Introduction
Bouncing back from the initial shocks of 2023, banks and financial services (BFS) institutions now face fresh challenges and opportunities in the new year. The International Monetary Fund (IMF) predicts a sluggish global economy, with global growth expected to stay at 3.1% in 2024 and marginally rise to 3.2% in 2025.The BFS sector will also face new levels of regulatory scrutiny in 2024. A recent KPMG report on the sector highlights that regulators will demand a more comprehensive and expeditious resolution of compliance deficiencies compared to previous years. The sector will also need to factor in disruptive forces such as elevated interest rates, diminished money supply, climate change, and geopolitical tensions.
2024 presents BFS institutions with several new opportunities as well. The banking sector is among those most likely to experience the biggest impact from generative AI. On an annual basis, generative AI could add between $200 billion and $340 billion in value (9%-15% of banks’ operating profits) if the use cases are fully implemented, according to a 2023 report by McKinsey. Bank-fintech partnerships which have been the linchpin for success in the digital transformation wave will continue to grow stronger. 70% of banks found such partnerships integral to building new business models and their overall strategy.
Navigating this dynamic landscape requires a proactive approach, with a greater emphasis on robust governance, risk management, and compliance (GRC) strategies. Being future-ready and resilient in the face of disruptions or risk events is crucial. This eBook outlines critical GRC predictions for the banking and financial services sector in 2024.
Better and Faster Risk Assessments with Simplified RCSA
The Risk and Control Self-Assessment (RCSA) process is a highly valuable tool in the risk management process for BFS organizations. RCSA yields significant benefits when implemented effectively, including heightened awareness, proactive risk management, identification of top risks with consistent prioritization, enhanced risk response strategies, and well-informed decision-making. However, according to a study by ORX, current RCSA processes often do not “sufficiently influence business decisions” and “do not allow institutions to be as proactive in risk management as intended.” One reason could be due to the complicated nature of the RCSA process, where the methodology has become too prescriptive, and the effort invested in the process has surpassed the value it brings.
As operational risk management embeds and matures within companies, risk practitioners at BFS organizations are increasingly seeking simplified RCSA processes to manage their risk profile more efficiently and support management to make timely, informed, risk-based decisions.
Increased Focus on Continuous Compliance
BFS organizations are now facing increased regulations such as the Digital Operational Resilience Act (DORA), the Securities and Exchange Commission’s (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules, and several others. Additionally, as per the 2024 Banking Regulatory Outlook published by Deloitte, “supervisory scrutiny of financial institutions is expected to increase materially in 2024” and will extend to not just larger banks but mid-sized regional banks as well.
In this landscape, BFS organizations will increasingly make it a business priority to shift from a reactive to a proactive compliance function. Institutions will need to build compliance agility with a unified view of compliance powered by a centralized platform that continuously scans the horizon with regulatory change tracking technologies and automated feeds from trusted content sources; integrates compliance management systems with other enterprise systems; and applies AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, BFS organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls. This will help them proactively assess the operational effectiveness of controls, address any identified issues, and gain a consolidated view of their compliance posture, serving as a bedrock for financial stability, reputation management, and stakeholder trust.
Rising Significance of Operational Risk and Resilience Management
With new risks introduced by digitization, an interconnected ecosystem, and a global customer base, operational risk has emerged as a critical concern within the BFS sector. To thrive, organizations will need to continue to strengthen resilience and business continuity programs– the ability to predict, anticipate, and manage risks before they manifest and bounce back quickly if impacted.
The global regulatory discussion around operational resilience is evolving as well. In March 2021, the Basel Committee issued Principles for Operational Resilience. In the UK, new rules and guidance on operational resilience issued by the PRA and the Bank of England came into force on March 31, 2022. In the EU, DORA, which aims to strengthen the digital operational resiliency of the financial sector, came into force this year and will apply from 17 January 2025. In the US, the most recent Exam Priorities issued by the SEC Division of Examinations and the US Federal Reserve’s Sound Practices to Strengthen Operational Resilience, continue to prioritize operational resilience. BFS organizations will increasingly adopt resilient operational risk management strategies that are adaptable, forward-looking, and connected across all levels of the business.
Enhancing GRC Efficiency with AI and Automation
To prioritize efficiency and accuracy in handling the scale and complexity of various GRC requirements, the industry is increasingly leveraging use cases based on technologies like AI, Automation, Natural Language Processing, Machine Learning, Large Language Models (LLM), and Generative AI.
