costs by 14. Higher NPL provisioning in Indian banks in response to stricter local regulatory requirements accounted for many of the region’s EP challenges. There was less EP variability among banks in Asia-Pacific, as weaker results at the top end narrowed the gap.

In contrast to these three major markets, the smaller ones of South America and the Middle East and Africa turned in largely healthy results. In South America, EP fell from the 2016 high of 94 basis points, still landing at a respectable 91—close to 60 basis points higher than in 2015 and above the five-year running EP average of 69.

The Middle East and Africa region was the only one to deliver positive year-on-year EP growth—sharply positive growth at that—with EP surging 15 basis points to a total of 62 in 2017. Both fee and trading income posted gains, although a 45-basis-point rise in net interest and dividend income accounted for the bulk of banks’ growth. Costs also rose, but the impact was not enough to dampen EP performance overall.

Time to Prepare for Economic and Technical Change

Banking remains a three-speed world in which European banks continue to struggle, North American and Asia-Pacific banks strive to stay the course, and the developing markets of South America and the Middle East and Africa continue to show high profitability. Yet systemic issues hound each region. One challenge is the yawning gap between laggard banks and a small, but aggressive, tier of determined incumbents seeking to forge fintech and open-banking partnerships that can provide customers with the mix of institutional resources and digital savvy that will increasingly define how banking services are delivered.

Another challenge is resource strength. The economic recovery has benefited some markets more than others, but the severity of the financial crisis has left a stratum of wounded banks. Only a small number of banks will have the balance sheet resources to serve the entire financial services value chain as new players with digitally enhanced capabilities carve out niche positions. Other banks will need to reassess where and how they want to compete—whether to go for specialization or for scale. No matter which of these paths a bank chooses, it will have to significantly enhance its existing organization to improve agility and digital maturity.

The third major issue is the NPL burden. (See Exhibit 3.) While banks in the US have steadily lowered their NPL ratio from a high of 5.0% in 2009 to 1.1% in 2017, Europe’s story was different. Across the euro area, the NPL ratio continued to climb, rising from 5.2% in 2009 to 8.1% in 2012 before decreasing to 3.2% in 2017—still nearly three times the US level. Along with geopolitical uncertainty and cybercrime, the NPL problem has been designated one of the European Central Bank’s three critical supervisory priorities for 2019. The ECB notes that even though many banks have been able to reduce legacy NPLs, the ongoing ratio remains high. While market conditions are still depressed, the danger is that banks’ search for yield could give way to excessive risk taking, possibly pushing NPL ratios even higher.

Mindful that banks’ financial stability is essential to global economic stability, regulators in Europe and elsewhere are keeping a close eye on these issues.

Setting the Regulatory Stage for the Future of Banking

In the US and Europe, the past year’s predominant regulatory themes have focused on trust and technological change. To reinforce the credibility of banks’ internal risk models, regulators in the EU continue to advance their targeted review of internal models (TRIM). TRIM now requires banks to use the floors established in Basel IV capital calculations as backstops. In the US, meanwhile, stress testing is well established, and major banks are required to report annually. However, recent changes to the Dodd-Frank Act now exempt small US institutions as well as most foreign banks from this requirement.

In the areas of prudent operations, regulators have sought to inject trust: increasing enforcement, giving customers greater control over their data, and expanding participation in the banking industry. Regulators have pushed to advance resolution frameworks that could prevent the systemic disruption and bank bailouts that occurred during the financial crisis. Until recently, the EU had lagged behind the US in formalizing its guidance on this issue and building up the necessary resources. More attention, coordination, and resources in the past year have helped close the gap.

Facilitating technological change within a clear regulatory framework has been another overriding theme. The second Payment Services Directive (PSD2) aims to harmonize customer protections across the payments landscape and foster collaboration among third parties such as banks and fintechs. The rules, which lower switching costs, could unleash a wave of innovation across the financial services ecosystem, creating new sources of customer value.

Finally, regulators are considering the impact of technological change on their own work. A study by the German regulator BaFin found that as big data and artificial intelligence (BDAI) reshape the financial services ecosystem, BDAI innovations will increase the disaggregation of the banking value chain. 2 2 “Big data meets artificial intelligence: Challenges and implications for the supervision and regulation of financial services,” BaFin Federal Financial Supervisory Authority, July 16, 2018. Notes: 2 “Big data meets artificial intelligence: Challenges and implications for the supervision and regulation of financial services,” BaFin Federal Financial Supervisory Authority, July 16, 2018.

