New Risk Challenges and Enduring Themes for the Return

McKinsey on Risk New risk challenges and enduring themes for the return

Number 10, January 2021 McKinsey on Risk is written by Editorial Board: McKinsey Global Publications risk experts and practitioners Tucker Bailey, Bob Bartels, in McKinsey’s Risk & Resilience Richard Bucci, Holger Harreis, Publisher: Raju Narisetti Practice. This publication offers Bill Javetski, Carina Kofler, readers insights into value-creating Marie-Paule Laurent, Maria del Global Editorial Director: strategies and the translation of Mar Martinez, Luca Pancaldi, Lucia Rahilly those strategies into company Thomas Poppensieker, Inma Revert, performance. Kayvaun Rowshankish, Thomas Global Publishing Board Wallace, John Walsh, Olivia White of Editors: Lang Davison, Tom This issue is available online Fleming, Roberta Fusaro, Bill at McKinsey.com. Comments External Relations, Global Risk Javetski, Mark Staples, Rick Tetzeli, and requests for copies or for Practice: Bob Bartels Monica Toriello permissions to republish an article can be sent via email to Editor: Richard Bucci Copyright © 2021 McKinsey & [email protected]. Company. All rights reserved. Contributing Editors: David DeLallo, Roger Draper, This publication is not intended to be Cover image: Kristen Jennings used as the basis for trading © Henrik Sorensen/Getty Images in the shares of any company or for Art Direction and Design: undertaking any other complex Leff Communications or significant financial transaction without consulting appropriate Data Visualization: professional advisers. Richard Johnson, Matt Perry, Jonathon Rivait No part of this publication may be copied or redistributed in any Managing Editors: form without the prior written Heather Byer, Venetia Simcock consent of McKinsey & Company.

Editorial Production: Roger Draper, Gwyn Herbein, LaShon Malone, Pamela Norton, Kanika Punwani, Charmaine Rice, Dana Sand, Sarah Thuerk, Sneha Vats, Pooja Yadav, Belinda Yu

Table of contents

Risk and resilience

The emerging resilients: Resilience in a crisis: An interview 5 Achieving ‘escape velocity’ 12 with Professor Edward I. Altman The experience of the fast movers One of the leading researchers out of the last recession in corporate financial health teaches leaders emerging from discusses what executives can do this one to take thoughtful to help their companies endure the actions to balance growth, financial stresses of crisis times. margins, and optionality.

Meeting the future: Dynamic risk A fast-track risk-management 18 management for uncertain times 26 transformation to counter The world is changing in the COVID-19 crisis fundamental ways, leading to An accelerated transformation dramatic shifts in the landscape of to enhance efficiency and risks faced by businesses. effectiveness will enable risk organizations to deal with the pandemic while addressing rising regulatory and cost pressures.

Risk culture

Strengthening institutional risk When nothing is normal: 39 and integrity culture 46 Managing in extreme uncertainty Many of the costliest risk and In this uniquely severe global integrity failures have cultural crisis, leaders need new operating weaknesses at their core. Here models to respond quickly to is how leading institutions are the rapidly shifting environment strengthening their culture and and sustain their organizations sustaining the change. through the trials ahead.

A unique time for chief risk 54 officers in insurance Amid rising economic uncertainty, leading insurers are looking to their CROs to do even more than manage risks. Extraordinary risks

The disaster you could have How the voluntary carbon market 63 stopped: Preparing for 72 can help address climate change extraordinary risks The voluntary carbon market is Ignoring high-consequence, low- gaining momentum and plays likelihood risks can be damaging an increasingly important role to an organization, but preparing in limiting global warming. for everything is impossibly costly. Here’s how. Here is how leaders can make the right investments.creative, pragmatic solutions.

Derisking

Derisking AI by design: How The next S-curve in 81 to build risk management into 91 model risk management AI development How banks can drive The compliance and reputational transformations of the model risks of artificial intelligence life cycle in a highly uncertain pose a challenge to traditional business landscape. risk-management functions. Derisking by design can help.

Applying machine learning Derisking digital and analytics 97 in capital markets: Pricing, 101 transformations valuation adjustments, While the benefits of digitization and market risk and advanced analytics are well By enhancing crisis-challenged documented, the risk challenges financial models with machine- often remain hidden. learning techniques such as neural networks, banks can emerge stronger from the present crisis.

2 Introduction

The tenth issue of McKinsey on Risk arrives as spirits, battered by public-health and economic hardships, have been lifted by the appearance of COVID-19 vaccines. Vaccines are beginning to reach priority and vulnerable populations, such as healthcare workers and long-term care residents. Governments and institutions are promising ever-wider distribution in the months ahead. Serious questions remain about production timelines and the completeness of vaccine delivery. For most economies, epidemiological uncertainty is the main factor complicating the conditions of return. Yet nations, sectors, companies, and individuals have endured different challenges and will travel different recovery paths, depending on the damage done.

At the far end of the pandemic tunnel, some economies are demonstrating vibrant life. In other regions, the time for countries and organizations to grow again approaches at varying speeds. Those that prepare will benefit, as our lead article on the “emerging resilients” reveals. In the last recession, companies able to take thoughtful actions to balance growth, margin, and optionality separated themselves quickly from less resilient peers. Coming out of the current recession, which companies are poised to achieve “escape velocity”? Our authors—some of McKinsey’s most influential leadership voices—discuss the dynamic business landscape while pointing to a venerable metric that can help companies adjust for the needed balance.

Taken as a whole, these discussions present McKinsey’s latest thinking and recommendations on risk and resilience—including optimal strategies and necessary transformative actions. Resilience as a business concept took on significance during the financial crisis of 2008–09. As cyclical stress levels rose in the global economy, challenges were magnified and new uncertainties were generated. Faced with proliferating risks and spiking volatility, organizations began to realize the need for dynamic risk management, by which serious threats can be prioritized and addressed as they arise.

Today, as companies emerge from the pandemic-triggered economic crisis, risk organizations face extraordinary discontinuities on top of more familiar ongoing challenges. The highly complex risk landscape is marked by an accelerating digital revolution; massive environmental, regulatory, and industry changes precipitated by the changing climate; and rising stakeholder expectations about corporate behavior. Cost pressures, furthermore, mean that organizations must make significant, simultaneous improvements in risk efficiency and effectiveness.

In pursuit of these improvements, companies in all industries are applying advanced quantitative capabilities to support faster operational decision making. Most are launching digital and analytics transformations—digitizing services and processes, increasing efficiency with agile approaches and automation, improving customer engagement, and capitalizing on new analytical tools. The present crisis is also creating a moment in which financial institutions can rethink their entire model landscape and model life cycle. Artificial intelligence, which promises to redefine how businesses work, is already marshaling the power of data to transform a range of business activities and functions.

The inevitable consequences of all this innovation are elevated risk profiles, which many existing organizational approaches are incapable of addressing systematically. The following discussions illuminate the most compelling risk issues that companies in all sectors and geographies are confronting. Here, readers will find deep industry insight and structured risk-management approaches that are helping leaders build risk capabilities, strengthen institutional resilience, and navigate through this crisis toward restored performance.

Let us know what you think, at [email protected] and on the McKinsey Insights app.

Thomas Poppensieker Chair, Risk & Resilience Editorial Board

XXXXXXXXXXXXX 3 Risk and resilience

The emerging 5 resilients: Achieving ‘escape velocity’

Resilience in a crisis: 12 Interview with Professor Edward I. Altman

Meeting the future: 18 Dynamic risk management for uncertain times

A fast-track risk-management 26 transformation to counter the COVID-19 crisis

4 McKinsey on Risk Number 10, January 2021 The emerging resilients: Achieving ‘escape velocity’

The experience of the fast movers out of the last recession teaches leaders emerging from this one to take thoughtful actions to balance growth, margins, and optionality. by Cindy Levy, Mihir Mysore, Kevin Sneader, and Bob Sternfels

5 In 2019, McKinsey asked companies to prepare for protected sectors of healthcare, pharmaceuticals, the possibility of a recession. Of course, we had no and technology, companies are seeing moderate idea then that the COVID-19 pandemic would be the declines in revenue. Heavily affected sectors trigger, nor that the recession would cut as deeply have experienced revenue declines of between as it has. But it was clear then that the foregoing 25 percent and 45 percent. These include growth cycle was already of unusual duration. The transportation and tourism, automotive, and oil pace was slowing, furthermore, and the potential and gas—sectors containing some of the largest for shocks was greater than for renewed growth. In employers in Europe and the United States. the same article, we discussed what top-performing companies had done in the previous downcycle, the We recognized that this downturn was driving financial crisis of 2008–09. We looked at 1,500 stress into the economy at a much faster rate than public companies in Europe and the United States, was experienced in the financial crisis of 2008–09. analyzing performance on a sector-by-sector basis. To measure the extent and speed of the damage, Companies in the top quintile of their peers through we wanted a sounder guide than stock-market that crisis were dubbed the “resilients.” performance. An investigation of the companies in our database using the “Altman Z-Score” yielded Once economic and business results of the second promising results. This measurement was developed quarter of 2020 became known, we began to hunt in 1968 by Edward I. Altman, now a professor for the clues that were contained in nearly 1,500 emeritus of Finance at New York University’s Stern earnings releases across Europe and the United School of Business. It is an equation originally States. This article seeks to understand whether designed to predict the probability of corporate the shape of the next class of resilients is visible bankruptcy. A company’s Z-Score goes up if it has a in the data, and what lessons this would hold for well-established ability to grow margins (measured companies within each sector. as EBIT1/assets) while increasing revenues (measured by revenue/assets) and maintaining optionality (measured by retained earnings/assets).2 The present downcycle: Six times faster than the previous one We calculated the Z-Scores for approximately 1,500 Today, we are in the middle of the deepest European and North American companies in our recession in living memory. As pandemic-triggered database for both the last downcycle (2008–09) lockdowns took hold around the world in early 2020, and the current one.3 We used three categories economies contracted quickly. The International in the results: “good standing,” “gray zone,” and Monetary Fund and World Bank foresee a global “experiencing stress.”4 The Z-Scores revealed that contraction in economic output in 2020 of in the financial crisis of 2008–09, 30 percent of around –5 percent; the Organisation of Economic companies moved to a higher-stress category by Cooperation and Development estimates an even 2009, compared with where they were in precrisis worse result, at –7.6 percent. At any rate, the drop 2007. Only 3 percent of observed companies will far exceed the last global contraction, which was improved their standing. By comparison, in 2020, 25 –1.7 percent in 2009. percent of companies had moved to a higher-stress category and 3 percent improved. The dynamics The distress has hit all industry sectors, some of 2009 and 2020 differ in one glaring respect: in harder than others. Yet even in the relatively the last recession, this movement occurred over 18

1 Earnings before interest and taxes. 2 Our research used a common form of the Z-Score, whose weighted determinants are as follows: Z = 1.2X1 + 1.4X2 + 3.3X3 + 0.6X4 + 1.0X5, where X1 = working capital/total assets, X2 = retained earnings/total assets, X3 = earnings before interest and taxes/total assets, X4 = market value equity/book value of total liabilities, X5 = sales/total assets, and Z = overall index. Edward I. Altman, “Predicting financial distress of companies: revisiting the Z-Score and ZETA® models,” Leonard N. Stern School of Business, July 2000, stern.nyu.edu. 3 Some companies were excluded from results because data or financial reports were unavailable at the time or because they were extreme industry outliers. 4 These were the titles of Professor Altman’s original categories except for “experiencing stress”; we substituted that title for his original, “headed for bankruptcy,” since our research is not focused on bankruptcy.

6 McKinsey on Risk Number 10, January 2021 months, while in the present crisis, the economy planning cycle. Wise planners will prepare for a has arrived at about the same point in three months’ number of outcomes, including a further drift in time—six times faster (Exhibit 1). present conditions or a worsening downturn. In our view, however, they must also be open to the appearance of more positive trends and ready to Fast and deep—but for how long? shift quickly to a growth stance. This means building Our recent conversations with business leaders optionality balanced with tangible, trigger-based suggest that the high level of external uncertainties— growth bets into their plans. political, social, and epidemiological—will likely be with us well into 2021. This will be true whether or Leaders can do this by taking an owner’s view not a COVID-19 vaccine becomes available during of their business, comparing it to their peers’ that time. New challenges can also be expected, rather than their own past performance. Peer such as when governments pull back on the levels benchmarking can more readily become the starting of fiscal stimulus that might have been nourishing point for developing a strategy to achieve full green shoots of recovery. business potential. Companies need to know: What are tomorrow’s resilients doing today to achieve Leaders can thus assume dynamic business “escape velocity” when the time comes? conditions through 2021 as they begin this year’s

Web <2020> Exhibit 1 Exhibit <1> of <4> Corporate stress isis nownow atat thethe same same point point as as it it was was in in the the 2009 2009 trough, trough, arriving arriving inin onlyonly months months versusversus twotwo years.years.

Corporate stress by Altman ZScore, % ● Took on stress ● Stayed roughly same ● Reduced stress

2009 Q1Q2 2020

Experiencing Gray Good Experiencing Gray Good stress zone standing stress zone standing

Good 6 27 67 100% Good 8 25 68 100% standing standing

Gray 38 55 7 100% Gray 41 55 5 100% 2007 zone 2019 zone

Experiencing 92 7 1 100% Experiencing 94 6 1 100% stress stress

(n = 967) (n = 1,300)

● In 2 quarters, 2020 recession has caused stress equal to that in 2008 09 recession ● Companies in good standing or gray zone in 2019 were experiencing stress by 2020

Note: Figures may not sum to 100%, because of rounding. For 2020 vs 2019 analysis, companies without reported financials for Q2 2020 were excluded. For 2020 vs 2019 and 2009 vs 2007 analyses, financial institutions, utilities, and some other companies, including those with Z-Scores of >10 or <–10, were excluded. Good standing: Z-Score >3.0; gray zone: Z-Score 1.8–3.0; experiencing stress: Z-Score <1.8. Source: S&P Capital lQ; McKinsey analysis

The emerging resilients: Achieving ‘escape velocity’ 7 Finding tomorrow’s resilients optional investment opportunities).5 Our research In this crisis, business leaders sometimes take clearly suggests that coming out of the trough solace in the relative ebullience of the stock market of the last recession, the top performers had or the fact that peers are suffering from the same achieved balanced improvements in all three of issues that they are. A quick look back tells us, these measurements of organizational health— however, that stock markets are poor predictors of irrespective of whether they had spikes in any one of success during a recession. The companies that led them. We have concluded that to be counted among equity markets during the recessionary trough of the new resilients, companies must find this balance. 2009 did worse by the end of the cycle relative to the companies that made up the middle tier (Exhibit 2). Accordingly, in the last recession, the companies whose Z-Scores fell the most between 2007 and the The Altman Z-Score turns out to be a better 2009 trough of the recession provided the lowest directional indicator of post-downturn market shareholder returns in 2011. The companies whose performance than does the market itself. The Z-Scores improved the most were the most likely to Z-Score helps highlight three outstanding attributes provide the best returns as the economy emerged of resilience: margin improvement, revenue from the recession (Exhibit 3). growth, and optionality (retained additional

Web <2020> Exhibit <2> 2 of <4> The AltmanAltman Z-Score Z-Score isis aa betterbetter leading indicatorindicator ofof companycompany strengthstrength through a crisis than is stock-market performance. performance.

Excess shareholder return, 200711, %

Companies grouped by market performance (TSR¹) in Companies grouped by Altman Z-Score movement, the trough of the 2007–09 nancial crisis (Q1 2009) 2007–09

20 20

10 10

0 0

–10 –10

–20 –20

Top Quintile Quintile Quintile Bottom Top quintile Quintile Quintile Quintile Bottom quintile by 2 3 4 quintile by Altman 2 3 4 quintile TSR in Q1 Z-Score, 2009 2007–09

¹Total shareholder return (TSR) for Q1 2009 was calculated as an average of medians for each industry sector of ~1,000 companies in total; excess shareholder return over the 2007–11 period was derived by subtracting the median of TSR for each industry sector with actual TSR for each company. Source: S&P Capital lQ; McKinsey analysis

5 Working capital and market equity value were part of Professor Altman’s original score; for the purposes of our research we included the former determinant as part of optionality and recognized that the latter, market value, is externally driven and ultimately a product of the other factors.

8 McKinsey on Risk Number 10, January 2021 Learning from the emerging resilients — Revenue. The emerging resilients seem to be In every sector, we identified the top 20 percent of powering their margin advantage primarily companies that have driven the highest increases in through revenue rather than costs. The revenue their Z-Scores through the 2020 recession. We then gap between emerging resilients and the rest is compared their performance with that of the rest. around 16 percent in this cycle, whereas the gap This is what we found: was 10 percent in the last cycle.

— Margins. The gap in margins between the — Optionality. The emerging resilients—and emerging resilients and the rest of their peer companies overall—seem to be leaving less group is striking. The typical emerging resilient optionality on the table today compared with in 2020 has increased the EBITDA6 margin by what happened in the last cycle. Retained- 5 percent while the rest have lost –19 percent earnings growth for emerging resilients is 11 by this measure, a gap of nearly 25 percent. The percent today, whereas it was 30 percent at difference is much greater than the EBITDA- the time of the 2009 recessionary trough. For margin gap was among the resilients in the nonresilients, the optionality measurement is last recession. This would suggest that today’s 1 percent in this cycle, while it was 6 percent in margin leaders will dominate their sectors more the last. firmly coming out of this recession.

Web <2020> Exhibit 3 Exhibit <3> of <4> Resilient companies demonstratedemonstrate balanced balanced performance performance in in margin, margin, growth, growth, and optionality.

Change in EBITDA1 margin, growth, and optionality, resilients vs nonresilients,2 in last and current recessions Margin: EBITDA margin Growth: revenues Optionality: prots retained for reinvestment

2007–09, % Q2 2020 vs Q2 2019, %3

RESILIENTS NONRESILIENTS EMERGING EMERGING RESILIENTS NONRESILIENTS 29

11 6 7 4 5

–1 1 –5

–13 –16 –17

¹Earnings before interest, taxes, depreciation, and amortization. ²Resilients in the last recession (2007–09) are defined as those companies in each sector in the top 20% in excess total return to shareholders (TSR); nonresilients are defined as the remaining 80%. Excess TSR is calculated by subtracting the median TSR for each sector from the actual TSR for the period of 2007–11. 3For the current recession, emerging resilients are defined as those companies in each sector in the top 20% on the Altman Z-Score (for Q2 2020 vs Q2 2019); emerging nonresilients are defined as the remaining 80%. Source: S&P Capital IQ; McKinsey analysis

6 Earnings before interest, taxes, depreciation, and amortization.

The emerging resilients: Achieving ‘escape velocity’ 9 Exhibit 4 demonstrates the relative performance meaningful glimpses of the possibilities. Faced with of the emerging resilients in 2020 and the resilients a global health crisis requiring physical distancing in 2009. and other restrictions, companies shifted quickly to remote operating models. By sector, we discovered that the emerging resilients are more likely to demonstrate consistent, In a matter of weeks, companies provided the balanced performance across a number of metrics, workforce with new flexibility and skills where as opposed to having a leadership spike in one and needed while maintaining or even increasing lagging performance in the others. This brings us productivity. They massively expanded digital and to our final insight: tomorrow’s resilients are more online capacities to maintain customer relationships likely to be the companies that are driving value- and deliver goods and services remotely and added growth while balancing optionality, rather efficiently. They reconfigured supply chains to drive than those that focus most of their attention on greater resilience. And they set higher standards maintaining operating margins, at the expense of for diversity and inclusion, providing a much needed other proportionate measures. leadership stance on making social change happen through better corporate citizenship. Imagine what companies might be able to do in 2021. Zeroing in on what matters Z-Score insights can help leaders take an ownership Let’s start with the companies in the top quintile view and think more clearly about what their of their sectors according to the Z-Score. They are organizations can achieve—especially by freeing already creating the conditions that allow them to themselves of unnecessary traditional limitations. generate value-added growth while maintaining In this recession, we have already been afforded optionality. They are therefore best positioned to

Web <2020> Exhibit 4 Exhibit <4> of <4> Balanced performers across margin, margin, growth,growth, and optionality areare moremore likely toto emerge asas resilientsresilients than than are are top top performers performers in in only only oneone metric. metric.

Composite ranking of company grading on margin, growth, and optionality Share of Probability of being in total, % emerging resilients, % Margin Growth Optionality Typical grade¹

9 59 A A A Top performer (A in at least 2 metrics)

(B in all metrics; A in 1 metric 11 39 B B B Balanced and B in at least 1 metric)

24 23 A C C Mixed or spiky (A in 1 metric and C in at least 1 metric)

(B or below in all metrics, 56 9 B C C Underperformer with C in at least 1 metric)

¹A: top 20%; B: top 20–40%; C: bottom 60%.

10 McKinsey on Risk Number 10, January 2021 realize their full potential. For these companies, first their organization, so that they may provide on the planning agenda is setting high aspirations for more flexibility to the workforce while executing 2021. These can be defined by bold moves to drive operations at full speed. The experience of most rapid revenue growth, portfolio reallocation, value- sectors demonstrates that companies which creating M&A, and revamped technology spending. execute faster tend to outperform.

Companies that are behind the top Z-Score performers in their sectors need to discover what is holding them back. They may be overemphasizing Companies’ experiments with creating new cost cutting or pursuing a strategy of growth at postpandemic operations models are yielding some all costs. They might be overprioritizing investor interesting results. Digital platforms are allowing payouts at the expense of their organizational some companies to share skills across operations, health. They may be spreading their efforts thinly providing support in ways that were very difficult across many priorities instead of focusing tightly on before. The same approach is also allowing driving margins and productivity. Leaders should workers to enjoy more opportunities while creating also consider rethinking their supply chains end to an effective postpandemic operating model end, especially to improve resilience. that solves for speed and rapid decision making. These are the next-horizon powers that will drive Depending on their standing, lagging companies productivity and propel the emerging resilients into may need to focus their efforts on different the next wave of growth. drivers of growth. Almost universally, however, all companies will need to continue strengthening

Cindy Levy is a senior partner in McKinsey’s London office, Mihir Mysore is a partner in the Houston office, Kevin Sneader is McKinsey’s managing partner and is based in the Hong Kong office, and Bob Sternfels is a senior partner in the San Francisco office.

The authors wish to thank Sumit Belwal, Jeffrey Caso, Martin Hirt, Peeyush Karnani, Jagbir Kaur, Kevin Lackowski, and Sven Smit for their contributions to this article.

The emerging resilients: Achieving ‘escape velocity’ 11 Resilience in a crisis: An interview with Professor Edward I. Altman

One of the leading researchers in corporate financial health discusses what executives can do to help their companies endure the financial stresses of crisis times.

12 Professor Edward I. Altman of the Stern School of That was the path, in my view, that gave GM its main Business, New York University, is a leading expert chance of survival. They were really on the brink in credit and debt. He has written or edited two at that time, having hemorrhaged $2 billion per dozen books and more than 160 articles on finance, month for several months. I was not very popular accounting, and economics. He is also the creator of at that hearing. Congress did not want to hear my the Altman Z-Score, developed originally as a means “B word”—bankruptcy; they preferred the other of predicting bankruptcy probabilities. McKinsey one, bailout. The House voted for a bailout, but the researchers successfully used the Z-Score to test Senate voted against it. President Bush eventually company resilience through a crisis.1 We spoke with bailed out GM and Chrysler under the funding that Professor Altman about how executives can best Congress had given for financial institutions (using face financial stress in times of crisis. GMAC as the entry point).

McKinsey: The Z-Score has had a variety of But the bailout didn’t work. Six months later, under practical applications. Do any stand out as the Obama administration, GM filed for bankruptcy particularly helpful? Have any applications of the and received about $50 billion in debtor-in- model surprised you? possession loans, exactly as I had predicted should happen. The rest is history. GM survived and is now Professor Altman: I didn’t know of McKinsey’s use an investment-grade company. That status may of the Z-Score to indicate resilience. Interestingly, be a stretch, but it is certainly a solvent company you found it useful in gauging firm performance with operations globally, and much healthier today before and after a crisis. Banks have used the because of going bankrupt, not despite it. model in making lending decisions, and some use it to complement their own internal-ratings-based Finally, an application that really surprised me is the models for expected loss provisioning under the use of the Z-Score by managers to make strategic Basel rules. It is also used by investors in making decisions. In 1981, I learned of a turnaround bond or stock purchases. I was surprised, for strategy used by the CEO of a large manufacturer of example, that several investment banks have used precision equipment in which he simulated business the Z-Score as one of several criteria they apply to decisions like selling assets, reducing personnel, customers. Some investment banks offer a basket consolidating locations, paying back some debt. He of common stocks with the highest Z-Scores and plotted the effects of each simulated decision on sell short the lowest. That came as a surprise—that the firm’s Z-Score. No action was taken that would the Z-Score was generating profit for investment depress the Z-Score, at least in his estimation. And it banks selling a structured product. was amazingly successful.

I used the model in my testimony in December 2008 McKinsey: Professor Altman, you have studied before the US House Finance Committee, at the the credit market for years. What fundamental onset of the financial crisis. The hearing would help changes have you observed? Today, we see many determine whether General Motors and Chrysler alternative financing instruments, and high-yield would receive government bailouts. The Z-Score bonds have gained steam as well. Would you model showed very clearly that GM was heading for say that the Z-Score can account for such new bankruptcy. I recommended against a bailout for GM developments? Has it proved timeless as a tool and in favor of restructuring under Chapter 11. for measuring credit risk? Should we do anything

1 McKinsey’s results were published in an article by Cindy Levy, Mihir Mysore, Kevin Sneader, and Bob Sternfels, “The emerging resilients: Achieving ‘escape velocity’,” October 6, 2020, McKinsey.com. The authors used a common form of Professor Altman’s Z-Score, with the

following weighted determinants: Z = 1.2X1 + 1.4X2 + 3.3X3 + 0.6X4 + 1.0X5, where X1 = working capital/total assets, X2 = retained earnings/total

assets, X3 = earnings before interest and taxes/total assets, X4 = market value equity/book value of total liabilities, X5 = sales/total assets, and Z = overall index. Edward I. Altman, “Predicting financial distress of companies: Revisiting the Z-Score and ZETA® models,” Leonard N. Stern School of Business, July 2000, stern.nyu.edu.

Resilience in a crisis: An interview with Professor Edward I. Altman 13 differently today, compared with what you were There are more B ratings than any other for doing 50 years back? high-yield bonds—more Bs than double-Bs or triple-Cs. And the probability of a B-rated Professor Altman: Those are great questions. I company’s bond issue defaulting is about would say most companies are riskier today than 28 percent in the first five years. So, 72 percent they were back in the 1960s when I built the model. of Bs survive. And if you invest in a portfolio of Amazing progress has been made in technology, Bs, assuming you receive interest compounded in strategy, over those 50-plus years, but the over five years, you will do quite well, relative to credit posture and structure of corporations have the risk-free rate—even given the default rate of radically changed too. Back in the 1960s, and as 28 percent and the loss rate of about 20 percent late as the early 1990s, maybe 100 companies in (adjusted for recoveries). the United States were rated AAA, and probably as many or more rated AA. Today, there are two AAA- I now use the bond-rating-equivalent technique rated companies in the US: Microsoft and Johnson to adapt to the changes over time in the capital & Johnson. And who knows how long those ratings structures of corporations. We look at the median will last? score, by bond rating—AAA down to CCC—and assign a bond-rating equivalent to each firm, based An A rating is no longer the objective of companies. on its score. And then we assess the probability of When I surveyed CFOs in the 1970s, as a visiting default given that bond-rating equivalent, using a professor at Hautes Études Commerciales in Paris, mortality-rate approach, like an actuarial approach. the A rating was their predominant choice. Today, That is the way I have adapted the original Z-Score the preference is clearly for BBB. The reasons model, and that model, with its original coefficients, are low interest rates, certainly, but the lower is still quite effective. rating also makes it easier to use leverage to raise earnings per share. Now there are other ways to You can go with the flow, in other words, making raise earnings, as McKinsey and most CFOs well changes in rating equivalents over time, rather know. But a tried-and-true method is to increase than building a new model each year or each five leverage, especially where the cost of capital is years. The Z-Score was originally based on a small low, and then invest in projects for which the return sample of comparatively small companies. Today, will be greater than the cost of debt and hopefully companies are much larger, and the incidence of better than the cost of capital. default for large companies is so much greater. Already in 2020 more than 50 companies in the You mention high-yield bonds—we can add United States with more than $1 billion in liabilities leveraged loans and shadow banking and so forth. have gone bankrupt. Of course there were none The amount of leverage in the system now is far of these “billion-dollar babies,” as I call them, back greater than it was 50 years ago. Is the Z-Score in the ’60s. So it is striking that a model built on model still robust enough to be used today as it smaller companies is still effective, generally, and was then? The answer is yes. But I’ve learned some for much larger companies as well. things over the years about the evolution of credit risk. I no longer use the cutoff scores from 1968. At McKinsey: Speaking of bankruptcies, we observe that time, a company needed a Z-Score above 3.0 to that companies continue to issue bonds—trillions be designated as a safe company. Companies with of dollars worth in 2020. They are short of funds, as a score of less than 1.8 were considered distressed demand has dried up, and they are locking in the and likely to go bankrupt. Today, the cutoff score is low interest rates as well. But the great volumes of much lower—about zero. A score of 1.8 is actually debt are eroding companies’ credit health. Do you above average now for B-rated companies—and the expect filings for bankruptcy protection to rise in the dominant junk bond out there is a B-rated company. months to come?