The power of cognitive AI to turn data into real-time decisions is immense. Over the years, banks and financial service organizations have amassed vast volumes of data. AI presents an opportunity to consolidate, harmonize, and rationalize this data to provide preventive, predictive and diagnostic processes. By incorporating LLM models and Generative AI into GRC processes, for example chatbots integrated with ChatGPT, BFS organizations can enhance frontline adoption and engagement. Offering a smooth experience can incentivize employees to actively report anomalies or issues, such as non-compliance or suspicious transactions, leading to better risk management. Additionally, GRC processes augmented with AI can provide guidance in everyday decision-making including AI-powered threat intelligence, automated planning and scoping of risk assessments, continuous monitoring of regulations, and AI-powered fraud detection capabilities.
Another powerful GRC use case for banks and financial institutions is to rationalize controls and automate control tests with cognitive AI. Cognitive AI can be used to identify missing controls and related details and control testing discrepancies, leading to improving control test planning and remediating patterns of under or over-testing of controls. The result can be significant cost reduction along with the increased efficiency of the operational risk program.
Leveraging Risk Quantification for Non-Financial Risks (NFRs)
Non-financial risks (NFRs) continue to pose a significant threat as they can be as destructive as financial risks. Ranging from misconduct and compliance lapses to cybersecurity breaches and operational disruptions, NFRs can result in not only direct financial losses but also reputational damage, system downtime, regulatory fines, and more. According to the ORX Annual Loss Report 2023, the total gross loss from the banking loss data of 83 contributing banking members in 2022 was 17.8 billion euros.
To truly understand the impact of NFRs, such as operational and strategic risks, and better understand their organization's loss exposure, BFS organizations will increasingly employ risk quantification in the coming year to interpret these risks in monetary terms when possible. By calculating the expected monetary value of a risk, organizations are empowered to better understand their company's loss exposure, communicate it clearly, and make better-informed risk decisions. Quantitative methods, including the statistical analysis of historical data collection, econometric models, back-testing, Monte Carlo simulations, and stress-testing, are important risk modeling methods that will be leveraged to calculate investments and capital allocations
Empowering the Frontline to Report and Own Risks
The three lines of defense (3LOD) model has been one of the mainstays of a robust operational risk management strategy in banking and financial services, where three distinct functions within an organization play unique but interlinked roles in managing risk. Most BFS organizations are now shifting their focus to the first line of defense. They are entrusting the frontline with more risk management responsibilities and equipping them with proper training and tools to enhance risk awareness and bring about powerful collaboration across the enterprise. Better risk communication and strategy plans across the three lines are being built to minimize risk reporting and communication gaps. By leveraging intuitive features like conversational interfaces and chatbots, BFS organizations are making it easy for the frontline to capture risks and anomalies – be it in the field or on the go. AI/ML is also being used to automatically triage frontline observations, correlate them to other issues, and recommend action plans.
Elevating Risk Oversight in the Extended Enterprise
The 2023 EY Global Third-Party Risk Management Survey found that 27% of financial services organizations — including banking and capital markets, insurance, and wealth and asset management — have a multiyear third-party risk management (TPRM) plan with defined milestones and goals. While this number was higher when compared to other sectors, the report also highlighted that “(financial) organizations with mature TPRM programs must not get complacent and should be sure to examine the complete picture around all facets of risk.”
To own risk in the extended enterprise and construct a more resilient third-party ecosystem, BFS organizations will need to take a connected approach to risk identification and monitoring across functions such as sourcing, procurement, risk management, IT and cyber, legal, ESG, and business continuity management. This will facilitate efficient collaboration, risk mitigation and a single source of truth across the entire third-party lifecycle. BFS organizations will need to switch to automated end-to-end processes for information gathering, onboarding, real-time monitoring, risk assessments, compliance, and control assessments to ensure real-time processing, greater transparency, and facilitate faster decision-making.
Stay Ahead of the Curve with MetricStream
MetricStream’s ConnectedGRC products, powered by Cognitive, Continuous, and Cloud capabilities, is built to enable organizations to thrive in a rapidly evolving risk and regulatory landscape. We are the world’s largest independent GRC software provider with extensive experience working with banking and financial institutions around the globe.
Our products for BFS organizations including, Operational Risk, Compliance, Audit, IT and Cybersecurity, Business Continuity, and Third-Party Risk Management, are designed with comprehensive capabilities that power your operational risk and resilience programs to drive risk-intelligent, real-time business decisions that accelerate business performance and reduce losses. MetricStream empowers you to streamline your operational risk and resilience programs with:
Interested to learn more? Request a demo now.
