Thursday, 24 May 2018

Artificial Intelligence (AI) and the Board Risk Committee


The purpose of risk management in financial services is usually defined as to ‘protect and enable’.  The ‘protect’ dimension can refer to the franchise value of the business but is mainly about protecting from regulatory intervention. ‘Enable’ has a perspective of value (however defined) and achievement of company objectives. (Click here to read more about ‘protect and enable’.)

AI-based solutions, leveraging vast amounts of data, are already a reality in the world of financial services, and these solutions are only likely to become more prevalent in the next ten years. What are the implications of AI developments for a Board Risk Committee?

The simple ‘protect and enable’ approach suggests a number of points for discussion:

  • How would your company evidence that AI systems comply with relevant legislation, e.g. anti-discrimination laws?
  • How would the wider data needs of AI systems cope with data protection legislation? What about the so-called ‘right of explanation’? What would be the impact of these wider data needs on cyber-security?
  • What is the business purpose of introducing an AI system? Does the business seek to enhance operational efficiencies? Does it aim to enhance business performance? How would you ensure that this purpose is achieved?  
  • What would be the operational impact of the deployment of specific AI tools in the business? Would it also alter the overall risk profile of the business? The profile of certain risks?
  • What are the implications for risk governance, the risk management function and other oversight functions?

These are not simple questions that can be covered in a meeting of the Risk Committee. In some cases, the answer to the questions may not be clear-cut.  For example, an AI-based underwriting system can be deployed to enhance business performance or to seek operational efficiencies. In other cases, addressing some of the issues would require the development of appropriate monitoring systems rather than a point-in-time consideration.

However, it is also worth bearing in mind that unless you operate in a start-up business, there would be a fair amount of technology available which would not necessarily be based on AI, and can be applied to improve existing business processes and reflect a (more) customer-centric perspective.  So perhaps the main question about AI systems is really whether there is an adequate understanding of technology in the business to ensure that AI is the appropriate technology.

So where should a Risk Committee start? It may be useful to think about this as discussions outside the usual calendar of the Risk Committee meetings and develop a programme that considers these over time.

If you found this post of interest, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here


Monday, 14 May 2018

Lessons from Bank Recovery and Resolution


The latest issue of the Central Banking Journal includes my review of a book about the Euro Crisis in Cyprus written by Panicos Demetriades, who was Governor of the Central Bank of Cyprus at the time. It is a fascinating book with insights about the challenge of bank recovery. You can read the review here or below.

Book Review: A Diary of the Euro Crisis in Cyprus: Lessons for Bank Recovery and Resolution by Panicos Demetriades, Palgrave Macmillan, 2017

This book is about Panicos Demetriades’ tenure as Governor of the Central Bank of Cyprus between May 2012 and April 2014. It covers the banking crisis that hit Cyprus, the banks’ resolution and the wider lessons learned from the event. Reading this book felt in some ways like a simultaneous reading of Gabriel Garcia Marquez’s novel, Chronicle of a Death Foretold, and an economics-based thriller like Murder at the Margin by Marshall Jevons.

The book begins with Demetriades’ appointment as Governor of the Central Bank of Cyprus. You know from the beginning how it ends: Demetriades resigns as Governor. This is a manifestation of the challenge that Central Bank independence represents; banking resolution is the specific context in which the Central Bank’s independence is tested. In fact, writing this sentence already reveals one of the underlying issues: the only feature of Central Banks’ independence enshrined in European treaties is the independence of the Governor of the Central Bank.

As Demetriades discovered, there are ways to limit the practical independence of the Governor such as appointing (or firing) Deputy Governor(s), creating new Executive Directors with a seat on the Board whose roles are determined by the Board rather than the Governor, and requiring Board approval for bank licensing and amendments to existing licenses. These might look like arcane corporate governance issues, but they do matter, especially when independence is most needed, i.e. in times of financial crisis. Interestingly, the European Central Bank (ECB) and the Commission witnessed these changes but had limited powers to intervene other than expressing concerns through legal opinions.

Demetriades also plays a detective role and explains how the crisis in Cyprus came about. It is interesting that the origin of the crisis is traced back to the country’s business model – an offshore financial centre for wealthy Russians and Eastern Europeans, supported by a network of lawyers and introducers to banks. Like many of you, I have seen the term business model applied to companies, but this is the first time I have seen it applied to describe a country. This suggests to me that avoiding the crisis would have required a very tough regulatory stance, and that it would have happened sooner or later, regardless of the Euro crisis.

