Last month over three hundred risk professionals gathered in Washington D.C. to focus on the digital landscape and emerging risk factors for Third Party Risk Management at the 10th annual Shared Assessments Summit. Thought leaders from many verticals, including financial services, healthcare, asset management, and consumer products provided market insights on a variety of topics that are shaping our collective perspectives on third party risk. Panelists and Keynote speakers challenged our viewpoints and helped us focus our reflections on the pace of digital innovation, market disruption & disrupters, and how cyber technology transformation is changing the risk landscape. During networking events and case studies with peers, the dialog on information sharing and best practices showed the power of collaboration.
As I took notes and jotted ideas to bring back to my coworkers and business partners, I highlighted key “Ah-Ha” concepts and thoughts to share with the power of simple words that highlighted the messages shared at the event.
Uncertainty and change tend to top our media news feed, and change is occurring within the financial services industry. The traditional bank, the traditional consumer, are adapting to the new suite of services that leverages enhanced technology and innovation.
Pace of Digital Innovation
A milestone occurred at the end of June when the smartphone celebrated its’ 10-year anniversary. Who knew a decade ago, the number of products that the smartphone would eliminate from our daily lives: Maps, watches, personal cameras, landline phones, etc. The power of a smartphone today has the computing capacity that our mainframe computers had back in 1969, when the unachievable had been going to the moon, and that moon-shot goal was met. Digital Innovation continues to grow as access to payments and mobile are changing the way consumers pay. It is challenging for the laws and regulations to keep pace with these changes, and even the traditional ways that policy is influenced are going digital. “Social Lobbying” or using social media to spotlight a topic, a change, or a need for regulatory innovation are speeding the pace for how we adapt traditional financial products and services. Agile development has eclipsed traditional models when apps can release new capability every three hours vs. a staged software release process.
Market Disruption & Disruptors
The market disruption is not just based on new entrants to financial services – the so-called “FinTech” disrupters; but also by our demographics, business models, buying behaviors and workforce patterns. The Baby Boomer generation is staying longer in the workforce, triggering fewer opportunities for workplace advancement. Millennials have different perspectives on how they look at credit and use payments. Millennials, in fact, are more likely to go to the dentist more frequently than going into the bank branch. Their smartphone is becoming the new financial advisor to the younger generation.
Business models and business needs are shifting – who knew how concepts like Uber and AirBnB could disrupt established businesses. This shift in business models has industry predictions that 40% of today’s Fortune 500 companies won’t exist by 2025. Change is not just a transformation, but the digital data landscape is creating exponential change. These changes are disrupting traditional banking services at a greater pace. Peer-to-Peer lending which today is a $10-15 billion-dollar marketplace is expected to rise to $1 trillion by 2025. It is also estimated that 40% of our workforce by this same timeframe will not be employed in the traditional corporate structure, but in an independent or entrepreneurial capacity.
This level of disruption has triggered a strategic dialog for the need for “Regulatory Sandboxes” to aid regulated financial institutions and their service providers to have a safe place for innovation, and continue to meet the needs of consumer trust and regulatory oversight. We are going to the concept of “RegTech” in terms of how we balance innovation and regulatory compliance. Technology and business models like Bitcoin and Blockchain, change perspectives on how to manage oversight, risk, and compliance in a Cyber ecosystem.
Cyber Technology Transformation
Today’s Cyber landscape has evolved past traditional security breach notification obligations. The usage of Cyber for warfare and disruption is changing how difference ecosystems respond. Recent Ransomware attacks on targeted verticals focused on the criticality of the speed of response, and collaboration or information sharing to identify solutions. Wannacry was a wake-up call on disruption, and Petya identified downstream impacts when even international shipping and distribution can be disrupted by a targeted attack. IoT is changing the cyber technology footprint. Responding to each type of vulnerability threats can be compared to a cyber version of the childhood game of “Chutes and Ladders” where security and risk professionals are responding to the threats that impact their organization, or leverage the events to broaden cyber acumen to the C-Suite with up the ladder communications.
Building out an organization’s cyber defenses requires unconventional controls to mitigate risk in today’s technology transformation. MIT’s Technology Review identified trends in Artificial Intelligence for 2017 to highlight the transformation of technology vectors like positive reinforcement, dueling neural networks, language learning, a boom in AI in China, and predicted even backlash to AI hype. Knowing your devices is not a perimeter game, but an ecosystem and interconnectedness mapping plan. Think the game of Risk and Battleship, but on the cyber security game stage.
We are going from a focus on binary authentication to behavior based authentication. Securing data is not just about controls – but rather the threat can come not from the stealing data, but changing the data, or repurposing the data. Data integrity is becoming an emerging area for thought leadership as the quality and accuracy is not just about trust, but rather how modified or “fake data” can change collective thought and actions by not only individuals but companies and governments. I remember a spy novel from decades ago that spoke to the difference between “misinformation” and “disinformation”, and those words read truer today. Content and data integrity are key controls in this new landscape.
Evolving Focus on Third Party Risk
In a time of transformation, risk professionals need to collaborate to mature and adapt third party risk programs. The definitions of a third party evolve as cloud computing becomes the norm. Each organization needs to expand their cloud expertise to ensure they have a clear understanding of which controls are within their direct accountability. The focus is becoming more strategic and focused on the revenue enablement vs. being structured as the “no department” for risk approvals. Third-party risk management is shifting from continuous monitoring to automated monitoring. Risk appetites adapt to leverage innovation and transformation. I’d call this evolution 3rd Party RiskTech.