14 McKinsey on Risk Number 10, January 2021 Professor Altman: I was worried about a potential One is that companies are buying back their debt bubble before the pandemic. I was in the debt, reducing the amount of debt in their capital minority then because the economy was doing well, structure, using a lot of the cash that they raised bankruptcies were few, and defaults in the high- over these past four or five months, since April of yield market were below the historical average. But this year. Second is the issuance of new equity. I am I saw a lot of vulnerability. Not only for companies surprised this has happened so quickly. But both going bankrupt but also for the triple Bs, which were IPOs and established companies (with secondary so popular, to be downgraded as fallen angels into equity issuances) are beginning to do this. In my the high-yield and junk categories. Well, things of opinion, the sooner the better. course changed in March. The easiest way to reduce your debt-equity ratio, Because of extraordinary government support as McKinsey well knows as strategists in the around the globe, companies with low Z-Scores corporate-finance area, is an equity-for-debt swap. are surviving. In some countries, it is even verboten, And the best time to do that is when the stock price impossible to go bankrupt. The bankruptcy code is is high. You raise new equity at a very attractive suspended in Germany and some other countries, rate and then, instead of investing in a new plant except where fraud was involved. Italy and other and equipment, you buy back debt with it. Now the countries have applied a moratorium on interest debt comes at low interest rates, so equity-for-debt payments, a measure which reduces bankruptcies. swaps might be less attractive for some companies. But most have a target capital structure in mind, at But the reduction in bankruptcies is temporary, least I believe so. And such a swap is one way to get in my view. We will have a second wave once back to it, if you are overweighted in debt. government supports are reduced. I remain concerned about a debt bubble. Record amounts For companies that cannot buy back debt because of new bonds and loans are being issued, both they don’t have the cash, or those unable to investment grade and noninvestment grade. issue new equity at attractive prices because Companies are doing this to raise cash as a reserve their performance has been poor—these are the against problems stemming from the pandemic. companies that I believe are going to default in Not all can do this—only those with reasonably increasing numbers in 2021, but probably not before good credit profiles. However, even companies then. Other forecasters agree with me on this, that have been downgraded from investment including investment banks and rating agencies. grade to high yield are eligible for support from the Federal Reserve, for example, in purchasing in the McKinsey: As you know, some economists see secondary market of their bonds. This has given things the way that you just laid out, while others are investors the confidence they need to buy the bonds less concerned about the buildup of debt right now. even if they think that the issuing company is going Given the stressed economic environment, what to suffer during the pandemic. Because the price advice do you think the Z-Score offers to executives will be supported—as long as they don’t default, of today, as they approach the 2021 planning period? course. So the market is bifurcated: the haves are issuing debt and the have-nots are not. Professor Altman: One of the interesting applications of the model is as an early-warning There are zombie firms out there—companies system. Executives of companies tend toward a artificially kept alive by banks and nonbanks. biased view of their strengths and weaknesses, What can companies do to keep a debt bubble overestimating the former and underestimating from building and to avoid potentially defaulting the latter. If they see problems on the horizon, they themselves with overwhelming amounts of new think they can handle them. They may not realize the bonds and loans? I see two positive developments. seriousness of a situation until late in the day. Once

Resilience in a crisis: An interview with Professor Edward I. Altman 15 the crisis hits, then they begin to react. If leaders are dramatically. The S&P, where technology open-minded, however, they can use the Z-Score as companies have an outsize role, and the Dow as an objective model. It will show where the company well, where they don’t. And bond prices have also stands in terms of a bond-rating equivalent or a zone rebounded dramatically. of distress. Applied early enough, this approach can help executives take action—selling assets, cutting Puzzled as we may be, we economists and financial back on debt, for example. analysts need to have a view on why the markets have been buoyant. Of course, very low interest In this pandemic, some companies—high-tech rates play a part. Where else will you put your companies and big banks in the United States, money? In a safe? In government bonds? Not very for example—have actually thrived. But many attractive, unless you believe the market is headed companies are in survival mode and preparing for a real fall soon. The US Federal Reserve and for that second wave. Banks are preparing with other central banks have said that interest rates will respect to capital provisioning, because they are remain low for quite a while. And so the outlook for regulated, and they know they should be doing the bond market is not very rosy. A second reason so. Most companies are not regulated. I think a I think is that many people are spending more Z-Score or similar technique could help them see, time following the market and investing. They are unambiguously, how they are deteriorating during focused now on safeguarding their money or making this pandemic. It might also show that they will profits—because they are at home, can’t travel, are recover when the economy recovers. Or maybe unemployed, or whatever. Day and retail traders they will realize that they were deteriorating before have been an important force in this market. Many the pandemic began, if they look at their Z-Scores individual and institutional investors, furthermore, for 2018, 2019, 2020. At any rate, they will see their believe that the economy is going to rebound vulnerabilities to financial distress. I would hope that dramatically and feel that the time is right to buy companies use the Z-Score in that fashion. I know cheap stocks. that investors are. Nevertheless, many investors have been losing The McKinsey study shows that resilient companies in this stock market. Many funds are down, even can be identified as those whose Z-Scores decline though the stock market is up overall. The average less in a crisis. Scores for nonresilient companies investor is probably down in their own portfolio— are affected more negatively. You are not the except for those perhaps who picked some of the only ones to have discovered this: as I mentioned, zooming companies like Zoom or Tesla or the tech some investment banks have products that giants. But will stock-market growth continue if depend on the Z-Score for their investment (and economic recovery lags? I am being cautious in divestment) choices. my own portfolio, taking into account the potential for another big downturn in the financial markets. McKinsey: Can you give us your view on the This could be triggered by one or more factors— apparent disconnection between the stock market continued spread of the virus, delayed or ineffective and the real economy? One much discussed factor vaccines, or a lagging recovery in the real economy. is the overrepresentation of technology companies Investors could lose patience with companies. on the markets compared with their weight in the real economy. McKinsey: I’d like to finish with a question about how business executives might best use the Professor Altman: I am as surprised as anyone Z-Score. It’s the product of several weighted that the stock market is doing so well when the real variables, including earnings, margins, stock economy is not. Noneconomic as well as economic price, optionality. Should executives steer toward and financial reasons play into this. Forecasts improvements in particular metrics or look to strike show overall GDP contractions for most economies a balance among them? in 2020. And yet, the stock market has rebounded

16 McKinsey on Risk Number 10, January 2021 Professor Altman: A balance. Companies need an important factor. And of course, stay away from a multivariate approach, maintaining or improving borrowing, especially short-term borrowing, when performance on a number of metrics. Key drivers in a vulnerable position. in the Z-Score are total assets and total liabilities. Companies concerned about their future could McKinsey advises CEOs all the time, and likely therefore seek to concentrate assets. Consolidate well understands this issue. When a company where you can while reducing investment in fixed encounters major problems, the executives whose assets if your situation is deteriorating. That would decisions led to the situation have a hard time be part of a prudent strategy. It would raise cash turning it around themselves. They can only be needed, either for new investments (in products that effective if they can take an objective view toward are at an earlier point in their life cycles) or to pay their own past, and act without bias. Very hard to back some debt. Companies are doing that also, to do. At such times, companies need an adviser or an reduce vulnerability should conditions worsen. interim CFO or CEO to make the hard choices. CEOs But it’s hard. Reducing exposures to protect could help themselves by recognizing that they can’t yourself in case things don’t improve—that is do this alone. They need a clearly objective model. not part of executive psychology. Executives I have always said that there is help out there, but think about how to improve earnings or market whether leaders can embrace help in times of crisis— share. They don’t want to think about reducing that is the question. exposures by selling assets. Companies also need to better understand their liquidity positions. McKinsey: That is golden advice. Thank you very Inventories that are not selling well now should not much, Professor Altman. be stockpiled in anticipation of better times in the future—unless, of course, companies have good Professor Altman: Thank you. reason to be very confident. So, working capital is

Edward I. Altman is the Max L. Heine Professor of Finance, emeritus, at the Stern School of Business, New York University, and director of research in credit and debt markets at the NYU Salomon Center for the Study of Financial Institutions. This interview was conducted by Jeffrey Caso, an expert in McKinsey’s Washington, DC, office; Peeyush Karnani, a senior expert in the New York office; and Mihir Mysore, a partner in the Houston office.

Resilience in a crisis: An interview with Professor Edward I. Altman 17 Meeting the future: Dynamic risk management for uncertain times

The world is changing in fundamental ways, leading to dramatic shifts in the landscape of risks faced by businesses.

by Ritesh Jain, Fritz Nauck, Thomas Poppensieker, and Olivia White

18 Beyond the profound health and economic management maturity varies across industries uncertainty of our current moment, catastrophic and across companies. In general, banks have the events are expected to occur more frequently in most mature approach, followed by companies in the future. The digital revolution, climate change, industries in which safety is paramount, including stakeholder expectations, and geopolitical risk will oil and gas, advanced manufacturing, and play major roles. pharmaceuticals. However, we believe that nearly all organizations need to refresh and strengthen their The digital revolution has increased the availability approach to risk management to be better prepared of data, degree of connectivity, and speed at for the next normal. The following discussion which decisions are made. Those changes offer describes the core of dynamic risk management and transformational promise but also come with outlines actions companies can take to build it. the potential for large-scale failure and security breaches, together with a rapid cascading of consequences. At the same time, fueled by digital The core of dynamic risk management connectivity and social media, reputational damage Dynamic risk management has three core can spark and spread quickly. component activities: detecting potential new risks and weaknesses in controls, determining The changing climate presents massive structural the appetite for risk taking, and deciding on the shifts to companies’ risk-return profiles, which will appropriate risk-management approach (Exhibit 1). accelerate in a nonlinear fashion. Companies need to navigate concerns for their immediate bottom lines Detecting risks and control weaknesses along with pressures from governments, investors, Institutions need both to predict new threats and and society at large. All that, and natural disasters, to detect changes in existing ones. Today, many too, are growing more frequent and severe. companies maintain a static and formulaic view of risks, with limited linkages to business decision Stakeholder expectations for corporate behavior making. Some of these same companies were are higher than ever. Firms are expected to act caught flat footed by the COVID-19 pandemic. lawfully but also with a sense of social responsibility. Consumers expect companies to take a stand on In the future, companies will require hyperdynamic social issues, such as those fueling the #MeToo identification and prioritization of risks to keep pace and Black Lives Matter movements. Employees with the changing environment. They will need to are increasingly vocal about company policies and anticipate, assess, and observe threats based on actions. Regulator and government attention is disparate internal and external data points. Dynamic reflecting societal concerns in areas ranging from risk management will require companies to answer data privacy to climate change. the following three questions:

An uncertain geopolitical future provides the — How will the risk play out over time? Some risks backdrop for such pressures. The world is more are slow moving, while others can change and interconnected than ever before, from supply chains escalate rapidly. Independent of speed, risks to travel to the flow of information. But those ties can be either cyclical and mean reverting or are under threat, and most companies have not structural and permanent. Historically, most designed robust roles within the global system that firms have focused on managing cyclical, mean- would allow them to keep functioning smoothly if reverting risks, like credit risk, that go up and connections were abruptly cut. down with macroeconomic cycles. Historically, the fundamental long-term economics of Companies require dynamic and flexible risk business lines have held firm, requiring only management to navigate an unpredictable future tweaks through the cycle. Credit risk in financial in which change comes quickly. The level of risk- services is an example of such a risk. However,

Meeting the future: Dynamic risk management for uncertain times 19 Web <2020> Exhibit 1 Exhibit <1> of <2> CompaniesCompanies requirerequire dynamicdynamic and and exible flexible risk risk management management toto navigatenavigate anan unpredictableunpredictable futurefuture inin which which change change comes comes quickly.

3 core components of dynamic risk management

Detect risks and control weaknesses

Ability to anticipate, predict, and observe threats rapidly and accurately based on disparate internal and external data points and to assess risk magnitude, risk-impact duration, and internal-control eectiveness

Delimit risk appetite Decide on risk- management approach Ability to set limits on risk taking dynamically, accounting Ability to decide promptly if risk for business's values, strategy, requires immediate or more risk-management capabilities, prolonged response, design and and competitive environment undertake appropriate response or mitigation, and institute feedback loop to track response eectiveness

the traditional principles of trajectory and and society at large—and what that means cyclicality of risks are increasingly becoming to them. The COVID-19 pandemic has had a less relevant. The global economic shock caused direct impact on most companies but has also by the COVID-19 pandemic has demonstrated meaningfully shifted the global economy and that many companies were not prepared for societal terrain. Companies should consider events with profound and long-lasting impact whether they have the controls, mitigants, and that could fundamentally change how business response plans in place to account for worst- is conducted. case-scenario, systemic risks. For example, as companies house more personal data, the risks — Are we prepared to respond to systemic associated with data breaches become more risks? In today’s world, risk impact can go well systemic, with the potential to impact millions of beyond next quarter’s financial statements to customers globally. These firms need to consider have longer-term reputational or regulatory proactively how to protect against and react consequence. Institutions must also consider to such breaches, including by working with whether the event triggering the risk has broad external stakeholders, such as customers, law- implications for their industry, the economy, enforcement agencies, and regulators.

20 McKinsey on Risk Number 10, January 2021 — What new risks lurk in the future? Companies will digital capabilities, competitive landscapes, and need to cast nets wide enough to detect new and global trends. For example, many companies emerging risks before they happen. Traditional that categorically refused to use the cloud five risk-identification approaches based on ex post years ago are migrating to cloud-based storage facto reviews and assessments will not suffice. and software solutions today, driven by improved Most institutions have not had historical losses technology and security. Geopolitical instability linked to climate change, and many have not has the potential to increase counterparty and encountered significant reputational blowback currency risk considerations for the travel and from being on the wrong side of a social issue. infrastructure industries when considering Institutions will need to work across business and engineering, procurement, and construction functional divisions to maintain forward-looking, contracts for megaprojects lasting several comprehensive taxonomies of the fundamental years. The COVID-19 pandemic has sparked drivers of their risks. To get a real-time view of pharmaceutical companies to consider afresh those drivers, companies should look to internal which risks they are willing to take to develop performance metrics, external indicators, and and produce treatments quickly. qualitative views of what business leaders see in their day-to-day work. Scenario-based — Should we avoid any risks entirely? Companies approaches and premortems also play a critical will want to draw some clear lines in the role by letting leaders play out what might go sand: no criminality; no sexual harassment of wrong before it does. employees. But for many risks, the lines are not clear, and each company will need a nuanced Determining risk appetite perspective built on a strong, objective fact base. Companies need a systematic way to decide which For example, will risk drivers such as climate risks to take and which to avoid. Today, many change render risks in certain businesses institutions think about their appetite for risk in fully untenable (for example, developing real purely static, financial terms. They can fall into the estate in certain coastal regions)? Or should simultaneous traps of being both inflexible and the reputational risk of being caught in the imprudent. For example, companies that do not middle of highly charged environmental and take sufficient risk in innovating can lose out to social-responsibility issues drive a company out more nimble competitors. But at the same time, of certain business segments altogether (for companies that focus on purely financial metrics example, in the way some retailers made the can unwittingly take risks—for example, with their decision to stop selling guns)? Companies will reputation by continuing a profitable business need to develop views on such questions and process that runs counter to societal expectation. update them continuously as their environments and corresponding fact bases evolves. In the future, companies will need to set appetites for risk that align with values, strategies, capabilities, — Does our risk appetite adequately reflect our and the competitive environment at any given time. control effectiveness? Companies are more Effective enterprise risk management will help them comfortable taking the risks for which they have dynamically delimit risk taking, directly translating strong controls. But the increased threat of new financial and nonfinancial principles and metrics into and severe nonfinancial risks challenges status a concrete view of what the firm will and will not do quo assumptions about control effectiveness. at any given time. Companies will need to be able to For example, many businesses have relied on answer the following three questions: automation to speed up processes, lower costs, and reduce manual errors. At the same time, — How much risk should we take? Rapid changes the risks of large-scale breaches and violations can quickly uproot companies’ risk profiles. of data privacy have increased dramatically, They will need to adjust their risk appetites to heightening during the COVID-19 crisis as accommodate shifting customer behaviors, digitization accelerates substantially across many

Meeting the future: Dynamic risk management for uncertain times 21 industries. With less risk of manual errors but in the evolving world, firms will need to build greater risk of large-scale failures, institutions will crisis-preparedness capabilities systematically. need to adjust their risk appetites and associated As the COVID-19 crisis has demonstrated, controls to reflect evolving risk profiles. companies with well-rehearsed approaches to managing through a crisis will be more resilient Deciding on a risk-management approach to shocks. Preparation should involve identifying Firms need to decide on how to respond as they the possible negative scenarios unique to an detect new risks or control weaknesses. Today organization and the mitigating strategies to many rely on linear, committee-based governance adopt before a crisis hits. That includes periodic processes to make decisions about risk taking, simulations involving both senior management slowing their ability to act. and the board. Companies should maintain and periodically update detailed crisis playbooks. In the next normal, however, institutions will need Their strategies should include details on to make risk decisions rapidly and flexibly, laying when and how to escalate issues, preselected out and executing responses, whether immediate crisis-leadership teams, resource plans, and or prolonged, about how to avoid, control, or accept road maps for communications and broader each risk. The decisions should actively engage stakeholder stabilization. leaders from across an organization to determine the mitigation and response efforts that have worked — How can we build true resilience? Resilient well in the past, as well as those that have not. In companies not only withstand threats, but they that way, the organization can develop the ways it emerge stronger. Companies can learn from manages risks in today’s world. Companies will have every actual risk event and control breakdown, to be able to answer the following questions: honing risk processes and controls through a dynamic feedback loop. On a grander scale, — How should we mitigate the risks we are firms also have the chance to turn the fallout taking? Historically, many companies have from true crises into competitive advantage, relied heavily on manual controls and on human as the COVID-19 crisis is demonstrating. For assessments of control effectiveness. That example, some companies providing vacation approach can generate excess, costly layers rentals realized that they would need to do more of controls in some areas while leaving gaps than provide amenities and hygiene measures. or insufficient controls in others. Today, the art They have started offering tailored customer of the possible in defending against adverse experiences, including games, virtual cooking outcomes is rapidly evolving. Automated classes, and remote nature tours, built on an control systems are built into processes and understanding of customer microsegments. detect anomalies in real time. Behavioral These companies have started to differentiate nudges influence people to act in the right themselves from their competitors and are ways. Controls guided by advanced analytics positioned to emerge more resilient, even simultaneously guard against risks and minimize within a very hard-hit sector. Companies false-positive results. should prepare to ensure five types of resilience: financial, operational, organizational, — How would we respond if a risk event or reputational, and business-model resilience. control breakdown occurs? In the event of a Business-continuity, financial, and other plans major control breakdown, companies need to can provide buffers against shock. But true be able to switch quickly to crisis-response resilience also stems from a diversity of skills and mode, guided by an established playbook experience, innovation, creative problem solving, of actions. Most companies have done little and the basic psychological safety that enables to prepare for crises, seemingly taking the peak performance. Those characteristics are attitude that “it won’t happen here.” However, helpful in good times and indispensable when

22 McKinsey on Risk Number 10, January 2021 quick, collaborative adaptation is needed for an competitive landscape. The COVID-19 pandemic institution to thrive. has had a similarly cross-enterprise impact on nearly every company. It should be an objective of dynamic risk management to provide an Five actions to build dynamic enterprise view. risk management Today, many firms see enterprise risk management 2. Establish agile risk-management practices as a dreary necessity but hardly a source of The increasingly volatile, uncertain, and dynamic dynamism or competitive advantage. It can suffer risk environment will demand more agile risk from being static, siloed, and separate from management. Companies will need to tap into the business. But dynamic and integrated risk people with the right skills and knowledge in management, which includes the ability to detect real time, convening cross-functional teams and risks, determine appetite, and decide on action in authorizing them to make rapid decisions in running real time, is growing ever more critical. Leaders the business, innovating, and managing risk. can take five actions to establish the necessary capabilities (Exhibit 2). Building teams and decision bodies dynamically requires the ability to understand quickly the nature 1. Reset the aspiration for risk management of the risk at hand, including its significance and To meet the needs of the future, companies need how quickly it may play out. This helps determine to elevate risk management from mere prevention who needs to be involved and how people should and mitigation to dynamic strategic enablement work together. One fintech company, for example, and value creation. This requires clear objectives, runs daily huddles to discuss customers, bringing such as ensuring that efforts are focused on the together a cross-functional team of business and risks that matter most, providing clarity about risk risk leaders and other subject-matter experts to levels and risk appetite in a way that facilitates review new customer complaints. This enables effective business decisions, and making sure that executives to review funnel metrics for the day side the organization is prepared to manage risks and by side with customer complaints and helps teams adverse events. triage and remediate those complaints promptly, avoiding larger issues down the road. In practice, risk managers should engage in a productive dialogue with business leaders to gain Decisions themselves should receive appropriate an in-depth understanding of how the business transparency, but managers should not get bogged thinks about risk day to day and to share the risk down in excessive bureaucracy. Companies can capabilities they can bring. Businesses typically formulate a clear, principled view of what sorts approach decisions with a reasonable risk-versus- of decisions require committee review versus return mindset but lack key information to do this execution by single responsible parties. In some effectively alone. For example, business units often cases, previously unforeseen issues and risks that do not have a full systematic understanding of the have the potential to evolve rapidly may require full range of risk drivers or a clear view of how a special, fast-track decision-making mechanisms. stressed environment could affect the company. One organization does regular crisis-preparedness exercises and has developed relevant playbooks More broadly, businesses typically also lack that assign decision-making power if needed, an enterprise-wide view of how a risk might depending on the type of issue. unfold. For example, climate risk may affect most aspects of some companies’ businesses, from 3. Harness the power of data and analytics the impact of physical climate risk on operational Companies can embrace the digital revolution to facilities and supply chains to market repricing of improve risk management. Automation technologies carbon emissions to shifts in market demand and can digitize transaction workflows end to end,

Meeting the future: Dynamic risk management for uncertain times 23 reducing human error. Rich data streams from advanced analytics to predict major component traditional sources, such as ratings agencies, and failures. The company improved safety and nontraditional sources, such as social media, reduced its total failure cost for rolling stock by provide an expanding and increasingly granular view 20 percent. Companies can also use natural- of risk characteristics. Sophisticated algorithms language processing to build real-time, digital enable better error detection, more accurate dashboards of internal and market intelligence, predictions, and microlevel segmentation. enabling more effective risk detection, including in customer complaints, employee allegations, internal One global pharmaceutical company adopted communications, and suspicious-activity reports. advanced analytics to help it prioritize clinical-trial sites for quality audits. The company used a model 4. Develop risk talent for the future to identify higher-risk sites and the specific type of To meet the demands of the future, risk managers risk most likely to occur at each site. The company is will need to develop new capabilities and expanded now tightly integrating its analytics with its core risk- domain knowledge. Strong knowledge of how the management processes, including risk-remediation business operates provides a critical foundation by and monitoring activities of its clinical operations supporting true understanding of the landscape and quality teams. The new approach identifies of risk. This enables risk professionals to provide issues that would have gone undetected under its better oversight and more effective challenge while old manual process while also freeing 30 percent of also acting as effective counselors and partners as its quality resources. their company navigates the risk landscape.

Another area in which advanced analytics can Risk managers will also need strong understanding capture significant value is in the predictive of data, analytics, and technology, which are driving detection of risk. One railway operator applied shifts in how most companies operate—a trend only

Web <2020> Exhibit 2 Exhibit <2> of <2> DynamicDynamic and and integrated integrated riskrisk management, management, which includesincludes the ability toto detectdetect risks,risks, determinedetermine appetite,appetite, andand decide onon action,action, is is growing growing everever moremore critical.critical.

5 actions to establish capabilities needed for dynamic risk management

Reset aspiration Establish agile Harness power of Develop risk Fortify risk culture for risk risk-management data and analytics talent for future management practices

Move risk from Authorize cross- Digitize transaction Develop new Build true risk-culture prevention and functional teams workows; use data to capabilities and ownership in front mitigation to to make rapid expand view of risk expanded domain line; hold executives dynamic strategic decisions in characteristics; deploy knowledge to accountable for enablement and business, algorithms to enable support full cultural failings; link value creation innovation, and better error detection, understanding of risk culture with daily risk management more accurate risk landscape business activities predictions, and and outcomes microsegmentation

24 McKinsey on Risk Number 10, January 2021 accelerated by the COVID-19 crisis. This is true for difficulties and have more engaged and satisfied how data and digital interfaces are affecting firm customers and employees. processes, how companies are employing artificial intelligence to support day-to-day decisions, Companies with strong risk cultures share several and how the digital revolution is shaping risk essential characteristics. Most important, true management itself. ownership and responsibility for risk culture sits with the front line, with executive-level To put this all together, risk managers will need to accountability for cultural failings. To be truly develop agile capabilities and mindsets, allowing lived, culture must be linked with the day-to- them to identify opportunities to convene day business activities and outcomes of an stakeholders and contributors across functions institution. At the same time, someone needs to rapidly and generate quick solutions. People will be responsible for coordinating the definition, need the leadership and personal capabilities to tap measurement, reporting, and reinforcement of risk into colleagues with the right skills and knowledge culture—for example, within a risk function, a COO in real time. organization, or HR. Without an enterprise-wide view and vocabulary, it is not possible to effect true, 5. Fortify risk culture coordinated cultural change. Finally, attention to Risk culture refers to the mindsets and behavioral risk culture must be ongoing. Strong culture takes norms that determine how an organization maintenance and requires reinforcement. identifies and manages risk. In moments of high uncertainty—such as those we are living through One fast-growing technology company announced during the COVID-19 pandemic—risk culture is of a culture transformation as the CEO’s top priority. It exceptional importance. Companies cannot rely on selected 30 culture leaders from across the company reflexive muscles for predicting and controlling for to lead the effort. The initiative mobilized around one- risks. A good risk culture allows an organization to fifth of its staff through workshops aimed at helping move with speed without breaking things. It is an managers make risk-informed decisions and creating organization’s best cross-cutting defense. a new risk culture and mindset.

Beyond today’s travails, a strong risk culture is a critical element to institutional resilience in the face of any challenge. In our experience, those The world is facing both uncertainty and rapid organizations that have developed a mature risk change. For companies, risk levels are rising—as culture outperform peers through economic cycles are the expectations of employees, customers, and in the face of challenging external shocks. At shareholders, governments, and society at large. the same time, companies with strong risk cultures Against this backdrop, we believe companies need are less likely to suffer from self-inflicted wounds to rethink their approach to risk management, to in the form of operational mistakes or reputational make it a dynamic source of competitive advantage.

Ritesh Jain is an associate partner in McKinsey’s New York office, Fritz Nauck is a senior partner in the Charlotte office, Thomas Poppensieker is a senior partner in the Munich office, and Olivia White is a partner in the San Francisco office.

Meeting the future: Dynamic risk management for uncertain times 25 A fast-track risk-management transformation to counter the COVID-19 crisis

An accelerated transformation to enhance efficiency and effectiveness will enable risk organizations to deal with the pandemic while addressing rising regulatory and cost pressures.

by Javier Martinez Arroyo, Marc Chiapolino, Matthew Freiman, Irakli Gabruashvili, and Luca Pancaldi

26 Before the coming of the pandemic, banks More specifically, to win in the next normal, the had been reducing the complications and costs risk-management function must make itself more that arose over the years as they dealt with efficient and effective—something high-performing escalating regulations and emerging risks by adding risk organizations have already done. We have policies, processes, and people to their risk and prioritized six specific moves risk organizations compliance functions. must make:

Then COVID-19 happened and threatened to — Redesign underwriting to streamline processes complicate things all over again. and add automated ones.

When banks shut branches and corporate offices, — Enhance monitoring. this altered how customers interact with them, forcing changes to long-held risk-management — Optimize and automate reporting. practices. Activities that typically happened in person were no longer possible, such as credit- — Improve processes for reporting financial crimes. committee meetings to approve underwriting for a new corporate client, or office visits by potential — Streamline the market-risk operating model. small borrowers to verify their creditworthiness or sign loan documents. — Make other changes by taking a big-picture look at risk management’s overall organization, The banks’ risk-management functions, which governance, and performance management. act as a second line of defense between frontline employees who work directly with customers and These changes are often part of a larger the department’s backstop internal risk-audit transformation that can take years to implement. teams, also had to adjust the way they operate. Yet some risk-management functions have adopted For starters, they had to manage employees who the practices we’ve outlined much more quickly—in would now work from home and to prepare for the some cases, in only three months. When these pandemic-triggered problems of small-businesses changes are successful, we estimate that they can and other customers. They also had to adopt new improve efficiency and effectiveness enough to raise practices to monitor existing risks and guard against the productivity of specific activities by 40 percent new ones, including cyberrisks triggered by the or more. Banking-sector risk organizations that had pandemic. Such changes, we estimate, could raise been relatively efficient before implementing these the operating expenses of risk functions by 10 to moves can use them to raise their productivity 30 percent. That’s reason enough to make by 15 to 25 percent. Less efficient bank risk processes as efficient and effective as possible. organizations can raise it by 30 percent or more.

