The risk equation

Managing risk is critical to the very nature of banking. Will customers be able to pay back the money the bank has lent to them? How will changes to interest rates and foreign exchange rates affect the bank’s business?

"Non-financial risk is essentially the risks that we run from managing our operations, our processes and our systems. And at ANZ, we group them into what we call risk themes.” – Kevin Corbally, Chief Risk Officer, ANZ

While these matters are considered the bread and butter areas of banking, there is another group of risks which banks must take in to account around how their business and systems operate. These are broadly described as non-financial risks.  

I recently sat down with ANZ’s Chief Risk Officer Kevin Corbally to examine what is included within the wide boundaries of non-financial risk – everything from financial crime, data security and international sanctions.

Watch the full interview below.

{video}

Below is an edited extract of the discussion.

Brett Foley: Kevin, we're used to hearing banks talk about credit risk. But there's this whole other area of non-financial risk. Can you help us understand what comes under that umbrella?

Kevin Corbally: Look, understandably, given their role, banks have been very adept over many years at managing financial risks – like credit risks that you mentioned. So, in other words, the risk of us getting the money back that we've loaned to a customer. Other financial risks that we manage include things like market risk, which has to do with movements and interest rates and foreign exchange rates. And also looking at how we fund ourselves, be that capital or liquidity.

But in relation to non-financial risk, that is essentially the risks that we run from managing our operations, our processes and our systems. And at ANZ, we group them into what we call risk themes. So think about things like anti-money laundering, or financial crime as another way of describing it, like data, like fraud, like cyber security. And we take the management of these really, really seriously.

The reason we do that is because if we get them right, then we minimize disruption to our customers. We also at the same time deliver a better banking experience for our customers, and we can ensure that their transactions run smoothly.

Brett Foley: Let's walk through a few of those topic areas. You mentioned financial crime. Can you tell us a little bit more about what banks are expected to do in that area?

Kevin Corbally: So in the case of Australia, we work really closely with our key regulator which is Austrac. We also work with law enforcement agencies and with other participants in the industry. And what we try and do is ensure we can manage those risks. And when I say financial crime or anti-money laundering risks, what sort of risks are there?

It could be to do with laundering money, but laundering money for a purpose of tax evasion. It could be fraud. It could be even child exploitation. There could be a whole range of reasons why people do that. We've been very proactive in that over a number of years. Some recent examples that I think are worth mentioning might be the work that we did developing an algorithm to identify parties who were defrauding the National Disability Insurance Scheme.

We shared that algorithm with Austrac. They in turn shared that with other banks, so the entire system can be more safe and more secure. Another example is the work we did developing, technologies to identify individuals who, when they make a payment to a customer, put some remarks with that payment that are clearly not appropriate. We've been able to identify some instances where it's led to individuals being arrested for breaching apprehended violence orders (AVOs). So that's the type of activity that we do in from a financial crime perspective.

Brett Foley: Data security is obviously another area that's topical at the moment. Can you tell us more about that?

Kevin Corbally: Look at the digital landscape we're operating in, it is rapidly changing. And we need to respond to that rapidly changing environment. So data is a prized commodity. Be that for state-sponsored actors, be it for others who are financially motivated. We've invested heavily in that. We have a team, we call it our Security Operations Center. It operates 24 hours, seven days a week. That team analyze millions of data points every day to try and protect our customers, protect our staff, protect the system and ultimately protect the wider community.

Brett Foley: And sanctions is a very interesting area. How does ANZ manage that risk?

Kevin Corbally: Sanctions has become a more complex area, particularly over the last two years. Obviously with the Russia-Ukraine invasion, there was a significant increase in the number of sanctions. We've had to work really closely with government and with government bodies and with our customers to make sure we're not breaching and our customers are not breaching any of the sanction requirements.

That means having really up to date tools and techniques available to you to be able to respond quickly when, in a given day, that could be multiple numbers of sanctions that are coming through that we need to update our systems for.

Brett Foley is Managing Editor of bluenotes