“Many, if not most, financial institutions have been shifting to more cloud-based and modularised Banking-as-a-Service (BaaS) models and these trends will only accelerate as we need to manage risks inherent in conducting financial services via remote working environments. For example, critical capabilities such as Advisor to Client communications need to be verifiable and auditable whether they are happening inside or outside of the office and I predict regulators will be pushing financial institutions to ensure these standards become the norm rather than the exception.”
Singapore Addresses Risk in the Financial Industry
The paper seeks to create awareness amongst financial institutions on key remote working risks in the domains of technology, operations, security, fraud, staff misconduct, legal and regulatory risks. MAS encourages them to take pre-emptive measures to adopt good practices on managing risks.
Mackenzie adds, “Of course, some of the issues are difficult to solve. For example, staff accessing client data from their homes creates inherent vulnerabilities and the ways to ensure staff have suitable ‘in-home’ working environments to effectively manage these risks can be challenging and expensive. There are great opportunities for innovators to adapt solutions to solve these problems in what will undoubtedly be a growing investment area for many Financial Institutions.” The paper also examines various controls on the people and culture leveraging examples drawn from the experiences of ABS member banks to address evolving risks. For instance, FIs can implement security controls on staff infrastructure including their personal devices, verify in-person meetings against original documents, timely response strategies for recovery teams, legal risks and more.
To keep pace with the changing trends in technology deployment, risk management, and cybersecurity, MAS has been regularly working and engaging with experts to introduce guidelines, principles and best practices for financial institutions. In February, MAS issued a consultation paper proposing revisions to enhance the current requirements for enterprise risk management, investment risk management and public disclosure practices for insurers. Similarly, in January, MAS issued risk management best practice and standards to guide financial institutions in managing technology risk and maintain IT and cyber resilience.
Get insights on the technology areas in the Financial services industry that will see continued investments, as organisations get into the recovery phase.
A recent study of asset managers by the investment arm of Institutional Shareholder Services (ISS) showed that more than 12% of respondents reported heightened importance of ESG considerations in their investment decisions or stewardship activities compared to before the pandemic.
In the area of hedge funds, there has been an increased demand for ESG-integrated investments since the start of COVID-19, according to 50% of all respondents of a hedge fund survey conducted by BNP Paribas Corporate and Institutional Banking of 53 firms with combined assets under management (AUM) of at least USD 500B.
ESG criteria may have a practical purpose beyond any ethical concerns, as these criteria may be able to help avoidance of companies whose practices could signal risk. As ESG gets more traction, investment firms such as JPMorgan Chase, Wells Fargo, and Goldman Sachs have published annual reports that highlight and review their ESG approaches and the bottom-line results.
But even with more options, the need for clarity and standards on ESG has never been so important. In my opinion, there must be an enhanced effort to standardise and harmonise ESG rating metrics.
How are ESG ratings made?
ESG ratings need both quantitative and qualitative/narrative disclosures by companies in order to be calculated. And if no data is disclosed or available, companies then move to estimations.
No global standard has been defined for what is included in a given company’s ESG rating. Attempts at standardising the list of ESG topics to consider include the materiality map developed by the Sustainable Accounting Standard Board (SASB) or the reporting standards created by the Global Reporting Initiative (GRI). But most ESG rating providers have been defining their own materiality matrices to calculate their scores.
Can ESG scoring be automatically integrated?
Just this month, Morningstar equity research analysts announced they will employ a globally consistent framework to capture ESG risk across over 1,500 stocks. Analysts will identify valuation-relevant risks for each company using Sustainalytics’ ESG Risk Ratings, which measure a company’s exposure to material ESG risks, then evaluate the probability those risks materialise and the associated valuation impact. ESG rating firms such as MSCI, Sustainalytics, RepRisk, and ISS use a rules-based methodology to identify industry leaders and laggards according to their exposure to ESG risks, as well as how well they manage those risks relative to peers.
Their ESG Risk Ratings measure a company’s exposure to industry-specific material ESG risks and how well a company is managing those risks. This approach to measuring ESG risk combines the concepts of management and exposure to arrive at an assessment of ESG risk – the ESG Risk Rating – which should be comparable across all industries. But some critics of this form of approach feel it is still too subjective and too industry-specific to be relevant. This criticism is relevant when you understand that the use of the ESG ratings and underlying scores may in future inform asset allocation. How might this better automated and controlled? Perhaps adding some AI might be useful to address this?