McKinsey had previously found that risk managers can improve their operations by digitizing and Roadblocks to improving applying advanced analytics to a variety of risk management department functions and by optimizing the Well before the pandemic, risk organizations had organization, among other changes. Those to deal with the external pressures of increased directives still hold. Our latest research shows that industry regulation, and internal pressure to cut to address the business problems COVID-19 has costs. Around the world, both the depth and breadth created and to mitigate the cost and regulatory of banking regulations have increased. The reasons pressures risk organizations still face, they must include the shift to digital channels and tools, a roll out digital and advanced analytics more greater reliance on third parties and the cloud, and aggressively and tie these moves to tactical the threats that all these pose to the strength and improvements in governance. integrity of risk functions. On top of that, bank leaders working to make their organizations more

A fast-track risk-management transformation to counter the COVID-19 crisis 27 competitive expect the risk function to contribute to defense roles—already account for up to half of a overall cost-cutting efforts. bank’s employees and costs. Risk-organization staff in the second line of defense account for COVID-19 has added to those challenges. Risk approximately 2 to 3 percent of the total number managers must understand the pandemic’s impact of bank employees, not including compliance and on credit and market portfolios to mitigate the financial-crimes personnel. Although our research effects on their own operations. They’ve had to track shows that scale is the single most important driver of emerging threats to the newly remote workforce, to efficiency, we have also found that the size and cost current and potential borrowers, and to other bank of multiple risk activities do not correlate directly with customers. They’ve implemented government- scale (Exhibit 1). For these activities, the different directed moratoriums on loan collections and abided operating models of banks explain the variations. by other local or national measures adopted in the pandemic’s wake. Those actions have cut into Lower costs don’t necessarily make a bank’s top-line revenues at a time when banks are adding risk operations less effective. In fact, a McKinsey expensive new risk-management practices. analysis found that banks with the strongest risk operations have 10 to 15 percent fewer full-time- But coping with the new requirements doesn’t have equivalent employees than their less effective to mean adding staff. Risk-management activities— counterparts do (Exhibit 2).1 including resources in first-, second-, and third-line

1 As measured by 2019 Supervisory Review and Evaluation Process (SREP) ratings and corrected for the impact of scale.

Web <2020> Exhibit <1> 1 of <6> Some risk-managementrisk-management activities activities appear appear to to be be more more fixed xed and and suitable suitable for for economies ofof scale.scale.

Total cost of risk management by activity and size of bank MORE VARIABLE Credit decisioning 400 Fully variable activity²

Operational risk The larger the Risk-function management bank, the higher 300 the proportion of Cost of risk- Model risk management risk-management management cost in the activity activities, as a percentage index¹ Enterprise risk management of all bank full-time Credit data, analytics, and reporting equivalents 200 Credit-risk-model development

Risk technology

Fully xed activity² 100 50,000 100,000 150,000 200,000 MORE FIXED Number of full- time equivalents

¹To ensure comparability across functions, total cost of risk organization was rebased to 100 for each function for a bank with 50,000 full-time equivalents to capture marginal increase over institutions’ size. Noise deriving from initial size of each function was removed to observe correlation between overall institution size and function size. ²Same proportion of risk-management cost for banks of all sizes. Source: McKinsey Global Risk Benchmark, 2019

28 McKinsey on Risk Number 10, January 2021 Six actions that improve risk- retail companies and small and medium-size management productivity enterprises (SMEs)—want to know immediately if Risk functions can face their old and new they qualify for a loan and when they can access the challenges, without increasing their size or costs, if funds. That didn’t change when COVID-19 hit: risk they operate more efficiently and effectively. Banks functions must still meet customers’ expectations have a number of options. They can deploy some of even while dealing with them remotely. the moves outlined below relatively quickly to make themselves more efficient and effective while also Credit underwriting already accounts for a adapting their risk-management practices to the substantial part of the total resources of the risk COVID-19 environment (Exhibit 3). organization—an average of 30 percent (and up to 50 percent) of its employees. Adding staff therefore 1. Redesign underwriting isn’t the answer. In fact, our research indicates that Assessing a borrower’s creditworthiness is a the workforce at the most efficient organizations long, labor-intensive process that’s prone to tends to be substantially smaller than it is at the inefficiencies, which make it ripe for improvement. least efficient ones. The desire of borrowers for more transparency into the underwriting process has exacerbated the In the next normal, the ability to speed up existing complexities. Customers—in particular, underwriting turnaround times will become an important differentiator. Risk teams that had

Web <2020> already digitized underwriting before the pandemic Exhibit 2 responded more successfully under the lockdown. Exhibit <2 of <6> Banks with more effective risk By 2021, we expect others to follow suit, pushing Banks with more eective risk up the adoption of digital channels for credit operations areare alsoalso moremore e cient.efficient. underwriting by 5 to 15 percent. Correlation of risk-operation size and SREP¹ evaluations for Tier 13 banks, %² Banks have three primary avenues to improve the efficiency and effectiveness of their credit- 3.5 20% underwriting processes: 3.0 — Adopt straight-through processing (STP) for 2.8 10–15% when adjusted for credit-underwriting workflows. Upgrading to scale impact³ digital from manually inputting data, through data spreading or other means, could help reduce end- to-end workflow costs by up to 40 percent. STP applications include tools that prepopulate credit forms with data from clients or internal or external databases as well as incorporate delegation and structure information.

Tier 1 Tier 2 Tier 3 — Automate underwriting for retail and SME ¹SREP: Supervisory Review and Evaluation Process. customers. Using software to calculate the ²Risk-operation size: risk-operation full-time equivalents (FTEs) vs total-bank FTEs; risk-operation FTEs exclude compliance, anti–money laundering, and risk-IT creditworthiness of a small business by standard functions. Pillar 2 requirements for European Banking Authority (EBA) and Pillar 2A requirements for UK; SREP evaluation used as proxy for risk-function criteria, rather than having staff make these effectiveness, as internal risk-governance framework is 1 of 4 pillars of SREP process. Tier 1: <1.75% for EBA and <2% for Bank of England Prudential decisions, could raise margins by 5 to 10 percent. Regulation Authority (PRA); Tier 2: 1.75–2% for EBA and 2–2.5% for PRA; Tier 3: >2% for EBA and ≥2.5% for PRA. Sample size of 10 EU and UK banks. Software could also improve (by 10 to 25 percent) ³Adjusted for size using correlation inferred from McKinsey Global Risk Benchmark, 2019. an underwriting department’s ability to correctly Source: Bank of England; individual Pillar 3 reports; “Supervisory review (SREP),” European Central Bank, 2019, bankingsupervision.europa.eu predict whether an SME is a good credit risk. Banks that have already automated the function might consider increasing underwriting thresholds— for example, to $500,000, from $250,000.

A fast-track risk-management transformation to counter the COVID-19 crisis 29 Web <2020> Exhibit 3 Exhibit <3> of <6> Risk-management functions functions can can take take action action in in six six areasareas to to realize realize productivity productivity gains of 30 percent oror moremore inin a matter ofof months.months.

Productivity opportunity, % dierence between top and median performers

Redesign Enhance Optimize Optimize Streamline Improve underwriting¹ monitoring² and automate financial- market- organization, reporting³ crime detection risk operating governance, and model performance⁴ ~50

~30 ~30 ~25 ~20 ~15

Potential productivity improvements

• ~10–25% • ~40% • ~50% • ~40% increase • ~50% • ~30% improvement in portfolio-level reduction in in know-your- reduction in reduction in accuracy of decisions data-reporting customer (KYC) data errors complexity underwriting supported errors, reducing process accuracy and exceptions predictions by advanced need for manual • Increased through analytics corrections • ~50% decrease • ~20% awareness advanced and improving in KYC documents reduction of risk analytics • ~15–20% monitoring and process steps in data effectiveness reduction in quality and pricing and efficiency • ~5–10% manual data • ~80% discrepancies through credit-margin entry through improvement between front monitoring growth through natural-language in accuracy of line and risk instant credit processing anti–money decisions laundering alerts

¹Includes credit decisions. ²Includes credit-risk portfolio management and enterprise-risk-management (ERM) risk review and tracking. ³Includes credit, market, operational, and ERM reporting. ⁴Includes management and overhead for all risk types.

To mitigate the increased potential for fraud documents instead of 50 and reserve the more that typically accompanies changes in this intensive scrutiny for less prominent or smaller area, automated banks must also improve enterprises. Other methods to rework corporate their controls. underwriting processes include defining credit limits by company type or industry (rather than — Simplify corporate-credit underwriting. Banks on a deal-by-deal basis) and creating a special- can streamline underwriting that cannot be case system to handle the most complex or automated, because of the counterparty’s size urgent requests. or the complexity involved, by reducing the credit-application documentation and analysis 2. Enhance monitoring required. For large, well-established, or public The widespread economic fallout from COVID- companies, risk managers could review a dozen 19 has forced risk managers to rethink how and

30 McKinsey on Risk Number 10, January 2021 what they monitor to evaluate risks, including Some of these AI-based monitoring tools can creditworthiness and the ability to repay loans. The trigger real-time alerts based on sector-level virus’s spread and reactions to it continue to shift, indicators, such as point-of-sales systems. To often quickly. These developments have helped estimate the impact of new information on some industries and hurt others—boosting the sector-wide rating scores, these tools may revenues of grocery chains, for example, while also use machine-learning models (such as cutting into restaurant sales. They have also hyperparameter random-forest modeling) affected segments within industries differently, so tailored to specific industries or clients. In risk managers have to monitor trends at a more addition to analytics engines, digital-monitoring granular level. On top of that, risk managers need suites typically include smart-workflow to account for the actions that governments are capabilities that focus analytic work on areas taking to help constituencies respond to the virus. where human judgement is necessary, such as Many of these actions, including moratoriums on parameter changes in the models that are not payments for mortgages and business loans, affect associated with a high level of confidence. the environment for credit. — Monitor portfolios in a more granular way. Before the pandemic, risk-monitoring activities Risk functions typically use back testing and accounted for about 15 percent of risk-management internal ratings–based models to evaluate the costs. Banks traditionally executed a not soundness of their credit portfolios. Because insubstantial portion of these activities manually, the pandemic has had such a profound impact so they are ripe for change. Risk departments on the global economy, which continues to can adopt a range of digital systems and tools to shift unpredictably, the typical indicators of automate risk-monitoring tasks: creditworthiness have been affected. Risk functions that in the past may have analyzed — Digitize counterparty-level credit-monitoring 20 to 30 economic sectors may need to review tools. Risk functions can program advanced ten times that number of industry subsectors analytics into early-warning systems to improve to understand how they are faring in the reviews of earnings releases, real-time financial crisis. Some institutions have gone as far as to news, transaction data to find information subdivide the restaurant industry, for example, that could affect a client’s credit outlook. into 15 subsegments, the better to distinguish We estimate that algorithms could support between top and bottom performers and predict 40 percent of counterparty-level credit- nonperforming loans. Instead of analyzing the monitoring decisions. Banks that have already beverage industry, therefore, banks may need to implemented these techniques reduced their review what’s happening in soft drinks, bottled credit losses by 20 to 30 percent, through water, soft alcohol, and hard alcohol, to name a early detection of potential deterioration of few subsegments. counterparty creditworthiness—while reducing monitoring costs by 30 to 40 percent (Exhibit 4). 3. Optimize and automate reporting Banking regulators have increased their reporting — Digitize portfolio-level credit-monitoring requirements—for example, by asking for more tools. Historically, risk-monitoring personnel and better data on risk practices and more closely manually reviewed industry news to extract data scrutinizing these data. We estimate that as a that could be used to make decisions about result, the risk functions of banks devote 10 to the changing credit landscape of different 15 percent of their total resources to comply with economic sectors. Risk departments that adopt such reporting requirements. Automation gives risk applications using artificial intelligence (AI) and managers additional insights into the risk profiles machine learning to track industry news and they must review to meet these requirements—but developments could reduce related data entry without adding personnel to a low-value task. As by up to 15 percent. circumstances and requirements change, automation can also help managers adjust what reports cover.

A fast-track risk-management transformation to counter the COVID-19 crisis 31 Several moves could make risk functions more review reporting information directly, including efficient and effective in this area: both high-level data and the underlying information it’s based on. We estimate that self- — Actively monitor reporting requirements. By service reporting, by itself, could cut the costs of constantly tracking what regulators want and risk departments by up to 30 percent. managers need, risk functions can manage the risks their banks face and provide what’s required, — Improve data architecture and management. without wasting resources sharing unnecessary It’s not unusual for banks’ risk data to reside information. Some banks that have started to in several databases or other applications— merge regulatory and internal reports have cut the result of mergers, expansion into new the number of reports they produce in half. markets, divisions that use different systems, or operations that span several countries or — Offer self-service reports. Risk managers can continents. For such institutions, complying with use self-service reporting tools to update or

Web <2020> Exhibit 4 Exhibit <4> of <6> To reducereduce credit-risk losses and and boost boost monitoring, monitoring, banks banks can can categorize categorize financial nancial owsflows toto leverage transaction data.data.

Small and medium-size enterprise (SME) transactions by category, % of total transactions In ows Out ows

Goods and services Goods and services payments 50 payments 76

Internal self-transfers 14 100 Payments by check 7 Internal self-transfers 14 Other categorized 12 100 Payments by check 6 Uncategorized 4

Other categorized 3 Employees 6

Uncategorized 2 Government services 8

Credit loss, Cost of full-time equivalents for SME-credit index (100 = 100%) monitoring, index (100 = 100%)

Traditional monitoring¹ Traditional monitoring¹

Transactional monitoring² Transactional monitoring²

–20% to –30% –30% to –40%

Note: Figures may not sum to 100%, because of rounding. ¹Traditional, bureau-based monitoring, using manual analysis. ²Enhanced monitoring and upgraded team setup, using transactional data.

32 McKinsey on Risk Number 10, January 2021 reporting requirements may involve manually savings account. Risk functions that do so, we culling data from these manifold sources. estimate, could reduce their financial-crime- compliance spending by 10 to 20 percent and — A data architecture that can pull information improve the accuracy of customer data by from disparate databases into a central location 40 percent. In addition to costing less, algorithms can not only alleviate the need for manual that read and extract data from verification processes but also provide other benefits. As documents eliminate the possibility that part of such an upgrade, risk functions could employees could be paid to falsify information. This create reporting-competence centers for would also free up time that first-line bank staff frontline and risk-management personnel in and internal audit teams could use for other work. multiple business units or subsidiaries. We estimate that automating and unifying data — Optimize AML alerts. All banks use AML alerts architecture and management could cut risk- to flag unusual transactions that could signal reporting costs by 10 to 20 percent and halve irregularities. But false positives are common—in the number of reports that include errors. some cases, accounting for more than nine Depending on how a bank is structured, these alerts out of ten. The use of advanced analytics efficiency changes could take place within either to monitor transactions, often in parallel with the operations or IT organization. existing rules-based tools and models, can improve the accuracy of alerts and thereby reduce 4. Optimize processes for detecting the number of false positives to six or fewer out of financial crimes ten (Exhibit 5). More accurate alerts can reduce Since global regulators began to intensify financial- the need for manual interventions and free up crime-compliance activities a decade ago, they’ve risk-management personnel for other tasks. launched scores of enforcement actions and levied $36 billion in fines around the world. An average — Streamline know-your-customer (KYC) processes of 2 to 3 percent of a bank’s total staff therefore to meet local requirements. The customer works in second-line financial-crime monitoring and documentation that risk functions must provide to reporting efforts. For a global bank with 100,000 satisfy financial-crime-compliance requirements employees, this means that 2,000 to 3,000 people vary from region to region. Many risk functions could be tracking anti–money laundering (AML) and apply the same standards throughout the another compliance processes. organization, creating unnecessary work and expense. By adjusting monitoring and reporting When COVID-19 measures forced banks to send to local requirements, risk functions can meet their risk-management staffs home to work, it their obligations and reduce costs. That kind of disrupted the face-to-face activities these streamlining could reduce the number of required employees rely on to know their customers—still one KYC documents by 50 percent and speed up the of the strongest ways to assess the risk of financial onboarding of new customers. crime. But regulators are not giving institutions a pass because of the pandemic, so risk organizations 5. Streamline the market-risk operating model face the added burden of finding ways to assess, Some banks use dated or very complex operating monitor, and report on financial-crime compliance models, data systems, and architectures to buy and under remote working conditions. sell fixed-income equities or engage in other large- market investment activities for clients. A front-to- We see three ways to make these practices more back review of this data architecture and systems, efficient and effective: as well as of the associated roles, responsibilities, and processes, can result in significantly lower — Automate customer onboarding. Risk costs and sizable improvements in risk management. organizations could automate the collection and We see three important actions that market-risk verification of the documents that prospective managers can take in such a review: customers must present to open a credit or

A fast-track risk-management transformation to counter the COVID-19 crisis 33 — Use the same valuation models throughout and overcome the challenges that such an the organization. Different functions not integration effort might encounter. uncommonly use separate means or models to estimate the worth of the same asset, and 6. Improve organization, governance, that makes it hard or impossible to come up and performance with a consensus value. Front-office staff may Over the past half-dozen years, risk and compliance use one equity-derivatives valuation model to functions added resources, controls, and policies calculate profit and loss (P&L) estimates and to contend with increased regulation and other projections, while the risk department uses demands. Meanwhile, their budgets increased twice a different model to determine regulatory as much as those of other bank functions. P&L and key risk indicators. If the front office and risk organizations use the same market, When a function expands so quickly, the big counterparty-credit-risk (CCR), and liquidity picture of how it is performing can be obscured models and systems, they can reduce data by daily demands. Policies or committees are inconsistencies by 80 to 90 percent and created piecemeal, sometimes duplicating work valuation-related reworks by 20 to 30 percent. done elsewhere. On top of all these problems, the Risk management’s model-risk-management pandemic forced risk functions to set up new ways of (MRM) function could challenge and validate working, including the addition of new (and often ad these models and develop different ones only hoc) committees and policies to assess and monitor when supervisors require them or if the models truly diverge from front-office practices.

Web <2020> — Integrate the system architecture of the Exhibit 5 Exhibit <5 of <6> front office and the risk function. In addition to adopting the same valuation models, risk Advanced analyticsanalytics cancan helphelp reducereduce functions can use front-office data architecture false-positive resultsresults in in anti–moneyanti–money to calculate P&L and risk. When data sources laundering alerts.alerts. are centralized through integrating data architecture, run-the-bank and change-the- Share of false-positive results by type of anti–money laundering alert, % bank technology costs and external spending decline. Some banks that integrated these >90 functions have become up to 20 percent more efficient, though the extent of the improvement –30% depends largely on a particular institution’s operations and starting point. <60

— Integrate front-office and risk reporting. Integrated reporting creates a single source of truth that can minimize data reconciliations, and improve the risk function’s efficiency and effectiveness. Institutions can adopt different organizational models: the integrated reporting

function can sit in risk, finance, the front office, Traditional Upgraded alerts, using or operations. Banks that integrate reporting alerts advanced analytics have reduced related costs by 40 percent or more. But to get there, risk functions need strong management to push for collaboration

34 McKinsey on Risk Number 10, January 2021 Many banks do have multiyear transformation projects in the works. Yet risk managers can take a number of steps that yield high-impact results in far less time.

risks. The new structures sometimes overlap with testing, and monitoring. We estimate that if ongoing work or obscure its importance. risk functions adopt both centers of excellence and agile methodologies, they can increase the To ensure that risk functions are structured in the efficiency of the centralized activities by 10 to most effective way, they can examine four key 20 percent and save up to 20 percent of their organizational elements: outsourcing costs. A number of the 20 largest North American banks have already created — Clarify roles and responsibilities for all three centers of excellence that report directly to a lines of defense. Regulatory scrutiny of risk chief risk officer. Many of these groups focus on practices led many institutions to add controls data, analytics, and reporting. (and the jobs associated with them) haphazardly, with limited clarity about who does what. Some — Rationalize risk governance and policies. To banks switched oversight for technology and focus on what matters most, banks should cyberrisk from the risk function to a technology consider streamlining their downstream group and then back to the risk function—moves procedures and policies. Reducing the number that not only sowed confusion about roles of committees, for example, can not only and responsibilities but also created potential improve focus, accountability, and lines of gaps in coverage and duplicate responsibilities. escalation but also save executives’ time. It’s Banks can improve efficiency by mapping out not uncommon for midsize and large banks to the duties of the front line, the risk organization, have thousands of risk and compliance policies and internal audit departments to identify gaps, spawning dozens of procedures, which in turn fix overlaps, and ensure accountability. A clearer influence processes and the design of controls. organizational chart could result in cost savings If banks structure their policies to focus on the of up to 5 percent. areas of highest risk, they can remove needless red tape. We have seen institutions eliminate up — Centralize shared resources and add agile to 30 percent of their policies while improving practices. Risk managers can move these the quality of the rest, reducing costs and haphazardly added activities and staff into efforts associated with policy administration centers of excellence—both virtually and and management. Institutions undertaking physically—which handle common activities such a transformation may find that they could such as risk data and analytics, reporting, adjust or rewrite nearly all of their policies to

A fast-track risk-management transformation to counter the COVID-19 crisis 35 make them more clear, reflect their current risk neglect opportunities to fine-tune the way appetite, or achieve the appropriate level of they work and thus to make themselves more detail. The renovation of risk policies can start efficient and effective. We recommend that risk with the establishment of design principles to organizations track their KPIs for credit risk, understand the challenges and identify the end market risk, operational risk, and the like, as well goals that policies are meant to achieve. as the related outcomes (Exhibit 6).

— Put a performance-management system in place. Historically, risk organizations have How to update risk-management monitored key risk indicators—for example, practices in the short term the percentage of nonperforming loans or Transforming risk management across the six areas performance against controls—but not their own we’ve described could take at least a year if a bank key performance indicators (KPIs). They may adopted any traditional approach. Many banks do not, for example, track how many credit files a have multiyear transformation projects in the works. risk-function employee processes a day, how Yet risk managers can take a number of steps that many models each validator manages, and the yield high-impact results in far less time. In this way those figures trend over time. By failing to way, banks can make the entire risk organization measure their own performance, risk operations upward of 30 percent more productive—including

Web <2020> Exhibit 6 Exhibit <6> of <6> Banks cancan useuse key performance indicators to help ensure thatthat riskrisk management meets targets.targets.

Sample risk categories and metrics to measure performance

Credit underwriting Detecting Monitoring Data Reporting Model development and adjudication financial crimes and tracking and validation

Touch time for loans • Ratio of STR/ • Qualitative/ • Percentage • Number of • Number of models • Auto SAR¹ filings to quantitative of time spent risk reports by tier/category • Credit cards alerts breakdown of on low-value (eg, internal ratings, • Personal lending KRIs² activities (eg, • Average stress test, internal • Mortgage or home- • Ratio of alerts to sourcing, cost per capital needs) equity line of credit STRs • Percentage of processing, report • Commercial under- automated KRIs quality • Number of models writing, up to $5 million • Average time to (gathered through assurance) • Average managed by • Commercial under- clear alert system checks) cost per modeler writing, up to $5 million • Number of report adjudication • Ratio of nonalerts • Percentage of teams category • Number of models • Wholesale to investigation controls tested performing managed by model personnel within centralized data-related • Report validator Straight-through utility activities frequency processing • Know-your- • Percentage of • Auto customer • Number of • Average models reviewed • Credit cards personnel as required risk report per year • Personal lending percentage of assessments length •Mortgage (assisted total anti–money • Number of model- lending) laundering • Percentage of fully risk corrective personnel actions issued in • Commercial, up to automated controls past year $2 million

¹Suspicious-transaction report/suspicious-activity report. ²Key risk indicators.

36 McKinsey on Risk Number 10, January 2021 cost efficiencies of 40 percent or more in selected defines how the work will be done and who will do activities—in as little as three months. it. In addition, they must determine if they have the right tools for the work, the staff has the necessary Analyze and prioritize activities that must change skills, and change-management and skill-building To determine which aspects of operations would programs are required. Finally, they need to gain from the kinds of changes we propose, look at establish regular check-ins and delivery milestones; the risk organization’s cost base and workforce to provide support, coaching, and other kinds of help uncover functions or processes that increase costs for the teams running the program; and map out how unnecessarily and to benchmark your operations to measure outcomes, such as tracking the cost against those of comparable institutions. Conduct reductions resulting from the changes. workshops, observe people at work, and interview risk-function managers and staff to understand how work gets done and which practices could improve. Risk-management functions increase the odds These insights can serve as the basis for a list of of creating lasting change if the moves they make actions and their expected short-term impact or are part of a well-conceived, well-executed plan, productivity gains. Risk managers can use such a are supported by top leaders, and are part of a list to decide which actions to take first based on broader shift in behavior across the organization. the overall health or goals of the risk organization Organizations that have successfully navigated or the bank. From there, they can create a full this path know that while it may not be easy, the implementation plan. rewards of more effective—yet less expensive—risk management are well worth the challenge. Launch and execute priority actions Once an implementation plan is in place, risk managers have to create an infrastructure that

Javier Martinez Arroyo is a partner in McKinsey’s Paris office, where Marc Chiapolino is a partner; Matthew Freiman is a partner in the Toronto office, Irakli Gabruashvili is a consultant in the New York office, and Luca Pancaldi is a partner in the Milan office.

The authors wish to thank Philipp Härle, Holger Harreis, and Olivia White for their contributions to this article.

A fast-track risk-management transformation to counter the COVID-19 crisis 37 Risk culture

Strengthening 39 institutional risk and integrity culture

When nothing is normal: 46 Managing in extreme uncertainty

A unique time for chief 54 risk officers in insurance

38 McKinsey on Risk Number 10, January 2021 Strengthening institutional risk and integrity culture

Many of the costliest risk and integrity failures have cultural weaknesses at their core. Here is how leading institutions are strengthening their culture and sustaining the change. by Richard Higgins, Grace Liou, Susanne Maurenbrecher, Thomas Poppensieker, and Olivia White

39 The COVID-19 pandemic has created a time of assumptions about risk that individuals hold within unprecedented change for both public and private the organization; risk practices are the daily actions organizations across the globe. Executives and that determine the effectiveness of risk management; boards have had to move quickly to address threats contributing behavior comprises the collective and seize opportunities, all while continuing to actions that build risk attitudes. Ideally, these actions protect employee and customer health and safety will be systematic and deliberately intended to and evolving to adopt new digital and work-from- strengthen individuals’ risk attitudes, with desired home norms.1 risk behavior built into everyday functioning.

Risk and integrity culture refers to the mindsets and Concrete definition behavioral norms that determine how an organization Companies that seek to understand risk culture identifies and manages risk. In this challenging can best begin by establishing concrete, detailed and highly uncertain moment, risk culture is more definitions. They should clearly spell out the specific important than ever. Companies cannot rely on elements of risk culture to set aspirations and reflexive muscles for predicting and controlling measure progress. For example, we define ten risks. A good risk culture allows an organization to dimensions of risk culture, based on a wide range move with speed without breaking things. It is an of experiences with companies across all major organization’s best cross-cutting defense. industries, and incorporating close study of a range of real-world risk-culture failings (Exhibit 1). Beyond today’s travails, a strong risk culture is a critical element to institutional resilience in the Systematic measurement face of any challenge. In our experience, those Once risk and integrity culture is defined, organizations that have developed a mature risk measurement can begin. Leading companies and integrity culture outperform peers through assess themselves systematically, looking at economic cycles and in the face of challenging mindsets, practices, and behavior. external shocks. At the same time, companies with strong risk cultures are less likely to suffer from self- This assessment is often based on interviews inflicted wounds, in the form of operational mistakes among units and functions, then followed by a more or reputational difficulties, and have more engaged comprehensive organization-wide survey. and satisfied customers and employees. The survey will typically include 20 to 30 questions This article explores the steps involved in setting up that measure performance against the elements an effective risk-culture program, when to launch of risk culture (covering mindsets, practices, and such a program, and the factors we have found to be behavior) and will set the organization-wide critical for long-term success. baseline. The team can complement results with qualitative insights gleaned from follow-up interviews to provide further detail on the particular Understanding and measuring strengths or weaknesses revealed, and help risk culture uncover their root causes. The starting point for most organizations looking to improve their risk culture is to diagnose the current Instead of using a dedicated risk and integrity state. Organizations that have built strong risk and survey, many organizations falter by relying on a integrity cultures seek to understand (and then combination of employee-engagement surveys, address) three mutually reinforcing drivers: risk focus groups, and analyses of incidents and mindsets, risk practices, and contributing behavior. near-misses to measure their risk culture. Each of these tools can bring useful results when used Risk mindsets can be understood as the set of with sufficient rigor. However, typical employee-

1 Aaron De Smet, Elizabeth Mygatt, Iyad Sheikh, and Brooke Weddle, “The need for speed in the post-COVID-19 era—and how to achieve it,” September 9, 2020, McKinsey.com.

40 McKinsey on Risk Number 10, January 2021 Web <2020> ExhibitExhibit <1> 1 of <2> Risk culture cancan bebe understood as havinghaving ten dimensions, coveredcovered under under fourfour topics.

