Chris Sparks, Chief Risk Officer at Atom Bank, spoke to bobsguide to discuss nightmare risks, the burgeoning technological revolution in risk management and how a digital challenger bank is approaching PSD2 and GDPR.
Chris started out in risk management with a grounding in computational mathematics and data analysis. After leading the analytics team at Forward Trust, Chris pursued a career in risk with a number of the significant names in finance and banking and this culminated in him being chosen to lead Atom’s risk management. To all intents and purposes, Chris’ education and experience in data analytics equipped him with the vital skills of the evolved CRO.
How do you know when a risk manager is doing a good job? Is it simply a case of averting the worst and hoping someone notices?
It’s a fine balance to determine a ‘good’ job - taking too much risk, or not taking enough. On the one extreme, you might not lose a penny, you’ll keep the book clean, but your income numbers will be thin. On the other you could see capital undermined by lax policy underwriting or poor conduct risk decisions. The former will erode your position slowly, the latter can be a quick death; it’s our job to find the balance that ensures profitability and longevity.
We do this by deciding how much rich food and how much fibre the bank needs to survive and prosper. We quite literally set a risk appetite which gives the bank boundaries that help it meet its objectives safely. This means setting lines that sometimes appear arbitrary, £1 or 0.1% more or less and we won’t go there. However, risks are never isolated to one event or one number so the appetite is a complex mash-up of maths and experience. It’s also iterative and something that evolves; good for analysts with a wider world view.
There’s a line of defence in risk which we won’t go over, but that is a difficult line to define. It reminds me of that scene in ‘Yes, Minister’ when the Nobel peace scientist is demonstrating that the Prime Minister wouldn't launch Trident as a ‘last resort’ in response to a hypothetical slice-by-slice Russian invasion. It’s the same with risk, where the situation is next to no different just after the line, so where do you reasonably set the risk line?
More and more good data analysis leads to better risk function. Do CROs need more freedom than they’re perhaps permitted to leverage emerging technologies?
Absolutely, otherwise you’ll be running yesterday’s risk department. As a CRO, it’s your responsibility to shape a department that will solve tomorrow’s problems. To do that effectively, you need the freedom to keep up with technology and how the trends and regulations are changing. Personally, I do that by attending conferences, reading amongst others a certain bobsguide, and being on the advisory board of the Credit Research Centre at Edinburgh University as well as the Computer Science board at Durham University.
If we look at the evolution of neural networks to deep learning, the technology has pushed at the boundaries of what computers can do and that can be applied to better risk management. If you’re not willing to open your mind to where that tech will go, you’ll very quickly be left behind as a CRO.
Does the digitally native Atom Bank share the same risks as incumbent banks?
Yes and no. No, because we don’t have the issue of outdated systems. Nor do we have risks associated with underused and undervalued branch networks. I also don’t have the big conduct risks that the incumbent banks have been fined over. Whilst we share the same broad risk categories, what’s important is that our cultural and philosophical approach differs to incumbents. We don’t have a conservative history that keeps the system in status quo, for instance; Atom doesn’t have that restriction. Atom is actually trying to build the bank of the future and stepping apart from the slight grubbiness with which the incumbents have been tainted. For those two reasons, I decided to come on board as CRO.
In terms of being a digital bank, Atom is trying to cultivate a secure alternative as an app based bank. It can only be accessed from the authenticated device, so there’s an instant flag. Aside from being completely online, a digital bank carries a certain philosophy that we know what we do, and we’re not trying to cater to everyone.
What risks are you most concerned about for 2018?
We’ve alluded to the regulations coming in next year, and we’re aiming for compliance, nothing less. We’re also monitoring how the economy is going to react. From a bank’s perspective, if the economy takes a tumble and interest rates go up, affordability could be impacted and that might emerge through credit metrics.
Cyber threats have got to concern every company, not just digital banks. Particularly with the ransomware attacks and the Equifax breach, there’s no room for complacency. As a digital bank we keep ourselves focused around the emerging cyber threat landscape and knowing who the actors are.
What is the nightmare scenario for any CRO?
As risk people, we’re always thinking about the worst things that can happen and a lot of that goes into the stress testing that we undertake. The worst scenario is a sequence of things all happening at the same time. As we’ve discussed, a cyber threat is probably of most concern if all your data was compromised; that could be an existential crisis.
Combatting a threat like that is difficult. Even though Atom has highly sophisticated defences built on our confidence and awareness of what’s going on, we can’t relax; we have to be proactive in defence. From a consumer security perspective, having your account accessible by only your approved device limits the risk of data exposure.
But to combat any type of scenario, we have a well-developed risk and control self-assessment process as well as a risk event reporting system which logs and monitors those risks. We know that we’ll make mistakes and part of the reporting system is so that we can review and learn and rule out making the same mistake twice.
There’s a need to have a constantly sceptical attitude towards your systems and controls; just because nothing is going wrong does not mean it’s working perfectly. To perform the risk function well, it’s about having that inquisitive mindset and a restlessness about checking and understanding the nuances of risk.
Would you say that CROs should be innately curious?
Absolutely. We’ve been referred to as Chief Executive Worriers and we’ve had a bad rap. If the only time someone on the board hears from you is when you’re telling them something’s gone wrong, you’re going to be associated with that. It’s not so much an emotion of worry but rather the idea of being curious and being on top of things.
Personally, I don’t think I have any more stress in my role than the CEO does. My own approach is to make sure you’re looking forward and not dwelling in the past and addressing the issues that are in front of you and how the landscape is changing.
If you do that well, it’ll give you confidence, which means you won’t be worried.
What is the future of risk technology?
I don’t think we can be anything other than awestruck about where technology is taking us. For instance, Google has taken us away from the individual expertise of fluency in language and applied machine learning to translation by consuming vast amounts of data (books in different languages) and finding correlations. And that’s what we’ll see with neural network technology - they’re not really interested in the concept behind the question, but they are interested in the patterns. They can quickly find these often deeply embedded or complex patterns that a human simply cannot compute.
I could see neural networks being used in authentication. As we’re a mobile bank, think about the amount of data your phone produces that can be computed into patterns. The neural network can then detect anomalies and changes to those patterns. A combination of inputs might flag up fraudulent use: the phone might be held in the other hand, it might be in an unlogged location, or the tap rate on the screen might be minutely different - essentially, we could build a digital fingerprint of behaviour. But that’s not just about fraud prevention - vice versa, it can be about reducing friction in genuine transactions. For example, if you need to transfer a large sum of money quickly which, by today’s standards, would be flagged for manual authorisation, the use of AI could automatically verify that it is you authorising the payment.