Head2Head: Impacts of Digitisation
By Bruce Meuli, Global Transaction Services Advisory Executive, EMEA and Jonathon Traer-Clark, Head of Strategy and Advisory, Global Transaction Services at Bank of America Merrill Lynch
Bruce and Jonathon tackle risk in the digital domain, and discuss the real-world impact of innovation on working capital.
Managing Risk in a Digital Environment
Bruce, let’s talk about risk. We know that the treasury discipline has been very good around things like liquidity risk, exchange rate risk and interest rate risk. But I would argue that there's another concept that treasurers are now worrying about much more today, and that’s digital risk. Would you agree?
Are you thinking pure digital risk or are you coming at this from a wider operational risk perspective? I think people often get that confused.
That’s an interesting take on the matter, can you explain?
The way I see it, some of the weakest points in any process, from an operational risk perspective, are where we see manual intervention, simply because those processes are not digitised.
I think that you could look at this in two ways. Digital does increase the opportunity for cyber threat for instance, but then it may also reduce the opportunity for fraud from a manual basis.
If you fully digitise a process then it becomes an IT issue. With that, you can actually make your response to the process far more proactive. By that I mean you have more data to manage, but if you automate you can manage that data more effectively on a continuous basis because there are no breaks in the chain. If you have manual processes, it becomes more difficult to maintain the flow, and the manual links in the chain – where the process stops and restarts – become the weak points.
But does it? If I write a cheque – a truly manual process – I am saying ‘Here’s the money I owe you’ and I give you the cheque. You have been paid.
Let’s look at it from the other side of the ‘digital’ coin. I might decide to send you the money through an electronic banking system. But if that was a fraudulent payment, how can that be stopped? With a manual process, I can just tear the cheque up. With a digital process, that payment has gone; it’s instantaneous.
That’s a very good point – and if you think about real-time payments, it’s true and there is no ability to stop that. But there have been some incidences where a payment has been initiated and it’s been caught before it’s gone too far through the banking network. If you use real-time payments though, that opportunity for an early catch disappears.
So yes, the digitisation of some of these processes can increase the risk. But what I am saying is that with a digital process such as machine learning, you have more ability to build in checks and balances using data – the ability to detect and mitigate, before something occurs.
So it’s not about the actual mechanism by which you create the settlement, the real story is about how it is possible to actually catch the fraudulent act before you get to settlement?
Exactly. Just on input controls alone, where you can only enter data which fits what has been prescribed for that field, you have an entry check right at the beginning of the process. But even if that goes through further, you can have all sorts of other checks in place. How should this payment be made normally? Do we usually make this payment? Has a payment gone through which doesn’t normally go through? These questions should raise exceptions.
That is similar to pattern matching. What we are picking up then is an abnormal behaviour.
Here’s another consideration – the need to train your staff differently. They have to be comfortable saying ‘no’ to an instruction.
We’ve all seen the messages about receiving an email from the CEO. It looks and sounds legitimate and has an urgency that can trick some people into sending huge sums. To me, there has to be a multifaceted approach to risk. I don’t think it’s only about digital pattern matching or any of the other smart technologies; it also has to be about training people and giving them the confidence and the ability to sit comfortably within that process – it’s about promoting good conduct.
I agree. People will always have a role somewhere in the process and that role will evolve. What’s important, is that education and development prepare people to evolve with the changes and ensure that they work within best practices. It’s about getting people into the right behaviours.
It’s an interesting conundrum that the more a process is digitised, the greater the risk of it being undermined by cyber criminals, and yet the more a process is digitised, the greater the ability to implement embedded controls in a system to protect against such an attack.
But it is also the case that if one or more manual procedures are retained within a process, where rapid digital tools such as Faster Payments are used at the end of that process, those human interventions make it far more likely for error or fraud to occur yet not be detected. This presents a huge risk as once an instruction has been sent through a faster mechanism, it cannot be recalled.
Every manual intervention in an otherwise digital chain will create a potential bottleneck or the opportunity for human error, each time halting the digital flow and adding risk.
Furthermore, these breaks not only create operational cost in terms of staffing, they also have a negative working capital impact; the inevitably slower speed at which collected funds are booked, for example, has wider financial consequences.
The ideal is therefore ‘fully digital’, with appropriate checks and balances embedded throughout the process. Of course, humans will still be involved to a greater or lesser degree in many processes, although more on the managing, rather than the executing side. To minimise the inherent risks this creates, there will always be a need for risk education and instilling good practice as the norm.