In one example, Deutsche Börse has recently led a USD 15 million funding round in Clarity AI, a Spanish FinTech firm that uses machine learning and big data to help investors understand the societal impact of their investment portfolios. Clarity AI’s proprietary tech platform performs sustainability assessments covering more than 30,000 companies,198 countries,187 local governments and over 200,000 funds. Where companies like Cooler Future are working on an impact investment app for everyday individual users, Clarity AI has attracted a client network representing over $3 trillion of assets and funding from investors such as Kibo Ventures, Founders Fund, Seaya Ventures and Matthew Freud.
What about ESG Indices? What do they tell us about risk?
Core ESG indexing is the use of indices designed to apply ESG screening and ESG scores to recognised indices such as the S&P 500®, S&P/ASX 200, or S&P/TSX Composite. SAM, part of S&P Global, annually conducts a Corporate Sustainability Assessment, an ESG analysis of over 7,300 companies. Core ESG indices can then become actionable components of asset allocation when a fund or separately managed accounts (SMAs) provider tracks the index.
Back in 2017, the Swiss Federal Office for the Environment (FOEN) and the State Secretariat for International Finance (SIF) made it possible for all Swiss pension funds and insurance firms to measure the environmental impact of their stocks and portfolios for free. Currently, these federal bodies are testing use case with banks and asset managers. Its initial activities will be recorded in an action plan, which is due to be published in Spring 2021.
How can having a body of sustainable firms help create ESG metrics?
Creating ESG standard metrics and methodologies will be aided when there is a network of sustainable companies to analyse, which leads us to green fintech networks (GFN) of companies interested in exploring how their own technology investments can be supportive of ESG objectives. Switzerland is setting up a Green Fintech Network to help the country take advantage of the “great opportunity” presented by sustainable finance. The network has been launched by SIF alongside industry players, including green FinTech companies, universities, and consulting and law firms. Stockholm also has a Green Fintech Network that allows collaboration towards sustainability goals.
We should be curious about how ESG can provide decision-oriented information about intangible assets and non-financial risks and opportunities. More information and data from ESG data providers like SAM, combined with automation or AI tools can potentially provide a more complete picture of how to measure the long-term sustainable performance of equity and fixed income asset classes.
Singapore FinTech Festival 2020: Investor Summit
For more insights, attend the Singapore FinTech Festival 2020: Investor Summit which will cover topics tied to 2021 Investor Priorities, and Fundraising and exit strategies
Why should a CEO get involved in and have visibility into an organisation’s Cloud investments? There are a few important reasons.
#1 Cloud is not a cost-saving measure – it will enable you to transform
Organisations have matured in their Cloud adoption and no longer evaluate the benefits of Cloud only in terms of shifting CapEx to OpEx. If we look at the benefits of Cloud adoption, reduction of IT costs is not even in the top 3 benefits that organisations are seeking from Cloud anymore. Operational efficiency and collaboration emerge as key benefits (Figure 1) – while some companies still move to the Cloud for the savings, they stay there for other benefits.
This requires organisations to think of Cloud as a technology empowering their infrastructure and services. Cloud acts as an enabler for ease of doing business, real-time data access for productivity increase, and process automation. This impacts the entire organisation. It also involves prioritising the needs of certain functions over others – definitely not what a CIO should have to do.
If we look at just Cloud storage as an example, organisations can no longer have individual functions and their associated shadow IT teams having their own Cloud storage (and collaboration). This often turns out to be more expensive and there is a lack of consolidated view and management. While organisations forge ahead with the dream of having real-time information sharing across functions, a CIO has to consider the entire organisation’s technological and business needs – a CEO is the best person to guide the CIO in translating the organisation’s vision into IT priorities.
#2 In fact Cloud adoption may not cut costs at all!
Organisations are also re-evaluating the cost benefits of Cloud. Investing in a Cloud infrastructure with a short-term view on the investments involved has led to instances of Cloud solutions being brought back in-house because of rising costs. While security, data privacy and integration remain the key challenges of Cloud adoption (Figure 2), over a third of the organisations find Cloud more expensive than traditional licensing or owning the hardware.
Organisations find that the cost considerations do not stop after the adoption or migration. As businesses use Cloud to scale, there are several aspects that require constant re-evaluation and often further investments – cybersecurity measures, continuous data protection (CDP), disaster recovery management, rightsizing capacity, software and database licenses and day-to-day maintenance, to name a few. In addition to this, the cost of finding and recruiting a team of professionals to manage and maintain the Cloud environment also adds up to the OpEx.
