Banks around the world are used to quantifying financial risks such as market, credit, and liquidity risks. We have known how to measure them for centuries. Because large numbers are involved, it is largely possible to predict the future based on the past. But in a digital finance world that is quickly advancing into uncharted territory, non-financial risks – operational risk, fraud prevention, IT risk, and cybersecurity – are increasingly critical to the business. While they often involve factors that we cannot yet predict, these risks can also be quantified.
At Banco de Credito de Peru, the largest bank in the country, we consider all non-financial risks together, as they are interrelated and require the same governance processes. For example, an earthquake can lead to an uptick in fraud. A cyberattack can not only result in an operational disruption, but also customer losses, an increase in insurance premiums, lawsuits or fines, credit downgrades, and reputational damage.
As digitization has sped up with the pandemic, we aggressively accelerated a digital transformation process that was already in motion across the institution. Several of the key “motors” of our transformation are drivers that impact non-financial risk: organization, data analytics, and digital channels. We are adapting how we manage risk based on the evolution of these aspects of our business.
We have shifted from waterfall to agile processes to re-orient our focus to business and client-driven outcomes. We assemble in self-contained tribes and squads, empowered to make decisions faster than traditional hierarchical department structures. At the most granular level, we have small teams of nine who work in two-week sprints towards specific outcomes, autonomously managing a business, product, or application. Cross-functional teams are far more effective than working in traditional silos, all the more so because of the scarcity of cybersecurity talent in Peru and Latin America more broadly.
The challenge with this approach is that in our previous waterfall process there were defined “locks,” or checkpoints, where we looked at risk, such as before going into production. But those programs would last two years; now we have releases every two weeks. With sprints and continuous improvement, we give our people the training and tools to “wear the risk hat” to ensure ongoing consideration and management of risk.
As our business relationships are digitized, we receive more and more customer data. Data allows us to make better decisions in terms of risk, product development, and sales. However, it also brings responsibility – we must secure and protect a constantly growing amount of data. So, one key area of managing non-financial risk is a diligent patching program for our infrastructure that stays on top of emerging vulnerabilities.
In addition, we must ensure that the data models supporting the decision-making are working correctly. This is an area of innovation that brings with it significant risk to the business.
With accelerated digitization, fraud in digital channels is a key non-financial risk that can obviously have significant financial consequences. Identification and authorization of transactions are key functions that we must secure and continuously manage. While there are several layers to authentication, we focus on getting the basics right, such as having strong biometrics and dynamic tokens, and then adding newer tools like device and behavioral monitoring.
Further, while Latin American institutions face many of the same cyber threats as institutions elsewhere, there is a higher emphasis on insider threats, especially in low-trust societies. As we move to an agile organizational model with decentralized power, we are at the same time instituting heavier controls on access to data, for example by micro-segmenting our network so that access is restricted to those who need it.
While supply chain risk is a rising concern, it is not as high on our priority list as it may be elsewhere. The SolarWinds compromise was carried out by nation-state actors for cyber espionage purposes, and Peru is not a prime target for those types of attacks. However, we cannot ignore the value chain of cybercrime: these nation-state actors may sell the technology to cyber criminals who will use it for other purposes.
We are still on the journey of learning how best to manage supply chain risk. Currently, we segment suppliers in terms of the impact they could have on our operations, which determines their treatment. For the most part, suppliers make self-declarations of their policies and practices. High-risk suppliers are also verified by third parties. The problem is that this verification only happens once a year. We have been experimenting with monitoring, so that if an incident occurs at a supplier, we know right away. We do that monitoring in three ways: intelligence sharing, such as through FS-ISAC; a service that monitors how other companies' internet-facing systems appear from the outside; and internal monitoring of the traffic between them and us.
Given the growing importance of non-financial risks to our business, we hold ourselves to standards that go beyond local regulatory requirements and strive for maturity beyond what is typical in the region. We use the US FFIEC Cybersecurity Assessment Tool (CAT) to measure our cyber posture and the Factor Analysis of Information Risk (FAIR) framework not only to understand accurate probabilities and impacts but to quantify our risks.
Historically, when cybersecurity reported into IT, the CISO’s focus was on technicalities – complying with various standards, updating to new software versions. No one, including the board, understood what was going on in cyber and incidents happened anyway. When we incorporated cyber into non-financial risk and began to apply FAIR, we adopted a risk mindset that measures costs and benefits to see which investments make financial sense. We might live with risks with low exposure and high costs to mitigate and focus on high exposure risks that can easily be mitigated. We quickly began to see that it was not always about upgrading technology; the risk might be mitigated by correlating two data sources, a manual report, or some other quick win. Some investments we decided to make; others that seemed obvious under the previous paradigm were now shown not to be cost effective.
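The cost-benefit reasoning described above can be made concrete with a small FAIR-style calculation. The following is an added illustration, not BCP's model or any FS-ISAC tool: it estimates annualized loss exposure as loss event frequency (LEF) times loss magnitude (LM), each given as a calibrated min / most-likely / max range, and then ranks candidate controls by the exposure they remove minus what they cost. The scenario, the two controls and every figure are constructed assumptions for the example, and the triangular distribution is a simplification of the PERT-style distributions FAIR practitioners usually fit.

```python
"""FAIR-style annualized loss exposure and control cost-benefit ranking.

Added illustration only; not BCP's model. Every number below is an assumed,
constructed example, not data from the article.
"""
from dataclasses import dataclass
import random
import statistics


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, modelled as triangular."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode).
        return rng.triangular(self.low, self.high, self.mode)

    def scaled(self, reduction: float) -> "Estimate":
        # Shrink the whole range by a fraction, e.g. a control that stops 60% of events.
        keep = 1.0 - reduction
        return Estimate(self.low * keep, self.mode * keep, self.high * keep)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # loss event frequency, events per year
    lm: Estimate   # loss magnitude, currency units per event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    lef_reduction: float = 0.0  # fraction of loss events the control prevents
    lm_reduction: float = 0.0   # fraction of per-event loss the control avoids


def ale_point(s: Scenario) -> float:
    """Point estimate of annualized loss exposure: E[LEF] * E[LM]
    (valid because LEF and LM are treated as independent)."""
    return s.lef.mean() * s.lm.mean()


def ale_simulated(s: Scenario, n: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo view of the same exposure: mean and 90th percentile loss,
    which is what a board usually wants next to the average."""
    rng = random.Random(seed)
    losses = sorted(s.lef.sample(rng) * s.lm.sample(rng) for _ in range(n))
    return {"mean": statistics.fmean(losses), "p90": losses[int(0.9 * n)]}


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario after the control is in place."""
    return Scenario(s.name, s.lef.scaled(c.lef_reduction), s.lm.scaled(c.lm_reduction))


def net_benefit(s: Scenario, c: Control) -> float:
    """Exposure removed per year minus the control's annual cost."""
    return ale_point(s) - ale_point(apply_control(s, c)) - c.annual_cost


def rank_controls(s: Scenario, controls: list) -> list:
    """Controls ordered by net benefit; negative values do not pay for themselves."""
    return sorted(((c.name, net_benefit(s, c)) for c in controls), key=lambda t: -t[1])


# Constructed example scenario (assumed figures, not BCP data):
# credential phishing leading to account takeover in a digital channel.
ACCOUNT_TAKEOVER = Scenario(
    "account takeover via credential phishing",
    lef=Estimate(2, 6, 12),                  # events per year
    lm=Estimate(20_000, 80_000, 400_000),    # loss per event
)

# Two candidate treatments (assumed costs and effects).
CONTROLS = [
    Control("correlate fraud alerts with login telemetry in a daily manual report",
            annual_cost=15_000, lm_reduction=0.30),   # quick win: faster detection
    Control("replace the authentication platform",
            annual_cost=900_000, lef_reduction=0.60),  # big upgrade: fewer events
]

if __name__ == "__main__":
    print(f"ALE point estimate: {ale_point(ACCOUNT_TAKEOVER):,.0f}")
    sim = ale_simulated(ACCOUNT_TAKEOVER)
    print(f"simulated mean {sim['mean']:,.0f}, p90 {sim['p90']:,.0f}")
    for name, value in rank_controls(ACCOUNT_TAKEOVER, CONTROLS):
        print(f"{value:>12,.0f}  {name}")
```

With these assumed numbers the cheap correlation report removes about 30% of a roughly 1.1 million annual exposure for 15,000, while the platform replacement removes more exposure in absolute terms but costs more than it saves; the ranking makes that visible before any budget is committed. Swapping in calibrated estimates from incident history and changing the distributions is the only work needed to use it on a real scenario.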
Non-financial risk is fast becoming financial, with a material impact on the business. As these risks overlap, it makes sense to consider and manage them in an integrated way. In countries like Peru, third party risk is important, but the top priorities are continuously protecting and upgrading infrastructure and managing insider threats. While operational, IT, and cyber risk are not financial risks, they can and must be measured and quantified to ensure the proper weighing of costs and benefits.
© 2021 FS-ISAC, Inc. All rights reserved.
Harold Marcenaro currently serves as Head of Non-Financial Risks at BCP and is responsible for transforming the bank’s risk management function to enable an agile, digital bank. Previously he has led the Enterprise Risk Management, Marketing, Retail Credit Risk, and Credit Card teams at BCP, and held positions in IT, strategy, and investment banking. Furthermore, he has been a board member at several companies, and is currently a member of Patronato BCP, Colegio Altair, and TedxTukuy councils. Harold holds an MBA from The Wharton School, an MSc in Risk Management from NYU Stern, and a BA in Economics from Universidad del Pacífico.