To illustrate the direction and logic behind those changes, we examine the three pillars of the regulatory landscape: financial stability, prudent operations, and resolution.

Financial Stability

Rules pertaining to banks’ financial stability represent the most mature area of regulatory reform: final revisions to Basel III are now complete and other measures, such as the International Financial Reporting Standards (IFRS) 9 in Europe, have been formally introduced. Although many significant pieces of financial regulation are now in place, banks continue to see those rules as subject to significant ongoing revision.

Regionally, regulatory priorities differ, especially with respect to the measuring and steering of risk. In the EU, the ECB expects to conclude its TRIM review by the end of 2019. The goals of that review are the reduction of unwarranted variability in the way banks calculate risk-weighted assets and improved comparability and reliability of results across banks. TRIM also requires institutions to maintain capital buffers that correspond to their specific capital exposure.

Taking a different approach to ensuring financial stability, regulators in the US are focusing more on stress testing and less on internal model standardization. To gauge capital adequacy, banking regulators require institutions operating in the US to submit an annual comprehensive capital analysis and review (CCAR) report. In the US, however, unlike in Europe, capital buffers are mandatory only for globally “systemically important banks” rather than the banking sector more broadly.

Accounting concepts on the two sides of the Atlantic differ. In the US, under generally accepted accounting principles, commonly known as GAAP, for instance, the new current expected credit loss standard will require banks to apply the lifetime expected loss for all loans, while in Europe, IFRS 9 provisions require banks to use lifetime expected loss only for loans that either are in default or are showing significant rating deterioration.

In the US, beyond these changes, a relaxation in some Dodd-Frank Act provisions means that bank holding companies with less than $100 billion in total assets are no longer obliged to submit a CCAR. The increase in thresholds is not yet available for foreign banks with global assets of more than $100 billion, but discussions are ongoing possibly to adjust Regulation YY accordingly. Given these regulatory and accounting differences, multinational banks are increasingly opting to organize into various regional subgroups.

Prudent Operations

Since 2009, banks worldwide have paid $372 billion in penalties. (See Exhibit 4.) 

Regulators assessed $27 billion in penalties on European and North American banks in 2018, an increase of $5 billion from the year before. Mortgage-related misconduct in the US, money laundering, and interbank-offered-rate-related market manipulation across regions are among the factors sparking regulatory ire. Following the London Inter-bank Offered Rate (LIBOR) price-fixing scandal, reliance on expert judgment has become a point of concern for regulators, who have responded by introducing new quality and independence standards for financial benchmarks. (See the sidebar “Getting Ahead of the Curve in Reference Rates.”)

Getting Ahead of the Curve in Reference Rates

The Euro Overnight Index Average (EONIA) and Euro Interbank Offer Rate (EURIBOR), the reference rates for financial contracts whose nominal value exceeds €150 trillion, are about to be replaced. The volume of unsecured interbank lending has collapsed, and—following the London Inter-bank Offered Rate (LIBOR) price-manipulation scandal—regulators are working to enhance transparency and objectivity in setting reference rates. Recent developments have pushed the timeline for adoption of new reference rates to December 2021.

By January 2022, EONIA will have to be replaced by an entirely new short-term (overnight) reference rate, and the derivation of the EURIBOR term rate will have been revised significantly. (See the exhibit below.) Because EONIA and EURIBOR are ubiquitous in contracts among banks and their counterparties and are commonly used in valuation modeling and internal transfer pricing within banks, nearly every part of the balance sheet and nearly all front-to-back processes will be affected. The shift, thus, presents banks with transition costs and significant risk. Should the old rates no longer be published, existing contracts that reference them will need to be renegotiated, presenting not only direct financial risk but also the legal, conduct, and reputational risks that attend such sensitive processes. The redesign of products, hedges, and valuation models for use starting in 2022 presents the same risks. If a bank gets things wrong, its balance sheet, legal position, and reputation could all be damaged.