If the CIO is talking about a Cloud migration for cost benefits only, the CEO and the CFO need to step in to evaluate that all factors have been taken into consideration. Moreover, the CIO may not have full visibility of how and where the organisation is looking to scale up or down. It is the CEO’s responsibility to share that vision with the CIO to guide Cloud investments.
#3 Cloud will increasingly be part of all tech adoption considerations
In this disruptive world, CEOs should explore possibilities and understand the technical capabilities which can give organisations an edge over their competitors. It is then up to the CIOs to implement that vision with this larger context in mind. As organisations look to leverage emerging technologies, organisations will adopt Cloud to optimise their resources and workloads.
AI is changing the way organisations need to store, process and analyse the data to derive useful insights and decision-making practices. This is pushing the adoption of Cloud, even in the most conservative organisations. Cloud is no longer only required for infrastructure and back-up – but actually improving business processes, by enabling real-time data and systems access. Similarly, IoT devices will grow exponentially. Today, data is already going into the Cloud and data centres on a real-time basis from sensors and automated devices. However, as these devices become bi-directional, decisions will need to be made in real-time as well. Edge Computing will be essential in this intelligent and automated world. Cloud platform vendors are building on their edge solutions and tech buyers are increasingly getting interested in the Edge allowing better decision-making through machine learning and AI.
In view of the recent global crisis, we will see a sharp uptake of Cloud solutions across tech areas. IaaS will remain the key area of focus in the near future, especially Desktop-as-as-Service. Organisations will also look to evaluate more SaaS solutions, in order to empower a mobile and remote workforce. This will allow the workforce of the future to stay connected, informed and make more decisions. More than ever, CEOs have to drive business growth with innovative products and services – not understanding the capabilities and challenges of Cloud adoption and the advancements in the technology can be a serious handicap for CEOs.
#4 Your IT Team may be more complacent about Cloud security than you think
Another domain that requires the CEO’s attention is cybersecurity. The Cloud is used for computing operations and to store data including, intellectual property rights, financial information, employee details and other sensitive data. Cybersecurity breaches have immense financial and reputational implications and IT Teams cannot solely be responsible for it. Cybersecurity has become a Board-level conversation and many organisations are employing a Chief Information Security Officer (CISO) who reports directly into the CEO. Cybersecurity is an aspect of an organisation’s risk management program.
Evaluating the security features of the Cloud offerings, therefore, becomes an important aspect of an IT decision-maker’s job. While security remains a key concern when it comes to Cloud adoption, Cloud is often regarded as a more secure option than on-premise. Cloud providers have dedicated security focus, constantly upgrade their security capabilities in response to newer threats and evolve their partner ecosystem. There is also better traceability with the Cloud as every virtual activity can be tracked, monitored, and logged. Ecosystm research finds that more than 40% of IT decision-makers think the Public Cloud has enough security measures and does not need complementing (Figure 3).
However, the Cloud is as secure as an organisation makes it. The perception that there is no need to supplement Public Cloud security features can have disastrous outcomes. It is important to supplement the Cloud provider’s security with event-driven security measures within an organisation’s applications and cloud interface.
It is the job of the CEO – through the CISO – to evaluate how cyber ready the IT Team really is. Do they know enough about shared responsibility? Do they have full cognizance of the SLAs of their Cloud providers? Do they have sufficient internal cybersecurity skills? Do they understand that data breaches can have cost and reputational impacts? As cybersecurity breaches begin to have more financial implications than ever and can derail an organisation, a CEO should have visibility of the risks of the organisation’s Cloud adoption.
Cloud is no longer just a technological decision – it is a business decision and takes into account the organisation’s vision. A full visibility of the Cloud roadmap – including the pitfalls, the risks and the immense potential – will empower a CEO immensely.
For more insights from our Cloud Research, click below
4/5 (2) A report published by PWC last year states that “While CIOs and CISOs can take care of the technological aspects and in some cases compliance, the business risk, which is now apparent after the emergence of endless breaches in large conglomerates, can best be understood and managed in the boardroom.”
While I agree that cybersecurity is both an operational and business risk, the question of understanding the threat landscape and the risk exposure/risk position of the company falls on both parts of the business. The Board is responsible for the exposure and financial remediation of cyber risk, whereas the IT management is more operationally responsible for prioritisation of actions and remedies. But they need to be able to communicate on this topic together from both sides of the equation. Ecosystm research finds that 98% of global organisations involve the Board to drive their cybersecurity vision, while 88% of organisations look to their IT teams for operational management.