Acknowledgement Responsiveness

Condence Openness Challenge Speed of response Level of care An assured The degree to which Scrutiny of Perception of external Responsibility to care understanding of management and the quality, changes and reaction about the outcome of an organization’s employees exchange appropriateness, speed to innovation actions and decisions exposure to risk bad news or learnings and accuracy of or change without any false from mistakes others’ attitudes, sense of security ideas, and actions

Transparency Respect

Communication Tolerance Level of insight Adherence to rules Cooperation The degree to which Understanding of risk Identication Alignment of Consideration of warning signs of both appetite and its linkage and understanding individuals’ risk broader organizational internal and external to overall strategy of risks present in appetites to the consequences and risks are shared and decision making the business organization’s impact on overall risk appetite when any one team acts or makes decisions

engagement surveys contain only a few relevant risk culture. While maturity levels across different questions and therefore do not usually uncover dimensions matter, outliers (both strengths and enough insight to create an effective measure. weaknesses) or areas of change where a survey These approaches, furthermore, do not provide is repeated over time tend to drive the greatest a view over time or ready comparisons between insights for an organization. Differences among organizational units. units, functions, geographies, and tenure levels can also be illuminating. We believe that a dedicated survey is an indispensable tool for obtaining a broad measure In one example of this process, a government- of a company’s risk culture. It is the only way to owned corporation held a series of town-hall set a true initial baseline. A comprehensive survey meetings to share the results of its risk-culture creates hard data, comparable across divisions, survey. The town halls were the first active geographies, and roles; with repeated use, it communications on risk culture and demonstrated traces trends through time. The results allow to employees a new openness. The comparative fact-based conversations about risk culture, data shared showed divergent strengths fostering engagement while deepening executive- and weaknesses, which stimulated strong level understanding. interdepartmental conversations in what was a traditionally siloed organization. Sharing results Once an initial baseline is developed, the results As a second example, a high-performing financial should be shared with leadership teams and the institution created tailored readout packs for a series broader organization. Transparent results are an of thoughtful discussions between the chief risk important first step in increasing the focus on officer and the leader of each major line of business

Strengthening institutional risk and integrity culture 41 and function. The readout materials highlighted differences also emerged among business units. As we approach the next inflection areas of opportunity for each business and function, The CEO probed the comparative differences, including dimensions where their risk culture was challenged executives to understand the causes of point, cars will become productive data weaker than the organization as a whole or where low scores, and explored ways for everyone to learn results were at odds with stated strengths or goals and apply lessons from higher-performing business centers and, ultimately, components of the leader. For instance, with one leader who had units. Coming out of the discussions, the team taken pride in his organization’s openness to sharing agreed on focus areas and assigned responsibility of a larger mobility network. bad news, the conversation centered around weak for carrying out the improvements. scores in this area in some geographies. Designing and deploying tailored interventions To lift risk culture, organizations move from Addressing risk-culture shortcomings measuring and planning to taking action. A broad With the help of measured risk-culture results, range of techniques can be summoned to inspire companies can act to address weaknesses in change. Successful efforts are usually the result of risk culture. The leadership team, with support several kinds of actions taken together. In from the team coordinating risk-culture efforts, thinking about how to generate meaningful, can use the strengths, weakness, and cultural lasting changes in risk and integrity culture, differences identified to agree on a set of prioritized leaders can be guided by the “influence model” interventions or intervention areas based on schematized in Exhibit 2. This model has proven enterprise-wide and divisional aspirations. useful in ensuring that change programs draw upon a breadth of approaches, and its use increases the Some interventions will affect the entire chance of success for a transformation by three or organization—for example, certain compensation four times. or recruiting changes. These warrant group-led approaches, and a dedicated team should be The effort to address risk-culture gaps usually created or assigned to take charge of them. involves a balance of short- and long-term interventions. Targeted short-term interventions Many, however, will be specific to and driven by allow organizations to respond flexibly to changing particular parts of the organization. For instance, needs while longer-term programs constantly affected business units would take charge of reinforce core elements of desired risk culture. work to redesign problematic product-approval Long-term interventions are often formal programs processes; likewise, business-unit leaders like speak-up hotlines or training and compensation might “localize” a groupwide focus on a topic like standards (based on risk criteria) that continually accountability. Where possible, interventions or reinforce desired behaviors. their application should be driven, and owned, by the front line to ensure that cultural change is truly In an effective example of a long-term intervention, lived locally and linked to day-to-day business one bank developed a program that both activities and outcomes. Successes and lessons encouraged employees to speak up on risk issues from these localized efforts can be shared across and increased the level of responsive actions. The the organization by a central coordinating team. program includes an externally managed channel for employees to register concerns, with the option of The process of developing interventions end to confidential help from internal speak-up champions end is well illustrated by the experience of one on navigating the process. The board receives insurance company. The company explored the regular reports on both internal and external results of an initial risk-culture survey at a top- complaints, with resolution rates and common team offsite. The survey data allowed leaders to themes and trends. move from discussions based on intuition to those based on evidence. The leaders discovered that The following short-term initiatives are just a few the organization was universally strong in some examples of how organizations have addressed dimensions and universally weak in others. Clear gaps in risk culture:

42 McKinsey on Risk Number 10, January 2021 — A government agency developed a short-term The role is charged with taking deliberately program to increase its speed of response, contrarian positions and pressure-testing which was identified as a major weakness. This proposed products on how well they served the was done with walk-throughs of key processes, long-term interests of the customer and the bank. which identified bottlenecks; components were then redesigned as needed to speed up the — A pharmaceutical company sought to address process and ensure future clarity on escalation a weak culture of challenge by training new and resolution. and junior colleagues on how to constructively question leadership decisions. To encourage the — A bank discovered weaknesses in its approval best results, senior leaders acted as role models, process for new products. Its investigation led to visibly promoting nonhierarchical decision making. the creation of a dedicated challenger role, filled by rotating members of the approval committee.

Web <2020> Exhibit <2> 2 of <2> The ‘inuence‘influence model’model’ denesdefines four dimensions of risk-culture-changerisk-culture-change programs, ensuring thatthat a breadth of approaches are are used. used.

Inuence model for risk-culture change

Capability building

Role modeling and leadership Contributing behavior Formal reinforcement mechanisms

Understanding and commitment

“I have the skills to behave “Systems reinforce “I know what I need to “I see my leaders in the new way” desired change” change, and I want to do it” behaving dierently”

Employees are coached to The organization appoints When things go wrong at a Leaders share risk consider client needs plus senior leaders with the competitor’s, the company knowledge that supports other business concerns right expertise to considers how to change decisions and actions Employees receive training understand and manage its approach Leaders demonstrate on available communication risks Internal communications appreciation when channels, both formal and Systems and processes are prominently feature employees raise mistakes, informal, to identify and in place to quickly identify success stories of change rather than avoiding the escalate risks potential policy or guideline across dierent employee issue or penalizing the Top management is breaches tenures employee coached on communication The organization Workshops with a cross Leaders expect and methods for discussing compensates and section of sta are used to encourage people to risks promotes people to brainstorm improvement challenge their views and encourage them to act in opportunities around risk decisions the organization’s best Leaders systematically and long-term interests eectively communicate key risks faced by the business as well as mitigation approaches

Strengthening institutional risk and integrity culture 43 Launching a risk-culture program devastating impact of other failures in the Risk-culture programs can have multiple triggers. industry. The leaders methodically created formal Leading companies take proactive steps to maintain mechanisms to support desired behavior, helping strong risk cultures in normal times, in times of to ward off potential crises before the point of no stress (such as under the COVID-19 crisis), and when return was reached. they are undergoing transformations. Maintaining risk culture under company Proactively shaping risk culture transformation Building and sustaining strong risk culture requires Many organizations are transforming their proactive attention. In normal times, this means operations, particularly to become more digital addressing risk culture before issues arise. Under and more efficient. The COVID-19 crisis has served the stress of the COVID-19 pandemic, which to accelerate many planned change programs. has disrupted the traditional mechanisms that Large transformations can themselves raise reinforce an organization’s risk culture, this includes risk levels, as risk-management practices are understanding how risk culture is evolving and then disrupted, core processes are redesigned, and taking action to protect or improve it. Because of the teams and organizational structures shift. “Change pandemic, people are working together differently, fatigue,” a species of anxiety that comes with a often from home. In addition, many individuals and transformation, can contribute its own share of risk. organizations are under added stress (including But transformations also afford organizations the financial stress), increasing the risk of nearsighted opportunity to reset their model to their desired risk- decision making and cultural problems. management culture. They must include programs to promote desired behaviors, in transparent, Once a crisis with roots in risk culture hits, existing organization-wide efforts, as opposed to siloed, leadership, including boards, will find it difficult business-as-usual approaches. to lead change as they themselves become increasingly associated with the cultural problems. For example, one global manufacturing company The problems tend to be seen as leadership failings undertook a major transformation in response to in the eyes of the public, investors, and regulators. a series of product- and regulatory-compliance incidents. Front and center were issues of culture, By taking a preemptive look, leaders might see integrity, and compliance, which became the core early signs of concern or inadequate processes for focus of the groupwide transformation. understanding the state of risk culture. An initial deep dive into the root causes of seemingly isolated In a second example, a bank undertook a major incidents or complaints can be a starting point, transformation and restructuring effort, partly in eventually expanded into a broader risk-culture response to COVID-19-triggered considerations. review to build a comprehensive picture. Today, the The program included a dedicated cultural preemptive look should also seek to understand the component with a specific risk-culture stream. As impact the COVID-19 crisis is having on employees the transformation progressed, business units and develop interventions to strengthen the culture incorporated risk-culture initiatives into their broader by filling the gaps created by remote working. program of activities, ensuring risk-culture changes became core elements of the new ways of working. The effort might be triggered by the need to understand whether an organization is vulnerable Getting started to incidents experienced by peers, either before Whatever the original motivation for a risk-culture or during the pandemic. By proactively driving program, a one- or two-year plan covering a range this topic, leaders can avoid larger problems and of intervention types can begin with a small set of demonstrate that they are part of the solution priority initiatives targeting key weaknesses. In and not the problem. For example, a company addition to achieving progress in important areas, in the advanced industries sector built a speak- these initiatives will create visibility and momentum up program after leadership recognized the for the entire plan. An example campaign would be

44 McKinsey on Risk Number 10, January 2021 one that encourages employees to speak up where 3. The case for change is visible and compelling. they see risk concerns. The initiative might include The strengths and weaknesses of the prevailing a confidential speak-up line, communications from risk and integrity culture need to be spelled out, the top to set the tone on the importance of speaking supported by data. The vision for an enhanced up, and, for a dedicated period, an explicit focus on culture and how it will benefit the organization speaking up in team meetings. Results would be and individuals can then be articulated. conveyed to the board in a report covering internal and external complaints, whistleblower activity, 4. The effort is sustained over time. Cultural overarching themes, and resolutions. This would change takes time, and gains must be regularly serve as a first step and a gesture of commitment to reinforced. Successful programs combine the larger effort of changing risk culture. periodic measurement of organizational risk culture with a multiyear change program encompassing short- and long-term initiatives. Setting yourself up for risk-culture Too often organizations bring a burst of energy success to the initial diagnostic but then fail to implement Careful risk-culture definition, measurement, and initiatives or sustain the changes needed to initiative work plans are not enough. Successful drive long-term improvement. risk-culture programs share five essential characteristics that leaders should put in place as 5. The C-suite holds leaders accountable for part of their focus on risk culture: success. Risk-culture programs need someone to provide overarching direction and drive, but 1. True ownership and responsibility for risk to succeed, leadership across the organization culture sits with the front line. To be truly should be actively engaged. Business-unit lived, culture must be linked with the day- owners in particular should champion initiatives. to-day business activities and outcomes of Leaders need to show they are serious about an institution. First-line leaders must feel change if they want their people to adopt accountability for their role in supporting the new risk behaviors, which may themselves be company’s risk culture. perceived as risky—for example, speaking up.

2. Dedicated ownership is assigned for coordinating the definition, measurement, reporting, and reinforcement of risk culture. As senior leaders navigate the complexity of the These responsibilities should sit centrally—either current crisis, they must ensure the organization as within enterprise risk management, with a risk a whole maintains its cultural health. Organizations chief operating officer or an enterprise chief that nurture their risk and integrity culture will operating officer, or within HR. It is helpful be better positioned to serve their clients, team to have a central point, as too often varying members, and society effectively, and to avert risks language is used to discuss culture within a bank. that could potentially prove catastrophic. By taking Without an enterprise-wide view and vocabulary, the steps outlined above, institutions can prepare, it is not possible to effect true, coordinated reap near-term rewards, and be ready for future cultural change. uncertainties and challenges.

Richard Higgins is an associate partner in McKinsey’s Sydney office, Grace Liou is an associate partner in the Seattle office, Susanne Maurenbrecher is an associate partner in the Hamburg office, Thomas Poppensieker is a senior partner in the Munich office, and Olivia White is a partner in the San Francisco office.

The authors wish to thank Tom Martin and Ishanaa Rambachan for their contributions to this article.

Strengthening institutional risk and integrity culture 45 When nothing is normal: Managing in extreme uncertainty

In this uniquely severe global crisis, leaders need new operating models to respond quickly to the rapidly shifting environment and sustain their organizations through the trials ahead.

by Patrick Finn, Mihir Mysore, and Ophelia Usher

46 In normal times organizations face numerous human-caused disasters. Effective action saved uncertainties of varying consequence. Managers many; others spiraled downward. deal with challenges by relying on established structures and processes. These are designed to Existential crises subject organizations to reduce uncertainty and support calculated bets both extreme uncertainty and severe material to manage the residual risks. In a serious crisis, consequences; they are often new and unfamiliar however, uncertainty can reach extreme levels, and and can unfold quickly. In business terms, the the normal way of working becomes overstrained. present crisis more closely resembles economic At such times traditional management operating crises of the past. In the financial crisis of models rarely prove adequate, and organizations 2008–09, for example, many organizations were with inadequate processes can quickly find simultaneously affected. Qualitatively, however, the themselves facing existential threats. present crisis is far more severe.

Uncertainty can be measured in magnitude The COVID-19 pandemic and the resulting and duration. By both measures, the extreme economic recession have affected most large uncertainty accompanying the public-health organizations around the world. Managers and economic damage created by the COVID-19 continue to scramble to address rapidly developing pandemic is unprecedented in modern memory. changes in the public-health environment, public It should not be surprising, therefore, that policy, and customer behavior. And then there is the organizations need a new management model to economic uncertainty. The severity and speed of sustain operations under such conditions. The the crisis is reflected in the International Monetary magnitude of the uncertainty organizations face Fund’s (IMF) projections for US GDP growth. After in this crisis—defined partly by the frequency and an estimated GDP expansion of 2.2 percent in extent of changes in information about it—means 2019 (year-on-year), the US economy, in the IMF’s that this operating model must enable continuous view, was expected to grow at a rate of 2.1 percent learning and flexible responses as situations in 2020 (forecast of October 2019). With the evolve. The duration of the crisis, furthermore, onset of the pandemic, the IMF quickly shifted its has already exceeded the early predictions of many estimate into contraction, of –5.9 percent in analysts; business planners are now expecting April 2020, revised to –8.0 percent in June. The to operate in crisis mode for an extended period. latest estimate (October 2020) is less severe at Leaders should therefore begin assembling the –4.3 percent, but this would still be the worst result foundational elements of this operating model in many decades. The forecasting institution so that they can steer their organizations under foresees the world economy shrinking at a rate conditions of extreme uncertainty. of –4.4 percent in 2020, after having grown 2.8 percent in 2019 (estimate).1 Understanding extreme uncertainty Due to the severity of this crisis, many organizations Uncertainty levels from recent global shocks do not are in a struggle for their existence. An existential approach those of the present COVID-19-triggered crisis puts at stake the organization’s survival in crisis. The IMF’s GDP contraction forecast for 2020 recognizable form. Readers can probably call to is more than double the estimated contraction mind numerous individual companies that faced that took place in 2009, the worst year of the such crises in the recent past. The crises may have earlier global financial crisis. As measured by been touched off by a single catastrophic incident the Economic Policy Uncertainty Index, a metric or by a series of failures; the sources are familiar— developed jointly by researchers at several US cyber breaches, financial malfeasance, improper business schools, uncertainty on a daily basis business practices, safety failures, and natural or has been elevated for nearly 200 days’ running.

1 World economic outlook, October 2020: A long and difficult ascent, International Monetary Fund, October 2020, pp. 141–42, imf.org.

When nothing is normal: Managing in extreme uncertainty 47 By contrast, commensurate uncertainty was cycle. Managers collectively decide on strategies, experienced during the 2008–09 financial crisis budgets, and operating plans once a year and a few times for a maximum of 27 consecutive days. then manage operations in accordance with those The COVID-19 outbreak already accounts for seven goals and cost limits. Between annual-planning of the ten highest-ever daily readings.2 Crises such cycles, amendments are few and usually minor. as Hurricane Katrina or the Fukushima Daiichi The assumptions shape how managers engage nuclear disaster cause high levels of uncertainty with each other: from the content of status reports for individual communities or particular industries. to interdepartmental information sharing to the Since the uncertainty is confined by industry or timing and structure of management meetings. geography, the magnitude decreases steadily Recently, some organizations have adopted more with time. In the present crisis, however, elevated agile techniques to make planning more flexible uncertainty is globally pervasive, and events and responsive to outcomes from pilots or trials. trigger compounding effects. The following exhibit However, the approach is rarely deployed in the conveys a range of crises and their corresponding C-suite to manage the whole organization. levels of uncertainty. The COVID-19 crisis has undermined most of the assumptions of the traditional planning cycle. Why existing operating models fail Existing management operating models are Extreme uncertainty on a global scale is rare; no longer supporting managers effectively in however, existential crises at the organizational addressing the challenges this crisis presents. The or community level are more frequent and thus revenue assumptions managers relied on for 2020, provide lessons concerning which operating models often worked out to two decimal points, are not succeed and fail during periods of uncertainty. relevant in an economy suddenly expected to suffer Many organizations, including publicly traded a historic contraction. Meticulously prepared status companies, operate on an annual-planning reports are now outdated before they reach senior managers. Managers seeking more up-to-date information discover that existing processes are too Web <2020> Exhibit rigid for a timely response. Exhibit <1> of <1> Duration and magnitude of a crisis are Managers thus find themselves working in ways Durationimportant and determinants magnitude of uncertainty.a crisis are unsuited to a highly uncertain environment. They important determinants of uncertainty. know what they need: flexibility, the capability to act collectively, quickly, and across the whole Long organization as challenges arise. They need also to be able to work in this way over an extended COVID-19 pandemic period. Some organizations have therefore begun to experiment with new operating models that allow Regional war zones managers to work together. Some of the changes Time Extreme (duration) have been successful and others have failed. uncertainty

Overcoming challenges Existential To increase the odds that a new operating model crises Short will be effective today, managers must ensure that it addresses the problems of operating under highly Low High uncertain conditions. The COVID-19 operating Source: McKinsey analysis environment requires that managers reexamine their

2 “US monthly EPU index,” Economic Policy Uncertainty, policyuncertainty.com.

48 McKinsey on Risk Number 10, January 2021 The COVID-19 operating environment requires that managers reexamine their collective thought processes and challenge their own assumptions.

collective thought processes and challenge their rate of transmission of COVID-19 (R0) are central own assumptions. Failure to do so will create the to forming a view on the likely impact of the risk of serious errors. Here are some of the pitfalls disease: even a tiny uptick in the reproduction managers will likely encounter: number can create a dramatic increase in the expected infection and mortality rates — Optimism bias. Since managers and their and radically change expectations of likely organizations have never seen anything like this government measures and consumer behavior. crisis, existing heuristics learned from years of management might not apply. One common — Wrong answer. In addition to the instability of problem is that managers experience optimism information, leaders must also be sensitive to bias, both individually and collectively. They will be the possibility that information they thought was inclined to bring forward the date of an expected clear and certain could turn out to be wrong. revenue rebound or minimize the duration of Managers cannot take their own assumptions expected business closure. Simply, managers as facts, since new information could emerge cannot or will not believe how bad the situation that invalidates them. Assumptions and could get, and the organization ends up planning understanding need to be regularly revisited for a much milder scenario than transpires. and revised as necessary, as part of the organization’s practice of continuous learning. — Informational instability. Information is unstable The operating model must be able to absorb in the COVID-19 pandemic. Epidemiological data initial wrong answers and override them quickly; are constantly shifting: infection and mortality organizations can even encourage managers to rates, the proportion of asymptomatic cases, look for opportunities to update assumptions. the intensity and effectiveness of testing, the length of the infectious period, and the extent — Paralysis by analysis. Confusing and ever- and duration of immunity after infection. The changing data can cause managers to delay problem extends to poor or missing economic decisions as they search for more analytical data whose reliability has been affected by the rigor. They may never find it, given the extent speed and severity of change. Conventional of the crisis we are in. Delayed decision making business strategy is most often based on is not advisable in a crisis as fast moving and assumptions about a probable course of events. severe as the COVID-19 pandemic. Delay is In today’s crisis, a single “most likely” planning in itself a decision, since taking no action has scenario is unachievable. The sensitivity of consequences—for example, a continued, statistical models to relatively small changes unchecked spread of the virus. Managers should in assumptions on key variables creates even rather act on what they do know, and adapt their greater hazard. For example, projections of the strategy as new information becomes available.

When nothing is normal: Managing in extreme uncertainty 49 — Organizational exhaustion. In extreme likened to the Intergovernmental Oceanographic uncertainty, organizations are usually unable Commission’s early-warning systems, which to return to business as usual for a long time, rapidly relay data of approaching tsunamis to sometimes years. This exposes managers potentially affected communities. and their teams to the risk of exhaustion in the face of constant and apparently never-ending — Integrated nerve center. Once an alarm change. A crisis may galvanize a company’s has been triggered, leaders must have an senior managers and employees in its initial organizational structure in which a common phase. But once that adrenaline fades, understanding of the crisis can be developed continuing uncertainty becomes enervating. quickly and decisive actions taken with At worst it can take a toll on managers’ mental authority. Such a structure could be part of the and physical health, causing major harm to organization’s ready-made crisis-management organizational effectiveness, from a decline in plan, but leaders must prepare for the possibility responsiveness to a deterioration in the overall that preconceived structures may be unsuitable quality of work. in an existential crisis. They must therefore create a new operating model if the situation requires one. The organization needs an A suitable organizational structure integrated nerve center to oversee a holistic When determining how their organization should crisis response. Within that structure, leadership respond to extreme uncertainty, managers need must identify an inner core: a small group of to estimate the magnitude and expected duration managers who have the judgment and internal of the crisis. At the onset, a timely and centralized credibility to lead the response. Once identified, organizational response—“crisis mode”—should these leaders need to be given decision-making be activated. Then leaders need to switch to authority throughout the crisis, including the an operating model that will be sustainable but top-level support needed to make the “big bets.” appropriately reactive to continuing uncertainty over A recent example of rapid and radical response months or even years. A celebrated example is the was the National Basketball Association’s way the New York City Fire Department handled the decision on March 11 to suspend play for the aftermath of the September 11 attacks. It had to shift season. This action was one of the earliest high- its operating model from one based on immediate profile operational changes taken in the United response to one that could handle continuing fires States in response to COVID-19. at the World Trade Center site and sustain recovery activities for months. — Transparent operating principles. At the outset managers need to define the high-level Activating crisis response approach that will guide their actions during The earlier managers determine that they are in a the crisis. The approach should be spelled out crisis, the faster and more effectively organizations in a set of operating principles made available can respond. Effective response is enabled by throughout the organization. These transparent several fundamental elements. principles will guide decision making throughout the crisis and provide standards against which — Early-warning system. A fundamental operating management actions can be measured. One principle in normal times is for senior managers example of such transparency can be seen in to develop an understanding of the kinds of Airbnb’s response to the consequences of the events that might trigger a crisis. This will allow pandemic for the company—a massive drop them to establish appropriate monitoring and in revenue and significant layoffs. CEO Brian early-warning systems. Such systems can be Chesky wrote an honest letter to the staff

50 McKinsey on Risk Number 10, January 2021 explaining in detail the measures being taken to how it might evolve, and establish and execute ensure the company’s survival and the ways in appropriate actions. which the travel business was being reshaped in the crisis. The cycle of learning and redesign must recur with frequency sufficient to ensure that responses Operating in crisis mode: Discover, design, execute reflect the evolving situation. Managers must Rapidly moving events demand speedy decisions doggedly question established assumptions, but also a wholesale change in the organization’s especially the ideas adopted under conditions of managerial modus operandi. The operating cadence extreme uncertainty. The organization cannot treat in which managers meet, discuss, and take action any assumptions as sacrosanct. Organizations needs to match the evolution of the crisis. This does should accept that they will be wrong and celebrate not imply a simple speedup of existing processes to learning quickly from experience. accommodate the information needs of managers. Rather, it means creating entirely new procedures. To make informed decisions, managers need specialized knowledge and should actively seek Extreme uncertainty turns an organization’s expert advice. Experts can contribute to better operating imperatives on their heads. It demands decisions by filling gaps in existing management continuous learning and constant review of knowledge. For example, managers need external assumptions. Instead of establishing a plan and advice—from epidemiologists—to assess the course ensuring the organization sticks to it, as in more of the COVID-19 pandemic. Likewise, civil-society normal times, managers must understand and organizations can have experts who can provide respond continuously to dynamic and wrenching valuable alternative perspectives on such important change. Rather than making periodic reviews matters as racial bias, diversity, and the importance of a static plan, they need to meet for iterative of female leaders. Internal expertise is also valuable decision-making sessions structured around three in crisis times. Managers should reach deep into imperatives: discover, design, execute. Managers their own organization for frontline insights—such as must work together to diagnose the current those that a customer-service representative could situation, consider its practical implications, explore provide on customer experience.

Instead of establishing a plan and ensuring the organization sticks to it, managers must understand and respond continuously to dynamic and wrenching change.

When nothing is normal: Managing in extreme uncertainty 51 The organization should also systematically chain disruptions, inventory shortages, and shifting challenge proposed solutions. One established demand across channels. Today companies face way to do this is to create a “red team” of experts economic instability as well as secondary incidents to pressure test managers’ decisions, identifying created by extreme uncertainty. To manage an potential weaknesses or overly optimistic extended recovery period, management structures assumptions. This type of exercise has been very and processes have to shift to a long-term, successful in enabling more robust solutions. sustainable operating model. Leading companies, including Microsoft and IBM, perform regular exercises in which red teams test One way of thinking about this problem is to cybersecurity infrastructure, for example. imagine that a major fire strikes a company’s headquarters. Once the fire itself is extinguished, a Unprecedented crises frequently require leadership different set of challenges emerges, from damage to take unprecedented actions—bold, speedy assessment to restarting operations. The shift from actions that would feel risky in normal times. A crisis mode to recovery of sustainable operations historic case in point is Johnson & Johnson’s 1982 is more an evolution than a transformation. As decision to recall 31 million bottles of the painkiller it reshapes its overall strategy and goals, the Tylenol after some product samples were found to organization needs to maintain its integrated have been laced with cyanide. The swift, decisive nerve center, as crisis circumstances may require action saved this valuable product and enhanced reactivation. However, the nerve center would no the company’s reputation. longer own day-to-day activities. Decisions and actions can increasingly return to their traditional As they focus intensely on making fast practical owners such as business units. The operating decisions, managers must also be prepared to cadence established in crisis mode will not return shift course if the situation changes. Actions, to normal, but it will likely moderate. Teams might furthermore, need to be prioritized. First must scale back to meeting weekly from daily but need to come actions to mitigate the worst-case scenarios maintain the flexibility to ramp back up as needed if for the organization. Low-cost (“no regrets”) actions something occurs. can also be taken quickly, to address issues that could arise in any of several potential scenarios. In The issues to monitor will change, but the an existential crisis, managers must feel comfortable importance of monitoring and early warning making conscious decisions and taking deliberate remains critical. In the COVID-19 crisis, for example, action. Otherwise, events will take their course, employees continue to work from home in many decisions will be made by default, and organizational countries. For this reason, IT departments must control will be lost. remain extraordinarily vigilant in monitoring for cyberattacks. Furthermore, when the time comes A sustainable model for employees to return to their offices, testing and The global COVID-19 pandemic is in its tenth month, monitoring processes will have to be in place. When a protracted period defined by extreme uncertainty. infection is detected, quarantine and treatment can Depending on their industrial sector and geography, thereby quickly follow. The experiences of Korea organizations have experienced different forms of and China well illustrate the importance of country- uncertainty at different times over the course of level monitoring and quick response in the recovery the crisis—with falling consumer demand, supply- of public health and the economy.

52 McKinsey on Risk Number 10, January 2021 Whether operating in crisis mode or in recovery managers and organizations. The radically changed mode, leaders still need to prioritize actions. circumstances call for new forms of leadership, Resilient organizations should be able to begin new ways of working, and new operating models. looking for opportunities once the worst of the crisis Crisis-tested managers will develop a tolerance of is past. Our research indicates, for example, that ambiguity, a quickened operating cadence, and a more resilient companies shifted to M&A quickly culture of constant refinement, review, and revision. after the 2008–09 financial crisis, using the cash Management structure and processes need to be saved during the crisis to purchase new assets. adapted, too, as the crisis unfolds, to ensure the organization is sustainable and can take advantage of new opportunities.

