Marsh & McLennan Advantage Insights logo
Conversations and insights from the edge of global business
Menu Search

BRINK News is transitioning to This Moment platform on as of March 31, 2023. Read the update here.


Digitizing Risk: Don’t Give the Robots Free Rein Just Yet

Before giving artificial intelligence and machine learning free rein, financial firms must ensure that the decisions these programs make do not result in new risks and expensive regulatory breaches.

The risk and compliance standards put in place after the financial crisis are not going away. But what if financial institutions could turn the situation into a competitive advantage?

Some firms are beginning to recognize the possibilities and are working toward them. From increasing efficiency to lowering operating costs, digitizing risk and compliance functions makes sense on many levels. In the past three years, several financial institutions in Europe, North America and Asia have begun to use new digital technologies — including application programming interfaces, digital analytics, machine learning, robotic process automation and artificial intelligence.

Given the obvious upside of this new regulatory technology, known as regtech, many financial institutions are embarking on ambitious, yet vital, risk digitization programs.

Yet, as seen in many high-profile cases of machine learning bias, AI is not foolproof. In some instances, technology solutions fail to catch issues that would almost certainly have been spotted by an experienced risk manager or compliance professional. In others, the risks of automation outweigh the benefits. 

As a result, for the next three to five years, financial institutions must approach the digitization of risk and compliance with a healthy dose of human supervision, governance and monitoring to ensure that automation is still within the perimeters of auditability and traceability. In short, digitization must not become a new emerging risk in itself.

Within risk and compliance functions, there are many obvious, less risky areas to automate. Yet, on the flipside, the consequences of mistakes can be severe, ranging from steep fines and regulatory scrutiny to customer attrition and reputational damages. To avoid these risks, companies should take the following three steps:

Controlling Failures

Soon, machines will be able to perform most of financial institutions’ risk and control assessment tasks just as well as humans — if not better. One such area is automated alerts for process failures, which can be remediated by using combinations of robotic process automation and advanced data analytics techniques. But we are still a long way off from allowing machines to make important strategic decisions on the impact of such control failures.

Digitizing risk does not mean displacing humans with robots and advanced analytics, but rather adapting to new skills and ways of working.

For now, human oversight and decision-making are still crucial, including the correlation to any regulatory noncompliance. For example, machine-executable risk algorithms are not yet smart enough to perform a complete risk assessment of trades booked by an investment financial institution against all applicable regulations and then determine if such trades are in line with the regulatory obligations.

Capabilities such as this require multidisciplinary data science and algorithmic reasoning skills, which are still scarce. As a result, algorithms could miss or overlook a few key hints or alerts that might account for less than 1% of the overall population, but could lead to serious consequences. Human experience is still essential to make these types of judgment calls.

Eliminating Algorithm Biases

AI has the ability to learn from vast amounts of unstructured complex data and translate them into actionable insights. However, from flawed facial recognition to gender-skewed credit and insurance underwriting, there are plenty of high-profile cases of algorithm biases that make us feel uncomfortable about machine learning within risk management.

Technology can greatly reduce the time required by manual processes from weeks to hours, but digitization also comes at a price. For example, when onboarding new customers, digital financial institutions can detect patterns using digital identity-verification and pixel-matching technologies for facial recognition. This helps to clarify and authenticate the identity of applicants in real time.

The problem lies in predicting a new customer’s authenticity by using the potential biases formed from previous customers’ demographics and then making decisions when the provided information is not conclusive. Worst case, this can lead to significant financial-inclusion issues.

Crunching Complexity

Management often struggles to keep pace with the onslaught of regulatory changes. Downloading and digesting thousands of new rules is a major drain on time and resources. Regtech advancements in the form of machine-readable regulations are now able to speed up and simplify assimilating new legislations, drastically reducing the time taken to do manual reviews and assessments. By collecting, cleaning up and parsing data, these tools can crunch huge data sets into succinct bullet points.

Undoubtedly, the potential for model-driven, machine-readable, and executable regulation will deliver significant efficiencies. But, these technologies still rely on identifying patterns, and because most of the regulations are principles-based, it is often difficult to develop practical data use cases for automation. Also, pattern recognitions could “blindside” financial institutions to specific risks and provide a false sense of comfort.

New regulatory technologies are a much welcome development to update outdated compliance processes and increase efficiency. As more tasks are automated, risk and compliance roles and jobs will also evolve. Digitizing risk does not mean displacing humans with robots and advanced analytics. It is about adapting to new skills and ways of working. This will only work if financial institutions have viable modern learning programs for the challenges of tomorrow’s workplace. Regulatory technologies will have a major impact on the way risk teams collaborate both internally and with the external ecosystem.

The article originally appeared in Global Risk Regulator.

Subas Roy

Partner, Digital Technology & Operations and Finance & Risk Practice at Oliver Wyman

Subas Roy is a partner in Oliver Wyman’s digital technology & operations and finance & risk practices. He has over twenty years of strategic digital consulting experience including advanced analytics, machine learning, and automation tools. Subas is also the non-executive chairman of the International RegTech Association.

Jayant Raman

Principal, Finance and Risk Practice for Oliver Wyman

Jayant P. Raman is a principal in Oliver Wyman’s Finance and Risk Practice based in Singapore. He jointly leads Oliver Wyman’s Non-Financial Risk work across Asia Pacific, focusing on emerging areas such as regulatory compliance, cyber risk and digital risk. In the area of compliance, he works with international Financial Institutions to design and improve compliance and anti-financial crime frameworks, including deploying data and analytics initiatives in these areas.

Michael Heaney

Principal, Finance & Risk and Data, Technology & Analytics Practice at Oliver Wyman

Michael Heaney is a principal in the finance & risk and data, technology & analytics practice based in London. Michael has over 18 years of experience in technology, risk and business consulting. He has a successful track record of delivering high-profile global cyber, risk and data privacy transformation and risk programs.

Get ahead in a rapidly changing world. Sign up for our daily newsletter. Subscribe