So, where do these two parties meet? How does the risk position of the company get communicated to both parties in such a way that they can both take the necessary actions and prioritise the resource allocation?
Dashboards for Discussion
This is where the discussion on cyber risk dashboards comes up. It is not a new topic, but some of the more recent solutions introduced in the market move beyond penetration testing to really highlighting the risk posture of the business and where resources should be allocated, as well as where the business compares to others in their industry. I will give a specific example of one such approach a bit later in this blog post.
I find the gamification aspect (e.g. industry comparison) a real driver for the Boardroom, as it allows them to position their risk profile against others to the relevant stakeholders and regulators of the business. Actionable metrics that can also be compared to others gives a feeling of control over a situation that frequently lacks control boundaries.
Maturity models vs. risk profiles
In the PwC article I mentioned earlier [written last year by Sivarama Krishnan], the focus was on actions the Board can take, which include the usual discussions of cyber insurance, data handling policies, reporting structures and a tie into the strategy of the business overall. But at a top-level, setting these kinds of priorities can only work when you have some form of metric checking to assess how operationally these kinds of strategic decisions are working for the business.
Figure 1: Barometric Reporting Scale
Source: PwC, March 2019
Having a reporting scale that is not only relevant and measurable but also actionable is key to tying the strategic decisions to the operational activities and overall resource and time allocations. You could use a cyber risk strategy framework, such as this one shown in Figure 1, but it needs to be fed with real-time information on the risk position of the business.
Creating actionable metrics
I mentioned previously that there is a need for solutions that create a communication point between the Board and the operational IT teams as to what risk position exists for the business, and how they compare to others in their industry.
Dashboards that create an overview of the risk portfolio exist, but they do not always tie to specific financial impacts to the business. Integrated risk management platforms, such as the one from CyberSaint Security, prioritise cybersecurity as a business risk and give access to the Board to have the ability to drill down into their compliance and risk posture across business units, asset types, projects and regions.
But one of the more concerning aspects of cybersecurity recently is ransomware, which locks up operations until a ransom is paid. One such solution that focuses specifically on the financial impact on the bottom line of ransomware comes from RiskSense and was launched last month. As a background, the RiskSense Platform utilises machine learning, risk-based scoring and analytics combined with technology-accelerated penetration testing, and then identifies and prioritises remediation of critical vulnerabilities that place organisations at risk.
Given the concern at the Board level on Ransomware, RiskSense decided to focus on the very vulnerabilities that make ransomware attacks possible. They recently announced their RiskSense Ransomware Dashboard which reveals all assets within the IT structure that are at risk to active exploits used by ransomware in the wild. This Dashboard examines the vulnerabilities used by ransomware based on risk factors including the presence of dangerous remote code execution (RCE) and privilege escalation (PE) capabilities, as well as vulnerabilities that are “trending” to narrow and identify which should be prioritised for immediate remediation.
Figure 2: RiskSense Executive Dashboard
Source: RiskSense, January 2020
In my opinion, this specific example highlights the two unique features of the RiskSense Ransomware Dashboard. For IT management, it is its ability to contextualise the threat landscape to highlight priorities and position the current security posture of the company. And for the Board, it is to compare the situation of the company to others in their industry to benchmark within the industry domain how effectively their cybersecurity efforts have been deployed. It puts the security team in more of an offensive (vs. defensive) mode towards its cybersecurity efforts and outcomes. And it allows the IT team to be able to communicate the risk position of the business to the Board with a series of actionable steps to address the vulnerability.
So from a communications aspect, and that of a shared resource to view vulnerabilities and actions, the introduction of the RiskSense Ransomware Dashboard makes financial risk sense, if you will pardon the pun.
For both regulatory and financial reasons, Board-level executives need to have cyber risk information for business decisions. This means having access to drill-down capabilities that show gap analyses from the category to the control level for various frameworks or standards. This might include either the NIST Cybersecurity Framework, CIS Critical Security Controls, ISO27002 or various privacy standards such as the NIST Privacy Framework and emerging California Consumer Privacy Act (CCPA).
Dashboards that tie to these frameworks do exist, but they need to be able to be used for communication of actionable activities and resource allocation, not just as a reporting mechanism for regulatory bodies and shareholders. The RiskSense Ransomware Dashboard discussed above is one good example of making transparency actionable and comparable. We need more of those in the industry to keep the communication flowing.