In my past tenure as an executive with senior risk teams, I reported to, or worked closely with, Chief Risk Offices or Officers at very large global banks. The analysis and insights that these CROs must provide across a vast number and types of risk are complex, and this certainly presented even more challenges during events like the 2008 global downturn. With cybercrime on the rise, and digital banking making transactions even faster and more complex, the problems continue to grow at a rapid pace.
What I noticed during this experience was that not all executives, and that included the CROs themselves, were particularly astute about risks associated with cybercrime and other digital banking issues in general. These CROs were buried in stress testing, compliance and regulatory changes, and overall bank economic and operational risk. But these times are requiring changes and increased experience in a range of other concerns that make the Chief Digital Risk Officer a new or redefined job description at most banks – and if it isn’t, it should be.
Chief Risk Offices at financial institutions and other corporations may really require a new member of the executive risk team, someone who is experienced and can review the new emerging risk that comes with all things digital. 2016 brings with it even greater challenges in the digital protection of our customers and our businesses — evident with many of the headlines in our daily news feeds.
What are some of the key duties that should be part of the job description for this position and which of these would help your business better define and identify the right hire for your business? First, the right candidate for the position would possess the ability to create the right policy, procedure and technology strategy that would both balance the ease of customer use of products and ensure protection in the event of a major breach. Of course, they would integrate with other officers across the firm, but the buck would stop there in protecting customers at the institution.
Specifically, working closely with the Chief Security Officer, the candidate should demonstrate his or her expertise around managing catastrophic loss via cyber-attacks and the implications of real-time, digital money movement. Since payments are moving more and more in real time around the world, this knowledge base would include all aspects of the bank’s business including Retail, Commercial and Private Banks. This means the Chief Digital Risk Officer would need to have a wide-ranging and deep understanding of digital data, emerging digital threats, and how fraud occurs in a digital environment.
The Chief Digital Risk Officer would also possess the skills needed to identify “who does what” in a digital crisis – and would map the organization according to this plan. The Digital Crisis plan should address escalation issues and contingency planning, and address ownership areas during a cyber or digital crisis affecting data, fraud monetary loss, and other key issues. The bases that need to be covered would be clearly identified and considered in any crisis planning. Beyond planning, the Chief Digital Risk Officer should also ensure that any lessons learned and business intelligence are shared across the organization, so each line of business, product owner or channel owner can adjust their own dedicated risk strategies as digital risk evolves.
Last, the Digital Risk Officer would ensure that the institution has a comprehensive and well-articulated digital fraud risk vision and corresponding technology roadmaps in place, and ensure that this vision is updated as the risk environment changes. The Officer would also have deep industry knowledge on the role of analytics in this vision. The Officer would keep a close eye on convergence, and how digital is enabling mobile product strategies.
Overall, the role should be designed to ensure that the banking institution or corporation creates trust in the digital environment, with the ultimate objective that consumers and businesses do not feel “unsafe” when making a digital payment, storing personal information or depositing their money with them.
I know I am not alone in this view – Gartner issued its own commentary on this not too long ago, stating that, by 2017, one-third of large enterprises engaging in digital business models and activities will also have a digital risk officer (DRO) role or equivalent.
I think you have the picture. No matter what title you give to this “new” position, the objectives themselves aren’t so new just because they are “digital”. At the end of the day, we must create confidence in the bank’s product owners, channel owners and technology teams that ‘digital risk’ in its newest forms is fully understood and that digital risk policy is implemented in an agile, smart and efficient approach.