Andrew Gilder
Welcome to the next episode of the EY NextWave Banking in Asia-Pacific Podcast. Despite the recent news and developments that have impacted a number of financial institutions in the US and Europe, there is no denying that banks in general have made substantial progress in enhancing risk management practices across the major risk classes during the last decade. However, the next decade necessitates building on that foundation, deeper insights, and faster response time supported by more advanced technology and new talent. For today's episode, I'd like to introduce Clare Sporle, our EY Financial Services Partner based in Sydney, who will be leading today's conversation with our two special guests. Over to you, Clare.
Clare Sporle
Thanks for the introduction, Andrew. Our special guests today are seated with me here in Sydney. First, Ryan Zanin, Chief Risk Officer for Westpac, who's also joined by Doug Nixon, our EY Banking and Capital Markets Leader for Oceania. So, hi. Thanks for joining me, both of you.
Ryan Zanin
Thanks for being here, Clare. I really appreciate you having us.
Douglas Nixon
Thanks for having me.
Sporle
We're recording this episode in early April 2023. So, some of our listeners are no doubt experiencing firsthand the increased volatility we're experiencing in the financial system due to recent events, and also due to geopolitical tensions, macroeconomic uncertainty, and an uncertain business environment. With many of the measures put in place for banks post the GFC around the globe currently being tested, the 2023 EY/IIF Global Risk Management Survey Report - which is now available for download on ey.com - has highlighted that banks are increasingly facing into multiple interconnected risks in this very fast changing external environment. All of these macro challenges are putting the cChief rRisk oOfficer role in the spotlight creating urgency for them to respond to many complex and overlapping risks and making it arguably one of the most difficult jobs in the banking C-suite. So, with that backdrop, Ryan, it would be great to get your reflections. You've been a CRO in multiple organizations in multiple countries, how would you describe how that role has evolved over the last decade?
Zanin
A lot happened over the last decade, and with that has been the evolution of the role of the chief risk officer. I would say taking a step back, one of the most challenging and, in some respects, most pleasing aspects of that is that the breadth of the role has really increased at an amazing pace. And that's great because it lets you be involved in all the important things that are going on across an organization. It's challenging because it's a lot to cover. And the other issue, I think, that we've noticed is the velocity of change out there and the risks that are coming at us. That velocity and that speed have picked up tremendously, which means that you have to be across all the risks all the time, you have to get a lot of help from a lot of subject matter experts, and you have to keep the dialogue going thinking forward about what could change and how it could impact the bank.
Sporle
Wonderful. So, a lot to be thinking about there. And as we've heard, this is a very interesting environment at the moment. So, Doug, what are you seeing as some of the biggest risks that are facing the industry at the moment and how are they changing?
Nixon
I first like to start by pointing out the survey data that we collected was prior to the Silicon Valley Bank and Credit Suisse issues that we're seeing playing out over the last few weeks. And in our survey results, we saw a lot of the typical things that you would expect to see: cyber, ranking number one and continuing to be very prevalent in the minds of cChief rRisk oOfficers; credit risk, a perennial top player in our risk categories; environmental risk, regulatory risk, operational resilience, digital and geopolitical. I just want to touch on cyber quickly. It does continue to be a very important category, even in the face of that, what we're faced into over the last four weeks, and one that the industry has been struggling with substantially.
Nixon
The other thing that we've also seen is credit assets come back up. A lot of cChief rRisk oOfficers are looking at their credit functions and saying, "What do I need to have in place, given the environment we're facing into, particularly the environment that we've seen evolve over the last few weeks? Do we have a depth of talent? It's been 10-15 years since, really, we've had a lot of action in credit risk as risk category. Do we still have the talent in place? And 15 years in this space is a long time, do we still have people that have experienced a particular rate and a downturn in the credit portfolio, like we're starting to see emerge at the moment?" Last, I would be very remiss not to point out that liquidity risk appeared on the survey results for the first time in many years may be somewhat predictive of the situation we're now facing into.