For many banks, on a standalone basis, the cost of implementation will be comparable to that of IFRS 9 implementation—from €50 million to €100 million for small banks and as much as €350 million for the globally systemically important banks that are known as G-SIBs. To make the most of this expenditure, banks should use the enforced reference rate transition as an opportunity to create synergies with other regulatory or operating-model initiatives—upgrading their pricing and risk management frameworks in the process—and should move to more agile and cost-efficient model landscapes, data platforms, and IT infrastructures. Taking advantage of such synergies could reduce the cost of the combined project by as much as 20%.

Furthermore, there are more policemen on the beat. For most of the past decade, the US led the bulk of enforcement activity, but European regulators have stepped up their engagement considerably over the past 12 months. During 2018, European authorities began enforcement actions. Among other consequences of these actions were the resignations of several high-level bank managers—in some cases, even the CEO stepped down. Regulators also included formal monitorships as part of many bank settlement agreements, giving regulators oversight of bank remediation efforts.

Anti-money-laundering (AML) provisions in Europe are now stricter. The fifth AML directive, which will come into force at the end of 2019, lays out tougher minimum requirements for the enhanced due diligence measures banks must take for customers from high-risk countries. It also requires all EU member states to introduce official lists of politically exposed persons and to become more transparent in naming beneficial owners and providing account holder data. This is common in most—but not all—EU countries. Along with harmonizing AML rules, EU authorities are working to align AML supervision across the region with stepwise migration to a centralized oversight function planned over the next two to three years.

Regulatory governance has become more challenging in the current era of rapid technological change. As the financial services value chain expands to include fintechs, regtechs, and other service providers, regulators have had to balance the need to develop minimum standards and clarity for emerging offerings, simultaneously ensuring that the new rules don’t get in the way of innovation or unduly advantage one set of players over others. It can be difficult to manage that fine line while ensuring that regulatory guidelines keep pace with technological advances.

Still, regulators have begun to act in key areas. With the fifth AML directive, for instance, regulators have introduced duties for cryptocurrency suppliers—the first regulations to hit the digital currency field. Under the directive, all cryptocurrency exchanges must comply with AML minimum standards. The issuance of these guidelines means that banks can now play in the cryptocurrency markets: banks are bound to operate only in those areas in which AML rules exist. In crafting the standards, regulators had to take care not to make the provisions too strict lest they handicap small players.

Banks are interested in exploring ways that technology can help streamline regulatory compliance. Given the significant costs associated with know-your-customer (KYC) documentation, several institutions have expressed interest in partnering with peer banks to create a KYC utility. However, progress has been hindered by a lack of agreement on standards and the fact that the benefit for some banks with high KYC volumes may be negligible. There are regulatory hurdles to contend with as well. While regulators in regions such as the US and Europe generally permit occasional KYC partnerships, most prohibit banks from outsourcing the function outright. However, regulators in the US are evaluating a framework that would allow small banks to join together to establish a KYC utility.

Data protection has become an increasingly important issue now that Europe’s General Data Protection Regulation (GDPR) has taken effect. Banks have put basic customer privacy elements in place, but, given the complexities of enabling a customer’s “right to be forgotten” and other requirements, full implementation is likely to take some time. Although the US has no GDPR equivalent at the federal level, some states have begun to take action on their own. In California, for instance, the California Consumer Privacy Act, which prescribes rules comparable to GDPR, goes into effect January 1, 2020, and enforcement is slated to begin by July 1, 2020.


In an effort to prevent the heavy taxpayer bailouts and systemic disruption that accompanied the 2008 financial crisis, US regulators have taken the lead, mandating that banks develop detailed resolution plans that lay out orderly restructuring plans that go into effect for banks that experience material financial distress or failure. The Federal Reserve System now has a well-established resolution regime in place, and major banks operating in the US must submit their plans annually. Those with significant retail deposits must also file resolution plans with the Federal Deposit Insurance Corporation.

Under revised Dodd-Frank requirements, however, bank holding companies with less than $100 billion in total assets are no longer required to file resolution plans with the Federal Reserve. Along with lower CCAR requirements, easing the resolution compliance burden could encourage some foreign banks to rethink their US business models and reduce their nonbranch bookings in the US in case Regulation YY is adjusted accordingly.

