From Defense - EXL Service, Digital Intelligence, …...company culture. CRO 3.0: The Forecaster...

AN EXL WHITE PAPER

From Defense to Offense:The Evolution of the Digital Chief Risk Officer

Written by:

Jagmeet Singh

Vice President and Global Partner, EXL Consulting

Vikas Sharma

Vice President, EXL Analytics

Siddharth BhatiaAssistant Vice President, EXL Consulting [email protected]

A recent CRO survey indicated that

only 42 percent of bank CROs consider

their institutions to be extremely or very

effective in managing cybersecurity risk1.

Yet that risk type is ranked among the top

three that will increase in importance in

the next two years. And, we know, future

risks will be different.

The accelerating cycle of digital

business innovation is forcing CROs to

take a new look at enterprise risk. As

companies integrate technology into

more business processes, they open

themselves to greater security threats.

CROs must develop more sophisticated

responses and take advantage of all the

technology and analytic tools at their

disposal, many more than they needed to

manage traditional risks. The viral nature

of cyber-risk demands that they identify

early-warning mechanisms to flag where

problems may emerge before the risks

materialize. They will also need to evolve

from their current technical, IT-centric

roles of implementing and overseeing

controls to collaborating across business

units and corporate functions to influence

executive policy.

Underlying it all, the CRO will be forced to

look for more efficient practices to keep up

with the speed of innovation. Companies

still require their executives to do more

with less, even as market events increase

the number of risks.

Who is this next-generation CRO—the

CRO 3.0—the one who understands

the importance of digital technology

and analytics to enable the company’s

ongoing pursuit of new markets, products

and best-in-class performance? The

modern CRO is a mix of business acumen

and technical knowledge who can assess

A Threatening New World: The chief risk officer (CRO) has always walked a fine line to balance

the need to protect the business with the need to run it, but these are challenging times. Managing

risk and meeting regulatory requirements are difficult, and emerging risks are exacerbating

an already complex task. Cyber-risk, in particular, brings a new set of threats that are global

and internet-based and proliferate quickly.


EXLservice.com | 2

risk in digital environments and make

recommendations to improve company

resilience without overly compromising

business performance. Today’s CRO is also

a strong communicator who can serve

up data in frameworks that easily lead to

decisions. Simply said, the CRO must

be adept at right-brain as well as left-

brain thinking.

Evolution of the CRO CRO 1.0: The Technician

In earlier risk-management functions,

the CRO was responsible for building

risk models and creating frameworks to

quantify risk and ensure organizational

compliance. The role was technically

focused, with additional scope to create

systems and processes. S/he was not

required to forecast future risks and assess

asset liability; nor did s/he have a seat at

the executive table, where risk remained

under the control of business unit leaders.

Much changed with the emergence of

the digital enterprise, which refocused risk

management priorities on strategic, market,

cybersecurity and geopolitical risk.

CRO 2.0: The Strategist

As risk functions became subject to

business pressures, such as productivity

targets and cost saving, CROs assumed

greater frontline roles and helped

communicate the value of risk management

to the board. With their growing influence,

CROs were responsible for the company’s

second line of defense, behind the first-

line business owners, and contributed

to decisions affecting business strategy,

market risk, product development and

asset-liability management. They were also

tasked with setting up core enterprise risk

management processes and ensuring that

good risk habits were embedded in the

company culture.

CRO 3.0: The Forecaster

Today’s CRO is becoming the eyes and

ears of the business, enabled by big data

insights to mitigate emerging risks. With

the benefit of predictive analytics, CROs


EXLservice.com | 3

The modern CRO is a culmination of at least three “generations” of an evolving roleTo understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.

..since the CRO’s primary responsibility was to quantify risks and ensuring organizational compliance, the role was technically focused…

Source: (1), (2)

Developing enterprise risk management frameworks

Develop the risk function

Build risk models

Enhance systems and processes

Establish policies, governance and reporting structures

CRO 1.0 The Technician

..since risk functions will be subject to business pressures such as productivity targets and cost-saving CROs need to assume frontline role and communicate value of risk management to the board

Contribute in decisions such as business strategy, reinsurance cover, new products and asset liability management (ALM)

Successfully embed risk management in the organization

Set up core ERM processes

CRO 2.0 The Strategist

..in future, big data will be a key enabler for CROs to mitigate emerging risks via scenario and trend impact planning to deliver accurate predictions

Foresee future scenarios, identify threats and opportunities

Be a business partner whose performance will be measured by missed opportunities

Oversee operational and cyber risk

Use predictive analytics to plan long-term risk management strategies

CRO 3.0The Forecaster

and their data-savvy teams use scenario

and trend-impact planning to deliver more

accurate predictions. They are valuable

business partners who help identify

threats and opportunities and develop

long-term strategies that balance risk and

reward. Most importantly, they are leading

the company’s efforts to build a resilient

defense to emerging operational and

cybersecurity risks.