Zanin
The way we talk about all these risks that can present themselves, there's a whole array of risks out there. We have to be mindful of all of them. We can't take comfort that any one of them is going to recede in the background and stay in the background forever. So, I think that's one of the learnings from what we've seen and what some people have called a polycrisis. And what’s presenting us is that there is a lot out there, we've got to be mindful of all of those risks. And in some cases, it's some of the non-traditional risk classes that present themselves. It's also the combination of when multiple risks hit. At the same time, we saw a liquidity crisis play out in a number of banks around the world. And that made the system nervous. At the same time, we've seen other financial institutions at that exact moment have a cyber-attack, which made people question the safety and soundness of those institutions. So, when these two types of instances can combine, it really presents a heightened risk profile.
Sporle
That nervousness that you've talked about really plays into the big picture around trust, and perhaps that's where we can take the conversation next. A big role that you have within the organization as CRO is working towards that building up of trust with your customers and stakeholders, and all of these complex risks makes that even more complex than ever. So, what would be some of your recommendations on how the banks in the Asia- Pacific region can build and maintain that trust?
Zanin
I think it starts with being really transparent about the risks that we own as financial institutions and the risks that we have to face into. Make sure that we are prepared, that we're unafraid to talk about them. Because the risks that we face into as institutions are very often similar risks that our customers are facing into. So, it's understanding what the risks are out there, do a lot of stress testing to understand not only what might go wrong, but what the tail risks are associated with that so that you can prepare your institutions, and then make sure that the products and services that we offer our clients are suitable for them and that they understand the risk associated with them. And I think that maybe one of the most important things we can do in this kind of uncertain world is to be there and be prepared to help our customers navigate through that uncertainty. I think that's a duty that we owe to all of our customers. And as we think about why we're here, we're here to serve our customers. So, preparing ourselves for that inevitability to help navigate through tough times for our customers is a really critical risk that we need to manage.
Nixon
And perhaps I'll just double-click on that point, right, because I do think it's particularly important given the right environment that we've seen evolve over the last 18 months. We're hearing from across the market that now product innovation actually is critical, particularly in the context of distressed customers, not only for the retail business but also for corporate and SME markets as well. And allowing your customers to engage in an open dialogue earlier in the cycle and thinking about products that are going to suit their needs as liquidity dries up out of the market is going to become critical as we face into the next 12 to 24 months. For example, restructuring debt payments, finding ways to provide liquidity into businesses that might be desperate for it right now, banks are really starting to lean in before these defaults happen, and rapid product innovation to enable that will be critical.
Sporle
We saw an interesting time for COVID-19, didn't we, in terms of how we supported our customers and how that really came to life in terms of helping to build that trust when people needed it the most. But we also saw that the regulators have a really important role to play when it comes to supporting that trust, and there are a number of regulatory challenges and opportunities facing the banks within the Asia-Pacific region. So, perhaps we'll start with you, Doug, on this one. How can banks navigate these challenges with the regulators to ensure compliance while still delivering value to their customers?
Nixon
This is a great question. My answer has probably evolved a little bit since I first started thinking about this question to the actual podcast itself. It has been a really busy decade of regulation and heightened scrutiny, not only for banks in Asia-Pacific but also globally. And there has been a real push to maintain progress and momentum against the regulatory agenda and demonstrate that. Now, a month or two ago, we were talking to clients and they're facing into this issue with less funding, less resources available to execute than they have had historically, and that's really driven by the cost imperative that we've seen play out at many financial institutions. So how do you face into that with less resources for middle and back-office functions?
Nixon
And then we have SVB and the crisis that unfolded over the past really four weeks. The early messaging coming out on that is that we can expect further scrutiny on stress testing, liquidity stress testing, recovery and resolution plans, and particularly how often you're testing crisis management plans. There's been noise around executive accountability regimes and a review for that. And then there hasn't really been a lot of mainstream media channels yet, but we're expecting a review of the credit default swap markets and how they operate. And for those that have experience with the US markets, essentially the application of the Dodd-Frank… the Dodd-Frank OTC reforms. And then the other interesting piece that we saw play out in the US markets, which I think will play out to a certain extent in the APAC markets, is the application of… the threshold of application of a lot of these requirements to institutions up and down the Asia-Pacific region.