Elsewhere, resolution frameworks remain less developed. That, however, has begun to change, especially in the EU. The Single Resolution Board (SRB), which serves as the EU’s governing authority on bank resolution, has, for the past several years, followed a stepwise approach: banks first defined their critical economic functions and then detailed their liability structure to prove that they have sufficient “bail-in-able” debt. Currently, the SRB is overseeing the third, and final, stage, which requires banks to lay out their resolution strategies and implementation plans. In the course of the past year, the SRB has added new resources aimed at improving supervision and performance. Despite this progress, there are still questions about the overall effectiveness of the resolution mechanism. Within most jurisdictions, for instance, direct or indirect retail money losses can still occur in the event of a bank bail-in, since bail-in-able debt can be held by retail customers, insurance companies, and asset managers.

As Banks Digitize, So Must Risk and Treasury

Across the expanding financial services ecosystem, business models, innovation models, and cost structures are changing, with digital capabilities and rising customer expectations being the prime movers in each case. These shifts will have sweeping implications for banks—and, consequently, for core functions such as risk and treasury.

As digitization opens the financial services ecosystem to new and niche players, we expect to see fewer full-stack banks. Instead, banks will likely pursue a mix of strategies, such as becoming platform leaders, being specialist providers, and promoting infrastructure-as-a-service offerings. The cost basis will also change. Banks will need to be leaner and more efficient if they are to compete effectively against digitally mature peers and fintechs, many of which have much lower run rates.

Given the crucial role that data plays in risk and treasury, the criticality of decision timing, and the need for swift and accurate forecasting, it is especially important that these functions “go digital.” End-to-end automation of standard processes, big data, AI, and robotics will facilitate straight-through processing of routine tasks, freeing risk and treasury personnel to focus on higher-value activities. Cloud solutions and service-based IT systems will provide a flexible modular engine that can accelerate and support frequent product innovation and enhance risk-steering applications. The efficiency-generated savings should be significant, and performance gains—fewer credit defaults and higher treasury returns—could be even more substantial.

To achieve such benefits, however, risk and treasury must adapt their operating models, methods, and roles in the wider organization. In partnership with finance, they’ll also need to adopt an integrated balance sheet management approach to improve visibility and decision making.

By digitizing the risk and treasury functions and integrating balance sheet management in these ways, banks will benefit from much stronger risk and liquidity oversight and more incisive and agile steering.

Digital Risk

Given the skills and data resident within the risk function, a digital chief risk officer (CRO) can become both a nucleus and a force multiplier for bankwide digital transformation. 3 3 “The Digital CRO,” Yearbook 2019, Frankfurter Institut für Risikomanagement und Regulierung, March 2019. Notes: 3 “The Digital CRO,” Yearbook 2019, Frankfurter Institut für Risikomanagement und Regulierung, March 2019.

Big data analytics, machine learning, AI, service-based IT architectures, and centralized data storage will provide the risk control function with the ability to process reams of structured and unstructured data, gain transparency into the banking and trading book in real time, and anticipate changes in the broader markets. Productivity will improve as digitally redesigned processes automate work cycles, improve compliance, cut manually induced errors, and free resource capacity. Sophisticated real-time modeling will lower risk and give managers the confidence-weighted insights they need to protect the bank’s interests, improve performance, and generate value. This will have implications for the digital CRO’s strategy and mandate and for the types of activities and capabilities that the risk function will be responsible for managing and acquiring.

Realization of that potential will require risk leaders to develop a well-aligned digital strategy. That strategy should be based on a comprehensive assessment of the market and competitors, the bank’s strategic objectives, its overall digital maturity, and its major operational and customer pain points. The CRO can use those insights to digitize its core functions, expand digital capabilities to other parts of the bank, and make sure that all critical enablers are in place. (See Exhibit 5.)

Digitizing the Core. In digitizing core risk processes, the CRO will improve the quality and speed of decision making, free capacity, reduce errors, and foster forward-looking quantitative discussions. Reporting processes will be automated, steering integrated, and decisions managed by a small, highly skilled team with specialist expertise. In addition, risk models will be more precise, predictive, and granular, aided by data visualization, big data analytics, and AI. Automated model development that uses fintech solutions allows teams to run source data through concurrent simulations, select the most accurate, and use the time saved to address other important business questions. Regulatory affairs will also be simplified, thanks to AI-supported smart workflow tools that consolidate contact points, route queries to responsible experts, and increase transparency and access.