Bouncing back from the initial shocks of 2023, banks and financial services (BFS) institutions now face fresh challenges and opportunities in the new year. The International Monetary Fund (IMF) predicts a sluggish global economy, with global growth expected to stay at 3.1% in 2024 and marginally rise to 3.2% in 2025.The BFS sector will also face new levels of regulatory scrutiny in 2024. A recent KPMG report on the sector highlights that regulators will demand a more comprehensive and expeditious resolution of compliance deficiencies compared to previous years. The sector will also need to factor in disruptive forces such as elevated interest rates, diminished money supply, climate change, and geopolitical tensions.
2024 presents BFS institutions with several new opportunities as well. The banking sector is among those most likely to experience the biggest impact from generative AI. On an annual basis, generative AI could add between $200 billion and $340 billion in value (9%-15% of banks’ operating profits) if the use cases are fully implemented, according to a 2023 report by McKinsey. Bank-fintech partnerships which have been the linchpin for success in the digital transformation wave will continue to grow stronger. 70% of banks found such partnerships integral to building new business models and their overall strategy.
Navigating this dynamic landscape requires a proactive approach, with a greater emphasis on robust governance, risk management, and compliance (GRC) strategies. Being future-ready and resilient in the face of disruptions or risk events is crucial. This eBook outlines critical GRC predictions for the banking and financial services sector in 2024.
The Risk and Control Self-Assessment (RCSA) process is a highly valuable tool in the risk management process for BFS organizations. RCSA yields significant benefits when implemented effectively, including heightened awareness, proactive risk management, identification of top risks with consistent prioritization, enhanced risk response strategies, and well-informed decision-making. However, according to a study by ORX, current RCSA processes often do not “sufficiently influence business decisions” and “do not allow institutions to be as proactive in risk management as intended.” One reason could be due to the complicated nature of the RCSA process, where the methodology has become too prescriptive, and the effort invested in the process has surpassed the value it brings.
As operational risk management embeds and matures within companies, risk practitioners at BFS organizations are increasingly seeking simplified RCSA processes to manage their risk profile more efficiently and support management to make timely, informed, risk-based decisions.
BFS organizations are now facing increased regulations such as the Digital Operational Resilience Act (DORA), the Securities and Exchange Commission’s (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Rules, and several others. Additionally, as per the 2024 Banking Regulatory Outlook published by Deloitte, “supervisory scrutiny of financial institutions is expected to increase materially in 2024” and will extend to not just larger banks but mid-sized regional banks as well.
In this landscape, BFS organizations will increasingly make it a business priority to shift from a reactive to a proactive compliance function. Institutions will need to build compliance agility with a unified view of compliance powered by a centralized platform that continuously scans the horizon with regulatory change tracking technologies and automated feeds from trusted content sources; integrates compliance management systems with other enterprise systems; and applies AI and automation for automated recommendations. Furthermore, given the multitude of regulatory requirements, BFS organizations will need to move to continuous compliance by implementing tools that help them automate control testing and evidence collection for all their enterprise controls. This will help them proactively assess the operational effectiveness of controls, address any identified issues, and gain a consolidated view of their compliance posture, serving as a bedrock for financial stability, reputation management, and stakeholder trust.
With new risks introduced by digitization, an interconnected ecosystem, and a global customer base, operational risk has emerged as a critical concern within the BFS sector. To thrive, organizations will need to continue to strengthen resilience and business continuity programs– the ability to predict, anticipate, and manage risks before they manifest and bounce back quickly if impacted.
The global regulatory discussion around operational resilience is evolving as well. In March 2021, the Basel Committee issued Principles for Operational Resilience. In the UK, new rules and guidance on operational resilience issued by the PRA and the Bank of England came into force on March 31, 2022. In the EU, DORA, which aims to strengthen the digital operational resiliency of the financial sector, came into force this year and will apply from 17 January 2025. In the US, the most recent Exam Priorities issued by the SEC Division of Examinations and the US Federal Reserve’s Sound Practices to Strengthen Operational Resilience, continue to prioritize operational resilience. BFS organizations will increasingly adopt resilient operational risk management strategies that are adaptable, forward-looking, and connected across all levels of the business.
To prioritize efficiency and accuracy in handling the scale and complexity of various GRC requirements, the industry is increasingly leveraging use cases based on technologies like AI, Automation, Natural Language Processing, Machine Learning, Large Language Models (LLM), and Generative AI.
