The right ingredients

In the world of banking, risk is king. Get it right and watch as your profits soar and clients stick to you like glue; get it wrong and watch as the proverbial dealer swipes your chips off the table and moves swiftly on. There are those who thrive on risk, and those who rely on it – but regardless of perspective, all know the golden rule: there is never a guarantee.

And while that rule is as poignant now as it was last decade, the brains working with risk have learnt how to manage it exponentially better. Algorithms, IT architecture and a more confident grasp of risk traits have all pushed the envelope of risk management - and for some countries, it has quite literally evolved their markets. Nowhere is this more prevalent than South Africa, a nation tarred by the international press in years gone by with the brushes of violence, crime and political instability.

But things are on the up once more, and for Annelie Schnaar-Campbell, Director of Group Risk Management at Standard Bank, that equates to more challenges and the chance to implement further risk management programmes on a global scale from the bank's Johannesburg-based headquarters, benefitting not only the company, but its clients and security frameworks too.

"To me, one of the key reasons we have big programmes for risk management is, because we are a global bank, we have lots of operations to graphically disperse across the globe," begins Schnaar-Campbell. "So what these big programmes enable us to do is to set a minimum of standards and frameworks in place, which further enables us to ensure a consistent approach to risk management. One of the benefits of using this type of programme is that we then have the ability to build up a pool of resources, which we can then allocate to these big projects. In doing so, we can develop the components that we need for effective risk management quicker than if we had to conduct separate, smaller projects instead."

Essentially, as Schnaar-Campbell puts it, employing bigger projects opens up the doors to think more strategically. By combining smaller projects, which take up more time and tend to be disparate in nature, she believes you can look at the overall approach and outcome, in turn helping to prioritise resources appropriately and to build something that would make more of an impact in the long-term. Indeed, one of the key priorities for Schnaar-Campbell right now is interpreting the requirements and proposals that have been defined by the banking committee.

Overcoming hurdles

"We analyze all of them as they become available and make sure that we know potential changes would need to be made to our risk management framework. We're also focused on making sure we have an integrated view of risk - both in terms of the legal entities within our group as well as having a view of our consolidated risks across different risk types. So, we're looking at ways in which we can pull data from various sources and bring them together, analyze it and be able to provide the results in the format of a dashboard to the correct management or board committees."

And, as per usual, standing in the shadows of the top priorities are the biggest challenges facing risk and compliance - with new regulations taking the gold in both contexts. But Schnaar-Campbell also cites having operations in more than one company and the need to stay abreast of all relevant requirements as other factors that need consideration.

"Also, if you look at more specific risks, the levels of sophisticated crime - in the context of syndicates that have created very well organised threats towards banks - is also a problem. And it's not just about syndicates from South Africa, but also from cross-border threats. We've also seen that fraud is moving from credit cards to debit cards, so I think whenever the bank closes gaps in being able to identify and frustrate fraud, then people move to a different area and continue their business. In terms of physical crime, we've also seen what we call associated robbery, where people are approached by criminals close to the location of the bank or near ATMs."

Another, obvious area for criminal exploitation is e-crime. With many presuming that because it's online, companies can implement tools and technologies to up security measures and manage risks, the reality is that it affords the criminal element the same leverage. Schnaar-Campbell cites developing the right security technologies at the right time and executing them with precision as one of two ways to protect customers from e-crime and continue to make secure online transactions; the other being education.

"Many times it's ensuring the customers are also aware of the situation, so that means helping them to become more aware of the potential risks and being more cautious about what they do. For example, it doesn't matter if you've got a fantastic system - it's more about taking the technology as far as you possibly can to protect the information of the customer while still ensuring that the customer is up to date about what they should be looking out for."

But in the current business climate, getting the balance right between potential risk and compliance programmes and their financial implications is pivotal to maintaining success across the board: efficiency is key. "The key thing is to understand exactly where the biggest benefits are and that you're focused on those," explains Schnaar-Campbell. "To me, everything we do from a compliance point of view has to be looked at to assess how it strategically fits in with the overall risk management objectives that we have, and ensure that the programmes achieve the outcomes to benefit the business or risk management in question. Essentially, when you implement something, implement it well - but from the start, make sure that you get the optimal benefit from doing that."

Avoid the risk?

The other side of the coin is compliance - a hot topic in the general arena of business since the global financial downturn - with many wondering whether compliance can ever completely eliminate risk. But as Schnaar-Campbell explains, the answer isn't as clear-cut as that, with it being extremely unlikely that risk could ever be completely eliminated. Furthermore, banks are in the business of managing risk and using it to leverage opportunities - so it wouldn't be in their best interests to eliminate it even if it was a possibility.