Extreme uncertainty—defined in terms of novelty, magnitude, duration, and the rapid pace of change— generates a difficult operating environment for

Patrick Finn is a senior partner in McKinsey’s Detroit office, Mihir Mysore is a partner in the Houston office, and Ophelia Usher is an expert in the Stamford office.

When nothing is normal: Managing in extreme uncertainty 53 A unique time for chief risk officers in insurance

Amid rising economic uncertainty, leading insurers are looking to their CROs to do even more than manage risks.

This article was a collaborative effort by Kevin Buehler, Marco Carpineti, Erwann Michel-Kerjan, Fritz Nauck, and Lorenzo Serino, representing views from McKinsey’s Risk Practice.

54 As COVID-19 continues to threaten lives, and product leaders are contemplating future communities, and industries around the world, insurance solutions—including public–private insurers face profound disruptions. Uncertainty insurance partnerships—that would enable insurers abounds. No one knows when the crisis will truly to remain relevant to their customers. end, when safe vaccines will be used at scale, or whether they will stop the pandemic for good. Its Our research shows that the industry’s returns to ultimate impact on public health and the global shareholders since the beginning of the year were economy will be measured in the months and years down by 19 percent at the end of October 2020. In to come. mid-June they had been down by 23 percent—the sharpest drop in recent memory and deeper than Underwriters are struggling to calculate their those recorded in many other industries (Exhibit 1). exposure to pandemic-generated vulnerabilities. Economists are trying to anticipate the direct and With regard to current business impact, insurers indirect impact of massive new government debt. will experience pressure on retention rates and Managers are wondering how long people can margins as customers shop for lower prices. The work productively from home and maintain healthy impact on claims will vary by line of business: auto organizational and risk cultures. And in a long- claims may decline because people are driving less lasting low-interest-rate environment, strategists at the moment, but homeowners’ claims could rise as

Web <2020> Exhibit <1> 1 of <2> Market capitalization hashas declined declined across across sectors sectors in in 2020, 2020, with with significant signi cant variation inin thethe extentextent of thethe declines.declines.

Shareholder returns in 2020 by industry,¹ % (Jan–Oct 2020)

Commercial Pharmaceuticals Advanced Logistics and trading aerospace electronics Chemical and 35 Retail agriculture Automotive Healthcare payers and assembly High Financial services Food and beverage tech Electric power and natural gas Apparel, fashion, and luxury

Defense Media Real estate 0 Oil Banking and gas Basic materials Consumer services

Business services Healthcare supply and distribution Conglomerates Consumer durables Telecom Health facilities and services Medical technology Insurance –35 Air and travel carriers Transport and infrastructure Personal and oce goods

0 10 20 30 40 50 60 70

Market capitalization, $ trillion

¹Weighted average; shareholder returns calculated in local currency; width of bars is starting market capitalization in US dollars; data set includes global top 5,000 companies by market capitalization in 2019, excluding some subsidiaries, holding companies, and companies that have since delisted. Source: S&P Capital Insights; McKinsey analysis

A unique time for chief risk officers in insurance 55 CROs are engaged in the most difficult decisions, providing top management with perspectives and guidance on strategic business risks.

policyholders work from home. Investment income and assure the chief executives and boards that will continue to suffer as interest rates stay low, and companies are achieving a proper risk-management life and annuity carriers will be hardest hit. We also balance. In approaching heightened risk levels, believe that the pandemic’s full impact on economies CROs aim to limit the downside danger but also around the world will be felt through 2022. enable the business to make the necessary risk– reward trade-offs to capture the upside. It is a The pandemic-related challenges intersect with delicate balance. cost-reduction and efficiency pressures. These were intense before the pandemic struck, as discussed For a long time—and especially as a consequence in McKinsey’s recent state-of-the-industry reports of the financial crisis of 2008–09—the CRO role on P&C¹ and on life.² Legacy IT systems and, in in financial services was regarded as a necessary some cases, lagging digital capabilities are growing response to regulatory pressure, to provide required impediments, as the COVID-19 environment controls and guardrails. Today, the importance of pushes many more customers toward digital-first the CRO role has outgrown this conception, and that relationships. Insurers, reinsurers, and brokers that is a good thing. Many CROs are working with CEOs, made bold moves into digital years ago are now executive teams, and boards, stepping forward in harvesting the benefits of their investments. Others this crisis and taking the opportunity to shape the need to catch up in a hurry. future of the organizations they serve. Over the past few months, we have been listening to leaders of Given the profound uncertainties and their varying insurers of all sizes around the globe—CEOs, board impact across business lines, insurers must commit members, CFOs, HR heads, as well as CROs. One strongly to risk-oriented, structured decision- insight that has emerged is that the CRO role as making approaches. We believe it is time for chief risk manager has continued to evolve. CROs are risk officers (CROs) to step up to this challenge. With engaged in the most difficult decisions, providing their help, the industry can reinvent itself to stay top management with perspectives and guidance relevant to customers and attractive to investors. on strategic business risks—when to take them and for which expected financial, organizational health, and reputational rewards. The CRO and the evolution of the insurance industry Unsurprisingly, therefore, leading insurers are CROs for leading insurers are playing a critical role investing more in their risk-function capabilities. in the present risky and uncertain environment. At a recent CRO roundtable with 25 leading North They have risk oversight of activities conducted American insurers, 95 percent of the participants by the first line (business and corporate functions) indicated that demand for the services of the risk

1 Sylvain Johansson, Andy Luo, Erwann Michel-Kerjan, and Leda Zaharieva, “State of property & casualty insurance 2020: The reinvention imperative,” April 2020, McKinsey.com. 2 “Life insurance and annuities state of the industry 2018: The growth imperative,” October 2018, McKinsey.com.

56 McKinsey on Risk Number 10, January 2021 function will increase next year. At this critical and develop strategic implications, CROs should juncture, CROs should join top management to set develop advanced stress-testing for profit and and implement a strategy for capturing value in the loss (P&L) and the balance sheet (for example, next three to five years. A new CRO role is evolving: investment portfolios). The program should be scenario-based and refined through iteration. — from using static, backward-looking risk- Carriers around the world, from employee-benefit measurement tools to developing state-of-the companies to global multiline insurers, have art capabilities, such as scenario planning, developed analytical tools to rebase revenue dynamic stress testing, and advanced analytics expectations using detailed economic data. — from focusing only on financial risk to taking Some risk leaders are gaining new insights into a more holistic view of the risk landscape, market dynamics in metropolitan statistical including nonfinancial risk: the new focus areas by combining customer projections with includes cyberrisk, technology risk, fraud risk, epidemiological and economic scenarios. This model risk, people risk, and compliance risk, but can help improve the accuracy of projections of also wider external risks, including climate risk customer default or renewal rates: projections can and geopolitical risk become more precise with stronger links between — from performing a limited-control function to risk identification, economic scenarios, and overall counseling the CEO and board in developing company strategy. and executing a sustainable growth strategy supported by a balanced risk appetite 2. Review the investment strategy. Pressure on industry performance is coming from several sources, including equity-market volatility, the The CRO’s contribution to a low-interest-rate environment, and sometimes sustainable growth strategy the repricing of assets associated with climate This is an important moment for chief risk officers. risk. The squeeze is felt on insurers’ balance Most insurance companies are rethinking their sheets, product profitability in life insurance, strategies and need the knowledge and skills of and investment-management fees for savings CROs to navigate the perils of unprecedented times. products. Given these pressures, CROs will need To support a sustainable growth strategy under to ensure that the investment strategy is reviewed stressed conditions, CROs can start by maximizing and realigned according to the results based on the risk organization’s existing capabilities. New economic scenarios and resulting risk capacity capabilities are also needed as CROs help their and risk appetite. companies embrace a holistic view of risk, including financial and nonfinancial risks. The following Addressing the nonfinancial-risk profile actions are essential and consistent with the new Here are measures to strengthen cyberrisk CRO leadership paradigm. practices, address fraud and other operational risks, and adapt and remediate models. Managing risk through COVID-19 uncertainties It will be necessary to develop high-frequency 3. Strengthen cyberrisk practices. The new stress tests and business-plan forecasts and to working environment has increased network review investment strategies. exposures to cyberrisk. As employees use personal devices for work, for example, they can become 1. Develop high-frequency stress tests and more vulnerable to phishing. Traffic volumes business-plan forecasts. To reveal vulnerabilities

A unique time for chief risk officers in insurance 57 are rising sharply on virtual private networks as leading indicators to help executives gain a more employees work from home, straining IT systems accurate view of risks and make better-informed and personnel; sensitive data and systems must decisions. That gives them a significant advantage be protected against access through insecure during the pandemic crisis. networks or devices. CROs must take account of these new strains and vulnerabilities, and 6. Adapt and remediate models. The CRO should strengthen cybersecurity and cyber practices lead a full review of critical models used across across the organization. Many insurance companies the organization since they could have been have completed comprehensive assessments compromised in this changed environment. The of their systems and information assets—for assessment should include the rapid triage and example, the likelihood that any component will be remediation of models most affected by the compromised. CROs must prioritize and reprioritize pandemic. The associated economic downturn assets as needed, protecting critical assets and has triggered significant step changes that are closing critical control gaps as they appear. often not accounted for in the original assumptions made several years ago, when these models 4. Pay more attention to fraud. Fraud and were designed. The persistent low-interest-rate financial crime³ seem to be on the rise as a result environment—and potentially negative-interest- of the new remote-working environment and the rate environment—must also be factored in. The economic downturn, a situation recalling the spike CRO should manage remediation on a risk-based in insurance fraud during the financial crisis of timeline and ask the business to develop new 2008–09. As CROs strengthen essential controls models as needed. and the technology infrastructure, they should also push to improve analytics capabilities for Building the insurance organization of the future fraud. The necessary moves could include building CROs should partner with senior management to an identification engine capable of ingesting vast revisit the risk appetite and strategy, transform risk amounts of claims data, accurately sizing and culture, build reputational resilience, and improve analyzing drivers of current losses, and quickly insights about systemic risks. identifying high-risk claim reimbursement. 7. Partner with senior management to revisit the 5. Address other operational risks. Rising levels risk appetite and strategy. By becoming thought of digital interaction and remote work have also partners with top management, CROs can help changed companies’ overall operational risk steer the organization, identifying and selectively profiles, which CROs must monitor and assess committing to strategic opportunities. They can accurately. They can then build tools to mitigate also engage in dialogue with regulatory agencies to these and other nonfinancial risks and quickly better anticipate the regulatory landscape. CROs address emerging concerns. In a recent McKinsey have a key role to play in shaping the risk appetite. survey of North American carriers, participants The CRO should work closely with the CEO, the discussed their latest approaches to nonfinancial CFO, and the heads of businesses to help cascade risk. One large global life insurer, for instance, it through the whole organization, calibrate it as part launched an ambitious review of its nonfinancial- of the new sustainable growth strategy. risk metrics and upgraded them in key businesses, covering the entire nonfinancial-risk taxonomy in 8. Transform the risk conduct and culture great detail. Before the pandemic, the company framework. In the current environment, companies had begun to shift its reportage from lagging to have to make decisions quickly—too quickly,

3 Salim Hasham, Shoan Joshi, and Daniel Mikkelsen, “Transforming approaches to AML and financial crime,” September 2019, McKinsey.com.

58 McKinsey on Risk Number 10, January 2021 sometimes, for existing governance and guardrails. More sophisticated stress testing to An appropriate framework for risk conduct and discover business vulnerabilities culture creates a safe environment for speaking For many financial institutions, including insurers, up about dangers, fosters adherence to company annual investment and product planning was values, and therefore helps risk leaders make completed before the economic impact of the sustainable decisions quickly. As CROs work COVID-19 pandemic was universally apparent. In with top management to develop the future performing stress tests on the impact of market organization, they should partner with HR heads stress on solvency, most insurers used short-term, to transform the risk culture.⁴ Many insurers have next-budget-cycle timelines. Now, deep into the already begun to assess current risk culture and pandemic, insurers understand that the economic to identify opportunities for improvement by recovery path is uncertain and performance may making employees aware of present and emerging change widely during the next two- or three-year risks and giving them the skills to protect both period, and even beyond. The changing probabilities policyholders and the organization. Risk culture concerning the duration of the work-from-home can be measured and actions taken to enhance it model and restrictions on travel and retail activity, where improvements are most needed. for example, make it clear that more than short-term planning is required. In this context, companies must 9. Build reputational resilience. The pandemic go beyond their normal stress-testing regimens. is creating unprecedented challenges to organizational culture. In the work-from-home To understand how rapidly evolving economic model, maintaining that culture and transmitting conditions will affect their portfolios, leading it to new hires can be more difficult. Furthermore, insurers are using stress-testing tools accompanied as companies address their customers’ changing by continued close monitoring. They are looking needs, they must take into account the heightened beyond regulatory compliance and building the public scrutiny and societal impact of the ongoing data and capabilities needed to test scenarios crisis. The CRO must therefore ensure that robust rapidly and to support responsive decision making governance is in place, and work to strengthen risk according to the changing outcomes. New analytics culture and organizational resilience. skills and tools are needed, which for most insurers would complement existing capabilities in scenario- 10. Significantly improve the company’s insights based assessments of assets and liabilities. They about systemic risks. The pandemic is a reminder can be developed using existing resources and that low-probability, high-consequence events capabilities present in the risk organization, in a do indeed happen. Pandemic scenarios were coordinated effort by the CEO, CFO, CRO, and the heretofore mostly considered as extreme cases heads of businesses. in advanced modeling exercises. That no longer works. With the right mandate from the rest of Insurers need to think through scenarios with the organization, the central risk function could varying timelines and sequences of events and become a center of excellence to protect insurers by how they intersect with different types of stress developing and defining better insights on systemic testing—for liquidity and capital, business strategy, risk. The center of excellence could also identify and climate and catastrophic events. This holistic issues—climate change and geopolitical risks, for assessment will give CROs a wider view of the example—that call for innovations to keep insurers uncertainties and therefore support effective relevant in a fast-changing risk landscape. risk management. Exhibit 2 shows how more

4 Richard Higgins, Grace Liou, Susanne Maurenbrecher, Thomas Poppensieker, and Olivia White, “Strenghtening institutional risk and integrity culture,” November 2020, McKinsey.com.

A unique time for chief risk officers in insurance 59 sophisticated stress tests can account for many economic data—using detailed, location-specific factors affecting P&Ls over longer time horizons. analytics, since the dynamics of economies will probably differ widely from one city to another. The The new orientation also requires a shift in the models should use relevant business-sensitivity stress-test horizon from one year to a three- or metrics (such as policy renewals or new sales) four-year period. The objective is rapid design to estimate the impact of different scenarios and testing of a wide range of scenarios exploring on business performance and to act on those different company vulnerabilities. The method estimates. Insurers can use these exercises to involves the development of more sophisticated reallocate capital quickly across the product lines econometric models—statistical analysis of and markets where it can be put to best use.

Web <2020> Exhibit <2> 2 of <2> Stress testing testing links links scenarios scenarios to to the the key key profit-and-loss prot-and-loss factors factors of of underwriting income.underwriting income.

Sanitized auto-insurance dashboard example, impact of factors on P&L metrics

Severe adverse Adverse Favorable Uncertain Hypothesis on approach Regression-driven Factor, value (variation vs Impact on prioritized prepandemic baseline) metrics (prevaccine) Judgement-driven

Factors Prevaccine, Postvaccine, % New- Retention, New- Claim Claim for personal 6 18 18 36 retention, policy cancellation policy frequency severity auto months months cancellation growth premium premiums

Exposure GDP/ X1% X2% Fraud, (buy the car) unemployment enhanced propensity to Disposable Y1% Y2% claim income

Vehicle Z1% Z2% sales

Frequency Distance N1 N2 (driving driven accidents) Driving N/A N/A behavior

Severity (pay Change in car XX% XX% the claim) value

Repair cost, XX% XX% lead time

Combined change on metric

Underwriting-earning impact TBD TBD TBD TBD TBD TBD

60 McKinsey on Risk Number 10, January 2021 Many of these capabilities require significant involvement, insurers should return to developing business expertise and may now lie in the realm of process-automation and artificial-intelligence business planning and strategy. However, risk teams programs. The CRO can help speed up these have the unique analytical and data capabilities advances and free colleagues to focus more keenly to support such modeling. These broader stress on the risks requiring experience and judgment. tests will also help CROs develop a view of potential emerging business risks and set the company’s strategic direction. The insurance industry is undergoing significant change to remain relevant in a changing risk The CRO role in increasing efficiency environment that is now evolving even faster as and effectiveness result of the pandemic. We believe that the gap Operational efficiency and effectiveness between companies that embrace and act upon have always been vital in insurance, and the these changes, make bold moves, and capture the pandemic has made them more important than resulting value and those that do not will continue ever. CROs can lead or contribute to efforts to to widen. Experience suggests that if companies address the challenges—for example, by shifting adapt quickly to the crisis and emerge stronger in governance or strengthening the most critical the first year, they will continue to lead for the next controls. Partnering with the first line, CROs five. The pandemic has certainly elevated the risk can work to minimize the burden of controls, function’s strategic role. CROs now have a unique without compromising the effectiveness of risk opportunity to seize the moment. management. On a deeper level, and with CRO

Kevin Buehler is a senior partner in McKinsey’s New York office, where Marco Carpineti is a consultant and Lorenzo Serino is a partner; Erwann Michel-Kerjan is a partner in the Philadelphia office, and Fritz Nauck is a senior partner in the Charlotte office.

The authors wish to thank Abhishek Anand for his contributions to this article.

A unique time for chief risk officers in insurance 61 Extraordinary risks

The disaster you could 63 have stopped: Preparing for extraordinary risks

How the voluntary carbon 72 market can help address climate change

62 McKinsey on Risk Number 10, January 2021 The disaster you could have stopped: Preparing for extraordinary risks

Ignoring high-consequence, low-likelihood risks can be damaging to an organization, but preparing for everything is impossibly costly. Here is how leaders can make the right investments. by Fritz Nauck, Ophelia Usher, and Leigh Weiss

63 The COVID-19 crisis is dramatically highlighting organizations and policy makers discussed the the potential impact of high-consequence, low- danger on the global stage. Many organizations likelihood risks. Low but never zero: that is the accounted for it in their enterprise-risk-management probability of risks such as a viral epidemic (ERM) frameworks as a high-consequence, low- ballooning into a pandemic that costs millions likelihood event. Some organizations, especially of lives and shuts down economies across the in the healthcare and travel sectors, even had globe. The chances of an extraordinary regional firsthand experience with the SARS pandemic in catastrophe, whether naturally occurring or 2003. Nonetheless, companies were by and large human-caused, are similar, as are the disastrous unprepared for COVID-19. More than 50 billion-dollar effects. A severe earthquake, a massive oil spill, or companies have filed for bankruptcy in 2020 in the a nuclear accident can result in heavy loss of life, United States alone. As Exhibit 1 shows, furthermore, ecological damage, and financial loss for countries the pandemic’s adverse economic effects have and companies. varied widely by industry sector.

The relative improbability of such events well Some high-consequence, low-likelihood risks have illustrates the decision makers’ dilemma: which to do with business strategy, such as those posed by of them should their organizations plan for? The the digital disruption; operational risks are another danger of a pandemic was not unknown. Health category and include serious quality-control failures

Web <2020> PreparingForRisk Exhibit 1 of 3 Exhibit 1 The impact of the COVID-19 pandemic in the United States varies widely by Theindustry impact sector. of the COVID-19 pandemic in the United States varies widely by industry sector. Year-over-year change in real GDP for selected industries, 2Q 2019 to 2Q 2020,1 %

Accommodations Arts, Finance and Transportation and food entertainment, insurance Construction Retail and warehousing services and recreation 0

–7 –9

–23

–45

–60

Note: As of October 2, 2019. 1 Indexed to 4Q 2019. Source: Bureau of Economic Analysis

64 McKinsey on Risk Number 10, January 2021 in manufacturing. Missed opportunities are another low-likelihood event, as potential losses were averted equal source of extraordinary risk. Opportunities and a large opportunity was captured. to adopt disruptive innovation can bring companies to crucial moments of truth, when movers gain significant market advantage over hesitant peers. Big risks that matter Amazon, for example, moved to help third parties The number of potential high-consequence, build e-commerce sites, leading to Amazon Web low-likelihood risks is far too great for corporate Services (AWS). Now, through AWS, Amazon has decision makers to plan for all of them. Indeed, around 30 percent of the cloud-computing market.¹ the abundance of possibilities is one reason why Our work on resilient corporations demonstrated some companies don’t plan for any of them. The that those able to do more than just hunker down first strategic requirement that is often missing in an economic crisis—retaining the wherewithal to when addressing these risks, therefore, is the invest in new opportunities—will emerge from it in a identification of the risks that matter. This action, strengthened position. known as risk ID, is an important part of robust ERM. It means differentiating risks that could hurt the Some organizations have even built business business from risks that could damage or destroy models around taking advantage of low-likelihood the company. opportunities (such as those in pharmaceutical pipelines). The models allow for fast movement when Some organizations have concluded that such a high-consequence risk or opportunity occurs. existential risks are unknowable. This is an Missing a high-consequence opportunity can lead to error, in our view. By far, most existential crises ultimate demise just as ignoring a risk can. that companies have faced in recent years were identified in advance by experts—from oil spills to A recent article in the McKinsey Quarterly described chemical disasters to nuclear accidents. the decisions by boards or management teams to ignore or act on these high-consequence, low- The threats behind these high-profile incidents were likelihood risks as “big bets.” That characterization is known and recognized in advance by industry and based on the broad scope of a decision and the size government specialists. They were “predictable of its impact.² When it comes to extraordinary risks, surprises,” as Michael Watkins and Max Bazerman the decisions are also governed by the unfamiliarity described in an eponymous article in the Harvard and infrequency of these risks. These consequential Business Review.⁴ Predictable surprises meet three decisions are not highly visible parts of the CEO’s criteria: first, they are the result of risks decision public agenda, unlike more familiar big bets such makers know are possible, even if unlikely—such as as mergers and acquisitions. For example, the a 500-year flood. Second, leaders feel confident decision by Nokia’s mobile-phone division to develop that if the risk materializes, the event will have a big a response to potential supply-chain disruptions impact on the whole organization. Third, predictable was not even discussed by investors. This decision surprises require organizations to respond. allowed the telecommunications company to act fast to find alternative chips suppliers when a fire Sometimes, but not always, these risks are disrupted the normal supply. The move led to Nokia identified in ERM frameworks, where they are expanding its share of the global market and boosting categorized as high consequence, low likelihood. profits significantly.³ The big bet in supply-chain The predictable surprises found here can include resiliency doubly paid off in this high-consequence, epidemics, pandemics, cyberattacks, hurricanes,

1 Ron Miller, “How AWS came to be,” Tech Crunch, July 2, 2016, techcrunch.com. 2 Aaron De Smet, Gregor Jost, and Leigh Weiss, “Three keys to faster, better decisions,” McKinsey Quarterly, May 2019, McKinsey.com. 3 Amit S. Mukherjee, “The fire that changed an industry,” InformIT, October 1, 2008, informit.com. 4 Michael Watkins and Max Bazerman, “Predictable surprises: The disasters you should have seen coming,” Harvard Business Review, April 2003, hbr.org.

The disaster you could have stopped: Preparing for extraordinary risks 65 floods, financial fraud, economic recessions, oil the whole company is situated along the vertical spills, and other catastrophes, whether natural axis and the decision makers’ level of certainty or human-caused. Decision makers should about the impact is situated on the horizontal axis. prioritize these potential threats, making big bets High placement on the vertical axis means that on those that would precipitate an existential the company’s existence would be threatened if crisis for their organization. this risk occurred—or the company would miss a massive opportunity. Low vertical-axis placement Understanding the potential impact of such events means that the impact or opportunity would be is the first step for decision makers in reducing the limited or isolated. The vertical axis allows senior chance that a particular event results in an existential decision makers to distinguish risks that require crisis. The likelihood does not matter for these board- and CEO-level attention from those that can risks—they are all unlikely, according to traditional be managed at a lower level. These risks will vary ERM programs. Once scored by ERM, they all land in significantly by company and industry sector. For the same low-likelihood corner. However, the impact example, the impact of COVID-19 is varied according on the organization does matter. Not all the risks are to a company’s ability to conduct operations and equal: some would create an existential crisis while serve customers with employees working remotely. others would not. Thus decision makers need a way to distinguish among these high-consequence, low- A risk placed to the right on the horizontal axis likelihood risks. means that decision makers are relatively certain of its scope and intensity; leftward placement signals doubt about the risk’s reach and impact. Using Identifying the most important risks the horizontal axis, decision makers recognize To identify and define the most important risks, we the differences between familiar risks with known recommend using a two-by-two risk grid (Exhibit impact and risks that they are still investigating. 2). In this plan, the potential impact of an event on The placement of low-certainty risks will shift as decision makers learn more about the potential risk.

Exhibit 2 Organizations must planplan forfor predictablepredictable surprises—events surprises — events that that would would pose pose an an existential crisis.crisis.

High-consequence, low-likelihood risks can be plotted according to scope and certainty of impact

Whole company, High certain impact: predictable surprises Scope of impact Risk threshold

Low

Low High Level of certainty about impact

66 McKinsey on Risk Number 10, January 2021 Potential risks are ranked in relation to each can damage a financial institution by undermining other, rather than on an absolute scale. This customer confidence. Reliable service provision approach allows decision makers to separate into could be at the core of a company, especially where distinguishing categories risks that are traditionally customers have a switching option. Decision makers grouped together in ERM frameworks. The identify core elements by the essential role they play; technique could be used by an insurer, for example, without them, the business would disappear. to create differentiated products by applying deeper segmentation to populations formerly categorized Once the core is established, decision makers can as high risk. identify the high-consequence, low-likelihood risks that would adversely affect the core, locating Risks placed in the upper-right corner are the high- the risks along the vertical axis of the grid. Risks consequence, low-likelihood risks that everyone that would not affect an organization’s core agrees would pose an existential threat to the are less likely to create an existential crisis. By company. These can then be addressed with the big focusing on the core, decision makers are making bets and they might move lower down on the vertical their organization’s strategy crystal clear. Those axis as a result. Big bets to address these types of organizations with clear strategies are nearly three risks can take many forms—financial, operational, or times more likely than others to lead in their sector. strategic. Energy providers, for example, sometimes Those that make good decisions faster, that is, are divide their organizations into several legal entities more likely to outperform industry peers. so that a catastrophic loss in one physical location would not result in a collapse of the entire enterprise. In one category of existential risk are catastrophic operational failures, such as those caused by natural Despite big-bet actions, the potential impact of disasters, accidents, negligence, and cyberattacks. certain risks may not diminish. As long as a process Reputational risk events can also set off existential is in place for quickly identifying and addressing crises; these may be the result of operational failures, an emerging event, the company will survive and cyberattacks, data breaches, or fraud and other may also thrive (as Nokia did). Decision makers can forms of financial malfeasance. Decision makers also move risks up or down on the vertical axis as can look along their ERM frameworks for the most they learn more about potential impact. The same common risk segments: health and safety, reputation, risk could have widely different impact on different operations, strategy, compliance, and financial. companies (see sidebar, “Different companies, same risk, different impact). It is also important to consider other risk segmentations to avoid missing critical risks— internal risks arising from the business model, Risks and the core of the organization for example, versus external risks, such as those Decision makers locate potential risks, such as a potentially arising from global economic conditions. pandemic, on their own grid after defining their Other useful risk pairs to consider are adversarial core business and identity and understanding what risks such as an activist investor or cyber- or impact a risk would have on this core. The core of the terrorist attacks, versus nonadversarial risks company could include products and services, the such as natural or human-caused disasters and loyalty of a customer segment, public perception, accidents. High-consequence, low-likelihood brand identity, and legal requirements that must be risks that could cause existential damage might be met. For example, technical failure of a particular found in any of these categories. The impact will of part can adversely affect the reputation of a course depend on the company’s established core manufacturer’s entire product line; high-profile fraud and many other variables.

The disaster you could have stopped: Preparing for extraordinary risks 67 Different companies, same risk, different impact

The exhibit demonstrates how pairs of with several sources of raw materials and fashion items that are stable from year companies with much in common and some several manufacturing sites. Electronics to year. The other sells trendy fashion differences would assess the same risk on company B has a leaner supply-chain items that have a life cycle of eight weeks, the risk grid. model. If the two companies are assessing after which they lose their customer the risk of a pandemic, electronics appeal. Imagine these two companies are The first scenario shows two electronics company B is at greater risk of a whole- assessing the risk of a labor strike in the companies with the same value proposition company disaster, and the greater risk is major US port they share where their items and different operating models. They shown in the risk grid. arrive from Asia. If the clothing items of make the exact same product for the same trendy fashion company C are stuck in a customers. The main difference between Scenario two shows two retail companies port for months, the items become virtually them is their supply chain. Electronics with different business value propositions. worthless. Customers are not interested company A has a resilient supply chain One sells traditional men’s and women’s in last quarter’s fashions. The traditional

Web <2020> PreparingForRisk Exhibit 3 of 3 TheThe same riskrisk willwill have a differentdi erent impactimpact on on different di erent companies, companies, depending depending on culture, supply chain,on culture, financials, supply and chain, other nancials, characteristics. and other characteristics.

