As today’s global risk landscape continues to change, the role of the risk manager needs to evolve in tandem. Given the interplay of a multitude of rapid developments globally, specifically in Asia, the context of risk management and risk preparedness has changed in recent years.

Structural Disruption

We are living through a period of multidimensional disruption, often referred to as the “fourth industrial revolution.” Developments in extreme connectivity and extreme automation have consequences beyond the world of technology: business models, industries, markets, regulatory and governance regimes have been thrown into flux.

New dimensions such as cyber risk have entered the fray. It is increasingly difficult to differentiate between structural change and cyclical change. What were earlier considered structural and institutional constants—the concept of a non-negative risk-free rate for example—have turned into variables. As such, it is harder to differentiate risk from uncertainty. Are we wasting time trying to estimate “standard deviation” when the underlying distribution may be far from normal and bear no resemblance to its own historical series?

In recent years cyberattacks have plagued both organizations and individuals. They have breached nations and governments—often temporarily crippling them. The Bangladesh Central Bank was robbed when hackers used the SWIFT credentials to send fraudulent money transfer requests to the Federal Reserve Bank of New York. Similarly, there was a hacking attempt on Singapore’s Ministry of Defence in early 2017. More recently in May and June 2017, the Wannacry and Petya ransomware attacks disrupted individuals, organizations, government services, and even hospitals. Countries such as China, Japan, Australia, India and South Korea were all affected.

Asia provides an almost perfect environment for cybercriminals to thrive in. This is made possible due to high digital connectivity, massive digital penetration accompanied with low cybersecurity awareness, and growing cross-border data transfers. As an example, government officials in some Asian countries still continue to use personal email accounts for official communication.

Though many countries in Asia are now developing and introducing cyber regulations, the framework is still weak and much more needs to be done. In this context, Asian businesses and governments need to have a strong cybersecurity policy in place to minimize damages.

Self-Inflating Risk

We are also living through a period of rapid feedback loops in which risk factors combine and aggregate in intricate ways. In several arenas, risk has become endogenous—that is, dependent on seemingly risk-mitigating action—resulting in a potentially wide divergence between perceived risk and actual risk.

Risk management is much more than tools and metrics: it is about people, conduct, processes and culture.

We see this in the buildup of loss-absorbing bank capital on the one hand and a system-wide reduction in trading liquidity on the other. We see increased use of unconventional prudential policy at a macro level and more granular microprudential regulation of investment banks at a “book level”—not always in a mutually consistent manner.

For example, the imposition and withdrawal of a cap on the Swiss Franc (which had the effect of dampening local risk and heightening tail risk) had a direct bearing on subsequent value-at-risk calculations and trading risk capital. The “taper tantrum” of May 2013 and the Chinese stock market volatility of August 2015 were arguably policy-induced sources of macro risk with consequences for micro risk.

Coordination Failure

We are also witnessing a slowdown, if not a reversal, of the kind of global coordination that was a key risk-diminishing factor in the immediate aftermath of the global financial crisis. Global financial standards are being rolled out in fits and starts, the pace of implementation is uneven, national regulators rightly impose entity-level constraints, and administrative macroprudential measures (including capital controls if required) are now an acceptable part of central banks’ repertoires. This, together with geopolitical flashpoints and a weaker backdrop for international conflict resolution, adds considerably to the base level of risk in the system.

In the Asia-Pacific region, the territorial dispute in the crowded shipping lanes of the South China Sea remains a potentially combustible source of risk. In South Korea, we saw the impeachment of the then president, fresh elections and the appointment of a new president. Meanwhile, North Korea remains in the headlines with increasingly belligerent missile tests.

Separately, in January, the U.S. withdrew from the Trans-Pacific Partnership (TPP), a trade pact that many Asian countries had pinned their economic hopes on, leaving the trade agreement in limbo. Ramifications such as these put businesses, governments and individuals at risk. While events such as these do create massive trade problems, they also cause geopolitical imbalances that leave the entire region in a state of uncertainty.

The People Factor

There is now a clear realization that risk management is much more than tools and metrics: it is about people, conduct, processes and culture. While modeling and continuous refinement of risk models will remain key to decision-making, it is important to underline that models will not replace the role of decision-takers. Judgment calls need to be made and trade-offs need to be assessed. To that extent, risk resilience is enhanced through the deliberate design of decision-making processes.

How do risk committees function within banks? How much constructive challenge is entertained? How do they ensure that a diversity of perspectives is considered?

From an Asian context, the cultural values imbibed in the region may be such that, across the board, hierarchy is rigidly followed and not enough constructive challenge is posed in the decision-making process. This could make those processes brittle and less nimble. Asia needs to be appropriately prepared.