Integrated risk management: all risks on the radar

19.05.2025

From the Board of Directors and Executive Board to the business units and right down to individual employees, risk management is a concern for everyone at PostFinance. Matthias Lips leads a team in the Risk Control section that manages the professional handling of risks. In this interview, he explains his tasks and current challenges.

Cyber attacks, errors in operational processing, unsatisfactory performance from a partner company, or interest rate movements that affect the equity and revenue in the bank – these are all risks that can occur in financial institutions. By establishing a risk management team, companies identify, assess, monitor and control the risks that are relevant to them. Matthias Lips, Head of Monitoring Operational Risks at PostFinance, shows which types of risk PostFinance is confronted with, how risk management is organized internally and how all employees are made aware of the risks in their unit.

Overview of risk types

Companies such as PostFinance are exposed to various risks. There are generally three types of risks: financial, strategic and operational.

  • Financial risks refer to the risk of unexpected losses from the investment and deposit business. Among others, these include risks from interest or market developments, investment performance or liquidity problems.
  • Strategic risks refer to the risk of failing to achieve company goals at the level of the fundamental or long-term orientation of the company as a result of unexpected developments. Examples: the decision to tap into a new market ultimately turned out to be a poor decision, or disruptive changes in the market environment put the business model under pressure.
  • Operational risks refer to the risk of unexpected costs or unwelcome events (e.g. those with a negative impact on reputation or compliance breaches) that arise as a result of the inadequacy or failure of internal processes, people or systems, or as a result of external events. Operational risks include a very broad range of potential risks, including events connected with cybercrime, sourcing partners, faulty business processes, pandemics, financial reporting or data handling.

Interview with Matthias Lips, Head of Monitoring Operational Risks at PostFinance

Matthias Lips has been working at PostFinance since November 2016. He started as a trainee in risk management, and has been managing the Monitoring Operational Risks team since April 2020. He studied business administration at the University of Bern, specializing in financial management and completing further training on risk assessment, transformation management and leadership. During his studies, he held various positions in logistics, IT and HR with the Bern cantonal police force, and was employed at UBS as a customer advisor for dormant assets.

What specific tasks is your Monitoring Operational Risks department responsible for?

Matthias Lips: We belong to the Risk Control unit and, from an integrated and independent perspective, we ensure the identification, assessment and control of risks throughout all units of the company. We ensure that all significant risks for the bank are identified and that those responsible for dealing with them adopt an appropriate approach.

The Risk Control unit is made up of three monitoring teams: one oversees financial risks, another cyber, IT and data risks, while my team manages all other operational risks. As part of our work, we carry out testing, analyses and controls and ensure appropriate reporting to the management team. We check in great detail whether all risks have been identified, measured correctly and managed appropriately.

Which competencies are bundled in your section?

As our tasks are very varied, employees working in my team have quite different backgrounds. We take responsibility for individual risk categories in our team. These include the third-party, legal, payment and processing risk categories. Specific knowledge and competencies are therefore required. For example, if a team member is responsible for payment risks, they ideally have experience in the field of payment solutions; if they support IT and Security, they should have an IT and security background. As a team, we are very broadly positioned – between us we have experience in banking, security, revision and financial reporting.

How has risk management developed in recent years for banks, especially PostFinance?

In recent years, things have become highly professionalized. At PostFinance, especially since the FINMA regulations and the awarding of the banking licence in 2013, there has been a sharp escalation in risk management. This trend has further intensified with PostFinance’s designation as an essential service. Just recently, FINMA wrote to all banks to announce additional requirements that we now have to implement in the field of operational risks. Digitization also has a huge influence on the quality of risk management. Some years ago, we introduced a new tool in our internal control system, which enables us to trigger controls and tasks automatically for the inventoried risks that affect each workflow. This tool has undergone significant development in the meantime and now has various additional inventories and functions.

What particular challenges do banks face these days in terms of risk management?

On the one hand, it’s a fact that banks are always potential targets for cybercriminals. It’s important to mention here that banks are absolutely first class where cybercrime and IT security are concerned – and in terms of risk management. However, we are still continually required to develop our knowledge in this field. On the other hand, we are confronted – like all other companies – with increasing market uncertainties, such as coronavirus and the Russia-Ukraine war. In times of uncertainty like these, risk management is extremely important and can be crucial to the ongoing survival of a company. But it’s important to note that risk management is not directly related to crisis management. In risk management, we try to classify the risks and manage them preventively. In the case of a crisis, relevant bodies like the crisis management committee come into play. And naturally, we are represented in these bodies and we work with them.

Do you already use artificial intelligence for risk management at PostFinance – and if so, in which units and with what experience?

Artificial intelligence has two aspects that are relevant to us. On the one hand, it functions as a risk driver and brings new attack vectors for criminals or presents risks in the application of AI models. On the other hand, it can also reduce risks by improving or comprehensively implementing monitoring or control measures using artificial intelligence. It enables us to analyse large data quantities or automate control processes, for example.

How does PostFinance ensure that all employees are aware of risks?

We regularly raise the awareness of employees and remind them that it takes a lot less effort to know the risks in your own area of responsibility and to prevent their negative consequences than to carry out damage control after the fact. So we inform them about the relevant directives and carry out risk assessments. Employees are also obliged to refresh their knowledge at regular intervals using an e-learning course.

And a personal question: as a risk manager, are you critical of everything? Do you only see dangers?

We certainly have a critical approach professionally but that doesn’t necessarily mean that we live our lives in fear. Even a risk manager might do a parachute jump at some point! Our task is to ask the right questions and identify what realistically can go wrong, despite measures, especially when the human factor is taken into account. Then it’s up to us to ensure that these events do not happen and to find ways to eliminate the dangers or at least to reduce them to acceptable levels. So we have to remain persistent, even if our counterpart in a risk scenario is saying “But that’s never happened before”. In such situations, I like to mention the case of a German bank that, on the morning of the crash that had already been reported in the media, transferred 300 million euros to Lehman Brothers. The expected return of 500 million dollars didn’t materialize and this became part of the insolvency proceedings. Such a case hadn’t been seen before, but it could have been prevented.

Useful information

Risk management and resilience are closely connected: with systematic risk management, a company can identify potential risks early and take targeted countermeasures. This enables the company to better withstand crises and secure long-term stability and capacity to act.

Questions and answers

  • Integral risk management is a holistic approach for identifying, evaluating, managing and monitoring all significant risks posed to a company. It is embedded in the corporate strategy and includes all business units.

  • The risk management process includes the following five steps: risk identification, risk evaluation (likelihood of a risk occurring and its extent of damage), risk management, risk monitoring and reporting. It is essential to identify risks early and to take targeted measures.

  • Reputational risk refers to the risk that the trust given to a bank by customers, business partners or the public is damaged by negative public perception. This can lead to a loss of customers or a poorer position on the labour market. This risk takes a central position in the banking sector, as trust is one of the fundamental pillars for stable customer relationships and long-term success. Active reputation management helps banks show transparency, integrity and a sense of responsibility to the greater public.

  • AI can analyse large data volumes, identify risks early, create forecasts and automate processes. This improves efficiency and accuracy in risk management.

  • Risk control provides transparency for risks and ensures that risks can be identified and properly managed in good time. It plays a significant role in the stability, planning security and sustainable corporate development of a company.
