Digital Banking is growing fast, with some banks self-declaring themselves as technology companies and new digital banks significantly growing customer numbers. I have been working at the intersection of Technology and Risk within teams in Financial Services for the last few years, at both established firms and startups. During this time I have met very few people who understand both risk and technology well, particularly to the extent that they can make sense of both languages.

Even Senior Executives who are responsible for making important decisions relating to technology and risk often do not understand these in detail. Under the Senior Management Regime, individuals in banks have personal accountability for risk being taken in different areas of the business. This means people can have enforcement action taken against them if they do not act responsibly. So as it becomes harder to make sense of the risk from technology, it is more important to do so.

In the past, when most of the technology which banks used was backend systems, the responsibility for technology risk was typically delegated to IT teams. Risk was managed by defining processes and controls which all teams had to follow — architecture review, security testing, performance testing — giving rise the to ‘tick box’ mentality where teams see their objective as jumping through all hoops required to go live rather than understanding and taking ownership for the risk in the technology they are releasing.

With the rise of agile technology delivery and teams wanting to work more autonomously, this model breaks. It also makes it very difficult for Senior Managers to take informed risk when it relates to technology as it becomes virtually impossible to understand the implication of going live without a particular tick-box checked. They can either play it safe by not going live with anything which has not been through all waterfall controls and governance, potentially losing time to market, or they take accountability for risks they do not properly understand.

Fixing the confusion and ambiguities between technology, risk and business teams is one of the things we are working on at Smarter Human. We want to make it really easy for people to immediately understand the risk and business impacts of technology changes.

If this pain point is one you have experienced we would really like to hear from you and get your input. Contact me on Medium or at hello@smarter-human.com.

“Never impose your language on people you wish to reach.” — Abbie Hoffman, U.S. social and political activist

There are undoubtably still a number of challenges to address outside of the ‘recurring processes’ which are more easily automated.

Banks adopting new approaches not only have to tackle internal cultural change but also with the regulators, who not only set the rules but are accustomed to seeing these met in certain ways. Even reconciling the language between technology teams and compliance can be a challenge. For example, to make sure that products are suitable for customers, Compliance would generally be looking for a ‘target market’ to be defined. However, technology teams would have covered off this risk using personas and measuring actual customer usage. I’ve seen teams struggles to reconcile these perspectives and actually understand each other.

Other risk and compliance topics which are not so easily automated are interesting ones as they relate to a company’s ethics and human nature. For example, defining ethics for data use which would ultimately feed into data analytics platforms and machine learning applications, take some deep thinking and debate. Figuring out how to prevent employee misconduct without a command and control environment takes an understanding of human psychology and behaviour. A great example of this is how Starling use Automated Privilege Management via Slack for releases to Production.

This mix of major opportunities to improve with technology and human behavioural considerations is why I find risk and compliance a great area to be working in at the moment. It’s also why I decided to found Smarter Human with my co-founder, Sebastien, to change things here. Despite the common conception that Risk and Compliance is ‘boring’, done the right way it doesn’t have to be.

The full video of the Revolut and ClauseMatch event is here.

What to look for when hiring Risk and Compliance in Fintech

Based on my experience, these are the four things I would prioritise when hiring Risk and Compliance in Fintech.

1. Understands agile software development. If you are at heart a technology company this is the production process for your business. It is very important that your production line is not disrupted by teams outside of this. If the agile manifesto is at the heart of your software team’s approach to work, other teams such as Risk and Compliance should also subscribe to this and develop their processes in a way which takes this into account.
2. Understands technology. As fintech company, a lot of your risks and controls will be technology based. If someone doesn’t have a basic understanding of the technologies you are using, it will be hard for them to make sense of the materiality of different security and resilience risks against other operational risks. Beware of generalist risk and compliance people who claim it’s not necessary to understand the technology to assess the risks — I’ve never seen this to be the case.
3. Continuously learns and experiments. When someone joins your company they will be designing ways of doing risk and compliance based on what they have seen done previously. Most of the approaches currently used for risk and compliance have not been designed with technology companies in mind so need some critical review and redesign. While this is a tricky task, hiring someone who at least appreciates that current methods need changing and wants to explore new approaches is a good start. Beware of anyone who comes armed with policies or processes from a previous company — this may sound like a time saver but is more likely to be a case of trying to fit a square peg into a round hole.
4. Does not misuse PowerPoint and Word. Hours of time are wasted everyday in risk and compliance teams creating slides in PowerPoint full of information which likely not be read and will immediately be out of date. Someone who is open to ditching PowerPoint in favour of collaboration and data driven tools will help create a lean, forward looking team.

