Risk management trends in the digital age
Season 1 Episode 05
Transcript
Juan José Ríos (Host): Hello, everyone. How are you? I'm Juan José Ríos. Welcome to this new episode.
Today we will discuss changes and trends in Latin American regulations and other risk management standards, including new industries and areas that previously did not have this responsibility.
The most widely accepted definition of risk tells us that it is the possibility of companies suffering economic losses due to failures in their processes, technological factors, human resources, or external events, such as the current pandemic. Organizations must assess the probability of occurrence and the impact—usually economic—that these risks may cause if they materialize.
All organizations carry out activities to achieve their objectives, and these always involve risks. In the digital age, these risks have increased beyond traditional processes, including technological risks, fraud, money laundering, and many more.
That is why it is vital for all organizations to have adequate risk management that integrates all threats that jeopardize their objectives. Timely management not only creates value in risk prevention, but also helps protect profits and the effort it has taken to achieve them.
Juan José Ríos: Hello, how are you? Welcome to this new podcast.
This time, I'm joined by:
- Jorge Diéguez, Risk Product Manager,
- Raúl Castellanos, AML Product Manager, and
- Ilian Vasco, VP of Marketing and Product.
Thank you for joining us. And to all of you who tune in and join this conversation, thank you very much.
Jorge, thank you for joining us. Let's start with you: what is the current approach to risk management in such important and nearby regions as South America?
Jorge Diéguez: Thank you, Juan José. In this regard, we have observed that the trend coming from South America mainly responds to a greater regulatory presence in risk management. This is because this discipline is expanding into new areas and departments within institutions that were not previously involved.
Regulations covering operational and comprehensive risk management have been in place for several years. Countries such as Argentina, Uruguay, and Chile already have regulatory frameworks in this area. What is new now is that departments such as compliance are actively incorporating risk management, taking a more qualitative approach.
Traditionally, these areas focused on transactional evaluations, often in a postmortem manner: first the operation took place, and then it was analyzed. Today, the trend is to be more proactive, anticipate risk, and act before it materializes.
For example, in Ecuador, starting in the second half of 2020, a new regulation known as ARLA was issued, with similarities to Colombia's SARLAFT. This standard combines transactional analysis with qualitative risk management, which took many compliance areas by surprise, as it exceeded their traditional expertise.
Now they must define risk matrices, identify risks that have not yet occurred, measure and classify them, with the aim of mitigating them and avoiding future surprises. This is very valuable even for non-financial sectors, because it allows them to anticipate potential losses.
In summary, the new regulations are pushing organizations to take a step forward, anticipate risk, and adopt a more strategic and preventive management approach.
Juan José Ríos: Thank you, Jorge.
Raúl, according to what Jorge shared with us, risks vary by region, especially due to regulatory differences. From your perspective, what are the main trends in this context?
Raúl Castellanos: Thank you, Juan José. In addition to what Jorge mentioned, I would like to highlight the focus of the COSO 2017 framework, which emphasizes strategic risk.
This approach stems from an analysis of the last 15 years of risk management in financial institutions. It was determined that credit, market, operational, and financial risks have been largely mitigated, and that institutions have robust mitigation mechanisms in place. However, where they have failed is in strategic risk.
Why is this important? Because during this stage of the pandemic, we have seen drastic changes in the markets. Some economies and sectors entered into depression, while others remained active, especially those related to food, fitness, and medical supplies. This has reshaped the market.
Strategic risk must focus on how we sustain the business, how we ensure long-term profitability, and, above all, on the survival of the organization. The financial relief measures enacted by governments also forced us to readjust cash flows and strategic plans.
That is why today it is essential to redefine indicators that enable timely decision-making, strategic plan adjustments, and maintaining a medium- and long-term vision.
I would also like to highlight that ISO standards recently published the first draft of good practices for institutional governance, which is currently under review, with the aim of establishing an international standard.
In Guatemala, there is also a draft bill promoting good governance in public institutions, aimed at strengthening administration and mitigating risks of corruption and illicit enrichment, in line with international commitments to transparency.
In summary, in addition to traditional risks, strategic risk has taken on fundamental importance in times of pandemic.
Juan José Ríos: Welcome to this conversation, Ilian.
Let's talk now about new guidelines. How do experts view the integration of risk management in the financial industry within the new Basel framework?
Ilian Vasco: Thank you, Juan José. Basel has been updating its regulatory framework for several years. This includes improvements in capital quality, liquidity buffers, and due diligence requirements, as well as additional guidelines from the Basel Committee on Banking Supervision related to the prevention of money laundering, terrorist financing, and risk management in general.