The book identifies the trigger event for the crisis. Interestingly for me, someone who works in risk management, the trigger is the decision of Cyprus’ two main banks to invest most of their equity capital in Greek debt in the spring of 2010, when Greece was being downgraded. This resulted in losses in excess of €4 billion. As Demetriades notes, this decision ignored the fundamental relationship between yields and risk, and diversification of investments.

There were also challenges for international institutions in the troika. There are a number of references to the IMF analysis of debt sustainability and the assumptions underpinning it. A debt to GDP ratio of 100% was assumed to be sustainable for Cyprus, compared to 120% for Greece. In Demetriades’ view, this made the bail-in for Cyprus larger than might have been necessary. 

Demetriades’ tenure as a Governor of the Central Bank spanned a right-wing and a left-wing government. You might have preconceptions about which government would find the notion of an independent Central Bank more challenging. In fact, both governments found it equally challenging because of national pride and voting considerations. These challenges weigh heavily on Demetriades who concludes the book with a stark warning about the future of the Euro, which is in fact relevant to all the members of the Eurosystem: ‘[P]opulism, if left unchecked, can shake the foundations of the monetary union beyond the point of repair’.

While the book is entitled ‘a diary’, don’t let that word put you off. It is much more than a personal diary.

Just as I did when reading Chronicle of a Death Foretold, I wondered if Demetriades could have done something to maintain the independence of the Central Bank and avoid the clash that led to his resignation. I could not identify anything.




Wednesday, 4 April 2018

Conflicts of Interest: Connecting Enforcement and Supervision



The FCA announced enforcement action against a commercial broker and a fine of £4 million in late 2017 as a result of failures associated with the broker’s management of conflicts of interest. The details of the case are here.

Conflicts of interest can be anywhere, and firms are well aware of that. However, there is a qualitative difference between the conflict of interest that an individual might have with, say, a supplier, and what the FCA identifies as an ‘inherent conflict of interest’ in the business model or ownership structure. This is the risk that commercial intermediaries must manage.[1] It is not static, and it changes as intermediaries take up other activities where they act as an agent of the insurer.

The FCA has also undertaken a thematic review of commercial insurance intermediaries focusing on this issue. (It published the results in 2014 here.) The FCA evidence included a survey of small and medium enterprises (SMEs).[2] This suggests that many SME customers do not fully understand the intermediary’s role and how it may have changed in recent years. For example, four of five SME customers expect an intermediary to get quotes from two insurers, which is not consistent with how intermediaries operate, in particular for micro SME customers (fewer than nine employees).

There are wider messages from this enforcement action for the practical management of inherent conflicts of interest. To begin with, there should be a regular process to identify conflicts of interest.  This might be challenging but following the sources of revenue would enable a robust identification of conflicts and of the impact of changes in the business model.

While a policy on conflict of interest is a regulatory requirement, it needs to be comprehensive enough to enable staff in the business to actually manage conflicts of interest. This would require specific guidance articulating how to deal with customers, including what information to collect, what checks to undertake, and the production of meaningful management information.

Business arrangements such as ‘preferred facilities’ are not ruled out but must be managed and monitored carefully, taking into account links to brokers’ remuneration, how the firm presents itself to SMEs, the existence of ‘Chinese walls’ and customers’ (probably limited) understanding of the intermediary’s role.

Any quality reviews by the first line should be designed with a view to oversee how inherent conflicts of interest have been identified, managed and mitigated. The process should be risk based, i.e. always applying the same degree of checks to all brokers is unlikely to be appropriate.

Last but not least, as ever, culture is a factor. If statements from senior management do not recognise and support the need to manage inherent conflicts of interest, don’t expect much of the above to be in place.

The FCA will usually say something about how the case was discovered, by either supervisory activity or internal review. I was puzzled that the FCA was rather vague on this occasion. On reflection, I suspect (but cannot be certain) that there may be a dependency with the FCA’s thematic review on conflicts of interest mentioned earlier. If that’s the case, it is useful for firms to understand the potential consequences of being unprepared for a thematic review when invited to participate.




[1] This risk is not exclusive to commercial intermediaries. It exists in other parts of financial services and has also been covered in other FCA enforcement activities.
[2] Businesses with fewer than 250 employees.

