Meet Our Bloggers: Chris Thompson

Meet Chris Thompson

Managing Director, Accenture Risk Management
Chris Thompson is a managing director in Management Consulting and leads Accenture's Risk Management practice for North America, focused on financial services and capital markets. Since joining Accenture in 1992, Chris has worked with some of the world’s leading retail, commercial and investment banks. With more than 20 years of experience in large-scale change programs, he has experience in financial architectures, performance management, risk management, trading, middle-office operations and back-office systems. Chris holds a master’s degree in engineering from Southampton University, United Kingdom. He lives in Brooklyn, New York.

A blueprint for addressing cyber risk


This series has focused on cyber risk management, but what it’s really about is building cyber resilience. As we’ve seen in previous posts, in my RiskMinds International presentation and in Accenture’s paper, “Making Your Enterprise Cyber Resilient,” no financial firm will be 100 percent successful in preventing cyber attacks.

If complete prevention is not a realistic goal, then preparing the business to survive an attack, while also working to prevent most attacks, is the best way forward.

Businesses can take several steps to move toward a more robust, mature resilience model—one that seeks to reduce the impact of the inevitable cyber incursion. If I could recommend a map or a blueprint to follow, it would include these action steps:

  • Design an operating model that brings the right IT, risk and business resources into the process. The model can vary, and can range from an IT-led approach to creating a dedicated cyber risk management function, to appointing a cyber czar. My presentation at the RiskMinds International conference covered the pros and cons of these options. But we believe the best solution is to create a risk-led function that positions the CRO as a leader among peers in managing cyber risk. This will need to fit with your firm’s culture. If not risk led, then another clear leader should be chosen who can help unify the defenses across people, process and technology.
  • Taking the above item one step further, financial businesses could designate a chief cyber risk officer, empowering that person to monitor and manage cyber risk across all facets of the business. This person would work horizontally between the chief risk officer, the chief information officer and the chief operations officer to encourage proper investment, maintenance and control across multiple points of entry and attack.
  • Operational risk has evolved from a “tick the box” exercise for each function to an approach focused on high-risk processes and their controls. Sophisticated programs include scenario analysis. We believe cyber risk management should start with scenario analysis, and use that to flesh out the processes and controls that should be reviewed. Only then can you help to mitigate attacks that are looking for the cracks between your functions and processes.
  • Each scenario requires a clear response plan in case the worst should happen. Companies that respond well following a breach seem to preserve their reputation and maintain share price. This is not an area to think about later—it should be included as part of the up-front analysis. As you draft the potential press releases, it becomes clearer which controls should be in place and which are less critical. Again, this emphasizes a scenario-driven approach. Response plans should not be drafted by control or by functional areas.
  • As described in my previous post, firms should clearly identify the crown jewels—the most valuable pieces of content and data that must be protected at all costs. This prioritization step is critical when you acknowledge that 100 percent protection cannot be performed. Put your most powerful locks and your best cyber defenses around your most valuable information.
  • Talent management, in a talent pool that is small and highly competitive, is vital to a good resilience program. Know what talent you need—and when you secure that talent, provide robust training and build a welcoming culture to retain this talent.
  • Lastly, the cyber risk management function should formalize the framework—by building a series of processes and actions owned by the chief risk officer, chief compliance officer, business heads and the chief information security officer.

These steps are not all inclusive, and may not be completely applicable to every institution. But in essence, following these or similar steps can help a financial enterprise prevent cyber attacks where it can, and survive them where it can’t.

Three keys to cyber risk management

In my last post we talked about how financial firms can shift their focus when it comes to managing cyber risk, given the “slow leak” nature of many cyber attacks.

Accenture’s paper on this topic, “Making Your Enterprise Cyber Resilient,” proposes a methodology that weaves in three fundamental steps around identification, prevention and detection. My presentation during the recent RiskMinds International conference digs a little deeper into these three areas. From a prevention standpoint, building a strong risk culture and establishing controls are critical. From a detection standpoint, having the right metrics in place and building the right operating model can help.

These pieces are all important, but here I’d like to talk about three actions that could make a dramatic difference in any cyber resilience plan:

Focus on identifying your “crown jewels”

If you can’t protect everything, then identify what absolutely must be protected and put your best security around it. Think in terms of concentric circles, with your most critical data and resources at the heart of your security efforts.

Because your crown jewels are likely to be digital, this means you will be moving from physically segmenting your valuables to cyber segmentation. As noted in our cyber resiliency paper, you’ll certainly want to conduct regular penetration testing and take other measures to secure your cyber defenses. But we recommend moving beyond that, into things like advanced adversary impersonation, or hiring a group or individual to try to break in, helping you expose existing gaps.

Accept that some criminals are already inside

You may think your workforce is above reproach. But the fact is, large financial firms hire employees at scale, sometimes in the tens of thousands. It would be careless to assume not one of these could be a cyber terrorist, or a professional thief, or just looking to make some quick side money.

The internal threat is real, and it is significant. It may be time for firms to develop a dual approach to managing cyber risk—think back to the days when dual processes were built around tellers and around general ledger. Dual control approaches can be applied to the larger employee population as well. This, in tandem with building good locks to keep the outside criminals out, can help provide significant protection.
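The dual-control idea above (two people, neither able to complete a sensitive action alone) can be enforced in software just as it once was at the teller window. The following is an added illustration, not code from the post or from Accenture; the transfer object, the threshold value and the role names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed threshold (not from the post): transfers at or above this amount
# need a second, independent person before release.
DUAL_CONTROL_THRESHOLD = 10_000.0


class DualControlError(Exception):
    """Raised when a transfer would bypass the two-person rule."""


@dataclass
class Transfer:
    amount: float
    initiator: str                    # user id of the person who created the request
    approvers: set = field(default_factory=set)
    released: bool = False
    audit: list = field(default_factory=list)  # append-only trail for later review


def approve(transfer: Transfer, approver: str) -> Transfer:
    """Record an approval; the initiator may never approve their own request."""
    if approver == transfer.initiator:
        raise DualControlError("initiator %s cannot approve own transfer" % approver)
    if transfer.released:
        raise DualControlError("transfer already released")
    transfer.approvers.add(approver)
    transfer.audit.append(("approved", approver))
    return transfer


def release(transfer: Transfer) -> Transfer:
    """Release funds only if the dual-control rule is satisfied for this amount."""
    needs_second_person = transfer.amount >= DUAL_CONTROL_THRESHOLD
    independent = transfer.approvers - {transfer.initiator}
    if needs_second_person and not independent:
        raise DualControlError("amount %.2f requires an independent approver" % transfer.amount)
    transfer.released = True
    transfer.audit.append(("released", transfer.initiator))
    return transfer


def demo() -> dict:
    """Walk through the three cases a reviewer would check."""
    small = release(Transfer(amount=500.0, initiator="alice"))         # below threshold: no second person
    large = Transfer(amount=25_000.0, initiator="alice")
    try:
        release(large)                                                   # blocked: nobody else has approved
        blocked = False
    except DualControlError:
        blocked = True
    try:
        approve(large, "alice")                                          # blocked: self-approval
        self_approved = True
    except DualControlError:
        self_approved = False
    approve(large, "bob")
    release(large)                                                       # now allowed
    return {"small_released": small.released, "large_blocked_alone": blocked,
            "self_approval_rejected": not self_approved, "large_released": large.released}


if __name__ == "__main__":
    print(demo())
```

The audit list is the piece a risk function cares about: every approval and release is attributable to a named person, so the control can be evidenced after the fact and not merely asserted.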

Bring in risk management


Today, many cyber security programs reside in a business’s IT department, with loose oversight from the Risk Management function. That needs to change. Attack vectors span business processes and seek out the weakest point to gain entry. Typically people are the easiest target, with technology being compromised later in the attack, once credentials have been obtained. IT is a key part of the solution, but someone needs to unify fraud management, information process risks, conduct and security risks.

Do we need to make wholesale shifts, and move the whole approach onto the chief risk officer’s desk? Likely not. Further, other departments, such as HR and Communications, also own a piece of this challenge. But we think positioning the CRO as the “lead among equals” could bring the right focus for building cyber resilience.

My next post will focus on specific steps financial firms can take to begin building their cyber resilience strategy.

The new cyber risk mindset

For digital businesses, these are challenging times. While digital technology often brings opportunities and efficiencies, it also brings risk—a lot of risk. Gartner, Inc. predicts that by 2020, 60 percent of digital businesses will have suffered a major service failure due to an inability to manage digital risk in new technology and use cases.[1]

These circumstances apply particularly well to financial services firms who are revolutionizing their back office with Robotic Process Automation (RPA), or are digitizing their customer interactions through mobile payments and fully online management of services. Our paper, “Making Your Enterprise Cyber Resilient,” takes a look at the concerns facing banks and financial institutions. At the recent RiskMinds International conference I talked about the challenges facing banks and financial firms.

One of the biggest difficulties lies in finding a new way to respond to cyber risk. Often, financial businesses have focused on managing cyber risk as they would any catastrophic event. They envision a disaster scenario and prepare accordingly. The problem with this approach? There are some false assumptions at play. A cyber risk management plan that relies on the same backup and recovery plan as a natural disaster, or perhaps a terrorist attack, can quickly fail. Geographically dispersed backups of your data do not help if an active adversary is trying to delete them and they are connected online. For a cyber risk management plan, data should be separated in cyber space rather than physical space, with different passwords and encryption schemes.


Likewise, businesses often build their defenses anticipating a single, catastrophic event. Cyber attacks can be like that. But, unfortunately, they can also be more like a slow leak, with sensitive data dripping quietly away. Or, as I like to say, fighting cyber crime is more like keeping ants out of your kitchen than like keeping a criminal away. The key is this: Those ants may never be contained, but with the right strategy, they can be kept to a minimum.

Firms cannot protect themselves 100 percent of the time against cyber attacks. In our paper, we note that attacks are on the rise, and costs are rising too. We note that for financial enterprises, an attack is a matter of when, not if.

So what’s the answer? For financial firms, one step may be to revisit the evolving strategies around operational risk and compliance built over the past few years. As each of these approaches matured, businesses developed a more comprehensive, process-driven solution to address the issues at hand. They also became more effective at looking across functions and silos to address the highest risk processes.

We expect similar results, over time, when it comes to managing cyber risk. Even better, there are specific steps and actions firms can take now to begin managing cyber risk. Building resilience, versus seeking to manage all the potential leaks, is the essence of a solid approach. See my next post for how to begin.

[1] “Gartner Says 2015 Will See the Emergence of Digital Risk and the Digital Risk Officer,” Gartner, July 10, 2014.

Learn how financial algorithms fall under MiFID II compliance requirements

New trends are shaping and re-shaping financial markets—but regulations are quick to catch up.

Consider, for example, the trend toward using algorithms (“algos” for short) to help make trading decisions. Post market crash, European regulators were wary. They understood algos had the potential to adversely affect financial markets—particularly around transient liquidity that can result when order canceling volume is high, as well as impacting markets’ infrastructure when high volumes of cancellations occur.

Algos are well within the scope of Markets in Financial Instruments Directive (MiFID) II. Regulators stopped short of banning algorithmic activity altogether, but they do clearly require firms to implement critical controls and disclosures—to avoid adversely affecting the functioning of financial markets.

From a MiFID II standpoint, algos are considered to be systems, and the decision to transact at a particular price or quantity should be made without human intervention.

Much of the thrust of MiFID II, as noted in our recent paper, From Impact to Implementation: Addressing the Key Technology Impacts from Markets in Financial Instruments Directive II, is around technology fixes and solutions to help financial firms comply with MiFID II requirements. As you might expect, there are technology implications around MiFID II requirements and algo trading—both things to look out for in existing technology and new technology solutions that can address concerns. Here’s a look at some of them:


  • Before algos can be released into production, MiFID II requires that test packs, trade populations and environments be reviewed for compliance. Organizations should apply their best testing methods, but they also now need to document the testing and review process and be able to provide evidence as needed.
  • Trading venues will need to provide an appropriate environment for testing algos. Per MiFID II, they’ll additionally need to identify orders generated by algos, and know what algo strategy is employed by the counterparty.
  • Market making falls within the domain of algos and MiFID II too. Financial institutions engaged in certain algo activities are obliged to continually make markets, depending on certain conditions.
  • Business continuity plans are required by MiFID II, and for some businesses this includes an algo-specific “kill switch,” which may require sufficient human monitoring of the market and of executed transactions.

Technical solutions and processes can support financial firms as they work to comply with MiFID II requirements. Our paper offers much more on algos, as well as a deeper discussion on a variety of other business processes and strategies that fall under new scrutiny with MiFID II. I invite you to take a look.

Risk Leaders Can Take the Reins in Addressing Cyber Security

We’ve talked here about cyber security and its many tentacles: Whenever a business closes one security gap, a cyber criminal will continue “testing the walls” in search of another gap to exploit.

The problem spreads from the IT department to nearly every part of an organization, including, for example, a financial provider’s call center team, its fraud protection organization, its procurement and vendor management teams, the HR and recruiting department, the training department and even the corporate culture itself.

Seen this way, financial businesses seem almost porous when it comes to the potential for security breaches. Nearly every department is vulnerable, and thus each department must have its own security protocols and metrics.

When each department has its own processes, budget and strategy for cyber security, who owns the problem? Who is providing centralized coordination, and closing the gaps that might spring up between departments and operations?

In large part this is a corporate governance challenge that mandates individual departments put aside politics and jockeying for position so they can work together for the common good. Because the problem is all about risk, the CRO is the right person to lead this charge.

The risk department can push the conversation forward: Instead of a Chief Information Security Officer talking about secure technologies and budget needs, the Chief Risk Officer can elevate the discussion so security risk appetite and limits can be discussed alongside traditional risk types, such as credit risk, driving the conversation to a deeper, more sophisticated level.

Risk leaders know something must be done, but some are proceeding cautiously, waiting to see how things shake out. They can’t afford to wait very long. Banks need a comprehensive, holistic approach that can close the gaps in their business.

Banks that don’t solve this problem remain exposed to the opportunistic whims of terrorists and cyber criminals.

Cyber Criminals Opportunistically Exploit Gaps

If my client conversations are any indication, risk leaders everywhere are grappling with cyber security. Previously we observed how cyber risk has moved beyond monetary theft into data theft—opening an organization to potentially dramatic reputational risk.

Historically, risk leaders were often content to leave the cyber security problem to the IT department. A new role evolved, called Chief Information Security Officer (CISO). Securing the business rested in the CISO’s hands, and hinged on how much the business could spend to devise better cyber security.

That approach won’t suffice anymore. Why not? Because cyber criminals have moved on. They now pose threats that go beyond the IT infrastructure. Cyber criminals exploit whatever security gaps they can find.

Contrary to popular belief, cyber criminals are rarely devising brilliant code to break through the latest cyber security measures. These criminals—like any other thieves—are too opportunistic for that. Instead, when one gap closes they just poke around for a new gap.

Maybe a half-dozen years ago, cyber thieves could (and did) steal credit card data from big box stores by pointing an antenna at the store’s unsecured Wi-Fi. Once Wi-Fi security and encrypted data became the norm, criminals shifted to a new strategy—perhaps stealing an unsecured laptop from a call center professional. Or distributing spyware a bank’s associate might unwittingly install onto his networked PC. Or paying an hourly worker to take cell phone pictures of a computer screen containing social security data.

The problem isn’t always “cyber,” but it’s almost always tied to data and information theft. And, as we’ve seen, the problem is no longer confined to the IT department.

For risk managers, this is less an opportunity and more a mandate. In my next post we’ll look at how the CRO can lead the business toward comprehensive cyber security.

Cyber Security Shifts Risk from Financial to Reputational

Many of us have seen cyber security grabbing headlines lately. This past March at GARP, cyber security was a hot topic. Often it’s one of the first things my clients mention to me.

But despite the buzz, cyber security isn’t actually a new thing. Historically, banks and financial providers have long dealt with threats to their IT infrastructure involving cyber criminals breaking in and stealing money. Often it’s been viewed as a cost of doing business.

What’s new today is that cyber theft is no longer only about money. As data theft comes on the scene, the whole equation changes. When social security numbers, credit card numbers, embarrassing e-mails, health records or strategy documents are among the many data items that can be stolen, the challenge no longer is about working to minimize possible monetary damage.

Instead, the risk becomes reputational. The potential for damage to be catastrophic—and instantaneous—is real.

When hackers breach a bank’s security to steal money, it rarely makes headlines. But the theft of information is somehow more damaging and more embarrassing, and the entire world discovers it in an instant—as we’ve seen more than once in global headlines. Money is fungible, and stolen funds are replaced by the banks. Our information is not.

Seemingly overnight, businesses have gone from managing fairly known concerns such as credit risk—which can be measured and, to some degree, predictable—to managing little known and maybe more damaging risks posed by cyber security gaps.

Is this an IT challenge, or is it a risk management challenge, or both? What can—and should—risk managers do? In my next post we’ll explore what cyber risk looks like these days, and why “cyber security” itself may be a misnomer.

Data Helps the Risk Function Manage New Operational Risks

In last week’s post, I talked about the need for risk teams to use analytics and modeling so they can leverage data to make decisions. Why is mastering this so critical for capital markets risk leaders? Because getting operational risk management right changes the nature of risk management.

Traditional operational risk management is about measuring the damage and ensuring sufficient capital exists if something really bad happens. Now the emphasis shifts to prevention—the risk of reputational damage, to give one example, is so potentially sudden and far-reaching that averting disaster is far better than mitigating it.

Good use of analytics and data can go far toward developing a preventive approach. It’s called “predictive analytics” for a reason—gathering the right data and applying the right analysis provides trend information that can help predict events. Thus, when a bank sees a trader making an unusual transaction, say, at odd times, or with unusual products or volumes, it can insert an additional approval point into the process to help prevent fraud or abuse. That’s one small example of how capital markets risk leaders can leverage data to become proactive protectors of the business.
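As an added example (not code from the post, and not any product’s implementation), here is the kind of rule the paragraph describes: build a per-trader baseline from past trades, then flag a new trade for an extra approval step if it falls outside trading hours, uses a product the trader does not normally touch, or is far larger than their usual size. The trade history, the trading-hour window and the three-sigma size limit are all constructed assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample history (not real data): (trader, ISO timestamp, product, notional)
TRADE_HISTORY = [
    ("t1", "2015-06-01T10:15", "EURUSD", 1_000_000),
    ("t1", "2015-06-01T14:20", "EURUSD", 1_200_000),
    ("t1", "2015-06-02T09:40", "GBPUSD",   900_000),
    ("t1", "2015-06-02T15:05", "EURUSD", 1_100_000),
    ("t1", "2015-06-03T11:30", "GBPUSD", 1_000_000),
]

# Assumed desk parameters for the example
OPEN_HOUR, CLOSE_HOUR = 8, 18   # local trading window, inclusive start / exclusive end
SIGMA = 3.0                     # size limit = mean + SIGMA * population stdev


def baseline(history, trader):
    """Summarise what 'normal' looks like for one trader from their past trades."""
    rows = [h for h in history if h[0] == trader]
    if not rows:
        raise ValueError("no history for trader %s" % trader)
    sizes = [h[3] for h in rows]
    return {
        "mean": mean(sizes),
        "stdev": pstdev(sizes),
        "products": {h[2] for h in rows},
    }


def assess(trade, base):
    """Return the list of reasons a trade looks unusual; empty means it looks routine."""
    _trader, ts, product, size = trade
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if not (OPEN_HOUR <= hour < CLOSE_HOUR):
        reasons.append("outside trading hours")
    if product not in base["products"]:
        reasons.append("product not in trader's usual set")
    size_limit = base["mean"] + SIGMA * base["stdev"]
    if size > size_limit:
        reasons.append("size above baseline (limit %.0f)" % size_limit)
    return reasons


def route(trade, history=TRADE_HISTORY):
    """Decide whether the trade goes straight through or is held for an extra approval."""
    base = baseline(history, trade[0])
    reasons = assess(trade, base)
    return {"trade": trade, "requires_approval": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(route(("t1", "2015-06-04T10:00", "EURUSD", 1_000_000)))   # routine
    print(route(("t1", "2015-06-04T22:10", "USDJPY", 5_000_000)))   # held for approval
```

The point of the baseline is that the limit is specific to each trader rather than a single desk-wide number, which is what lets an ordinary-looking trade for one person stand out as unusual for another.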

Capital markets leaders are stepping in the right direction. Our report shows 42 percent of respondents have data analysis skills within their risk function, 38 percent have data management skills and 37 percent have modeling skills.


I would expect those numbers to rise as capital markets risk executives retool their teams, pushing them toward being a proactive, strategic partner to the business.

For more on how the capital markets risk function is evolving, see this year’s report.

Data and Analytics Equip Risk Managers for Proactivity

In my previous post about the results from the 2015 Global Risk Management Study I talked about making risk a part of the capital markets growth engine. Today I wanted to share a finding that I find particularly interesting for capital markets: The need for risk teams to use analytics and modeling so they can leverage data to make decisions, be strategic and act proactively.

Today only eight percent of risk executives say their decision making is aided by risk-based analytics tools. Clearly, there is room to grow.


Digital technologies generate reams of data, both internally and externally. We’re talking about big data here. Leveraging this vast, unstructured data is still a new discipline. It’s about tapping into traditionally gathered data sources, but also monitoring non-traditional sources like e-mails and other transactions, and keeping tabs on social media chatter.

This is where, for the risk function, the nature of the game changes. Yes, risk leaders still must manage traditional risk, ensure compliance and monitor progress on regulations. But now the function is taking on a whole additional role.

The new challenges facing risk managers, including exposure from social media channels, internal personnel miscues, gaps exposed via online transactions and more, are encompassed within operational risk.

Capital markets risk leaders have only started to tap into the many facets of operational risk. Yet our report shows 58 percent of them anticipating an increase in cyber risk, one key element of operational risk. Fifty-six percent expect disruption from new digital technologies. The same percentage foresees a rise in operational risk overall.

Resource constraints are an immediate concern: The Risk Management Study found only nine percent of capital markets leaders saying they have sufficient resources necessary in specialist areas such as modeling and emerging risk. There’s a glimmer of hope, in that 27 percent expect to have the necessary resources within another two years.

Why is mastering this so critical for capital markets risk leaders? Stay tuned for next week’s post. In the meantime, read more about how the capital markets risk function is evolving in this year’s report.

Making Risk a Part of the Capital Markets Growth Engine

If I could summarize the results of this year’s Global Risk Management Study for capital markets, I would say: Seize the moment. For risk leaders in capital markets, now is the time to move the function beyond a control-and-approve role. Given the increasing complexity of today’s risk environment, Chief Risk Officers (CROs) and other risk leaders can’t be content to act in a “middle management” capacity.

Our study found nine of 10 capital markets risk leaders agreeing that the risk function has an important role to play in supporting the business’s long term growth. These leaders know the risk function must change—and, ready or not, is changing—in response to the new threats and opportunities available in today’s digital, social, data-driven market place. But nearly as many leaders (78 percent) say their existing controls and compliance responsibilities are a barrier to change.

Capital markets risk leaders still need to handle their traditional activities, but they must unveil their ability to drive profitable, long-term growth for the enterprise. CROs now have a role to play when it comes to outpacing competitors and helping the business rise above today’s challenges.

How can capital markets CROs start moving the risk function forward? I believe a few key steps can help risk leaders elevate their function:

  • Crafting partnerships throughout the organization, supporting the journey toward building a comprehensive risk culture. Surprisingly, only 10 percent of capital markets risk leaders say their organizations have a strong risk culture—plenty of room for improvement here.
  • Recognizing—and stepping into—the new role demanded of the risk function. Businesses generally have good mastery of financial risk and so risk management has settled into a control role. It’s the new risks that are less understood but no less troubling for capital markets: cyber, conduct, social media and operational risk. Four of every five risk survey respondents say emerging risks, such as cyber attacks, are consuming more of their resources. Guiding the business through these concerns will increasingly be a priority for the risk function.
  • Tightening connections between risk and finance to drive efficient use of capital, balancing between profitability and regulatory requirements. Today, only one in five (22 percent) of risk leaders say their function coordinates closely with finance to drive decision making. The same percentage uses integrated data resources for risk and finance.

Taking these steps won’t be easy. CROs will need to build deeper relationships throughout the business, but that alone won’t move the risk function to where it needs to be. Investing in talent, particularly in specialized areas such as modeling non-financial risk and assessing emerging risk, will be a critical step in building a stronger, more influential risk function. Much progress is to be made on this front. Only nine percent of risk leaders say they have the right talent in place when it comes to specialized areas such as emerging risk.

Accenture’s 2015 Global Risk Management Study explores these issues across financial services and particularly for capital markets. My next post will take a look at big data, and what capital markets risk leaders can do to make the most of it.

Meanwhile, remember: Seize the moment. The market conditions and regulatory climate make this the right time for capital market risk leaders to expand their role beyond the second line of defense.

To learn more, read the Global Risk Management Capital Markets Report.