Moving Beyond the Core. With core functions modernized, the CRO should leverage acquired digital capabilities to bring specialized risk management expertise to other parts of the organization. Because regulatory reporting will be largely automated, the CRO will be able to focus on economic and risk-based steering, providing predictive insights to guide C-suite-level discussions and assisting other stakeholders. By examining the needs of key stakeholders across the bank, risk control can pave the way for broader digitization. Using advanced modeling techniques, for example, the CRO will be able to create or contribute to an early-warning system. Pattern analysis tools could comb customer transaction data and external information, such as online ratings or satellite data, looking for signals and triggers that would allow risk managers to take effective countermeasures. Our project experience shows that a fully automated system can accurately predict a negative event in time to send warning signals as much as 18 months in advance.

Key Enablers. To turn this future into reality, the risk function will need to alter its organization structure and processes. Governance mechanisms, metrics, incentives, and reporting practices must be adjusted to support greater collaboration among risk control, finance, and treasury while maintaining appropriate separation. In addition, the risk function has to proactively cope with a bank’s agile transformation and adjust its risk management practices accordingly. (See the sidebar “Agile in Risk.”) Different skills and talent profiles will also be required. Risk teams will need business intelligence specialists, data scientists, and business “translators” to convey the function’s needs and priorities to IT and other stakeholders. Risk IT’s role will expand to serve as a full-service provider for the entire risk stack.

Agile in Risk

Banks that adopt agile ways of working can enjoy dramatic gains in productivity, development speed, collaboration, and innovation. However, some banks have run afoul of regulatory authorities and their own compliance functions because they failed to adjust their risk management practices to keep pace with the more rapid and iterative development approach that agile methods employ. One large US financial institution received negative regulatory feedback because its agile program’s risk management oversight was judged inadequate. The internal compliance function of another bank blocked the release of a new IT application because of risk management concerns. Having to address those concerns at such a late stage meant having to delay the application’s release by several weeks.

To avoid negative regulatory findings and allow agile programs to achieve scale, banks need to develop their risk management and monitoring practices in three ways.

First, banks need to shift from using sequential, or waterfall, approaches and apply more dynamic and adaptive oversight methods. Second, they need to implement a risk-based and resource-efficient coverage model for individual agile teams. Under this coverage model, risk resources are assigned on the basis of the risk intensity of the agile team’s tasks. It allows a bank to demonstrate to regulators that risk oversight is embedded in its agile approach, simultaneously improving the quality of risk oversight more generally. Third, banks need to make their own risk management processes more agile, especially those that involve significant manual labor, such as model development.

In terms of data and technology, the risk control function needs to inventory existing data sources, determine where the gaps are, and consider how additional data can be accessed and stored. Working with IT, risk leaders then need to lay out the optimal IT architecture. Instead of monolithic legacy systems, they will require a flexible, service-based architecture that enables application autonomy, cloud computing, and real-time processing to manage ongoing regulatory changes and support fintech interfaces. The underlying data platform will need to serve as a single source of truth, capable of pooling structured and unstructured data from multiple sources, including commercial data providers, publicly available repositories, and internal sources.

To speed and eliminate risk from the transformation, the CRO has to determine which parts of the digital value chain the function should make or buy. Identifying best-of-breed providers and forming strategic partnerships with promising fintechs and “risktechs” can provide the risk function with needed talent and fast-track important innovation. BCG’s RiskTech database has identified 1,300 risktechs from a total sample of 13,000 fintechs that have the capabilities to support the digitization of the CRO function. Managing the evolving fintech ecosystem will require risk leaders to develop formal processes for overseeing outsourcing and logistics from a governance standpoint.

Digital Treasury

As leaders of one of banks’ core functions, treasurers have to ask themselves how they will manage digital disruption. While no one can know exactly what the future will bring, some signposts of change seem unequivocal.

First, in terms of data infrastructure, the easy availability of inexpensive storage and processing will lead to the overhaul of legacy IT systems. Second, as fintechs attack high-value services, as ecosystem players including Alipay expand into banking, and as big techs like Google and Apple enter the payments business, banks will be forced to adapt their go-to-market models to digital channels and platforms. Banks will continue to perform their core mission—as trusted sources of funds, risk transfer agents, and financial intermediaries—but they will no longer “own” the client interface. Third, in terms of operations, competitive and cost pressures will force banks to mimic the lean style of technology companies—with straight-through processing, instant payments, smart automation, the use of a single cloud- and service-based software backbone, and real-time data and analytics.