Digital Capability Priorities Companies that are actively integrating

digital technologies and tools into their

business processes are seeing benefits

from their agility, competitiveness and

overall effectiveness. CROs have important

roles to play in leading that digital

transformation, whether it’s on a modest or

more comprehensive scale. They must align

risk priorities and ensure that controls and

metrics are in place to scale risk initiatives

to meet market and transaction dynamics

while achieving an optimal level of business

performance.

To move these initiatives forward, CROs

will require an investment strategy that

prioritizes the adoption of technology,

process and tools that improve accuracy

and process, efficiency and reporting.

The modern CRO is culmination of at least three “generations” of an evolving role

To understand the significance of what might be required of CRO 3.0, here is a perspective on CRO’s role transition since mid-1990s.



Source: (1), (2)



Build risk models

















Source: (1), (2)



Build risk models

















Source: (1), (2)



Build risk models

















Source: (1), (2)



Build risk models

















Source: (1), (2)



Build risk models

















Source: (1), (2)



Build risk models
















EXLservice.com | 4

Key considerations should be given to

solutions that:

• Handle growing volumes of data with

greater efficiency

• Provide a single, firm-wide view of risk

and control

• Create consistent risk assessments

performed on similar processes across the

enterprise

• Provide assurance over a larger population

of transactions

• Consolidate multiple tools and

technologies and siloed reporting

standards that impede integrated

reporting

• Forecast and develop early-detection

mechanisms for cyber-risk and other

operational risks

As CROs align these priorities, they’ll likely

find inconsistent risk levels across the

organization and potential weaknesses in

the integrity of business processes and

service delivery. Where formerly security

practices and systems were segmented,

the digital model must have an integrated

approach.

Roadmap for Digital Risk ManagementAs strategic risks increase and the

marketplace innovates, CROs must have

a plan to innovate and quickly respond

to market events and emerging risks.

They should also gradually integrate

those technologies into the fabric of work,

building them into their operating model

and the work style of their people.

Create a center for excellence to

manage strategy, standardize execution

and reduce costs. CROs have learned

that they can achieve greater levels of

efficiency by centralizing risk processes for

reporting and transaction management.

Such centers help promote best-practice

adoption, competency development

and enterprise standardization. They also

enable other critical functions, such as the

rollout of early-warning mechanisms and

development of comprehensive risk reports

with consistent standards for board and

executive-management audiences.


EXLservice.com | 5

Implement robotics and automation to

improve accuracy and speed of reporting,

and provide continuous monitoring.

Robotics have many applications that

support high transaction volumes,

enterprise-wide compliance processing

and identifying discrepancies in large data

sets. This wasn’t the case ten years ago

when CROs relied on manual processes

to test controls on a sample basis. But

current technology and automation have

significant data-management and detection

capabilities that allow them to cover a

larger group of transactions. For instance,

robotics help risk managers focused

on fraud ensure that active employees

follow authorization rules and departed

employees are removed from databases in

a timely way.

Accelerate adoption of analytics to assess

organizational risk and embed in all risk

management processes. The complex and

global nature of business and its growing

dependence on information technologies

are increasing a company’s exposure to

events that can deeply impact its operations

and those of its suppliers. While modeling

methods and tools exist, many do not fully

address the challenges arising from the

development of end-to-end, integrated

risk-management systems. Predictive

analytics help harness and assess

Establishing a Centralized Risk Center of ExcellenceBy consolidating key enabling operational risk processes into a centralized CoE, organizations can drive efficiencies through better utilization and best practices adoption, promote competency development and enable standardization.

Risk Program Components

Policies & Standards

Organization/ Roles & Responsibilities

Program Governance

Risk Prediction & Reporting

Risk Reporting

Validation & Verification

Documentation & Data Management

Risk Policy and Strategy

Management Information

and Reporting

Scenario Analysis and

Predictive Analytics

Risk Analytics

DocumentationOperational

Risk Systems Management

Risk Compliance

Quality Control & Process

ImprovementEnab

ling

Com

pet

enci

esC

ore

R

isk

Pro

cess

esP

rog

ram

St

ruct

ure

Execution Support

Owns

Owns

Owns

CEO/CFO Board of Directors

CRO

Risk Management Team> Group Leadership> Risk Managers> Functional Leads> Analysts

Risk CoE> CoE Leadership> Competency Group Leads> Data Scientists> Domain SMEs


EXLservice.com | 6

enterprise risk. It allows CROs to pull data

from multiple systems to build long-term

policies and procedures. They also provide

a continuous feed of risk information to

facilitate real-time decision-making.

Leverage third party platforms to build

risk infrastructure. In order to reap the

full benefits of risk strategies, CROs need

to ensure that the risk infrastructure is

keeping pace with the increased complexity

of risk analytics. In the past, with little

innovation happening in the outside

markets, most of the companies ended up

building their own proprietary platforms.