Crisis scenarios for pairs of companies in three sectors

Weak attribute Stable attribute Strong attribute

Scenario 1 Scenario 2 Scenario 3 Same business value Dierent business Same business value proposition, dierent value proposition proposition, dierent operating model organizational culture Trendy Traditional Electronics Electronics fashion fashion Automaker Automaker company A company B company C company D E F

Customer loyalty

Brand identity

Supply-chain resilience

Psychological safety1

Inventory durability

Financial stability

Certainty of impact High High Medium Medium Medium Medium

Impact on whole company Medium High High Medium High Medium

1 The freedom to raise mistakes and problems without fear of repercussions.

68 McKinsey on Risk Number 10, January 2021 fashion company’s items can still be sold freedom to take risks and where failure because no one wants to be the person because their styles are more enduring. is seen as an opportunity to learn and to share bad news. Imagine these two The risk assessment varies, as shown on improve. Their relatively flat organizational companies are assessing the potential the corresponding risk grids. structure and culture of personal of a major quality-control problem. Both ownership passes bad news up the chain companies are fairly certain that such a Finally, the third scenario shows two auto of command when necessary. In contrast, risk exists. Automaker E is much more manufacturers with similar business value automaker E has a hierarchical structure concerned about the impact of that risk on propositions and different organizational with a risk-averse culture of finger-pointing the company because it is much less likely cultures. Automaker F has a culture of and blaming others. When mistakes are to be reported if it is discovered. empowered employees who are given noticed, they are usually papered over,

Organizations can sometimes survive existential their risk grid based on the size and certainty of their crises, though with diminished value. But crises impact on the company’s core value. and missed opportunities can also cause an entire organization to fail. It is therefore important Avoiding bias in your risk grid for decision makers to consider all types of high- When identifying the risks of greatest consequence, consequence, low-likelihood risks. By measuring decision makers need to avoid optimism bias—a the impact on the core, they can differentiate view that tends to see more positive outcomes than among them, illuminating the particular issues that the evidence warrants. Confirmation and anchoring are of highest importance to the organization. bias also reduce predicted impact—through assumptions that future threats will recapitulate Conducting a ‘premortem’ for risk events those of the past. The premortem exercise is a technique decision makers can use to identify which predictable Biases can be partly neutralized by a healthy surprises would have serious consequences on organizational culture in which people are their organization. It involves a thought exercise rewarded for speaking up, sharing dissenting in which the core value proposition is assumed to ideas, and listening to others’ voices. For such have been damaged or destroyed. Decision makers a culture to thrive, people must feel completely then consider all the possibilities that could have secure in sharing their views. Without that personal led to this, with help from risks experts who have security, important risks might go undiscovered. been warning about the potential for such events. Whistleblowers, furthermore, must be protected Missed opportunities should also be considered. A and their concerns investigated—especially when diversity of perspectives and the quality of debate the risks in question are those that could cause are essential conditions for making high-quality, physical harm—such as catastrophic accidents big-bet decisions quickly. To obtain perspectives due to product-safety failures. of sufficient diversity, especially for external risks, organizations sometimes need to bring in experts. Impact measurement For example, an insurance company might bring The goal is to create a risk grid where the in hydrologists and climate-change scientists to predictable surprises that could destroy the consider how their exposure to flood risk might be organization are measured according to impact. evolving. Once these “whole-company risks” have Their probability is not in question here, since been identified, decision makers can plot them on all of these risks are considered low likelihood.

The disaster you could have stopped: Preparing for extraordinary risks 69 However, an organization’s confidence in its impact them; in another approach, leaders are chosen and assessments does matter. Once the risks are assigned to explore these questions and monitor mapped on the vertical axis (severity of impact), the organization for ideas. Whatever method an decision makers must continue to probe them. organization chooses, the outcome should be a range of potentially effective actions for decision On the horizontal axis (certainty of impact), risks makers to consider. positioned to the left (low certainty) could shift position as more about them is learned. For those From the lists, leaders should identify actions that risks situated farther to the right on this axis, their could reduce the impact of several risks at once. higher certainty of impact signals to the board and Those that would reduce harm significantly in the the CEO that mitigating these risks will require here and now can be taken as no-regrets moves; investment (big bets). others can be designated as trigger-based decisions, to be taken when certain conditions occur.

Taking action No-regrets moves might include the creation Starting with the high-consequence, low-likelihood of a more resilient supply chain by allowing risks of greatest impact—those in the upper-right single-source suppliers as an exception only. The hand corner of the grid—the organization must introduction of multiple sources for a majority of decide on what actions would reduce their potential items promotes resiliency while helping companies impact to an acceptable level. What is acceptable manage working-capital costs. This example will vary by board and management team, based aligns with a broader suite of resiliency solutions, on many factors, including inherent risk within such as adequate capitalization for rainy days, their industry and availability of resources. Decision strong stakeholder relationships, a culture of makers recognize that many of these risks— people speaking up, and a crisis-response plan. earthquakes, pandemics, recessions—are Creating more resiliency could be a big-bet option outside the organization’s control. With such that decision makers might consider because it risks, the objective is to reduce—below the strengthens an organization’s ability to withstand existential threshold—their potential impact on risk events. the organization. Decision makers might also think about developing To identify and decide on the most effective actions, leading indicators for predictable surprises. This decision makers can assemble external and internal no-regrets move gives decision makers more experts and cross-functional teams. A diverse time to respond to a threat, reducing its adverse perspective and sharp, high-level discussion are impact. Leading indicators of financial fraud, for needed for this task. Lists of potential actions can example, might be overly smooth profits or a rise be generated and pared down as the teams discuss in the use of nondisclosure agreements (NDAs). them. In one approach to this step, participants Other leading indicators can help detect significant create lists of choice actions that if taken today arising opportunities. could reduce risk down the road. Then they fast- forward into six-month or one-year scenarios and Some actions are taken once the likelihood of a identify a small decision that could have made particular risk event reaches a certain threshold a big difference in protecting the core value of or trigger. A weather forecast, for example, with a the organization. Alternatively, experts develop reasonable amount of certainty that a company’s potential actions, and a “red team” pressure-tests operations are in the path of an oncoming hurricane

70 McKinsey on Risk Number 10, January 2021 would trigger necessary countermeasures. Decision proposition, however, leaders can identify makers should develop the appropriate actions and mitigate the risks that would threaten the while ensuring that the triggers they choose provide whole company. enough of a window for the actions to be effective. The objective is to protect the company’s core value High-consequence, low-likelihood events proposition. An example of an effective trigger and can fatally damage an organization. The response would be a storm warning that sets in investments organizations make to protect their motion actions to stop production on an offshore value propositions—and not miss significant rig to prevent an oil spill. Obviously, trigger-based opportunities—can mean the difference between decision making requires a monitoring process that extinction and survival. More than that, however, alerts the organization when a trigger has occurred. these investments (big bets) can improve an organization’s overall resiliency.

Protecting against extraordinarily rare events may seem counterintuitive. The risks are many and resources are finite. By defining the core value

Fritz Nauck is a senior partner in McKinsey’s Charlotte office, Ophelia Usher is an expert in the Stamford office, and Leigh Weiss is a senior expert in the Boston office.

The authors wish to thank Aaron De Smet and Mihir Mysore for their contributions to this article.

The disaster you could have stopped: Preparing for extraordinary risks 71 How the voluntary carbon market can help address climate change

The voluntary carbon market is gaining momentum and plays an increasingly important role in limiting global warming. Here’s how.

This article was a collaborative effort by Christopher Blaufelder, Joshua Katz, Cindy Levy, Dickon Pinner, and Jop Weterings.

72 As business leaders set increasingly ambitious standards such as Gold Standard and Verified commitments to reduce global greenhouse-gas Carbon Standard (VCS)—credits can be issued. (GHG) emissions, a market is developing that can The impact of a carbon credit can only be help to achieve them by supplementing companies’ claimed—that is, counted toward a climate efforts to reduce their own emissions. This is the commitment—once the credit has been retired rapidly growing market for voluntary carbon credits. (canceled in a registry), after which it can no longer be sold. A carbon credit is considered a Carbon credits (often referred to as “offsets”) “voluntary carbon credit” when it is bought and have an important dual role to play in the battle retired on a voluntary basis rather than as part of against climate change. They enable companies to a process of compliance with legal obligations. support decarbonization beyond their own carbon footprint, thus accelerating the broader transition The proceeds from the sale of voluntary carbon to a lower-carbon future. They also help finance credits enable the development of carbon- projects for removal of carbon dioxide from the reduction projects across a wide array of project atmosphere—delivering negative emissions, which types. These include, among others, renewable will be needed to neutralize residual emissions that energy; avoiding emissions from fossil-fuel- will persist even under the most optimistic scenarios based alternatives; natural climate solutions, This article was a collaborative effort by Christopher Blaufelder, Joshua Katz, Cindy Levy, for decarbonization. However, while the voluntary such as reforestation, avoided deforestation, or Dickon Pinner, and Jop Weterings. carbon credit market is currently experiencing agroforestry; energy efficiency; and resource significant momentum, it is still relatively small. recovery, such as avoiding methane emissions from The recently launched report by the Taskforce on landfills or wastewater facilities. Scaling Voluntary Carbon Markets aims to create a blueprint for solutions that could help overcome While most of the projects types that include obstacles to its further growth. (For more about renewable energy, avoided deforestation, and the taskforce, which McKinsey supports as a resource recovery focus on avoiding carbon knowledge partner, please read our article "Scaling emissions, others, such as reforestation, focus on voluntary carbon markets to help meet climate removing carbon dioxide from the atmosphere. goals."¹) This article will explain how carbon credits This is a meaningful difference, illustrating the work and how they can help in the global effort to dual role voluntary carbon credits can play in address climate change. addressing climate change:

— In the short term, voluntary carbon credits The dual role of voluntary carbon from projects focused on emissions credits in addressing climate change avoidance/reduction can help accelerate A carbon credit is a certificate representing one the transition to a decarbonized global metric ton of carbon dioxide equivalent that is either economy, for example by driving investment prevented from being emitted into the atmosphere into renewable energy, energy efficiency, and (emissions avoidance/reduction) or removed natural capital. Avoiding emissions is typically from the atmosphere as the result of a carbon- the most cost-efficient way to address reduction project. For a carbon-reduction project atmospheric GHG concentrations. to generate carbon credits, it needs to demonstrate that the achieved emission reductions or carbon — In the medium to long term, voluntary carbon dioxide removals are real, measurable, permanent, credits could play an important role in scaling additional, independently verified, and unique (see up carbon dioxide removals (or negative sidebar “Criteria for carbon credits”). If a project emissions) needed to neutralize residual meets these criteria—as specified by independent emissions² that cannot be further reduced.

¹Christopher Blaufelder, Cindy Levy, Peter Mannion, Dickon Pinner, and Jop Weterings, “Scaling voluntary carbons markets to help meet climate goals,” November 2020, McKinsey.com. ²Emissions that can only be eliminated at prohibitive cost or that cannot be eliminated with existing technology.

How the voluntary carbon market can help address climate change 73 Criteria for carbon credits

Carbon credits should represent emission reductions or carbon dioxide removals that are:

— real and measurable—realized and not projected or planned, and quantified through a recognized methodology, using conservative assumptions

— permanent—not reversed; relating to projects with a reversibility risk such as forestry projects, which could suffer from fire, logging, or disease; here, comprehensive risk mitigation and a mechanism to compensate for any reversals need to be in place

— additional—would not have been realized if the project had not been carried out, and the project itself would not have been undertaken without the proceeds from the sale of carbon credits

— independently verified—verified by an accredited, independent third party

— unique and traceable—transparently tracked in a public registry and not double-counted

Additionally, it is important that appropriate safeguards are in place to ensure projects comprehensively address and mitigate all potential environmental and social risks.

In a recent analysis, we found that at least 5 words, the target needs to be in line with the gigatons of negative emissions will be needed level of decarbonization required to limit global annually to reach net-zero emissions by 2050. warming to well below 2 degrees Celsius above These could be realized through a combination preindustrial levels at a minimum—and ideally be of natural climate solutions such as reforestation in line with a 1.5-degree pathway, which scientists (for example, sequestering carbon in trees) and estimate would reduce the odds of initiating nascent technology-based carbon capture, use, the most dangerous and irreversible effects of and storage solutions such as direct air capture climate change. For setting such a target, the with carbon storage (DACCS), and bioenergy Science Based Targets initiative has developed with carbon capture and storage (BECCS). methodologies, which have been already adopted Voluntary carbon credits can help finance the by more than 1,000 companies, including many scale-up of these solutions. leading multinationals. To achieve the required emissions reductions, companies can pull levers such as improving energy efficiency, transitioning The role of voluntary carbon credits in to renewable energy, and addressing value-chain corporate climate commitments emissions. A credible corporate climate commitment begins with setting an emissions reduction target that As a next step, a company may commit to a covers both a company’s direct and indirect GHG target that involves the use of voluntary carbon emissions: if a company does not already have credits—either to compensate for emissions that it an emissions baseline from which to set a target, has not been able to eliminate yet or to neutralize creating one is a necessary first step. Aligning such residual emissions that cannot be further a target’s ambition level with the latest climate reduced due to prohibitive costs or technological science is widely seen as best practice. In other limitations. These types of targets come with

74 McKinsey on Risk Number 10, January 2021 various designations (for example, carbon neutral, 2019, both in issuances and retirements (exhibit). climate neutral, net-zero, carbon negative, climate Issuances were 138 million tons of carbon dioxide positive) but they all typically involve a company equivalent—almost double the 2018 volume— supplementing reductions achieved within its own and retirements 70 million, a 33 percent increase carbon footprint by financing reductions elsewhere compared with 2018. This growth has been through the purchase and retirement of voluntary driven by a combination of new corporate climate carbon credits (see sidebar “Types of carbon commitments, such as those to carbon neutrality targets”). By offsetting its remaining emissions and net zero, as well as so-called point of sale in this way, a company can claim it is mitigating offerings of voluntary carbon credits, such as its residual impact on the climate. Some, such as Shell’s carbon-neutral fuel, which is a bundled Microsoft, have gone further by setting aspirations retail offering of gasoline and voluntary carbon to make a net-positive impact on the climate. credits and airline-passenger offsetting programs, which enable passengers to offset the emissions Strong momentum, mainly driven of their flights through the airline’s website. by new corporate commitments and point-of-sale offerings Based on year-to-date volumes and an Following three years of robust growth, the extrapolation in line with historical seasonality voluntary carbon market³ reached a record high in patterns, we expect the market to set another

³We estimated the voluntary carbon market size based on five standards: VCS, Gold Standard, Climate Action Reserve, American Carbon Registry, and Plan Vivo. We excluded ARB-eligible credits and Gold Standard–labeled Certified Emission Reductions (CERs) used for meeting compliance targets.

Types of carbon targets

In the context of corporate target setting, “carbon neutral” refers to offsetting all unabated greenhouse-gas emissions through the application of carbon credits to a given part of an organization’s footprint (for example, company-level, activity-level, product-level), usually on an annual basis. The term carbon neutral is typically used to cover other greenhouse gases as well; relevant standards, such as PAS2060, clearly specify carbon neutral’s scope as including carbon dioxide equivalent (CO2e) emissions, beyond just carbon dioxide.

“Climate neutral” is often used interchangeably with carbon neutral, but it places more of an emphasis on covering greenhouse gases beyond carbon dioxide. In addition, it can include climate impacts other than greenhouse-gas emissions, for example, radiative forcing from aircraft contrails.

While the exact definition of “net zero” is still being debated, it is considered a forward-looking commitment requiring companies to reduce their emissions and balance remaining (residual) emissions by a given target year. There is an emerging view among stakeholders, including nongovernmental organizations and corporate climate leaders, that a credible net-zero target requires reducing emissions in line with the latest climate science and neutralizing residual emissions (at net zero) using carbon dioxide removals (not carbon credits from emissions avoidance/reduction projects).

Finally, both “carbon negative” and “climate positive,” which are used interchangeably, have not yet been clearly defined, but they imply going beyond the targets described above to make a net-positive impact on our climate.

How the voluntary carbon market can help address climate change 75 Exhibit TheThe voluntary voluntary carbon carbon market market has has grown grown significantly signicantly in recent in recent years. years.

Voluntary carbon market, millions of metric tons of carbon dioxide equivalent Issuances Retirements

200

150

100

0 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 (estimate)

Note: We estimated the voluntary carbon market size based on 5 standards: Veried Carbon Standard (VCS), Gold Standard (GS), Climate Action Reserve (CAR), American Carbon Registry (ACR), and Plan Vivo. We excluded ARB-eligible credits and Gold Standard–labeled CERs used for meeting compliance targets. Data were retrieved from aforementioned registries on December 2, 2020, for YTD volumes up until the end of November (ie, 150 million tCOe of issuances and 81 million tCOe of retirements). We projected volumes for full-year 2020, based on extrapolation in line with historical seasonality (past 5 years), and did not adjust for any COVID-19 related impacts on seasonality patterns. Source: ACR; CAR; GS; Plan Vivo; VCS

record this year, with issuances and retirements Natural climate solutions (NCS), a category including both growing by approximately one-third compared project types such as reforestation, avoided with 2019. After years of declining prices (from deforestation, improved forest management, and an average price of around $7 per ton in 2008 to agroforestry, have grown faster than any other around $3 per ton in 2019⁴) due to supply outpacing project category and contributed significantly to the demand, we expect average prices to go up in the voluntary carbon market’s growth trajectory. From near to medium term, mainly due to strong demand 2016 to 2019, issuances within this category more growth especially for higher-cost project types than doubled every year, on average—and in 2019, such as reforestation and carbon dioxide removal NCS accounted for 53 percent of total issuances. projects more generally (see sidebar “Issuances Meanwhile, retirements in this category have also and retirements”). While still relatively small, the rapidly grown (close to 50 percent per year, on voluntary carbon market is experiencing significant average). We believe this trend could be the result momentum and its impact (and future potential) is of increased awareness of NCS’s potential (they getting more and more attention. can deliver one-third of the emissions reductions

⁴According to the Ecosystem Marketplace.

76 McKinsey on Risk Number 10, January 2021 Issuances and retirements

To analyze the voluntary carbon market, we focus on two metrics: issuances and retirements, which together give a good idea of market dynamics. Issuance volume is a proxy for supply, as it represents voluntary carbon credits issued by a standard (for example, Gold Standard, VCS) upon the successful verification of emission reductions or carbon dioxide removals realized by a certified carbon-reduction project. Retirement volume is a proxy for demand, as it represents voluntary carbon credits bought and canceled in a registry, preventing the onward sale of the certificates. Only upon retirement can the buyer in whose name the credit was retired claim its impact (that is, count the credit toward a climate commitment).

needed to align with the Paris Agreement between the progress of the carbon-reduction projects in now and 2030⁵), a growing focus on carbon dioxide their portfolio. Stakeholders also regularly raise removal (of which NCS is the most cost-effective questions about certain types of projects, such and technologically proven method), and buyers’ as those related to additionality in large-scale preference for co-benefits beyond climate-change renewable-energy projects; biodiversity in the mitigation, such as biodiversity and impact on context of afforestation projects planting non- local communities. native species and/or monocultures; leakage and insufficient local-community engagement in the case of avoided deforestation; or permanence of What’s next: Challenges and natural climate solutions more broadly (see sidebar opportunities “Additionality, leakage, and permanence defined”). To accelerate the voluntary carbon market’s growth trajectory and realize its full potential, it will be While reputable standards have implemented important to address some significant challenges. safeguards to address these issues, the These include the need to strengthen impact combination of insufficient transparency and and quality assurance, to align stakeholders on continued stakeholder skepticism has led buyers the criteria for credible use of voluntary carbon to demand a further strengthening of impact and credits as part of an overall climate strategy, build quality assurance. As a result, we expect innovation new market infrastructure, and reduce regulatory in measurement, reporting, and verification uncertainty. We believe that implementing practices to accelerate over the coming years. innovative solutions to these challenges could unlock further growth. The recently launched Aligning stakeholders on credible use of Taskforce on Scaling Voluntary Carbon Markets voluntary carbon credits aims to create a blueprint for these solutions. There is currently no consensus among stakeholders on what it takes to use voluntary Strengthening impact and quality assurance carbon credits credibly as part of an overall climate While reputable standards such as Gold Standard strategy. Therefore, companies may have different and VCS certify projects’ adherence to the interpretations of the role voluntary carbon credits requirements of their respective methodologies, could play in their journeys toward net-zero. Key buyers typically have limited transparency on points of discussion include the extent to which

⁵ B ronson Griscom et al., “Natural climate solutions,” Proceedings of the National Academy of Sciences, October 2017, Volume 114, Number 44, pp. 11645–50, pnas.org.

How the voluntary carbon market can help address climate change 77 Additionality, leakage, and permanence defined

A carbon-reduction project is considered “additional” when its impact (emission reductions and/or removals) would not have been realized if the project had not been carried out, and that the project itself would not have been undertaken without the proceeds from the sale of carbon credits. As technology costs continue to fall, a growing number of renewable-energy projects no longer need the proceeds from the sale of carbon credits to be viable—a key reason why the criterion of additionality is particularly relevant in the context of renewable energy projects. In response, standard bodies have started to phase out large-scale renewable-energy projects. For example, VCS no longer certifies new, grid-connected renewable-energy projects unless they’re located in the least-developed countries.

Leakage occurs when a carbon-reduction project displaces emission-causing activities and produces higher emissions outside the project boundary. For example, protecting a certain forest area may cause loggers to go elsewhere. Leakage risk can be mitigated by strengthening project design as well as conservatively quantifying emission reductions and removals, making appropriate adjustments for estimated leakage.

Carbon-reduction projects should realize permanent emission reductions and/or removals. Where projects have a reversibility risk—such as forestry projects, which could suffer from fire, logging, or disease—comprehensive risk mitigation and a mechanism to compensate for any reversals needs to be in place. It is common practice for standard bodies to include buffer provisions (requiring all projects with reversibility risk to set aside a certain percentage of credits in a buffer or insurance pool). In the unfortunate event of a reversal of emission reductions and/or removals (for example, due to fire or disease), credits from the buffer would be used to cover the losses.

a company can rely on voluntary carbon credits could help increase liquidity and scale transactions, versus reducing its own footprint; the type of credits provided that the quality of credits traded and (for example, emissions avoidance/reduction versus integrity of market participants are ensured. carbon dioxide removal) to use, and how their role may evolve over time. There is a clear distinction Reducing regulatory uncertainty between the role of voluntary carbon credits today The negotiations over the Paris Agreement’s Article 6, and that which they will play when a company has all which introduces a new international carbon but fully decarbonized its footprint and needs only market/mechanism, are ongoing. As a result, the to neutralize its residual emissions. implications of Article 6 for the voluntary carbon market are still unclear. Should voluntary purchases Building new market infrastructure of carbon credits by private-sector actors help Today, voluntary carbon credits are mainly traded countries achieve their post-2020 climate pledges over the counter, resulting in limited transparency (which are referred to as nationally determined on market data (for example, transaction volumes, contributions), or should they be incremental to such price levels) and a paucity of reference data, which targets? Will governments continue to allow projects was a key barrier to market growth in the past. to issue voluntary carbon credits? When is double- Standardized, tradable products and contracts counting an issue, and how can that be avoided?

78 McKinsey on Risk Number 10, January 2021 Reducing regulatory uncertainty may encourage decarbonization beyond their own carbon footprint more buyers to make long-term commitments, and and help neutralize residual emissions by financing developers to make large-scale investments. carbon dioxide–removal projects. To realize this potential, significant practical effort is required to address current challenges and scale up the voluntary carbon market. Achieving that will create Voluntary carbon credits could play a critical role significant benefits not just in the battle against in helping the world attain a 1.5-degree pathway. climate change but also in preserving nature and the They can both accelerate the transition to a lower- untold benefits it provides to humanity. carbon future by enabling companies to support

Christopher Blaufelder is a partner in McKinsey’s Zurich office; Joshua Katz is a partner in the Stamford office; Cindy Levy is a senior partner in the London office; Dickon Pinner is a senior partner in the San Francisco office; and Jop Weterings is director of environmental sustainability, based in the Amsterdam office.

The authors wish to thank Alexis Depiesse, Damien Mourey, and Julian Vennekens for their contributions to this article.

How the voluntary carbon market can help address climate change 79 Derisking

Derisking AI by design: 81 How to build risk management into AI development

The next S-curve in 91 model risk management

Applying machine learning 97 in capital markets: Pricing, valuation adjustments, and market risk

Derisking digital and 101 analytics transformations

80 McKinsey on Risk Number 10, January 2021 Derisking AI by design: How to build risk management into AI development

The compliance and reputational risks of artificial intelligence pose a challenge to traditional risk-management functions. Derisking by design can help. by Juan Aristi Baquero, Roger Burkhardt, Arvind Govindarajan, and Thomas Wallace

81 Artificial intelligence (AI) is poised to redefine how In a previous article, we described the challenges businesses work. Already it is unleashing the power posed by new uses of data and innovative of data across a range of crucial functions, such applications of AI. Since then, we’ve seen as customer service, marketing, training, pricing, rapid change in formal regulation and societal security, and operations. To remain competitive, expectations around the use of AI and the personal firms in nearly every industry will need to adopt AI data that are AI’s essential raw material. This is and the agile development approaches that enable creating compliance pressures and reputational risk building it efficiently to keep pace with existing for companies in industries that have not typically peers and digitally native market entrants. But they experienced such challenges. Even within regulated must do so while managing the new and varied risks industries, the pace of change is unprecedented. posed by AI and its rapid development. In this complex and fast-moving environment, The reports of AI models gone awry due to the traditional approaches to risk management may not COVID-19 crisis have only served as a reminder that be the answer (see sidebar “Why traditional model using AI can create significant risks. The reliance of risk management is insufficient”). Risk management these models on historical data, which the pandemic cannot be an afterthought or addressed only by rendered near useless in some cases by driving model-validation functions such as those that sweeping changes in human behaviors, make them currently exist in financial services. Companies far from perfect. need to build risk management directly into their

Why traditional model risk management is insufficient

Model risk management (MRM) in — Traditional MRM workflows are applications are very different from the regulated industries such as banking is often sequential and require six to 12 traditional model types (for example, currently performed by dedicated and weeks of review time after the model capital models, stress-testing models, independent teams reporting to the chief development is complete, which delays and credit-risk models), and traditional risk officer. While these firms have developed deployment. These workflows are not MRM approaches are not easily applied. a robust MRM approach to improve the easily adapted to the agile and iterative governance and control of their critical development cycles frequently used in — AI and machine-learning algorithms models determining capital requirements and AI model development. are often embedded in larger AI lending decisions, this approach is usually application systems, such as software- not ideal for firms with different requirements — MRM is often focused more on as-a-service (SaaS) offerings from or in less heavily regulated industries, for the traditional risk types (primarily financial vendors, in ways that are significantly following reasons: risks, such as capital adequacy and more complex and more opaque credit risk) and may not fully cover the than traditional models. This greatly — MRM is typically based on a point-in- new and more diverse risks arising complicates coordination between time model assessment (for example, from widespread use of AI such as those who review the model and once every one to five years), which reputational risk, consumer and those who assess the application and assumes that the models are largely conduct risk, and employee risk. platform (IT risk) or the vendor (third- static between reviews. AI models learn party risk). from data, and their logic changes — Some applications and use cases, when they are retrained to learn from such as chatbots, natural-language new data. For instance, a fraud model processing, and HR analytics, can is retrained weekly in order to adapt to qualify as “models” under regulatory new scams. definitions used in banking. But these

82 McKinsey on Risk Number 10, January 2021 AI initiatives, so that oversight is constant and is becoming widespread and, in many institutions, concurrent with internal development and external decentralized across the enterprise, making it provisioning of AI across the enterprise. We call this difficult for risk managers to track. Also, AI solutions approach “derisking AI by design.” are increasingly embedded in vendor-provided software, hardware, and software-enabled services deployed by individual business units, potentially Why managing AI risks presents new introducing new, unchecked risks. A global product- challenges sales organization, for example, might choose to While all companies deal with many kinds of take advantage of a new AI feature offered in a risks, managing risks associated with AI can be monthly update to their vendor-provided customer- particularly challenging, due to a confluence of relationship-management (CRM) package without three factors. realizing that it raises new and diverse data-privacy and compliance risks in several of their geographies. AI poses unfamiliar risks and creates new responsibilities Compounding the challenge is the fact that AI risks Over the past two years, AI has increasingly cut across traditional control areas—model, legal, affected a wide range of risk types, including data privacy, compliance, and reputational—that are model, compliance, operational, legal, reputational, often siloed and not well coordinated. and regulatory risks. Many of these risks are new and unfamiliar in industries without a history of AI risk management involves many design widespread analytics use and established model choices for firms without an established risk- management. And even in industries that have management function a history of managing these risks, AI makes the Building capabilities in AI risk management from risks manifest in new and challenging ways. For the ground up has its advantages but also poses example, banks have long worried about bias among challenges. Without a legacy structure to build individual employees when providing consumer upon, companies must make numerous design advice. But when employees are delivering advice choices without a lot of internal expertise, while based on AI recommendations, the risk is not that trying to build the capability rapidly. What level of one piece of individual advice is biased but that, if MRM investment is appropriate, given the AI risk the AI recommendations are biased, the institution assessments across the portfolio of AI applications? is actually systematizing bias into the decision- Should reputational risk management for a global making process. How the organization controls bias organization be governed at headquarters or on is very different in these two cases. a national basis? How should we combine AI risk management with the management of other risks, These additional risks also stand to tax risk- such as data privacy, cybersecurity, and data management teams that are already being stretched ethics? These are just a few of the many choices that thin. For example, as companies grow more organizations must make. concerned about reputational risk, leaders are asking risk-management teams to govern a broader range of models and tools, supporting anything Baking risk management into AI from marketing and internal business decisions to development customer service. In industries with less defined To tackle these challenges without constraining AI risk governance, leaders will have to grapple innovation and disrupting the agile ways of working with figuring out who should be responsible for that enable it, we believe companies need to adopt a identifying and managing AI risks. new approach to risk management: derisking AI by design. AI is difficult to track across the enterprise As AI has become more critical to driving Risk management by design allows developers and performance and as user-friendly machine-learning their business stakeholders to build AI models that software has become increasingly viable, AI use are consistent with the company’s values and risk

Derisking AI by design: How to build risk management into AI development 83 appetite. Tools such as model interpretability, bias mitigate them. Once the solution is in production, it detection, and performance monitoring are built in is also important for organizations to understand so that oversight is constant and concurrent with AI when updates to the solution are being pushed development activities and consistent across the through the platform and to have automated enterprise. In this approach, standards, testing, and processes in place for identifying and monitoring controls are embedded into various stages of the changes to the models. analytics model’s life cycle, from development to deployment and use (Exhibit 1). It’s possible to reduce costly delays by embedding risk identification and assessment, together with Typically, controls to manage analytics risk are associated control requirements, directly into applied after development is complete. For the development and procurement cycles. This example, in financial services, model review and approach also speeds up preimplementation validation often begin when the model is ready for checks, since the majority of risks have already been implementation. In a best-case scenario, the control accounted for and mitigated. In practice, creating function finds no problems, and the deployment a detailed control framework that sufficiently is delayed only as long as the time to perform covers all these different risks is a granular exercise. those checks. But in a worst-case scenario, the For example, enhancing our own internal model- checks turn up problems that require another full validation framework to accommodate AI-related development cycle to resolve. This obviously hurts risks results in a matrix of 35 individual control efficiency and puts the company at a disadvantage elements covering eight separate dimensions of relative to nimbler firms (see sidebar “Learning the model governance. value of derisking by design the hard way”). Embedding appropriate controls directly into the Similar issues can occur when organizations source development and provisioning routines of business AI solutions from vendors. It is critical for control and data-science teams is especially helpful in teams to engage with business teams and vendors industries without well-established analytics early in the solution-ideation process, so they development teams and risk managers who conduct understand the potential risks and the controls to independent reviews of analytics or manage

Learning the value of derisking by design the hard way

A large food manufacturer developed an party review of the model, which uncovered that the company needed to undertake a analytics solution to forecast demand for several problems with the model, including broader initiative to embed risk management each of its products across geographies in a critical data leakage. The model had into model development to prevent this order to optimize manufacturing, logistics, accidentally included a feature that captured and other issues from recurring. The and the overall supply chain. The new model the actual demand. Once the feature was manufacturer began the effort by creating showed higher accuracy compared with the removed, the model accuracy dropped below new roles within the group to perform model company’s existing expert-based approach. the existing expert-based approach. review, defining roles and responsibilities for model checks throughout the modeling But before the model was deployed, the This revelation led to a complete redesign of pipeline, and implementing standards for manufacturer initiated an independent third- the model architecture and the realization development and documentation of analytics.