"I think it's more up to the board, as well as senior management, to ensure that there's actually a risk culture in the bank. In addition, ethics training is absolutely key - and that should never be about compliance. It should be about the best risk management that a bank can produce. For me, it's more about risk management than trying to eliminate risk, and banks are in the best possible position to do that - something compliance alone could never achieve.

"We need to be able to have a forward-looking view of what the potential risks that we have to face are; that we can measure it in a way that makes sense to us; we can price it; and we can then use it to our competitive advantage. So we really need to be able to track areas where there may be potential risks arising so we can measure and manage it. That's more important than trying to avoid it."

Of course, the idea of banks preferring to manage risk as opposed to attempting to avoid it is far from being groundbreaking news, but with risk becoming far more diverse and quicker to prevail in the current climate, perhaps the wish of companies like Standard Bank has come a little too true. But for Schnaar-Campbell, more risk translates into more opportunity. So where does she see priorities moving over the next 18 months?

"Well, it's looking at the integration, consolidation and aggregation of risk information across geographically split areas, as well as across risk from a systems point of view, tracking the new BCBS proposed changes to the regulations. What we're also focusing on is looking at data rationalization and making sure that we have the data available for management decisions at the right time, so making our systems more efficient in order to get the information available as fast as possible. That's from a systems point of view.

"From a governance point of view, if I can call it that, we're interested in streamlining the decision-making process, and for that we need to have the information available in a format that it can be understood and analysed very quickly in order to be incorporated into the decision-making process. Delving into more specific areas, we're also dealing with ongoing methodologies. We started conducting stress testing by building specific pockets of stress tests, for example in market risk, which has already been a requirement for a couple of years. As we've become more and more sophisticated in our stress testing, we've also seen a very good group level entity stress test with results, which we can then measure back against risk."

For Schnaar-Campbell, the remaining focus centres around coming up with the appropriate stress correlations between risk types: how to aggregate the different risk stress results in the best possible way - from the macroeconomic to a complete stress event - enables a better perspective of the complete picture. Indeed, as Schnaar-Campbell asserts, they already have a total picture available, leaving them enough maneuverability to work with the next level of stress tests.

"Our other focus is in the bank," continues Schnaar-Campbell. "At the moment, we're busy implementing the AMA approach for operational risks, so we started with a formal programme in January last year - and it's now one of the biggest programmes we have running. Obviously, that takes plenty of resources and a lot of focus, but again, it comes down to making sure that we get the right benefits and the optimal value out of that.

"For me, the key is whenever you do something, make sure it fits in with your risk management vision and framework, and don't do things in isolation," concludes Schnaar-Campbell. "But I also believe that these are the key risks that international active banking groups with banks in different locations are have to face at the moment. Make sure that you're able to get your data quickly and are able to analyse it and provide it in a way that people can make those key decisions as fast as possible. That's what you want to achieve in the end, so make sure that every component you've bought is aligned to that overall vision or framework that you have."

The fight against e-crime

As Schnaar-Campbell affirms, you can have the best technology in the world, but without educating your customers on the risks of e-crime - and how to overcome them - criminal activity will continue to prevail at blistering place.

With that in mind, back in May of this year Standard Bank became the first South African bank to provide its customers with free anti-phishing software that also protects against online fraud by malware, by offering protection against divulging sensitive financial details to unscrupulous third parties when banking online.

Itumeleng Monale, Standard Bank Director of Self Service Banking, said: "Phishing globally costs customers and the financial industry billions of rands annually. While financial institutions like Standard Bank have spent a great deal of time on consumer education and internal mechanisms to secure our systems, customers still find themselves out of pocket when defrauded by unscrupulous fraudsters over the internet when responding to phishing emails.

"Standard Bank believes that with the introduction of the free Rapport secure browsing software it has provided our customers with an effective mechanism that will help prevent them from divulging sensitive and personal financial information to third parties over the internet."

And, with over 500,000 phishing sites identified across the web in 2009 - with an average of 294 financial institutions targeted globally - Standard Bank is certainly putting the best foot forward for its customers. Unlike conventional security software, which block known attacks but can't keep up with the sophistication and speed of new ones, Standard Bank's online banking software can detect new threats where conventional applications like anti-virus software often fail to detect a phishing threat. On top of that, the software also has the capacity to inform the bank of potential bogus sites to that the bank's security division can take proactive action to prevent further acts of fraud.

"Very often customers have little recourse in claiming back funds from banks if they have compromised their personal financial details over the internet. Standard Bank believes that the introduction of our new security software will greatly reduce customer exposure to online threats like phishing" concluded Monale.