This model also applies the three lines of defense, adequate monitoring of risk management, and continuous assessment of the risk profile.
Returning to what Raúl mentioned, these trends seek to encourage organizations to analyze their strategies and decisions based on expected returns, truly understanding their strategic risk profile.
This involves having a comprehensive framework that brings together organizational, compliance, process, and objective risks, along with mitigating controls and key players, all under the same management model. It is, in essence, having an integrated risk management system that consolidates all perspectives under a single structure.
Juan José Ríos: Raúl, to provide some context: the Basel Accords are a series of guidelines developed by the Basel Committee since 1974 to prevent systemic risks.
From your point of view, which of these agreements should we pay most attention to in this new normal?
Raúl Castellanos: There are two particularly relevant agreements. The first, published at the end of 2015, concerns corporate governance and good governance in financial institutions. The second, issued in July 2020, reformulates recommendations for risk management in money laundering prevention.
Both the Basel Committee and the Financial Action Task Force published updates in 2020 related to COVID-19. Both agree on the need to return to basics: analyzing the current risks arising from macroeconomic and behavioral changes, and how they should be managed.
Some sectors went into depression, others kept going, and cash flow changed a lot. Plus, face-to-face interaction was replaced by video calls, tablets, and smartphones, which meant we had to reallocate resources and adopt new remote working arrangements.
Basel emphasizes that we must reanalyze our risks, identify emerging risks, and define measures to ensure business continuity in this new normal.
Juan José Ríos: Ilian, how does technology influence comprehensive risk management in the financial sector? And, in that sense, what is the role of cryptocurrencies and ATMs?
Ilian Vasco: Thank you, Juan José. With all these emerging technologies and digital transformation processes in banking, it is essential to rethink the influence of technology within the risk management framework.
When we talk about cryptoassets, we are referring to new business models that include transactions between individuals and companies, fintech platforms, mobile banking, big data, predictive models, crowdfunding, automated currency management, process robotization, and peer-to-peer lending, among others.
All of this transforms the way operations are processed and requires risk management to incorporate these new scenarios.
We must also consider macroeconomic factors, such as possible recessions, changes in consumption patterns, resource acquisition, and process optimization. At the same time, financial crime has increased, especially cybercrime, synthetic identities, and front companies.
These phenomena generate direct financial impacts, such as reduced profits and operating losses. Therefore, technological influence requires rethinking methodologies and integrating all these factors into the financial sector's risk management model.
Institutional voiceover: Monitor Plus® GRC-RM is the ideal solution for automating comprehensive risk management. It is designed to high quality standards, based on a web environment and highly customizable, allowing all types of institutions to perform qualitative and quantitative management tasks with ease.
With Monitor Plus® GRC-RM, your organization can achieve efficient risk management, encourage decentralized participation, mitigate threats, and reduce losses, improving results and creating greater value.
The solution allows for the analysis of multiple types of risks, based on best practices, international standards, and expert recommendations, simplifying corporate governance, technology, and regulatory compliance processes, among others.
Juan José Ríos: We continue with Mundo Financiero Seguro.
Raúl, business models have changed rapidly due to technology. What other technological influences are impacting financial risks today?
Raúl Castellanos: One of the main factors was the massive migration to digital channels since the beginning of social distancing. Institutions had to accelerate processes to offer cloud services and strengthen their applications and portals.
At the same time, cybercrime grew significantly. Interpol reported increases of over 500% in cyberattacks, including corporate website spoofing, phishing, denial-of-service attacks, and server hijacking for extortion.
Many institutions were unprepared to absorb this digital demand, especially in remote working, which opened up new security gaps.
This increased risks such as identity theft, synthetic identity fraud, and other financial crimes. Cybercriminals have shown great adaptability, reacting faster than many institutions.
Furthermore, phenomena such as fintech, crowdfunding, and cryptoassets introduce additional risks, such as anonymity and lack of regulation in some models. In the case of crowdfunding, for example, it is possible to legitimize capital by claiming collective financing without major controls.
Therefore, regulations must evolve from face-to-face approaches to digital schemes, incorporating cybersecurity, virtual assets, and digital identities as key elements of this fourth industrial revolution accelerated by COVID-19.
Juan José Ríos: Thank you, Raúl.
Jorge, what recommendations should financial institutions in Latin America particularly consider with regard to comprehensive risk management, starting with operational risk? I would also like you to address the relationship with standards such as ISO 9001:2015.
Jorge Diéguez: Thank you, Juan José. I would make three main recommendations.