84 McKinsey on Risk Number 10, January 2021 Exhibit 1 Risk management by design embeds controls across the algorithmic model’s life cycle.

associated risk. They can move toward a safe and controls into their analytics-development processes agile approach to analytics much faster than if (Exhibit 2): they had to create a stand-alone control function for review and validation for models and analytics — Ideation. They first work to understand the solutions (see sidebar “An energy company takes business use case and its regulatory and steps toward derisking by design”). reputational context. An AI-driven decision engine for consumer credit, for example, poses As an example, one of the most relevant risks of AI a much higher bias risk than an AI-driven and machine learning is bias in data and analytics chatbot that provides information to the methodologies that might lead to unfair decisions for same customers. An early understanding of consumers or employees. To mitigate this category the risks of the use case will help define the of risk, leading firms are embedding several types of appropriate requirements around the data and

Derisking AI by design: How to build risk management into AI development 85 methodologies. All the stakeholders ask, “What frequency. These requirements will depend on could go wrong?” and use their answers to the risk of the use case, the frequency with which create appropriate controls at the design phase. the model is used, and the frequency with which the model is updated or recalibrated. As more — Data sourcing. An early risk assessment dynamic models become available (for example, helps define which data sets are “off-limits” reinforced learning, self-learning), leading firms (for example, because of personal-privacy use technology platforms that can specify and considerations) and which bias tests are execute monitoring tests automatically. required. In many instances, the data sets that capture past behaviors from employees and customers will incorporate biases. These biases Putting risk managers in a position can become systemic if they are incorporated to succeed—and providing a into the algorithm of an automated process. supporting cast To deploy AI at scale, companies need to tap an — Model development. The transparency and array of external and unstructured data sources, interpretability of analytical methods strongly connect to a range of new third-party applications, influence bias risk. Leading firms decide which decentralize the development analytics (although methodologies are appropriate for each use common tooling, standards, and other centralized case (for example, some black-box methods will capabilities help speed the development process), not be allowed in high-risk use cases) and what and work in agile teams that rapidly develop and post hoc explainability techniques can increase update analytics in production. the transparency of model decisions. These requirements make large-scale and rapid — Monitoring and maintenance. Leading deployment incredibly difficult for traditional risk firms define the performance-monitoring managers to support. To adjust, they will need to requirements, including types of tests and integrate their review and approvals into agile or

An energy company takes steps toward derisking by design

Companies in industries that have been to produce higher-quality coal. The a centralized inventory for all analytics running analytical models for decades company set up an analytics center of use cases and related information (such under the scrutiny of regulators, such as excellence (COE), which discovered that as developer and owners); establishing financial services, often have a foundation thousands of analytics use cases had a tiering system to identify the most for moving to a derisk-by-design model. been developed and deployed across the material models; creating standards for organization without any clear oversight, model development and documentation; Organizations in industries that have creating risks for human health and safety, defining and implementing requirements adopted analytics more recently and are financial performance, and company for model review and monitoring for all less regulated (at least in the area of model reputation. models; and defining model-governance outputs) will need to build their capabilities processes, roles,and responsibilities for all nearly from scratch. In response, the COE appointed a model stakeholders across the modeling pipeline. manager to oversee the model-governance These changes helped the organization One large North American energy rollout across the organization. The take a giant step toward embedding risk company initiated a multiyear analytics manager’s team identified six key priorities: management into the end-to-end process transformation in order to improve the implementing a process to identify of model development. efficiency of current assets—for example, models as they are developed; creating

86 McKinsey on Risk Number 10, January 2021 Exhibit 2 Bias is one important risk that can be mitigated by embedding controls into the model- development process.

sprint-based development approaches, relying But monitoring AI risk cannot fall solely on risk more on developer testing and input from analytics managers. Different teams affected by analytics teams, so they can focus on review rather than risk need to coordinate oversight to ensure end-to- taking responsibility for the majority of testing and end coverage without overlap, support agile ways of quality control. Additionally, they will need to reduce working, and reduce the time from analytics concept one-off “static” exercises and build in the capability to value (Exhibit 3). to monitor AI on a dynamic, ongoing basis and support iterative development processes. AI risk management requires that each team expand its skills and capabilities, so that skill sets

Derisking AI by design: How to build risk management into AI development 87 in different functions overlap more than they do in — an agreed-upon documentation standard that historical siloed approaches. Someone with a core satisfies the needs of all stakeholders (including skill—in this case, risk management, compliance, developers, risk, compliance, and validation) vendor risk—needs enough analytics know-how to engage with the data scientists. Similarly, data — a single workflow tool to coordinate and scientists need to understand the risks in analytics, document the entire life cycle from initial concept so they are aware of these risks as they do their work. through iterative development stages, releases into production, and ultimately model retirement In practice, analytics teams need to manage model risk and understand the impact of these models — access to the same data, development on business results, even as the teams adapt to environment, and technology stack to streamline an influx of talent from less traditional modeling testing and review backgrounds, who may not have a grounding in existing model-management techniques. — tools to support automated and frequent Meanwhile, risk managers need to build expertise— (even real-time) AI model monitoring, including, through either training or hiring—in data concepts, most critically, when in production methodologies, and AI and machine-learning risks, to ensure they can coordinate and interact with — a consistent and comprehensive set of analytics teams (Exhibit 4). explainability tools to interpret the behavior of all AI technologies, especially for This integration and coordination between analytics technologies that are inherently opaque teams and risk managers across the model life cycle requires a shared technology platform that includes the following elements:

Exhibit 3 The responsibilities for enabling safe and ethical innovation with artificial intelligence span multiple parts of the organization.

1 Articial intelligence/machine learning.

88 McKinsey on Risk Number 10, January 2021 Getting started outlined earlier: ideation, data sourcing, model The practical challenges of altering an organization’s building and evaluation, industrialization, and ingrained policies and procedures are often formidable. monitoring. Controls should be in place at each But whether or not an established risk function already stage of the life cycle, so engage early with exists, leaders can take these basic steps to begin analytics teams to ensure that the design can putting into practice derisking AI by design: be integrated into their existing development approach. — Articulate the company’s ethical principles and vision. Senior executives should create a — Establish governance and key roles. Identify top-down view of how the company will use key people in analytics teams and related risk- data, analytics, and AI. This should include management roles, clarify their roles within a clear statement of the value these tools the risk-management framework, and define bring to the organization, recognition of the their mandate and responsibilities in relation associated risks, and clear guidelines and to AI controls. Provide risk managers with boundaries that can form the basis for more training and guidance that ensure they develop detailed risk-management requirements further knowledge beyond their previous experience down in the organization (see sidebar “Building with traditional analytics, so they are equipped risk management into AI design requires a to ask new questions about what could go wrong coordinated approach”). with today’s advanced AI models.

— Create the conceptual design. Build on the — Adopt an agile engagement model. Bring overarching principles to establish the basic together analytics teams and risk managers framework for AI risk management. Ensure this to understand their mutual responsibilities covers the full model-development life cycle and working practices, allowing them to solve

Exhibit 4 Both analytics and risk professionals will need to complement their traditional skill sets with sufficient knowledge of the others’ function.

Derisking AI by design: How to build risk management into AI development 89 Building risk management into AI design requires a coordinated approach

While AI applications can be developed efforts. This fragmentation created a host demonstrate that all AI risks were managed in a decentralized fashion across an of challenges around key risk processes, through the development life cycle. organization, managing AI risk should be including tracking and assessing coordinated more centrally in order to be the risks of AI embedded in vendor The bank alleviated these issues by effective. A major North American bank technologies, triaging and risk oversight establishing one multidisciplinary team learned this lesson when it set out to of AI tools, building controls into AI model to define a clear target state of AI risk create a new set of AI risk-management development involving multiple analytics management, build alignment across capabilities to complement its existing groups, and operationalizing ethical stakeholders, clarify AI governance risk frameworks. Intitially, multiple groups principles on data and AI approved by the requirements, and specify the engagement began their own AI risk-management board. As a result, the bank struggled to model and technical requirements

conflicts and determine the most efficient training can build institutional knowledge of way of interacting fluidly during the course of new model types. Teams with regular review the development life cycle. Integrate reviews responsibilities (risk, legal, and compliance) will and approvals into agile or sprint-based need to become adept “translators,” capable of development approaches, and push risk understanding and interpreting analytics use managers to rely on input from analytics teams, cases and approaches. Critical teams will need so they can focus on reviews rather than taking to build and hire in-depth technical capabilities responsibility for the majority of testing and to ensure risks are fully understood and quality control. appropriately managed.

— Access transparency tools. Adopt essential tools for gaining explainability and interpretability. Train teams to use these tools to identify the AI is changing the rules of engagement across drivers of model results and to understand the industries. The possibilities and promise are outputs they need in order to make use of the exciting, but executive teams are only beginning to results. Analytics teams, risk managers, and grasp the scope of the new risks involved. Existing partners outside the company should have approaches to model-risk-management functions access to these same tools in order to work may not be ready to support deployment of these together effectively. new techniques at the scale and pace expected by business leaders. Derisking AI by design will — Develop the right capabilities. Build an give companies the oversight they need to run AI understanding of AI risks throughout the ethically, legally, and profitably. organization. Awareness campaigns and basic

Juan Aristi Baquero and Roger Burkhardt are partners in McKinsey’s New York office, Arvind Govindarajan is a partner in the Boston office, and Thomas Wallace is a partner in the London office.

The authors wish to thank Rahul Agarwal for his contributions to this article.

90 McKinsey on Risk Number 10, January 2021 The next S-curve in model risk management

How banks can drive transformations of the model life cycle in a highly uncertain business landscape. by Frank Gerhard, Pedro J. Silva, Maribel Tejada, and Thomas Wallace

91 The economic effects of the COVID-19 pandemic An optimized model landscape have thrown into stark relief the significant As the economy begins to revive, organizations will challenges facing banks’ financial models. Some likely be under budgetary stress. Differing priorities models have failed in the crisis, an outcome that has will compete for fewer resources. Leaders will have drawn attention to models generally. The causes of to make smart choices to realize model strategies, the failure include not only COVID-19 effects but also investing efficiently and sustainably. Banks will regulatory requirements and models’ increasing time likely seek to upgrade their modeling capabilities, to market. Institutions are realizing that even models rationalize the model landscape, and streamline the which have not been significantly affected by these processes for developing, monitoring, maintaining, stresses are wanting in other ways. and validating models.

The present crisis is creating a moment in which Banks will have to manage trade-offs among banks can rethink the entire model landscape and expected impact on capital, regulatory provisions, model life cycle. The next S-curve for model risk costs to remediate issues, and capacity constraints. management (MRM) includes new model strategies The objectives will be best served by avoiding to address new regulation and changing business unnecessary complexity. As part of the effort to needs. Models must become more accurate, so rationalize the model landscape, better models will be banks need to recalibrate them more frequently and built—those that ensure regulatory compliance but develop new models more rapidly. A sustainable are also more accurate and best serve the business. operating model is needed, since monitoring, validation, and maintenance activities must support Models will also be recalibrated and run more the redevelopment and adjustment of models. The frequently. Some will be replaced by next- solution will have to be designed to manage models generation models, an effort that will require effectively over the long term. investment in technology and data initiatives to serve the business. The development cycle for The new strategy will require a top-down approach new models will be shortened, so that they can to model development because the institution has to be deployed faster. To manage increasing costs, be able to identify those changes that can be made banks will have to ensure that model development, through overlays and those that need recalibration monitoring, and validation are performed efficiently. and redevelopment. Once the model-development Banks also must demonstrate to regulators that wave is complete, model validation, monitoring, and their model-management frameworks are robust maintenance can be “industrialized”—conducted and that the impact of the crisis on models is being in a methodical, automated manner, sufficient capably addressed. for managing an increasing number of models. High standards are needed for both model risk management and regulatory requirements. The role of the model-risk-management function For the most part, quick solutions become Proactive MRM activities, aligned with both unsustainable in the long run, for several reasons: business needs and risk-management objectives, experience has shown that banks cannot rely on must be in place to prevent overgrowth of the model expert judgment alone; many solutions address inventory. To ensure that the inventory is rational temporary conditions (such as the effects of and effective, banks need to manage the model government intervention or changes in customer landscape as a whole. They also need to ensure that behavior); budgets are strained by the resources model quality is high. Gaining transparency to direct needed to monitor, recalibrate, and develop or such efforts can involve deploying model workflow redevelop the ever-increasing model inventory; and inventory tools, consistently applied model- and finally, the short time periods in which the work risk-rating approaches, and regular monitoring of must be done demand a more industrialized and model performance and use. comprehensive approach.

92 McKinsey on Risk Number 10, January 2021 The MRM function can support the bank by fully costs are justified, programs are run efficiently, optimizing the portfolio of models. This support and models are well monitored and maintained. goes beyond performing validation work and Such active collaboration eliminates work silos, ensuring consistency across modeling and allowing the use of common elements across monitoring practices. Model development is also the model life cycle. This minimizes friction and in need of optimization and consolidation, since boosts efficiency. development is usually fragmented across different business units. — Capability building. The effort to build the model strategy must be supported by a thorough Hundreds of models now need to be adjusted, capability-building program. All model users and developed, and recalibrated. There is a lesson in owners and the leaders of affected functions this—the effective and efficient development of and business units need to be trained in the new new models must result in models that are easy approach to MRM, so that they all understand and inexpensive to maintain in the future. In taking their risk-management responsibilities. Given stock of existing models, banks should seek to the current environment, defined by new improve the quality of the best models while and complex technology and accelerating decommissioning poor-quality, ineffective, and automation, an aware and responsive workforce outdated models. is indispensable to strong model governance.

— Agenda setting. The MRM function should work Sharing responsibility for model closely with the first line to set the agenda, management identifying the models that are most important Model management can no longer be primarily to the business and operations and defining or even mainly the responsibility of the MRM the priority model activities. That requires function, a fact that the COVID-19 crisis has a forward-looking view into how pandemic- underscored. The responsibility must be with the related factors have affected or will affect business stakeholders—those who use the models models. Those that are adversely affected will and extensively rely on their outcomes. MRM has need recalibration or redevelopment. to be approached as the collaborative work of all three lines of defense. The second line—the — Active management of the model landscape. MRM/validation function and the risk function— Managing the model landscape will be a joint should enable a clear program for building MRM effort between first- and second-line teams. capabilities among all business stakeholders and Model-risk managers will guide the efficient model owners. Only through real collaboration can allocation of model-risk appetite by setting banks ensure that effective controls are designed definitions for where models should be used, and models are properly monitored. thresholds for materiality and complexity, and precision requirements based on use cases. At As responsibility for MRM is shared, so are its the same time, model developers will be given benefits, and certain activities will undergo changes incentives to consolidate similar functions, and adaptations. reduce model count and complexity, and promote modularization and reuse of code. — Validation. The MRM function and risk function will still focus on validation practices, ensuring — An agile operating model. The function that models are of good quality and model also needs to determine the best operating risk is capably managed. But the business approach to manage delays in development stakeholders and model developers are the and validation plans that were made before the ultimate users of models. As such, they must pandemic. This would include a flexible project- be responsible for ensuring that development management approach, with joint calendars

The next S-curve in model risk management 93 The big lesson for the new MRM framework is that it must establish standards and standardize processes.

for both development and validation. New Crucially, banks must develop a model strategy for organizational structures should be established the coming years that meets these demands in a to ensure cross-functional teams, career- and cost-efficient manner. knowledge-development opportunities, rotation programs, and an effective location strategy. As model-life-cycle processes are reimagined, the A multidisciplinary team, with representatives ultimate goal is to bring about strategic change. But from business, development, technology, and flexibility is built into the process, so progressive validation, can be used to break down siloes and efficiency gains, such as technical solutions, can meet the needs of various stakeholders. be made to capture near-term benefits until more fundamental strategic programs are completed. For — Ownership. Most organizations that have been automation, processes need to be standardized. successful in optimizing their model landscape This is accomplished through a complete review of have established clear model ownership and process maps, applying lean fundamentals. defined roles for those model owners. This ensures that the model-life-cycle process is integrated MRM should become the agency driving model across the organization, with stakeholders efficiency. Modeling teams and business interacting in a coordinated manner. Where model stakeholders will need to work alongside risk, ownership has not been established, strong including the MRM and model-validation teams. focus should be given to onboarding programs to Together they can fully utilize MRM frameworks ensure the business understands its model risk to manage the increasing number of models management responsibilities. efficiently—including newly developed and redeveloped models as well as the monitoring and validation conforming to the increasing level of Streamlining and automation standardization and automation. The big lesson for This perfect storm of model-inventory revisions and the new MRM framework is that it must establish development presents organizations with a unique standards and standardize processes. This work is opportunity to act strategically. The requirement essential for streamlining and automation. is clear: institutions need to streamline the entire model life cycle, including ideation, development, The increasing number of models poses a significant implementation, validation, and monitoring. The challenge. These models must be validated within objectives are to avoid future bottlenecks, support budgets but without eroding quality. Banks should business continuity, and improve institutional therefore ensure a high-quality, independent model performance, while minimizing risk and cost. review that is also cost-efficient.

94 McKinsey on Risk Number 10, January 2021 Finding efficiencies in the model during development by as much as 30 percent life cycle by applying standard model principles, a Banks can find efficiency opportunities throughout standard library of testing codes, automatic the model life cycle (exhibit). To do this, they can testing, and other techniques. assess and review their current model process maps, rethinking the processes themselves. — Model validation. Banks have reduced the time it takes to validate and produce the associated Processes can be redesigned and automated report to comply with regulations and ensure using standard digitization programs, generating business continuity, in some cases by as much efficiencies in a range of areas: as 65 percent. The key drivers of the savings are standardized tiering, automated test selection — Model testing. Some firms have been able to and testing by model type, and automated reduce the time it takes to perform testing population of documents and reports.

Exhibit Significant savings result from optimizing the model life cycle, especially in validationSignicant processes. savings result from optimizing the model life cycle, especially in validation processes.

Opportunities for automation Automating model activities Automating documentation

Dene business requirements Lorem ipsum Model Select methodology and redevelop models development Automate model-parameter creation and analysis of outcomes and review No Complete model documentation Automate generation of sections of model documentation Accepted in validation Periodic Conduct completeness assessment model queue? validation Conduct validation Yes Automate replication and performance testing

Model Complete model-validation report implementation Automate generation of technical-validation report and production Prepare business-requirement documentation

Insert model in IT system and complete user testing Ongoing monitoring Model performance Test model performance deteriorated? Conduct regular, automated performance monitoring

Complete annual model review Automate generation of specic sections of template No

The next S-curve in model risk management 95 — Model monitoring. A predefined monitoring Proactive MRM owned by all lines of defense is pack built around a library of key performance needed now—not only to meet new regulatory indicators can reduce the time required to expectations but also to strengthen institutional execute ongoing monitoring activities by as resiliency in this crisis and the next. It is also much as 35 percent. needed to maintain and improve model efficiency. A redefined MRM framework will include all — Data-quality standardization and automation. stakeholders and cover the entire model life cycle. Banks can reduce the workload for data- The model inventory will be reshaped to better quality testing for models by 20 to 40 percent. support the needs of the business. Standardized For both models in the pipeline and models processes will provide the foundation for the being monitored, testing can use standard use of advanced analytical and digital tools and libraries. With machine-learning techniques progressive automation. and automation, banks can scan terabytes of data without human intervention. With only gray Banks have to do all this while maintaining high areas left to be addressed, the savings in time standards for MRM and regulatory compliance. A and effort are significant. lot of ground must be covered in the coming months, and given the depth of the present crisis, banks The streamlining and automation of model-related should get started right away. processes—from model development to validation, monitoring, and maintenance—is thus an MRM project integrated across the lines of defense.

Frank Gerhard is an associate partner in McKinsey’s Stuttgart office; Pedro J. Silva is a consultant in the London office, where Thomas Wallace is a partner; Maribel Tejada is a senior expert in the Paris office.

The authors wish to thank Pankaj Kumar for his contribution to this article.

96 McKinsey on Risk Number 10, January 2021 Applying machine learning in capital markets: Pricing, valuation adjustments, and market risk

By enhancing crisis-challenged financial models with machine-learning techniques such as neural networks, banks can emerge stronger from the present crisis.

This article was a collaborative effort by Juan Aristi Baquero, Akos Gyarmati, Marie-Paule Laurent, Pedro J Silva, and Torsten Wegner, representing views from McKinsey’s Risk Practice.

97 When the COVID-19 outbreak became a global sufficient computational power are imperatives. pandemic, the volatility of financial markets hit its Indeed, “speed” is of the essence. highest level in more than a decade, amid pervasive uncertainty over the long-term economic impact. In response, some leading institutions have started Calm has returned to markets in recent months, but to incorporate advanced techniques into their volatility continues to trend above its long-term quantitative armories. In pricing, an area that has average. Amid persistent uncertainty, financial experienced a spike in recent activity, several banks institutions are seeking to develop more advanced are applying machine learning (ML) to enhance quantitative capabilities to support faster and more traditional models—for example, by calibrating accurate decision making. parameters more efficiently. In particular, banks have used neural networks, a type of ML focused on As financial markets gyrated in recent months, nonlinear and complex data relationships. Advanced banks faced particular problems calculating machine-learning techniques can do the following: value at risk (VAR) across asset classes. Many institutions experienced elevated levels of VAR — speed up calculations, reducing operational back-testing exceptions, leading to higher costs and allowing real-time risk management of regulatory-capital multipliers. Increases of as much complex products as 30 percent were reported, prompting regulators to apply exemptions in some cases. There were — animate more complex models that may also challenges with valuation adjustments, as currently be unusable in practice, and unlock derivatives faced snowballing collateral calls more accurate valuations and increasing funding costs. Where credit- value-adjustment (CVA) risks were excluded from — generate high volumes of synthetic but market- market risk models, CVA hedges sat “naked” on consistent data, helping, for example, to offset the balance sheet, leading to significant uplifts in the disruptive impact of COVID-19-related exposures, and therefore in risk-weighted assets market moves (RWAs). One large US dealer was hit with a loss of $950 million stemming from a valuation adjustment One way to implement neural networks is to apply (XVA) in the first quarter of 2020. Elsewhere, rising them to pricing, where they can “learn” how to price gap risk in illiquid securities catalyzed painful fair- vanilla calibration instruments under a given (possibly value losses—as high as $200 million in the case of complex) model, and then act as pricing engines for a major Europe-based bank. new model calibration. The approach obviates one of the most significant challenges associated with ML, In an unpredictable environment, financial modelers which is parameter interpretability. In this case, there is were required to come up with solutions but were no interpretability issue because the network uses the often stymied by inadequate models or the need original model’s parameters. This means that there is for huge computational power that was not always no ML “black box,” and the key calibrated parameters available. Given the speed of response required, can be interpreted in the original model’s context. models in some cases were rendered unusable. The inevitable result was an increase in risk exposures Neural networks can also support future-exposure and opacity from valuations, sometimes in absolute modeling for valuation adjustments (Exhibit 1). value and other times relating to the reason for specific model outputs. The network can be trained on established samples, such as those relating to the evolution of risk factors An imperative to act and corresponding cash flows for the products being Since forecasting institutions expect the global modeled. The additional efficiency provided by the economy to have contracted by about 5 percent in network makes for improved accuracy and faster 2020, banks should aim to optimize their trading processing (Exhibit 2). That saves banks from using books and risk positions. This ambition requires time-consuming nested Monte Carlo approaches more accurate and timely valuations. With those and less accurate analytical approximations or “least priorities in mind, more advanced models and squares”—style regressions.

98 McKinsey on Risk Number 10, January 2021 There are equally promising applications in real-time There is no blueprint for model development, and portfolio valuation, risk assessment, and margining. individual businesses must solve for their own pressing needs. However, the experience of early movers suggests that reliable options for establishing Three steps to deepening ML engagement a track record encompass three key steps: Machine learning offers significant enhancement for conventional quantitative approaches, through 1. Identify quick wins its ability to interpolate across large data sets and While ML can help to improve numerous streamline model calibration. Banks would benefit calculation processes, it is more useful in some by deepening their ML engagement and testing contexts than others. The task for decision makers new use cases. The uncertain macroeconomic is to identify potentially winning applications that environment should act as a catalyzer to this will help create a positive track record. Likely process and trigger banks to act. The emphasis candidates are models that consume large initially should be on discrete applications rather amounts of time or computing power. ML can than wholesale transformation. Use cases can later both speed the work of these models and lay the be extended and expanded across the business. groundwork for scaling their application. Among the applications that have begun to attract

Web <2020> ExhibitExhibit <1> of1 <2> NeuralNeural networks networks can can support support future-exposure future-exposure modeling. modeling.

Articial Machine Deep learning intelligence learning and neural networks Intelligence exhibited by machines, Major approach to realizing Branch of machine learning where mimicking cognitive functions articial intelligence by learning systems of algorithms, based on that humans associate with from and making data-driven simulating connected neural units, other human minds; cognitive predictions on data and experiences; mimic how neurons interact in functions include all aspects of categories include supervised brain; uses large-scale neural perceiving, reasoning, learning, learning, unsupervised learning, networks that can contain millions and problem solving and reinforcement learning of simulated “neurons” structured in layers; successful in many dierent applications Web <2020> ExhibitExhibit 2 <2> of <2> NeuralNeural networks networks can can enable enable fast fastand andaccurate accurate exposure exposure calculations. calculations.