Wednesday, 14 March 2018

Taking Risks: Lessons from a Politician


In my spare time, I like to read about current affairs. I have an interest in Brexit and its resulting economic impact which I covered well before the referendum here.  My current reading list is here.  My interests include the Middle East, and it was with that in mind that I picked up a book by the late Shimon Peres, former President of the State of Israel, which he completed just before he passed away in September 2016.  He also served as Finance Minister when hyperinflation was one of the main features of the economy and initiated a bold programme that tamed inflation successfully.

I found the title of the book, No Room for Small Dreams, a bit puzzling. I guess I did not expect a book title that reflects on someone’s achievements to start with ‘no’.  In any case, the book was quite interesting, articulating Peres’s role in some of the policy challenges of the State of Israel.  However, I can never stray too far from my professional interests, and I found that the book included a good many observations relevant to the practice of risk management.

The first observation is that often, not taking a risk is a risk in itself.

So many times in our lives, we struggle to confidently leap forward, averse to the possibility that we will fall flat. Yet this fear of taking risks can be the greatest risk of all.

People in risk and compliance functions should bear this in mind when they advise against a course of action.  However, if you want to take risks or are implementing regulatory risk requirements, you will need to consider meaningful options:  

I’d come to believe that when you have two alternatives, the first thing you must do is look for a third—the one you did not think of, that doesn’t yet exist.

I learned about the virtue of imagination and the power of creative decision making. ... We were quick and creative, and boldly ambitious, and in that we found our reward.

The challenge is really about options being meaningful.  That is not straightforward and requires consistent support from leadership:

“We have to use our imagination and examine any idea, as crazy as it may seem,” I insisted to those assembled. “I want to hear the plans you have.”  “We have no plans,” responded one. “Then I want to hear the plans you don’t have,” I replied.

If leaders demand allegiance without encouraging creativity and outside inspiration, the odds of failure vastly increase. … [W]ithout emboldening people to envisage the unlikely, we increase risk rather than diminish it.

Interestingly, it is Peres’ view that leadership also has an obligation to understand the technical details of the subject matter. 

I felt it essential to gain a degree of mastery in the science that would be driving the project. In previous endeavours, I have come to understand that in addition to a clear vision and strategy, true leadership requires intricate knowledge—a facility with the granular details of every aspect of the mission.

And finally, a word of caution about learning too much from failures:

It is only after we see failure that we can know if we misjudged the risk. ... But one must avoid the temptation to overlearn specific tactical lessons born out of failure or success. … This is one of the hardest things for some leaders to understand: a decision can be right even if it leads to failure.  

This is something that I have covered here. It is not an easy perspective for politicians and business leaders, though I’d like to think that this is where governance might prove itself valuable.
  

Monday, 5 March 2018

Risk Assurance: The Challenge Ahead


I wrote about risk assurance a while ago (here). More recently, I have had a chance to talk with a few people in banking and consulting about it, and to reflect further on the subject.

By way of background, my working definition of risk assurance is a structured activity undertaken by the risk function (second line) which is aimed at evidencing that risk management is embedded in the business. Feel free to comment on this definition.

The important thing about risk assurance is that it matters because it contributes to shifting (or to maintaining, if you wish) the appropriate risk culture in the business. What do I mean by this? I hope we can all agree that the appropriate risk culture in financial services is one that includes the following:
  • the business takes into account risks in decision making and can evidence that, including compliance with regulatory requirements; and
  • the risk function provides the parameters for taking into account risk in decision making (risk appetite framework, stress testing, etc) and aggregates risks.
Truly achieving that is a challenging journey that takes time. Many insurers and banks started the risk management journey as a result of regulatory requirements—Solvency 2 or Basel. In practice, this has meant that sometimes risk functions have taken up activities like approvals that belong to business functions. Risk assurance will generate evidence about how risk management operates in practice. It will also help to shift the focus of the risk function—and, in turn, the business—in the appropriate direction.

I have worked with a number of clients to implement programmes of risk assurance. Interestingly, these engagements have turned out to be rather different because they must reflect the starting point for the business. In one case, the risk function was well resourced, and the focus was planning. In another case, the focus was a combination of up-skilling and evidencing through pilot risk reviews that the activity can add value.

Leaving aside the considerations associated with implementation, it is important that there be a shared perspective about the overall aim of risk assurance, i.e. ‘integrated assurance’. This reflects two simple observations:
  • internal audit functions already provide assurance about the overall control environment;
  • from a Board perspective, assurance is assurance, regardless of which team/line of defence provides it.
In other words, the aim would be to develop a risk-based assurance plan which covers deliverables by 2LOD and 3LOD in such a way that the Board can understand where independent assurance has been provided.

