The evolution of risk management with regtech

How to gain a competitive advantage by redefining the management of non-financial risks (NFRs)

Risk management is one of those things everybody has to do, yet no one seems to want to. Why? It is usually seen as an extra line item on the bill with no additional business value. The tightening of regulations and the audits by German and European supervisors have reinforced this impression: in the wake of these audits, remediation initiatives were often launched abruptly and, depending on the size of the institution and the scope of the findings, consumed investments in the millions within one to three years.

So, was this the silver bullet that fixed everything? Not at all, because methods, processes and, above all, technologies have kept evolving in the meantime. It is a race that cannot be won, as the next audit and its report will confirm at the very latest.

How can you escape this vicious cycle? When you get down to the basics, it is actually quite simple: you have to change the rules. There is a rule of thumb in radio communication: "As short as possible, but as long as necessary." Applied to risk management, this means that managing risks in an entrepreneurially meaningful way is about doing what is necessary, not what is possible.

Changing the target reference – from regulatory compliance to corporate added value

But how can the question of what is actually necessary be answered in a way that also holds up in dialogue with the supervisory authority?

To approach a solution, we need to identify why this question has not been answered so far. The essential step is to put corporate added value in the foreground of risk management, not the regulation. It is similar to driving a car: you get in to go somewhere, not to comply with road traffic regulations. Ideally, you reach your destination while complying with all the traffic rules. In risk management, compliance with regulatory requirements is the framework, not the end goal. If you follow this idea consistently, there are many ways to increase the business added value of NFR management. Two of them are explained in the following examples:

Integration of risk types
All risk control functions (the so-called 2nd line of defense) have one thing in common: they control risks. That is, they determine damage potential, define preventative measures (target measures), identify deviations from these measures and ensure that the deviations are managed as risks. Very often, all of this is done in independent, isolated solutions for the different risk types, such as information security management, business continuity management, central outsourcing management and so on.

Integrating all risk types in one central framework with uniform methods avoids redundancy and duplicate work. It creates synergies across the entire organization and across all hierarchy levels. Interactions and dependencies between risk types are mapped without additional effort, such as transferring data between separate tools, and they allow for continuous fresh insight and a better understanding of the overall context. The result is an improved ability to act at both management and board level.

Method correction

In order to do what is necessary, the conditions for doing so must be created. For example, a protection requirements analysis determines the amount of damage that would result if information were compromised. The higher the determined damage value, the higher the required protection in the form of preventative measures, and therefore the higher the downstream investment. It is essentially like car insurance: the more valuable the car, the higher the insured value and the higher the premium.

The main problem is that people often work with the worst-case scenario, the so-called extreme damage. This is the highest possible damage, and it is what the downstream investment is sized to cover. In the car insurance example, this amounts to assuming that every accident totals the car and causes an extreme financial loss. Smaller incidents such as scratched bumpers or fender benders, with relatively low repair costs, disappear from view. If insurers actually priced this way, premiums would be prohibitively high.

This is where the potential lies: calibrating the protection requirements analysis, and with it the downstream investment, to a realistic loss profile instead of the extreme case alone. Such approaches, which weigh how often an event occurs against how severe it is, are already used in other contexts within institutions, for example in operational risk management.
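To make the difference between the two views concrete, the following is an added example (constructed for this article, not code from finleap connect or its regtech product). It classifies a hypothetical information asset twice: once from the extreme damage of its single worst scenario, and once from the annual loss expectancy that weighs each scenario's frequency against its severity, as is common in operational risk. The protection-level thresholds, scenario names and figures are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LossScenario:
    """One way the asset can be damaged (constructed sample data)."""
    name: str
    annual_frequency: float  # expected number of occurrences per year
    severity_eur: float      # loss per occurrence in EUR


# Hypothetical protection-level bands: (level, upper bound of damage in EUR).
# These thresholds are an assumption; an institution would set its own.
PROTECTION_BANDS: List[Tuple[str, float]] = [
    ("normal", 100_000.0),
    ("high", 1_000_000.0),
    ("very high", float("inf")),
]


def protection_level(damage_eur: float) -> str:
    """Map a damage figure to the lowest band whose upper bound covers it."""
    if damage_eur < 0:
        raise ValueError("damage must be non-negative")
    for level, upper in PROTECTION_BANDS:
        if damage_eur <= upper:
            return level
    return PROTECTION_BANDS[-1][0]  # not reached while the last band is open-ended


def worst_case_damage(scenarios: List[LossScenario]) -> float:
    """Extreme-damage view: only the most severe single event counts."""
    return max(s.severity_eur for s in scenarios)


def annual_loss_expectancy(scenarios: List[LossScenario]) -> float:
    """Frequency-times-severity view, summed over all scenarios."""
    return sum(s.annual_frequency * s.severity_eur for s in scenarios)


def assess(scenarios: List[LossScenario]) -> Dict[str, object]:
    """Classify the same asset under both views so they can be compared."""
    worst = worst_case_damage(scenarios)
    ale = annual_loss_expectancy(scenarios)
    return {
        "worst_case_eur": worst,
        "worst_case_level": protection_level(worst),
        "ale_eur": ale,
        "ale_level": protection_level(ale),
    }


# Constructed scenarios for a hypothetical customer-data application.
CUSTOMER_DB_SCENARIOS: List[LossScenario] = [
    LossScenario("phishing leads to a single-account compromise", 2.0, 20_000.0),
    LossScenario("misconfigured file share exposes records", 0.5, 80_000.0),
    LossScenario("ransomware renders the whole system unusable", 0.02, 5_000_000.0),
]

if __name__ == "__main__":
    for key, value in assess(CUSTOMER_DB_SCENARIOS).items():
        print(f"{key}: {value}")
```

With these figures the worst-case view puts the asset in the "very high" band on the strength of one rare ransomware scenario, while the expectancy view lands in "high", because the two frequent, cheap incidents and the rare, expensive one together add up to 180,000 EUR per year. The point is not that the lower figure is always right: a tail event that would threaten the institution's existence still needs to be covered by risk appetite and contingency planning. The point is that sizing every preventative investment to the tail alone hides where the money is actually lost.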

Beyond these two examples, there are many other methods and approaches that can be used to increase corporate added value.

Once you start to consider something unconventional, you quickly recognize the enormous potential that can be unlocked here: the chance to return non-financial risk management to what it should be, a valuable tool for corporate management. The willingness to change, however, is an indispensable prerequisite.

Fintech and risk management? Regtech as support for holistic change


finleap connect stands for reshaping things. We are entrepreneurial, digital and ready to break new ground. We bring together people who share these values and have brought well-known, established experts on board for our regtech product. Our team is rethinking risk management and, with the technical expertise of finleap connect, creating a valuable tool for corporate management. The product realizes the potential for corporate added value while complying with regulatory requirements.

With the new regtech software, we offer an integrated, data-oriented Software-as-a-Service solution that implements the added value described above. In a first step, the functions information security, business continuity and outsourcing are mapped in an integrated NFR framework, which will then be expanded successively.


If you have any questions or are interested in our regtech product, please reach out.