Problem: Future-exposure modeling is main bottleneck in Solution: Neural-network approach proposed to achieve current valuation-adjustment models; portfolio-valuation all 3 goals at same time: and risk calculations must be fast, accurate, and consistent 1. Perform portfolio-valuation and risk calculations via with FO1-pricing models, but typical approaches fail to neural networks meet all 3 goals at same time 2. Train neural networks using simulated risk-factor paths and pathwise-evaluated cash ows—no extra cost to Nested Monte Analytical approximations/ generate training sample Carlo method LSM2-style regressions 3. Use dierential regularization to optimize accuracy for Fast both pricing and risk while achieving fast training Accurate Consistent with FO-pricing models

1Front oce. 2Least-squares method. Source: Danske Bank SuperFly Analytics

Applying machine learning in capital markets: Pricing, valuation adjustments, and market risk 99 attention are valuations of level-3 assets, XVA • acquire continuous feedback on how new calculations, profit-and-loss attributions (“P&L applications can fit into the wider organization explains”), adaptations for Fundamental Review of the Trading Book (FRTB), and stress testing. 3. Roll out at scale Over time, sprints, prototypes, and quick wins A “discovery phase” of an ML transformation will have accumulated sufficiently to create could proceed as follows: the conditions for a more sustained machine- learning rollout. Assuming a critical mass of use • Identify concrete cases based on accepted cases, quant teams should move to integrate ML criteria, such as the complexity of models, into a wider range of activities. They may begin exposure in books, or computational with the front office and extend into risk, finance, bottlenecks. For example, complex, hard-to- compliance, and research. value derivatives such as structured callable trades could be good targets. A plan to scale up the machine-learning program could include the following activities: • Size the estimated impact and align various stakeholder groups. • strategic execution of identified priority use cases

• Create an action plan, including the effort and • continuous exploration of additional areas where time required for implementing the identified ML could be relevant, such as anti–money use cases. laundering, know your customer, or cybersecurity

2. Build capabilities to embrace a culture • updating risk-management practices, such enabled by machine learning as model governance and risk assessment, to Machine learning has the potential to create monitor and control new risks introduced by ML significant efficiencies in a range of activities. However, financial institutions cannot maximize the ML opportunity without acquiring the necessary capabilities to build, maintain, and Machine learning has the potential to enable apply ML-enabled models. They must also take institutions to do more in capital markets, to move steps to help employees understand and exploit faster, and to move with greater accuracy. The potential benefits so that ML is embedded in the working conditions created during the pandemic culture of the organization. have accelerated reliance on digital access and the data-driven environment. Given these factors, This could be achieved by following through machine learning could easily begin to migrate into with the earlier approach and establishing mainstream operations. With this in mind, firms must and executing pilot programs to implement not delay in building their capabilities. They must prioritized use cases. During these pilots, the experiment, develop use cases, and move quickly following practices can be applied: to the production of machine-learning-enhanced models. Those that create and execute a sensible • build capabilities via learning on the job implementation strategy are likely to emerge from the current crisis stronger, more assured of risk • understand typical challenges and pitfalls and exposures, and better prepared for what lies ahead. how to solve them

Juan Aristi Baquero is a partner in McKinsey’s New York office, Akos Gyarmati and Pedro J Silva are consultants in the London office, Marie-Paule Laurent is a partner in the Brussels office, and Torsten Wegner is an associate partner in the Berlin office.

100 McKinsey on Risk Number 10, January 2021 Derisking digital and analytics transformations

While the benefits of digitization and advanced analytics are well documented, the risk challenges often remain hidden.

by Jim Boehm and Joy Smith

101 A bank was in the midst of a digital transformation, across industries and around the globe to better and the early stages were going well. It had understand the scope of the issue.¹ While the successfully transformed its development teams benefits of digitization and advanced analytics are into agile squads, and leaders were thrilled with the well documented, the risk challenges often remain resulting speed and productivity gains. But within hidden. From our survey and subsequent interviews, weeks, leadership discovered that the software several key findings emerged: developers had been taking a process shortcut that left customer usernames and passwords vulnerable — Digital and analytics transformations are widely to being hacked. The transformation team fixed undertaken now by organizations in all sectors. the issue, but then the bank experienced another kind of hack, which compromised the security — Risk management has not kept pace with of customer data. Some applications had been the proliferation of digital and analytics operating for weeks before errors were detected transformations—a gap is opening that can only because no monitors were in place to identify be closed by risk innovation at scale. security issues before deployment. This meant the bank did not know who might have had access to — The COVID-19 pandemic environment has the sensitive customer data or how far and wide the exacerbated the disparity between risk- data might have leaked. The problem was severe management demands and existing capabilities. enough that it put the entire transformation at risk. The CEO threatened to end the initiative and return — Most companies are unsure of how to the teams to waterfall development if they couldn’t manage digital risks; leading organizations improve application-development security. have, however, defined organizational accountabilities and established a range of This bank’s experience is not rare. Companies in effective practices and tools. all industries are launching digital and analytics transformations to digitize services and processes, McKinsey has developed approaches and increase efficiency via agile and automation, improve capabilities to address the challenges implicit customer engagement, and capitalize on new in these findings. They include a new four-step analytical tools. Yet most of these transformations framework to define, operationalize, embed, and are undertaken without any formal way to capture reinforce solutions; supporting methodologies and manage the associated risks. Many projects have to accelerate frontline teams’ risk-management minimal controls designed into the new processes, effectiveness and efficiency; and a cloud-based underdeveloped change plans (or none at all), and diagnostic assessment and tracking tool. This often scant design input from security, privacy, and tool is designed to help companies better identify, risk and legal teams. As a result, companies are assess, mitigate, and measure the nonfinancial creating hidden nonfinancial risks in cybersecurity, risks generated and exacerbated by digital and technical debt, advanced analytics, and operational analytics transformations at both the enterprise resilience, among other areas. The COVID-19 and product level. pandemic and the measures employed to control it have only exacerbated the problem, forcing Fortunately, to take advantage of these approaches, organizations to innovate on the fly to meet work- most companies will not have to start from scratch. from-home and other digital requirements. They can apply their existing enterprise-risk- management (ERM) infrastructures. This is typically McKinsey recently surveyed 100 digital and used for financial and regulatory risks but can be analytics transformation leaders from companies modified to be more agile and adaptable to meet the

1 The McKinsey Global Survey on digital and analytics transformations in risk management, 2020. The 100 participants were a representative sample of companies from all geographic regions; nearly 89 percent have annual revenue of at least $1 billion. The companies spend, on average, 12 percent of their IT budgets on digital and analytics transformations.

102 McKinsey on Risk Number 10, January 2021 risk-management demands of digital and analytics A broad set of new (and expensive) risks transformations. Most companies appear to do little about the nonfinancial risks generated and exacerbated The advantages of digital and analytics by digital and analytics transformations. The transformations are real but so are the risks (Exhibit 1). scope of these risks is broad. Digital and analytics transformations are often deployed across By understanding the insights from our research organizations, involving many departments and and taking the approach outlined here, companies third parties. Soft factors such as skills, mindsets, can achieve the value of digital and analytics and ways of working, as well as hard factors such transformations while also safeguarding their as technology, infrastructure, and data flow are all organizations and customers. Ultimately, companies being changed at once during such a transformation. can inspire more productive relationships among groups and foster a sustainable competitive Some traditional risks are more common to most advantage for the company by preserving the impact projects—including those arising from budget of their transformation activities for the long term. and schedule overruns, talent (employees and

Web <2020> Exhibit <1> 1 of <6> Digital and analytics transformations use use machine machine intelligence, intelligence, automation, automation, and agile approaches to to improve improve products products and and operations. operations.

Approach to digital and analytics transformations

Transform the core business Transformation Build a new business model

Transform enterprise technology and analytics systems

Transformation domains

Multichannel customer experience: Supply chain and procurement: Data transformation: unify data redesign and digitize top customer digitally redesign and manage governance and architecture to journeys end to end operations to improve safety, enable next-generation analytics delivery, and costs Digital marketing and pricing: Core-system modernization: achieve revenue management, promotions- Next-generation operations: drive through refactoring or platform dynamic B2B pricing, cross-selling step changes in eciency through replacement and upselling digitization, AI, advanced analytics, and agile lean approaches Cloud and DevOps: migrate Sales digitization: digital sales, applications to hybrid cloud and/or remote-selling eectiveness Digital architecture: set up digital software as a service (SaaS) and architecture combining application implement software development New digital propositions: create programming interfaces (APIs), and IT operations (DevOps) new revenue streams by building microservices, and containers digital propositions, using next- Digital and analytics talent and generation articial-intelligence (AI) capabilities: acquire new talent technologies to achieve cost savings and build capabilities at scale

Derisking digital and analytics transformations 103 third parties, including contractors, suppliers, of the staff was permitted to use unsecured and partners), IT performance, and compliance personal devices to connect remotely, exposing and regulatory issues. Yet digital and analytics the company to “bring your own device” attacks. transformations also introduce new cyberrisks, Similarly, a bank found that employees were data risks, and risks from artificial-intelligence printing documents on their home printers, thus (AI) applications. Digital and analytics initiatives running corporate data through unsecured home require more detailed data to be collected from a routers, which are notoriously vulnerable to wider range of sources. These data are then used hackers. Another firm expressed concerns about in different parts of the organization to generate employees having “smart home” listening devices insights. The moving data create inherent risks that could record discussions during video calls in in data availability, location, access, and privacy. executives’ home offices. Sources of risk to operational resilience include new IT services and migration to the cloud. Predictive Artificial intelligence is also poised to redefine how analytical models could be biased or deviate from businesses work and is already unleashing the the original focus of the initiative exposing an power of data across a range of crucial functions.² organization to legal liability or reputational risk. But the compliance and reputational risks of AI pose If not handled appropriately, such risks can lead a challenge to traditional risk-management functions. to expensive mistakes, regulatory penalties, and consumer backlash. The different concerns have arisen from the rapid changes in the way we work now. Current The business disruptions caused by the COVID-19 risk-management capabilities are falling short crisis have compounded these additional risk layers. in addressing them, since the risks are new and In a sense, the pandemic has set off the largest growing exponentially. A new risk-management wave of digital and analytics transformations in approach is needed. history, compressing transformations that would have taken years into a few hectic months (or even weeks), often with little advance planning. A snapshot of digital and analytics Most organizations had some security policies transformation risk management and training in place before the pandemic struck. The results of the McKinsey Global Survey permitted Few, however, had established detailed policies or a holistic view of the risks facing digital and training on how to safely set up a remote work space analytics transformations and how well companies or think through other risks associated with the are managing them. Several salient points emerged rapid acquisition and deployment of new tools. from participants’ transformation experiences.

One oil and gas company, for example, had to divide Transformations are becoming commonplace its virtual private network to expand bandwidth across industries so that all employees could have access to the Survey participants completed an average of six corporate network from their homes. This caused transformations in the past three years, with a slowdowns in patching on employee laptops, which range of objectives. More than 80 percent have exposed the company to vulnerabilities commonly implemented at least one end-to-end customer exploited by attackers. journey transformation, and 70 percent developed new digital propositions and ecosystems. A telecom company allowed its call-center staff Organizations are also changing their operating to work from home, but it left specific policies up models to support the changes. Approximately to team managers. The result was that 30 percent 80 percent of companies intend to shift up to

2 Juan Aristi Baquero, Roger Burkhardt, Arvind Govindarajan, and Thomas Wallace, “Derisking AI by design: How to build risk management into AI development,” August 2020, McKinsey.com.

104 McKinsey on Risk Number 10, January 2021 30 teams to work in agile ways in the next three transformations. Surprisingly, 14 percent have never years; the remaining 20 percent are shifting more formally assessed the risks for these initiatives—a big than 30 teams to agile. This means, of course, that oversight for established companies. 100 percent of the 100 companies we surveyed intend to adopt or scale agile in the coming years. If Companies are unsure of how to manage done well, this is very good news for risk managers, digital risks given the inherent risk-mitigating structures and Unlike for financial risk management, in which culture of early identification and remediation of companies tend to have established roles and defects inherent in well-implemented agile teams. processes (such as model risk management), companies in our survey do not have established Risk management is not keeping pace roles, processes, or even consolidated understanding Companies’ risk-management capabilities are of digital and analytics risk drivers. The biggest lagging behind their transformation efforts. challenge leaders say they face in managing digital Organizations are transforming far more frequently and analytics risks is simply identifying them. The than they are updating their risk frameworks to challenge gives credence to the maxim, “You cannot include new and exacerbated risks, and risk and legal manage what you do not measure.” professionals often operate in separate siloes. Hence, the risk infrastructure is not keeping pace with the Notably, the results show virtually no relationship innovation. Overall, most respondents assess their between IT spending levels and overall riskrisk-management maturity as average, but more management maturity for digital and analytics than 75 percent have not conducted a formal, holistic transformations. Simply put, the challenges are not risk assessment for half of their digital and analytics solved by budget size (Exhibit 2).

Web <2020> Exhibit <2> 2 of <6> Risk-management maturity in digital and analytics is not related to IT spending. Risk-management maturity in digital and analytics is not related to IT spending.

Average reported risk-management maturity by IT budget, scale 1–51

1 0–200 401–600 801–1,000 1,201–1,400 1,601–1,800 201–400 601–800 1,001–1,200 1,401–1,600 1,800+

IT budget, $ million

1Question: At a company like yours, how mature are digital and analytics risk-management capabilities? Companies rated their risk-management capabilities from 1 to 5, with 5 representing the most advanced in eectiveness and eciency. Source: McKinsey Global Survey on Digital and Analytics Transformations in Risk Management, 2020

Derisking digital and analytics transformations 105 Roles and responsibilities are insufficiently clear Leading companies apply a range of effective Survey participants little agree on where practices and tools to manage risks responsibility should lie for addressing digital Companies in our survey with the highest risk- and analytics transformation risks. For almost all management maturity are more comfortable with respondents, the chief information or chief data managing digital and analytics transformations. officer leads digital and analytics transformation These companies are more likely to centralize or activities; participants do not align, however, on the automate their risk-management functions, and lead for identifying and mitigating the associated they report using an array of practices and tools risks. For more than 40 percent of respondents, the to identify and reduce the risks of their digital and task falls to the digital and analytics transformation analytics transformations (Exhibit 3). leads themselves. Unfortunately, these individuals often lack a detailed understanding of embedded Here are the most relevant approaches leaders cite: risk factors and are given incentives to “get the transformation done.” Even for those individuals — Reengineering processes and retraining who do focus on risk management, responsibilities employees. Respectively, 74 and 69 percent are perceived as ancillary and less of a priority than of respondents across industries and regions project completion. cite these practices, making them the most

Web <2020> Exhibit <3> 3 of <6> Companies withwith higherhigher risk-management maturity maturity use use several several transformation transformation practices andand toolstools to to manage manage risks. risks.

Reported use of transformation practices by risk-management maturity level,1 % of respondents

100 100 Risk-management maturity level

5 4 80 80 3 12 Average 60 60

40 40

20 20

0 0 Retrain Automate New Reengineer Redesign Did not personnel processes tools processes organization use tools

1Question: At a company like yours, how mature are digital and analytics risk-management capabilities? Companies rated their risk-management capabilities from 1 to 5, with 5 representing the most advanced in eectiveness and eciency. Question: What levers would a company like yours use to identify and reconcile risks associated with digital and analytic transformations? Source: McKinsey Global Survey on Digital and Analytics Transformations in Risk Management, 2020

106 McKinsey on Risk Number 10, January 2021 popular for managing digital and analytics — Automated feedback loops. The risk-maturity transformation. These practices are especially scores of companies that have them are more important for agile ways of working. When than 30 percent above the average. implemented well, they can be critical to derisking technology using agile methodologies. — Centralization. Companies with the highest The agile approach permits companies to risk-management scores are more likely to track automate, create new organizations, or deploy digital and analytics risks in a single, centralized new tools with less effort, and has early source, rather than several sources. identification and remediation of defects inherent in its culture. Pain points in managing digital and — Formal risk assessments. Companies do not analytics transformation risks conduct these assessments as broadly as Survey participants also describe their biggest pain necessary; however, companies that do conduct points in identifying and mitigating risks. them report an increase of 75 percent in their understanding of risks from digital and analytics Understanding risks transformations. Formal risk assessments also The top concern, which 48 percent of respondents correlate to higher comfort levels in managing cite, was simply understanding the risks associated those risks (+47 percent), and greater risk- with digital and analytics transformations (Exhibit 4). management maturity (+33 percent). Many transformation leaders are essentially flying

Web <2020> Exhibit <4> 4 of <6> The toptop risk-management pain pain point point is is in in understanding understanding the the risks risks generated generated by bya digital a digital and and analytics analytics transformation. transformation.

Reported risk-management pain points,1 % of respondents

Issue with understanding risks and accountability Di culty managing changes Lack of sponsorship Problems with tools

Di culty Not enough Di culty Lack of Di culty Unclear or no understanding executive/stakeholder managing many overall view of training whole end-to-end risks generated sponsorship teams making enterprise-wide or organization on accountability of by transformation or buy-in decisions at speed function-wide risks new practices risk management 48 32 26 22 19 16

Di culty Risk management No clear Lack of risk- Exposure of Lack of managing changing slows down management organization sensitive data due tools or tool regulatory business standards for involvement early in to transformation standardization requirements processes nonnancial risks development process changes 13 11 11 9 9 9

1Question: In your most recent digital and agile projects, what were the top ve risk-management pain points? Source: McKinsey Global Survey on Digital and Analytics Transformations in Risk Management, 2020

Derisking digital and analytics transformations 107 blind: risk ownership is not clear, the complex and Overcoming operational limitations changing technology and regulatory environments In digital and analytics transformations, the whole are not well deciphered, and design and test plans organization must be trained to work in new ways do not consider risks early enough in the process. (such as the agile approach) and be vigilant about Unlike financial risks, nonfinancial risks are hard mitigating new risks. One common goal of digital to benchmark, and there is no one standard to and analytics transformations is to better serve manage them. end users, who are often the weakest link in a risk- management chain. Low risk-awareness can expose Managing changes at speed the enterprise to significant risks associated with Digital and analytics transformations are the new digital and analytics tools and processes. often delivered rapidly through agile and other Risks may even be generated by the front line methodologies. If traditional risk-management through user errors, where, for example, cloud practices are not also transformed along with the buckets have been misconfigured or access rights new ways of working, they can introduce delays that have been wrongly granted. threaten ambitious timelines. In some cases, even complying with new policies can create problems IT infrastructure can be a source of operational due to unforeseen interdependencies. For example, constraints as well. Digital and analytics a North American distributor launched an analytics transformations deploy new systems and transformation and, during the implementation decommission legacy systems, yet organizations phase, also established a new information security sometimes lack adequate training and experience policy. Suddenly, all work on the transformation was to manage patches and vulnerabilities of the new subject to the new policy—which meant that data systems. Legacy systems, if not decommissioned had to be logged daily, maintained in the cloud, and properly, may additionally leave vulnerabilities that removed after 30 days. Because of these changes malicious actors can later exploit. For example, a in data-handling processes, the transformation was company implemented a piece of hardware in a data delayed by four weeks, triggering a loss of more center for research purposes but did not include the than $20 million—a financial risk directly connected device in regular production-patching cycles. After to a new digital way of working. Risk management a vulnerability was exploited on the device, malware should be designed, implemented, and supported to spread across the whole data center, causing a loss keep pace with digital and analytics transformation of data and rendering the system unavailable. Cloud teams and avoid these and other similar risks. migrations can mitigate or even eliminate many of these risk types, but only if the cloud migration is Accessing resources done properly with security as a part of its core. Nearly one-third of respondents cite a lack of sponsorship or buy-in from executives or other stakeholders in prioritizing risk-identification and A framework for digital and management activities. Generating short-term analytics transformations revenue is prioritized over managing embedded The risks engendered in a digital and analytics risks. The latter, of course, is critical to preserving transformation may be different from those that long-term value. More than half of participants companies normally face—or they may be traditional face resource limitations when improving risk risks that happen with extraordinary frequency management with needed talent and capacity. and potential for significant impact. Fortunately, Companies also struggle in putting the right most companies already have a foundation in place tools and processes in place. For example, some to begin addressing these risks: their existing organizations still manage digital and analytics enterprise-risk-management infrastructure, which transformation risks manually using an array is used for financial and regulatory risks. Enterprise of spreadsheets. Even those that apply more risk management typically consists of several advanced tools do not do so consistently across common activities, including the following: organizational boundaries.

108 McKinsey on Risk Number 10, January 2021 — defining a mature enterprise-risk framework it easier for organizations to do this. It consists of four steps that define, operationalize, embed, and — developing an effective risk governance with reinforce the elements of the transformation. taxonomy, risk appetite, reporting, and key risk The framework fosters a dynamic approach, helping indicators adapt the existing ERM infrastructure for an increasing flow of risk-mitigating information and — building a risk organization and operating model actions. Within the framework, organizations design (including the three lines of defense, where transformation activities and make appropriate relevant) and assembling the needed resources interventions. The framework is updated as the and talent activities change ways of working, risk appetites, risk exposure, and talent needs (Exhibit 5). — establishing risk-management processes — Define: In the first step, organizations apply the — creating a risk culture technology-specific elements of their existing risk-management framework—in place to These activities are critically important to digital address traditional categories such as financial and analytics transformations. They must be and regulatory risk—to the transformation transformed alongside digital and analytics teams, scenario. Organizations without an ERM however. This is because risk management will have framework in place will need to start there, ideally to keep pace with the rapidly changing digital-risk creating one with a transformation-specific landscape to continue mitigating risks but avoid framework to address digital and analytics slowing down the business. Our framework makes risks. The objective is to articulate risks and

Web <2020> Exhibit <5> 5 of <6> Successful digital digital andand analyticsanalytics transformationstransformations need need a atailored tailored framework framework to tokeep keep pace pace with with a rapidly a rapidly changing changing digital-risk digital-risk landscape. landscape.

Current state

Cumbersome risk and compliance Challenges from second line are Inadequate tools for risk reviews lead to frequent delay of perceived as convoluted and do identication, resulting in a lack product launches not always lead to clear set of actions of appropriate transparency and for front line guardrails

Transformed state

1 1 Dene: articulate risks and hypothetical solutions for a given data and analytics transformation (via diagnostic risk assessment, interviews, review of metrics)

2 Operationalize: convert solution hypotheses into action; controls tie directly to risks, and control program is tracked with both eectiveness Digital and analytics 4 2 and eciency metrics risk-management framework 3 Embed: drive ecient risk management through transformed operating model, organization design, processes, and governance

4 Reinforce: strengthen and scale risk-management ways of working 3 through cultural and talent changes

Derisking digital and analytics transformations 109 hypothesize potential solutions through a relevant Benefits of the framework and risk matrix with a clear taxonomy, defined risk transformation roles owners, available controls and resources, and a The framework enables companies to manage governance structure for the initiative. the risks of a digital and analytics transformation systematically, so that it keeps pace with an — Operationalize: In the second step, organization’s innovation. It incorporates lessons transformation leaders work with risk subject- from the front line to improve the conceptual matrix matter experts or a risk center of excellence and adjusts risk-management methods along to convert risk-management hypotheses the transformation journey. It meshes with agile into solutions. Specific actions could include working models to enable better risk management, introducing software and data controls, encourages collaboration, and fosters an enhanced validating algorithmic models, implementing risk culture. systems and infrastructure patching, teaching frontline technologists relevant cybersecurity Companies have already seen significant risk- practices, and validating product resilience mitigation effectiveness and risk-management through defect and unit testing. As a part of this efficiency benefits from taking this approach. step, teams also start generating risk reports Although in its early stages, the approach promises based on clearly defined metrics such as key risk to yield further benefits to risk managers and indicators and key performance indicators that transformation teams (Exhibit 6). critically measure not only risk effectiveness but risk-management efficiency as well. To support the framework and put its approach into practice, companies will need to also define these — Embed: This step is designed to embed the roles and responsibilities for digital and analytics lessons from risk management—including transformation risks: testing results, risk assessments, incident reports, and performance measurement—into — Digital and analytics transformation lead: This existing control implementation operating lead is accountable for delivering the digital and models, processes, governance, and, if needed, analytics transformation activities. organizational design. In this step, new derisking initiatives are generated based on these lessons. — Digital and analytics transformation-risk Frontline colleagues in the transformation team owner: This role is responsible for all and in units being transformed are fully trained transformation risks. on risk awareness, identification, and mitigation. — Transformation working teams: These groups — Reinforce: In this final step in the cycle, typically work in agile squads, with risk- transformation teams strengthen and scale management resources assigned. risk-mitigation practices by entrenching these practices in talent management and culture — Transformation-product customers: These are change. They also feed critical insights, learnings, end users of the transformed-products, services, and new risks back to core risk teams to update and features; the changes here may affect risk infrastructure as needed and pull inputs and transformation-risk appetite and risk posture. feedback back into the “define” step. This keeps risk management, mitigation, and performance current with transformation activities.

110 McKinsey on Risk Number 10, January 2021 Web <2020> Exhibit <6> 6 of <6> Improved technology risk management better mitigates risk while signicantly Improved technology-risk management better mitigates risk while significantly increasing eciency and reducing costs. increasing efficiency and reducing costs. Reductions from improved technology-risk governance and management, range, %

Number of Cost reduction Number of Cost reduction from risk-related from fewer risk-related technology-risk- fewer technology- technology defects technology defects related processes risk-related processes

–40 –45

–75 –85 –90 –90 –90 –97

— Enterprise-risk-management and control In most cases, defining such roles will not require partner organizations: Transformation-risk adding head count. Companies have found that leads will work closely with the enterprise- existing team members are ready and eager to take risk-management group and individual control on these responsibilities. They may need some partner groups to ensure transformation training to become fully effective, but generally most risks are accounted for at the enterprise level, team members are motivated to take on such training and enterprise risks are considered at the simply because they know about the risks being transformation level. generated or exacerbated in transformation activities.

— Transformation-risk manager: Risk managers Finally, companies will have to raise awareness specialize in change risks and risks arising in of digital and analytics risks in the organization, digital and analytics transformations. They work including with the executive team and board. closely with transformation teams on the front Likewise, they must adequately incorporate digital line and take part in designing risk controls from and analytics risk management into their formal the early planning phases of the transformation. risk-governance models (see sidebar, “Snapshot of a successful transformation”). — Transformation sponsors: The sponsors of the overall transformation should be on board during the entire change process.

Derisking digital and analytics transformations 111 Snapshot of a successful transformation

What does successful risk management formal risk assessment to identify and with a single source. Competencies, skills, in a digital transformation look like? One mitigate risks using a best-of-breed risk- and qualifications are clearly defined for bank successfully integrated risk controls management tool that covers different each risk-management role to inform the into its digital transformation through a risk taxonomies. That tool digitally feeds requirement needed to build and retain a systematic approach. A number of aspects derisking interventions into the work- strong risk-management talent pool. in its approach stand out. management software backlogs of product teams. Risk interventions then are In this bank example, risk management The bank clearly defines all roles and pulled forward into product-team sprints is deeply embedded in all phases of responsibilities, accountabilities, as capabilities and features in and of product development, including product and oversight related to digital and themselves that enhance the product and road map planning, business review, analytics risk management and creates extend its impact. release planning, and deployment. Other a governance model across the lines of companies implementing digital and defense. Risk generalists are involved early A risk and cybersecurity resource is analytics transformations should consider in design processes—even sitting with integrated into the transformation-delivery adopting a similar model. agile development teams as necessary. hub to ensure that risk is always part of the Those leading the project conduct a conversation and that all risks are tracked

In the current business environment, digital and become more pervasive, the companies that will analytics transformations are core to success. If capture the most long-term value from their digital transformations go forward without the right risk- and analytics transformations are those that management approach, however, companies simply manage to accomplish their target objectives while trade one set of problems for another, potentially also systematically identifying, understanding, and larger, set. As digital and analytics capabilities mitigating the associated risks.

Jim Boehm is a partner in McKinsey’s Washington, DC, office, and Joy Smith is an expert in the Philadelphia office.

The authors wish to thank Liz Grennan, Arun Gundurao, Grace Hao, Kathleen Li, and Olivia White for their contributions to this article.

112 McKinsey on Risk Number 10, January 2021 Risk & Resilience Practice leadership

Cindy Levy Global [email protected]

Fritz Nauck Americas [email protected]

Maria del Mar Martinez Europe [email protected]

Gabriel Vigo Asia [email protected]

Gökhan Sari Eastern Europe, Middle East, North Africa [email protected]

Kevin Buehler Risk Dynamics, Cyberrisk [email protected]

Marco Piccitto Risk People [email protected]

Luca Pancaldi, Olivia White Risk Knowledge [email protected] [email protected]

Thomas Poppensieker Corporate Risk; chair, Risk & Resilience Editorial Board [email protected] In this issue The emerging resilients: Achieving ‘escape velocity’ Resilience in a crisis: An interview with Professor Edward I. Altman Meeting the future: Dynamic risk management for uncertain times A fast-track risk-management transformation to counter the COVID-19 crisis Strengthening institutional risk and integrity culture When nothing is normal: Managing in extreme uncertainty A unique time for chief risk officers in insurance The disaster you could have stopped: Preparing for extraordinary risks How the voluntary carbon market can help address climate change Derisking AI by design: How to build risk management into AI development The next S-curve in model risk management Applying machine learning in capital markets: Pricing, valuation adjustments, and market risk Derisking digital and analytics transformations

This McKinsey Global Publication meets the Forest Stewardship Council® (FSC®) chain-of-custody standards. The paper used in this publication is certified as being produced in an environmentally responsible, socially beneficial, and economically viable way. Printed in the United States of America