Zanin
I think that's right. Where regulatory landscape is complex, it's actually difficult to navigate for a number of banks because of the complexity. But it's generally headed in the right direction, and we are better and stronger for the good regulation that we are under. We have had a learning through this last situation with SVB and others that good regulation shouldn't have size limits and time bars on it. Good regulation is good regulation and people need to be mindful of what best and better practices are and deploy them across the industry for the safety and the sake of the entire industry. I think the most recent situation that banks have been through makes us step back and think about what systemic really means, and where - if dominoes start falling - do they actually impact the system? I think that's a learning that will come from this last session as well.
Zanin
But I think in order to navigate that complex, regulatory environment, one of the things with restrictions on funding and people being mindful of expenses, it's making sure that simplicity here is our friend. Understanding our products, understanding our systems, understanding our customers, and making sure that we take complexity out of systems wherever we can, is a much easier route to ensure that you're compliant with all the regulatory expectations.
Sporle
We've talked a lot around there around essentially what could be bannered under resilience, and we know that the regulators here are very much focused on that as they are around the world. So, that probably leads us to a question around how we better manage resilience, operational risks, and cyber -risks. What strategies would you be recommending on how these risks are mitigated?
Zanin
I think it starts with actually understanding how things work at a granular level, end-to-end. We call it value chain work. Other people call it process mapping. But for institutions to have a detailed understanding of how their processes and their systems work end-to-end is the way that we find out what the weaknesses are, what the stress points are, and what the types of controls that we need to put in place. And if we do that and if we simplify those processes, they will become more resilient. And at the end of the day, we want them to be resilient because we're here to serve customers and we're here to serve our communities. And if they aren't resilient, we put that at risk. So, it's an evolution of continuous improvement. We have to put remediation plans in place around systems and processes that have identified weaknesses. And if they are robust and have resiliency plans, then we can build up our cyber capabilities to protect them accordingly.
Zanin
And when we sit back and we think about what some of the cyber risks are, we don't just think about protecting them against, you know, if there might ever be a cyber-attack. We play that out just to assume that a cyber-attack has happened and then how do you protect good customer information and the safety of the bank's records in the event of an attack. People will likely attack various institutions. There have definitely been successful attacks and in the past and we want to make sure that we can withstand attacks and protect our customers and also make sure the system stays resilient.
Nixon
While you're talking about cyber, Ryan, we're also seeing - a lot of firms exploring how you quantify and measure cyber risk in the context of risk appetite, so you can better understand what the exposure is and then also understand whether or not you've got the right resources, the amount of resources, and capital allocated against it. I also just want to jump back to that point on value chain mapping that you touched on as well. Very important understanding the process and ensuring that it is working as intended. It’s very, very hard to control, measure and remediate what you don't intend in these organizations. And they are … people sometimes forget how large and complex they are and how many areas of the bank a value chain can pass through before it gets up to management reporting.
Nixon
And then lastly, be remiss in this environment not to just offer a gentle reminder about revisiting crisis management and recovery planning as well. Having a well-tested, well-oiled crisis management and recovery plan and scenarios and scenarios that you put through stress tests are critical. It helps develop muscle memory for the institution, it helps you react. And importantly, given what we learned over the last four weeks, it helps you react at speed, which is incredibly important given how quickly things can unravel now.
Zanin
The way I'll sum it up, I think about in: How does it work? Can it break? What are the consequences if it breaks? How do I fix it? How do I fix it fast?
Nixon
Fantastic.
Sporle
That's a great framework to apply in those playbooks that we're all now used to talking about that may well have seen as painful in terms of that level of detail, but we know in reality, it's complex and that detail can help us to be much fit in those types of situations. We've talked a bit about technology in terms of the risks that it presents, but perhaps we'll now switch focus to the opportunity that it presents within risk management as a function. So, the use of digitization and technology can have a context of resolving some of these issues and the challenges that we've spoken about before. So, perhaps we'll talk about that. What do you see as some of the opportunities and any examples to bring that to life would be great.