I would be interested to hear your thoughts.



Tuesday, 13 February 2018

Artificial Intelligence and Machine Learning in Financial Services: Implications for Credit Risk Management


A recent paper from the Financial Stability Board[1] considers the implications of artificial intelligence (AI) and machine learning in a number of financial services sectors, including credit risk.
The paper includes a useful section on background and definitions, and provides a clear reminder that these tools identify patterns and correlations rather than causality. I suspect that we will need to be reminded of this distinction more and more, as these tools are being used to explore complex relationships. 

When it comes to credit risk scoring, the FSB is clear that AI may help to make lending decisions quicker. However, regulators are not persuaded that AI credit scoring models outperform traditional models – or at least, “it has not been proved”. For example, a recent paper from Moody’s[2] compares the performance of their own credit scoring model for corporates against three machine learning approaches. Moody’s finds that, on average, the accuracy levels of the four models are comparable, and notes that the key to enhancing credit scoring models is data.  

The FSB notes that the deployment of these AI tools would also allow access to credit to people or businesses whose creditworthiness cannot be reliably assessed through traditional credit scoring models. The FSB believes that this would be a positive development for countries with shallow credit markets (emerging markets?), though less positive for countries with deep credit markets (developed markets?). You have been warned…

Regulators are also concerned with the overall auditability of artificial intelligence models used for credit scoring and the wider impact on credit risk governance. There is an important dimension here about how the model is used in business. Is it operating with some human oversight? This is an important issue for business culture as it forces a consideration of who is ultimately in control. I suspect that the distinction between retail and commercial lending in terms of volume of transactions may become important; the volume of retail transactions might make human oversight more challenging. 

Where does that leave the CEO, CFO or CRO of a bank contemplating the use of AI tools? Here are a few suggestions: 
1.  Have a shared view of the expected business outcomes from deploying AI tools.
2.  Keep monitoring credit risk exposures and alignment with risk appetite even more intensively, as the AI tool might have unintended effects.
3.  Focus on the auditability of the AI tool and its impact on credit risk governance.




Friday, 9 February 2018

Brexit - implications for insurers


The European Commission has today issued a note setting out the practical implications for insurers as a result of Brexit. There are specific impacts for group internal models, branches, intermediaries and reinsurers. For the full document, follow this link.

I would be happy to discuss further the implications for your company.


Tuesday, 5 April 2016

Five Risk Management Lessons From Pixar


I read an interview in McKinsey Quarterly with Ed Catmull, one of the co-founders of Pixar, about his management approach for keeping the business innovative (here; registration may be required).  I hoped this article would provide an interesting window into a different sector.  When I finished reading the article, I had found something very different instead.  I had learned a number of useful lessons about the design and implementation of risk management:   

1.  That clear business objectives inform risk taking.  Are there clear business objectives?  How do they relate to risk management?

2.  The impossibility of delivering absolute clarity. Is risk management striking a balance between providing clarity and enabling staff at all levels to respond to challenges as they arise?   

3.  The importance of running experiments.  How do/can we experiment with risk management?  Is this about testing risk metrics?  Product features and claims?  Changes to underwriting criteria?

4.  Articulating business culture to make it less dependent on key individuals and ensure it resonates beyond senior management.  How do we ensure that the ‘tone from the top’ is echoed by middle management?

5.  The important distinction between assuming and spreading risks and their focus on the former.  How close is the risk management oversight to product development and risk taking?

So the next time you watch a Pixar movie, remember that there is a fair amount of risk management behind the scenes. 

This post is part of the series "Aspects of Risk Management".  Other articles are available here.  

If you found this post useful, you may want to subscribe and receive further posts by email – see box on the right hand side of the screen or click here.  My target is to post on a regular basis (no more than weekly) and I will not be flooding your inbox. 

Saturday, 19 March 2016

‘Nudging’ Meets Enterprise Risk Management?


It is no exaggeration to say that behavioural economics has become mainstream.  With hindsight, this is not really surprising because the assumptions underpinning economic theory have always been regarded as just that: assumptions. 

The key innovations of behavioural economics are the identification of specific circumstances where there are systematic departures from rational decision making and the development of context-specific predictions of behaviour. Broadly speaking, departures from rational decision making are referred to as ‘biases’ because outcomes are poorer than the optimal outcomes under rational conditions. These biases may affect preferences, beliefs or decision making. Box 1 below shows some common types of biases.