These changes will have massive implications for treasury. Over the next decade, we’re likely to see the following shifts:

  • The treasury mandate will extend beyond balance sheet optimization to encompass a broader intermediation management role, allowing treasurers to oversee platforms that include everything from origination to distribution.
  • Real-time trade execution and reporting processes will be automated.
  • Funding execution for deposits and wholesale transactions will occur mainly over platforms.
  • Steering will be managed by a small, highly skilled team.
  • Team composition and talent needs will change drastically, emphasizing analytics and strategic steering capabilities.

Furthermore, advanced technologies will allow bank treasuries to create new sources of value, and bank treasuries have already started digital diagnostics to define use cases. These include machine-learning-enabled business forecasting that allows treasuries to improve the timing and execution of long-term funding transactions. Likewise, cash management optimization, backed by better analytics and smarter modeling, can help treasuries reduce the size of costly liquidity buffers.

Integrated Balance Sheet Management

Banks need to move from their traditional P&L focus toward holistic balance sheet management. Better steering of the balance sheet can improve profitability while helping banks satisfy stress tests and other regulatory risk management measures. The benefits for banks are threefold:

  • They can achieve regulatory incentives from the development and use of internal pre-provision net revenue (PPNR) models. Under the European Banking Authority’s stress test, for instance, banks that use PPNR can save significant capital.
  • It will be possible to quantify the combined risk-and-return impact of commercial initiatives with multiscenario sensitivity analysis to support managerial decision making.
  • Bank management will be positioned to support resource allocation discussions with business units and subsidiaries.

Risk, treasury, and the business units have, broadly speaking, tended to operate in silos. That structure makes it hard for banks to satisfy regulatory demands efficiently, given the cross-cutting nature of most compliance metrics, such as Common Equity Tier 1 (CET1), the liquidity coverage ratio (LCR), and the net stable funding ratio, commonly known as NSFR. Traditionally, overall balance sheet management has been led by the CFO function (treasury, planning, and capital management), but risk management can contribute by applying its rich information capital and rigorous modeling methodologies and by employing strong analytics to quantify the impact of managerial actions.

To implement an integrated balance sheet management approach, the risk function leaders should start by identifying key regulatory and steering metrics, such as CET1, LCR, and net interest income. They should then conduct a deeper analysis of the composition of these performance indicators to determine which parameters ultimately drive performance.

Following that, they need to design the target model. Thorough data mapping across existing “satellite” models that are usually managed by risk (for example, internal ratings-based models for credit risk and the liquidity risk engine), in addition to robust PPNR models for the P&L, will help establish a balance sheet baseline.

Leaders need to determine the desired level of granularity, normalize the various data feeds accordingly, and then consolidate the results into a static balance sheet and P&L. Parameters for each input—including, for example, loan portfolio and government securities—should be designed to adjust automatically over time to reflect changing macroeconomic variables such as GDP, unemployment, interest rates, and share prices.

These analytics help banks run multiyear simulations of their entire financial position under a variety of macroeconomic scenarios. They can enable banks to react proactively to changes in market conditions by evaluating the impact of ad hoc managerial actions on the prioritized KPIs. For example, should government bond spreads tighten and new lending flows increase dramatically over the fourth quarter, the usual countermeasures, in light of the underfunded balance sheet, would be to increase funding targets for the following year. However, such rebalancing takes time and considerable effort. With an integrated balance sheet management approach, banks can identify impacts earlier and proactively optimize resources by, for example, financing growth with short-term instruments such as repos.

Once the balance sheet management tool has been piloted and refined to produce consistently reliable results, banks should define the target architecture and implement the changes. The architecture should be robust enough to handle fast computations related to hundreds of scenarios and to allow for a probabilistic interpretation of results. With that architecture in place, banks can focus on bringing the forecasting capabilities of the tool to scale and developing additional modules such as IFRS 9, as well as exploring advanced credit risk simulations and capital planning.

Subscribe to our Financial Institutions E-Alert.