Step 1: Identify what your company needs to protect

The first step of doing a risk assessment is identifying what needs protecting. In risk speak these are called impact categories. For Smarter Theatre I chose:

👫 Customers (without these I have no business)

💰 Money (always critical for a startup)

🏛 Regulator/ FCA (as I need regulatory permission to access Open Banking)

😳 Reputation (key to building trust as a new business)

Step 2: Figure out what could go wrong to put these at risk

Depending on the level of detail you need to go and the complexity of your business into this can get quite complicated. For a thorough approach you would want to create a list of things that could go wrong first from brainstorming, then go through an industry standard list (‘risk taxonomy’). For this example I’m just going to look at things which could go wrong for my Customers 👫.

📴 The app is unavailable due to a technical issue (‘Systems availability’)

🤔 Poor recommendations made to customer (‘Conduct risk’)

🍯 Employee is tricked into giving logon details to someone (‘External fraud’)

😈 Hacker steals customer data from our systems (‘Information Security’)

😤 Unhappy employee steals customer data to sell. (‘Internal fraud’)

Step 3: Decide how much of a problem these are

To decide how much of a problem these are you first need to work out a rating system so you can compare different risks later (‘risk rating’). Ratings are normally based on the impact and likelihood of something happening.

For my impact rating scale I have used the face of the CEO if it happens.

😕 — downcast CEO, mildly annoying to customers

😠— ruffled CEO, annoying enough for customers to complain about

😡 —angry CEO, bad enough to stop customers using my app

🤬— fuming CEO, major disruption to customers or their financial well-being

For now I won’t base it on the numbers of customers impacted but as I grew my customer base this is something I would want to add.

For rating how likely something is to happen I will use a scale based on my chances of seeing the following animals in the next 24 hours.

🦄 Unlikely <10% chance

🦉Not very likely 10–50% chance

🐰 Fairly likely 50–90% chance

🐈 Highly likely >90% chance

(This scale is obviously 🇬🇧 specific, in other countries you may see 🦄 every day!)

Using this scale I can now rate my risks to decide how much of a problem they are. For simplicity I’ll just take the last example to look at, my unhappy employee 😤 stealing and selling customer data.

I think this would be a major issue for my customers as someone might use their data to access other accounts they have and cause them a lot of disruption. That’s a 🤬 or fuming CEO for impact.

Given I only have a couple of employees I don’t think this is very likely. That said, they are only taking equity at the moment so may be desperate for money and I have only known them for a short amount of time. That gets an 🦉or not very likely.

Normally you would now combine these two together to get an overall rating (‘inherent risk”). I’m going to leave this for the time being to avoid getting too complicated.

Step 4: Decide if you want to take any action to do anything about them

Now I have rated my risk I can decide what I want to do about it (‘risk treatment’). My options would be:

👊 Make it less of a problem (“reduce”)

👌 Do nothing (“accept”)

👉 Make it someone else’s problem (“transfer”)

👋 Stop doing whatever makes this possible (“avoid”)

Based on the fact employees stealing data would have a very high impact 🤬 on my customers, I decide I want to make it less of a problem. 👊

Step 5: Design ways of stopping the events happening or fixing them if they do happen

So now I have to think of ways I can make this less of a problem. For a thorough approach I’d look at tried and tested ways how other people tackle this problem (‘controls library’). For now I’m just going to use my common sense to think how I can:

🛑 Stop it happening (“Preventive controls”)

🔍 Figure out if it has happened (“Detective controls”)

🎁 Put it right if it has happened (“Corrective controls”)

To stop it happening, I could restrict who can access the customer data by setting up access controls. If this isn’t an option as I need all my 3 staff to access this to service customers for example, then I could log every time the customer data is accessed and set up alerts for any behaviour which looks suspicious. 🔍

To help stop it happening 🛑, I could also talk regularly with my employees to understand if they are unhappy about anything and prioritise being able to pay salaries so they are less likely to be in a situation where they are desperate for money.

My reflections on emoji in risk assessment 🤔

• Emoji work very well for identifying the impact categories (things I want to protect) and the risk ratings (how much of a problem it is).
• Emoji are a lot more engaging than risk language and they can make you smile just using them.
• It’s hard to find emoji for the risk types (things that can go wrong), doing this for a whole risk taxonomy would really be a big job. Simple language would work better for this.
• The emoji library needs some additions. Why is there no robber emoji? Or a plug being pulled?