Nixon
Great question, Clare. We talked before just quickly about some of the cost and resource constraints, risk functions are now facing into and we think we'll increasingly face into just given the way that the cost of capital is moving. This is an important area to allow you to free up and make better use of your existing resource. And really, particularly where you've got very repetitive, mundane processes within risk and compliance functions, you can actually free up resources if you invest in the right way and allocate those resources to the value add that really a second one risk function is there for — that is analytics, evaluation, probing, answering questions ahead of an event occurring for the institution.
Nixon
So, I'd also be very remiss if I didn't touch on generative AI, ChatGPT. There has been a tremendous amount of this in the press over the past few weeks. And when we first started thinking about this podcast, I perhaps didn't think about the application of this in the way that we're now seeing explode across the world. There is no doubt that there's a Nexus of AI and good-quality data, and this is actually a next generational leap for risk functions. Real-time analytics, being able to just ask a question and get a response. And we're already seeing in application in risk functions on things such as policy monitoring and reporting, you can go to ChatGPT and plug in, "Write me a model risk management policy," it now spits out something that will need a lot of revision, but actually gives you a good starting framework to work on. And that just means that your resources aren't wasting cycles doing first drafts of quite mundane pieces of the risk framework that you have in play in the institution.
Zanin
As we move to a more digitized world, I'm excited about the opportunity to simplify our processes and make sure that we reduce the operational risk inherent in everything we do. So, having that digital-first mindset is really going to drive better risk outcomes. But one caution you can't or at least you shouldn't digitize are bad processes. So, one piece of work that needs to be done for institutions is to make sure that we aren't simply digitizing things that don't work very well or that are overly complex. So, that's a body of work that needs to be done to make sure that our processes are good and they're strong, and they're as simple as they can be, so that we can digitize them in order to take risk out of the process and drive down our operational risk landscape. And then I think, yes, the ability to derive better insights from all that we know based on the vast amounts of data we have through the use of machine learning and AI is really going to be a way for us to leapfrog the next generation of risk management. So, we're at an exciting frontier and we've got some really interesting tools to deploy to make us better risk managers.
Sporle
Well, that backdrop of opportunity to digitize, simplify, go around the way that we're managing risk better still, in our survey, the vast majority of CROs viewed that talent was critical to future success. And that's no doubt not a surprise to you, Ryan, in terms of the role that you play. But can you perhaps discuss this in a bit more detail for us? What do you see is important and how are you going about thinking on this aspect?
Zanin
One thing that's absolutely true, and I mentioned that these CRO roles, their risk management roles have taken on a breadth that they've never had before and that the world is moving at a very fast pace. And the only way that you can do that is with a team of really talented people, including strong generalists, as well as a number of subject matter experts who can give you guidance and deep technical expertise in some of these fields that none of us can be an expert on. For a long time, I've sort of set seven high-level expectations for the teams that I've had the privilege to manage. And I think the expectations survive the test of time, even in this more digital and rapid-paced world. And I've always said to my teams that I expect them to be technically competent. I want them to be team players, that they need to be good communicators. I want them to be thought leaders. I want them to take an approach as a problem solver. I want them to be fast, and I want them to take ownership around what they do.
Zanin
And I think those are still expectations that we can set for teams even in this sort of volatile, complex, and ambiguous world that we live in. And we're introducing new subject areas that risk people have to have high degrees of competence. Climate risk is an area that we need to be able to understand as risk managers. Risk culture and conduct and behaviors are areas that we need to develop skill sets. And aligning the skill sets that we recruit or the training and reinforcement that we have to have as risk teams. So, the landscape is changing, but it makes for really interesting career. And I think if we line up setting those expectations, giving people good help with training and guiding them through careers, we're going to develop a lot of really good risk people. And then we can export them into the business, and we can import people from business and first line to bolster our risk capabilities as well.
