Cyber attacks, errors in operational processing, unsatisfactory performance from a partner company, or interest rate movements that affect the equity and revenue in the bank – these are all risks that can occur in financial institutions. By establishing a risk management team, companies identify, assess, monitor and control the risks that are relevant to them. Matthias Lips, Head of Risk Assessment & Control at PostFinance, shows which types of risk PostFinance is confronted with, how risk management is organized internally and how all employees are made aware of the risks in their unit.
Integrated risk management: all risks on the radar
From the Board of Directors and Executive Board to the business units and right down to individual employees, risk management is a concern for everyone at PostFinance. Matthias Lips leads a team in the Risk Control section that manages the professional handling of risks. In this interview, he explains his tasks and current challenges.
What types of risk are there at PostFinance?
We generally differentiate between financial, strategic and operational risks. Financial risks include interest rate, credit, market and liquidity risks. Strategic risks are more about the danger that a strategic decision to access a new market subsequently proves incorrect, or a danger that arises as a result of disruptive changes in the market environment. With operational risks, we’re talking about a very broad range of possible events, connected for example with cybercrime, sourcing partners, faulty business processes, pandemics or dealing with data.
What are the specific tasks of the Risk Assessment & Control unit?
We belong to the Risk Control unit and, from an integrated and independent perspective, we ensure the identification, assessment and control of risks throughout all units of the company. We focus on the strategic and operational risks for the entire bank, ensuring that all significant risks for the bank are identified and that those responsible for dealing with them adopt an appropriate approach.
Two monitoring teams are also part of Risk Control. One of these monitors the financial risks and the other the non-financial risks. To do this, both teams carry out testing, analyses and controls in very specific topic areas and ensure appropriate reporting to the management team. They check in great detail whether all risks have been identified, measure them correctly and ensure that they are being appropriately managed. This can for instance include validating models that calculate key figures relating to financial risks.
Which competencies are bundled in your section?
As our tasks are very varied, employees working in my team have quite different backgrounds. We primarily have a SPoC role (SPoC stands for “Single Point of Contact”), where we specifically look after individual units and this requires specific skills. For example, if a team member is responsible for the Payment Solutions business unit, they ideally have experience in the field of payment solutions; if they support IT and Security, they should have an IT and security background. As a team, we are very broadly positioned – between us we have experience in banking, security, revision and financial reporting.
How has risk management developed in recent years for banks, especially PostFinance?
In recent years, things have become highly professionalized. At PostFinance, especially since the FINMA regulations and the awarding of the banking licence in 2013, there has been a sharp escalation in risk management. This trend has further intensified with PostFinance’s designation as an essential service. Just recently, FINMA wrote to all banks to announce additional requirements that we now have to implement in the field of operational risks. Digitization also has a huge influence on the quality of risk management. Three years ago, we introduced a new tool in our internal control system, which enables us to trigger controls and tasks automatically for the inventoried risks that affect each workflow.
What particular challenges do banks face these days in terms of risk management?
On the one hand, it’s a fact that banks are always potential targets for cybercriminals. It’s important to mention here that banks are absolutely first class where cybercrime and IT security are concerned – and in terms of risk management. However, we are still continually required to develop our knowledge in this field. On the other hand, we are confronted – like all other companies – with increasing market uncertainties, such as coronavirus and the Russia-Ukraine war. In times of uncertainty like these, risk management is extremely important and can be crucial to the ongoing survival of a company. But it’s important to note that risk management is not directly related to crisis management. In risk management, we try to classify the risks and manage them preventively. In the case of a crisis, relevant bodies like the crisis management committee come into play. And naturally, we are represented in these bodies and we work with them.
How does PostFinance ensure that all employees are aware of risks?
We regularly raise the awareness of employees and remind them that it takes a lot less effort to know the risks in your own area of responsibility and to prevent their negative consequences than it does to carry out damage control after the fact. So we inform them about the relevant directives and carry out risk assessments. Employees are also obliged to refresh their knowledge at regular intervals using an e-learning course.
And now a personal question: as a risk manager, are you critical of everything? Do you only see dangers?
We certainly have a critical approach professionally but that doesn’t necessarily mean that we live our lives in fear. Even a risk manager might do a parachute jump at some point! Our task is to ask the right questions and identify what realistically can go wrong, despite measures, especially when the human factor is taken into account. Then it’s up to us to ensure that these events do not happen and to find ways to eliminate the dangers or at least to reduce them to acceptable levels. So we have to remain persistent, even if our counterpart in a risk scenario is saying “But that’s never happened before”. In such situations, I like to mention the case of a German bank that, on the morning of the crash that had already been reported in the media, transferred 300 million euros to Lehman Brothers. The expected return of 500 million dollars didn’t materialize and this became part of the insolvency proceedings. Such a case hadn’t been seen before, but it could have been prevented.
Matthias Lips has been working at PostFinance since November 2016. He started as a trainee in risk management, and since April 2020 has been managing the Risk Assessment & Control team. He studied business administration at the University of Bern, specializing in financial management and completing further training on risk assessment, transformation management and leadership. During his studies, he held various positions in logistics, IT and HR with the Bern cantonal police force, and was employed at UBS as a customer advisor for dormant assets.