The power of cognitive AI to turn data into real-time decisions is immense. Over the years, banks and financial service organizations have amassed vast volumes of data. AI presents an opportunity to consolidate, harmonize, and rationalize this data to provide preventive, predictive and diagnostic processes. By incorporating LLM models and Generative AI into GRC processes, for example chatbots integrated with ChatGPT, BFS organizations can enhance frontline adoption and engagement. Offering a smooth experience can incentivize employees to actively report anomalies or issues, such as non-compliance or suspicious transactions, leading to better risk management. Additionally, GRC processes augmented with AI can provide guidance in everyday decision-making including AI-powered threat intelligence, automated planning and scoping of risk assessments, continuous monitoring of regulations, and AI-powered fraud detection capabilities.
Another powerful GRC use case for banks and financial institutions is to rationalize controls and automate control tests with cognitive AI. Cognitive AI can be used to identify missing controls and related details and control testing discrepancies, leading to improving control test planning and remediating patterns of under or over-testing of controls. The result can be significant cost reduction along with the increased efficiency of the operational risk program.
Non-financial risks (NFRs) continue to pose a significant threat as they can be as destructive as financial risks. Ranging from misconduct and compliance lapses to cybersecurity breaches and operational disruptions, NFRs can result in not only direct financial losses but also reputational damage, system downtime, regulatory fines, and more. According to the ORX Annual Loss Report 2023, the total gross loss from the banking loss data of 83 contributing banking members in 2022 was 17.8 billion euros.
To truly understand the impact of NFRs, such as operational and strategic risks, and better understand their organization's loss exposure, BFS organizations will increasingly employ risk quantification in the coming year to interpret these risks in monetary terms when possible. By calculating the expected monetary value of a risk, organizations are empowered to better understand their company's loss exposure, communicate it clearly, and make better-informed risk decisions. Quantitative methods, including the statistical analysis of historical data collection, econometric models, back-testing, Monte Carlo simulations, and stress-testing, are important risk modeling methods that will be leveraged to calculate investments and capital allocations
The three lines of defense (3LOD) model has been one of the mainstays of a robust operational risk management strategy in banking and financial services, where three distinct functions within an organization play unique but interlinked roles in managing risk. Most BFS organizations are now shifting their focus to the first line of defense. They are entrusting the frontline with more risk management responsibilities and equipping them with proper training and tools to enhance risk awareness and bring about powerful collaboration across the enterprise. Better risk communication and strategy plans across the three lines are being built to minimize risk reporting and communication gaps. By leveraging intuitive features like conversational interfaces and chatbots, BFS organizations are making it easy for the frontline to capture risks and anomalies – be it in the field or on the go. AI/ML is also being used to automatically triage frontline observations, correlate them to other issues, and recommend action plans.
The 2023 EY Global Third-Party Risk Management Survey found that 27% of financial services organizations — including banking and capital markets, insurance, and wealth and asset management — have a multiyear third-party risk management (TPRM) plan with defined milestones and goals. While this number was higher when compared to other sectors, the report also highlighted that “(financial) organizations with mature TPRM programs must not get complacent and should be sure to examine the complete picture around all facets of risk.”
To own risk in the extended enterprise and construct a more resilient third-party ecosystem, BFS organizations will need to take a connected approach to risk identification and monitoring across functions such as sourcing, procurement, risk management, IT and cyber, legal, ESG, and business continuity management. This will facilitate efficient collaboration, risk mitigation and a single source of truth across the entire third-party lifecycle. BFS organizations will need to switch to automated end-to-end processes for information gathering, onboarding, real-time monitoring, risk assessments, compliance, and control assessments to ensure real-time processing, greater transparency, and facilitate faster decision-making.
MetricStream’s ConnectedGRC products, powered by Cognitive, Continuous, and Cloud capabilities, is built to enable organizations to thrive in a rapidly evolving risk and regulatory landscape. We are the world’s largest independent GRC software provider with extensive experience working with banking and financial institutions around the globe.
Our products for BFS organizations including, Operational Risk, Compliance, Audit, IT and Cybersecurity, Business Continuity, and Third-Party Risk Management, are designed with comprehensive capabilities that power your operational risk and resilience programs to drive risk-intelligent, real-time business decisions that accelerate business performance and reduce losses. MetricStream empowers you to streamline your operational risk and resilience programs with:
Interested to learn more? Request a demo now.