Box 1: Sample of Common Types of Biases Affecting Decision Making

| Type | Bias | Description | Example of bias in consumer decision making |
|---|---|---|---|
| Preferences | Reference dependence | Assessments are influenced by the reference point for the assessment ― typically the status quo ― or by a fear of losses. Depending on the context, this can encourage either too much or too little risk taking. | Purchase decisions are driven by alternatives or product features which are irrelevant to the consumer. |
| Beliefs | Over-extrapolation | Predictions are made on the basis of few observations believed to be representative from which a real pattern or trend is inferred and, as a result, uncertainty is over- or under-estimated. | The quality of financial advice is assessed on the basis of few successful investments even if these could reflect pure luck. |
| Decision making | Rules of thumb | Decision making is simplified by adopting specific rules of thumb such as choosing the most familiar and avoiding the most ambiguous. | Products at the top of a list or offered by large companies are selected. |


Another innovation of behavioural economics is the notion that it is sometimes possible to address those biases, and thereby enhance outcomes, by making small changes to the environment ― hence the number of books about behavioural economics with the word ‘nudging’ in the title.  I have come across nudging considerations in terms of sales (e.g. how the default option affects customers’ choices) and in terms of public policy (e.g. the introduction of cooling-off periods in financial services). 

One of the key motivating aspects of enterprise risk management is its effectiveness.  This is not just a challenge concerning an outcome at a particular point in time.  The main aspect of the challenge is putting in place a process that drives enhanced effectiveness.  This is an aspect that has not escaped EU supervisors framing risk and capital requirements for banks and insurers in the EU, which require assessments of risk management effectiveness. 

So how could these two meet?  An assessment of risk management effectiveness could seek to identify behavioural biases that affect the management of risk across the business: for example, in terms of underwriting and investments.  Consider again the biases set out in Box 1: which ones could be relevant to risk management?  If we identify the biases that shape risk management, we can also assess their materiality and consider whether there are ways of addressing them through changes in the operating environment.  If you have any thoughts about how these biases, or others, could affect risk management, I would be very interested to hear them.

This post is part of the series "Aspects of Risk Management".  Other articles are available here.  


Friday, 26 February 2016

Risk Reviews: Not 'a Bridge Too Far'


The role of a Chief Risk Officer (CRO) and her team in the context of a three-lines-of-defence model in financial services can be best described, in my view, as ‘to protect and enable’ (click here for an earlier post on the subject).   Consistent with that, financial services supervisors in the UK and EU refer to the oversight role that the CRO's team provides. 

There are many issues and considerations in embedding effective risk management in financial services businesses.  At one level, oversight requires the CRO’s team to develop the appropriate engagement with the business to provide support, to challenge and to ensure that risk management features ultimately in decision making.  This may result in recommendations for senior management. 

On its own, this is unlikely to be adequate to evidence appropriate and effective oversight for two reasons.  Firstly, the rationale for covering certain business areas or aspects would not be evident.   Secondly, there may be overlaps with the areas reviewed by Internal Audit. 
The answer is not to restrict the engagement between businesses and the CRO’s team.  Instead, the CRO should put in place a programme of risk review which is coordinated with Internal Audit to avoid overlaps or underlaps.

A structured programme of risk reviews requires consideration of the risks to which the business is exposed and their materiality, as well as business cover.  For example, it would not be sensible to cover just one business area, even if that is the main source of risk. 
The key aspect of the development of a programme of risk reviews is identifying a number of potential reviews that map into a grid of risks, materiality and business areas.  The list of reviews is then whittled down in discussions with the CRO and the leadership team to a programme that is consistent with the scale of the business and the maturity of the CRO’s team.

The Board (or a Risk Committee) should review the proposed programme of risk reviews.  Some businesses require a combined submission from Internal Audit and the CRO to identify a complete assurance landscape.  The CRO’s team should then plan the reviews, including setting out terms of reference agreed upon with the business and delivering them throughout the year.  The CRO should also provide regular reports to the Board about the findings of the various reviews and management delivery of recommendations.

Overall, a programme of risk reviews complements Internal Audit’s activities because of the involvement of the CRO’s team on a real time basis in key business processes such as business planning and product development.  Experience suggests that overlaps with Internal Audit can be avoided and that performing these reviews enables the CRO team to get even closer to the business and embed risk management ― ‘to protect and enable’.   