The first is to seek automation. Regardless of the size of the company, whether regulated or not, it is essential to have technological tools that prevent errors in data quality, information integration, and availability. We must leave behind spreadsheets and manual processes that limit efficiency and reduce internal adoption.
The second is to seek integration. Since COSO ERM 2017, risk management has been promoted as part of the "tone of the organization." This means that it should not reside in a single department, but rather that each area should have a representative or risk manager who feeds matrices, identifies existing and emerging risks, proposes mitigating controls, and continuously provides feedback on the process.
In this way, we move from centralized evaluation to decentralized self-evaluation, empowering process owners, who are most familiar with the risks and can propose effective solutions.
The third recommendation is to have clear leadership, a person who is responsible for coordinating comprehensive risk management. In many institutions, this role is filled by the CRO (Chief Risk Officer), who coordinates risks related to corporate governance, technology, regulatory compliance, projects, suppliers, and others.
Today, regulatory compliance is no longer solely the responsibility of the legal department, but part of a comprehensive management approach that seeks to protect the organization against regulatory, contractual, and internal commitments.
This coordination makes it possible to protect profits, avoid losses, and ensure that objectives are achieved, especially in an environment where strategic risk has become more relevant.
Juan José Ríos: Thank you, Jorge.
Ilian, as a follow-up, what recommendations would you add to what we just discussed?
Ilian Vasco: I completely agree with Jorge. Many other risks converge from operational risk: credit, liquidity, money laundering, strategic, and technological risks.
My recommendation is that there should be real integration between these risks, allowing for consolidated work. In addition, it is important to have a database of loss events that allows us to identify which types of risks are having the greatest impact and prioritize actions.
In summary, everything must converge in an integrated model that takes operational risk as its central axis.
Juan José Ríos: Let's move on to this episode of Mundo Financiero Seguro.
Raúl, how should financial and non-financial institutions approach non-financial risk management?
Raúl Castellanos: These are known as associated risks and include reputational, legal, contagion, and strategic risks, among others.
For example, legal risk is closely related to regulatory compliance. Institutions must identify all the regulations to which they are subject according to their market niche: environmental, labor, commercial, and sectoral, as well as international commitments, such as the US FCPA or the UK Bribery Act.
Non-compliance may result in administrative or financial penalties, or even fines amounting to millions of dollars for international companies.
When it comes to reputational risk, it is essential to be careful about who you do business with. During the pandemic, loopholes were opened up to legitimize capital, prompting many institutions to strengthen their processes for engaging with and evaluating third parties.
If an institution is associated with illegal operations, it faces two risks: damage to its brand and the risk of contagion, as it becomes indirectly involved in illegal activities.
I would also like to mention the impact of cyberattacks on reputation. When an institution is breached and customer data, such as credit card information, is leaked, the damage is immediate: customers lose confidence and correspondent institutions may sever ties to mitigate their own risks.
That is why non-financial risks are just as important as financial risks and must be managed comprehensively.
Juan José Ríos: Ilian, in line with this, what could you add about how institutions should approach non-financial risk management?
Ilian Vasco: Very much in line with what Raúl mentioned. These non-financial risks cannot be left out of the management model.
We have seen institutions suffer millions in losses due to legal risk, fraud, climate change, and reputational damage, the latter being particularly difficult to measure due to its intangible nature.
There are also strategic risks arising from expansion decisions, technological risks due to prolonged system outages, and cybersecurity risks that have had a significant impact in recent years.
Therefore, these risks must be integrated into the financial management model itself, using consistent methodologies with clear prioritization schemes, as many of them can have severe financial impacts.
Juan José Ríos: To conclude, what else can we add about risk management?
Raúl Castellanos: Risk management has always been fundamental to business continuity, and today it is even more important in times of change.
The pandemic taught us many lessons: the importance of solidarity, of leveraging technology, of adapting quickly, and of recognizing the value of human capital, which is the mainstay of institutions.
A 2020 PwC survey showed that human capital, regulatory risk, and cybersecurity are among the main factors for business sustainability.
Today, it is essential to have dynamic risk management, accompanied by organizational culture and automated systems. In internal control, for example, frameworks such as SOX 404 emphasize segregation of duties, comprehensive monitoring, and validation of decisions.
If we start with good risk management, we can drive the business toward greater long-term resilience. That is the true importance of integrating culture, processes, and technology into risk management.
Juan José Ríos: Thank you very much, Raúl.
This brings us to the end of this episode of Mundo Financiero Seguro, the Monitor Plus® podcast.
Thank you to Jorge Diéguez, Raúl Castellanos, and Ilian Vasco from Colombia for participating.
I'm Juan José Ríos. See you next time, and thank you for recommending us.