Budgets hemorrhaged with cost overruns,

deadlines came and went, and it became

difficult to keep investing more money for

upgrades to keep in line with the changing

environment. The situation is drastically

different today. A variety of third-party

platforms have been developed that are

easy to use, integrate well with a variety

of data infrastructures, help spread the

platform development costs over a wider

number of users and provide a continuous

stream of upgrades and refinements over

time. Companies are finding it much more

economical to use third party solutions

for their data visualization and reporting,

data aggregation and analysis, big data

model development and implementation,

model scoring, model monitoring as well

as their risk decisioning platforms. Some

organizations are going even a step further

and creating sandboxes to experiment with

emerging technologies with third party

vendors. These third party solutions not

only help fast track major technological

augmentation, but also provide much-

needed, real time visibility into threats and

organizational readiness.

Develop proprietary assessment

frameworks to determine readiness

and response time for cybersecurity

and critical operational risks. In most

organizations, cybersecurity is a board-

level issue. CROs must work across the

enterprise to assess preparedness and

fortify resilience. Building and testing

new frameworks are critical to proactively

identify remediation practices that enhance

security and minimize fraud, malware and

other operational threats.

Build new talent models with professionals

who use machine learning and analytics.

As work shifts from human beings to

centralized platforms and bots, there will


EXLservice.com | 7

be a shift in the roles and talent profiles

required to do those jobs. CROs will need

to attract, retain and develop professionals

capable of taking big-data assets and

providing frameworks for quick business

decisions. In lieu of data collection and

reporting, digital risk managers will be

skilled in analytics and able to provide

insights into future risks and how to manage

them. They’ll also need to be savvy in

cybersecurity risk and effective approaches

to minimize threats.

Analytics: The CRO’s New WeaponAnalytics are providing CROs with powerful

tools to improve their ability to predict

and manage risks. With machine learning,

new modeling techniques and improved

profiling and reporting, CROs can take a

more strategic view of risk. They’re able

to better target growth with risk models

that work across the customer life cycle

on an ongoing basis; minimize the cost of

compliance with reporting strategies to

better analyze trends; improve the accuracy

of credit-risk testing; and effectively

balance the company’s growth goals and

risk appetite. Most importantly, they bring a

scientific approach to risk management with

models that align risk to a particular level of

performance.

Change in Expections from Risk Organizations


EXLservice.com | 8

Finding the Path ForwardAs CROs shift from technician to forecaster,

they must shed their traditional approach

to risk management for one that balances

technical knowledge with business

acumen. CROs will need to be savvy in

digital technologies and business models

that assess risk in an integrated digital

enterprise. They must also proactively

identify emerging risks and establish

early-warning mechanisms to ward off

internet-based threats. To accelerate that

transformation, the CRO should focus on a

few key areas:

• Increasing risk-management efficiency

and accuracy through process

standardization across the enterprise

• Prioritizing emerging-risk solutions to

address cybersecurity, financial crime

and IoT. CROs must bring a scientific

approach to identify both threats and

opportunities.

• Strategic partnering with the business

units and corporate functions to jointly

develop risk management plans. CROs

will help lead the company through a

period of rapid digital innovation and new

emerging risks.

• Enabling and sustaining business growth

by balancing risk and performance as the

company takes on additional risk.

• Becoming a change agent and managing

transformation with new collaboration

models and pilots based on testing and

learning and scaling and deploying.

Like any large-scale, change initiatives, the

path will be a zig and a zag. Implementing

an enterprise ecosystem of integrated

technology, processes and predictive

analytics will require strong working

relationships across the organization to

effect policy and cultural change. Business

structures must be reengineered with

security priorities in mind. And the CRO

3.0 will need excellent communication

skills to work with the board and executive

and business unit leaders to embed new

risk practices. In an age of increasing

technological complexity, these are not

easy times. But CROs have never had

a better platform to influence business

strategy and growth than they have today.

End Note1 Global Risk Management Survey, Deloitte, 2017


EXLservice.com | 9

GLOBAL HEADQUARTERS280 Park Avenue, 38th Floor, New York, NY 10017

T: +1.212.277.7100 • F: +1.212.277.7111

United States • United Kingdom • Czech Republic • Romania • Bulgaria • India • Philippines • Colombia • South Africa

Email us: [email protected] On the web: EXLservice.com

© 2017 ExlService Holdings, Inc. All Rights Reserved.

For more information, see www.exlservice.com/legal-disclaimer

EXL (NASDAQ: EXLS) is a leading operations management and analytics company that designs and enables

agile, customer-centric operating models to help clients improve their revenue growth and profitability. Our

delivery model provides market-leading business outcomes using EXL’s proprietary Business EXLerator

Framework®, cutting-edge analytics, digital transformation and domain expertise. At EXL, we look deeper to

help companies improve global operations, enhance data-driven insights, increase customer satisfaction,

and manage risk and compliance. EXL serves the insurance, healthcare, banking and financial services,

utilities, travel, transportation and logistics industries. Headquartered in New York, New York, EXL has

more than 26,000 professionals in locations throughout the United States, Europe, Asia (primarily India and

Philippines), South America, Australia and South Africa.

Date post:	12-Jun-2020
Category:	Documents
Upload:	others
View:	4 times
Download:	0 times

From Defense - EXL Service, Digital Intelligence, …...company culture. CRO 3.0: The Forecaster...

Documents