Nixon
I might just add to that, because during this discussion, we've touched on so many different risk classes. We've touched on credit, cyber ESG, environmental risk, regulatory requirements, operational, resilience, digital, all of these are very different and very distinct skill sets. And so, it is critical within a risk function that you do have access to such a broad range of talent in order to execute the mandate. And this is very different now to the risk function of the 1990s, where it was credit market, and people were talking about this thing called operational risk as a broad concept.
Nixon
In sourcing this talent, risk functions need to be very, very hungry, and constantly looking for different talent. I personally think the best talent can come from either other institutions or from within people that really understand the products, the businesses, what's going on in the industry, what's going on in the market, what's going on within the institution, so they understand the end-to-end process, and therefore understand where the risk may lie across the various different risk classes.
Nixon
But also now that there's this huge need for new talent coming in in very rapidly developing areas, and we talked about generative AI and ChatGPT, for example before, this requires skills from not only within the institution but from outside the institution. And as we move into this next phase, it's going to become critical for the risk function to have this talent within. Just because you've got very, very good digital capabilities, it doesn't absolve you of the responsibility of understanding how they work. And being able to push the frontier of what they can do to serve the greater organization in future years.
Zanin
Makes it a great time to be a risk manager.
Nixon
Fantastic era.
Sporle
So, in wrapping up, I'd ask you both to think about the one piece of advice that you would give a CEO or a CRO listening to this podcast today.
Nixon
First of all, just to reiterate, surrounding yourself with great talent to challenge and provide insight as the world moves very quickly, that there is no doubt that you can have the best infrastructure in the world. But if you do not have a good suite of advisors supporting you in the role, it is going to be very difficult to be successful in the world that we're moving into. And then secondly, we haven't really talked about it too much during this podcast, but the geopolitical environment, the complexity that we're facing into this kind of fragmentation that we're facing into means that there is going to be more demand on infrastructure. And if the last few weeks taught us anything, you also need to have great talent in place to increase response times when events do occur, even if they're not affecting your institution, because there are going to be questions coming that you will need to be able to respond rapidly to.
Zanin
I like to say that even if you're on the right track, you're going to get run over if you just sit there. Things are going to evolve. It's a fast-moving world. And so, to deal with that, you've got to demand transparency around the risks that you see, surround yourself with people who will speak up and who will tell you about the risks, not only the ones that are present, but spend time thinking about the ones that are better around the corner, encourage teams to call out those risks. And we've been reminded in the last few weeks that all risks matter. It's the thing that you're not worrying about, that you should spend some time thinking about. And then I would say that take time to think. It's really important in this kind of volatile and complex world that we actually allow ourselves as risk managers, as senior leaders across organizations, to take time to think we've got to learn lessons from the past, but we actually have to be focused on the future.
Sporle
Wonderful. Thank you both so much for spending the time with me today. I've certainly learned a lot. And I'm sure that the listeners will have a lot to take away from this in terms of things to consider, and practical ways to move forward with them. I think as we wrap up, we need to recognize that in this digital world, where disruption is the new normal, that we need to think about how we simplify our businesses to de-risk them — how we make sure that we understand those end-to-end processes to really give us space to think around the risks that we're facing. Use what's available to us to be as effective as we can with the technology that's available and get that broad, diverse team of talent to make sure that we have that space to collectively consider what are we not thinking about at the moment. So, thank you so much. It's been a great episode.
Nixon
Thank you, Clare.
Zanin
Pleasure to be with you.
Gilder
You've listened to the EY NextWave Banking in Asia-Pacific podcast. To learn more about EY, our people, and our latest thinking, visit us at ey.com/banking. If you would like to have a further conversation on what you've just heard or learn more about joining our team at EY, please contact us via the details found in the description. If you liked this episode, please leave a review to help us bring you more insightful and relevant content. And finally, don't forget to subscribe to our podcast on Apple Podcast, Spotify, or wherever you listen.