This is an interesting paper that is doing the rounds in the sharing circuit at the moment, published by McKinsey & Company, it's a typically good read as to be expected.

The idea under this work is to explore what a risk function in a bank will look like in 2025, ten years or so from now and the paper highlights six structural trends in risk management which it lists with appropriate detailing. I have summarised the six trends here:

[1] Continued expansion of the breadth and depth of regulation.

Optimization, Principles Based Compliance, Automated Compliance.

[2] Changing customer expectations.

[3] Technology and analytics as a risk muscle.

[4] The identificaiton and management of "additional (nonfinancial) risk types".

[5] Better risk decisions through the elimination of biases.

[6] The need for strong cost savings.

I see these centres of risk influence as mature and totally believable. In fact, we can observe some of these risk management activities in the leading banks today. Definitely there is a trend at present for banks to improve their analytics functions around not only credit scoring but also fraud identification and this trend has been in play for about a decade now.

Figure 1 - The Future of Bank Risk Management | McKinsey & Company [LINK]

The changing profiles of a risk management team described in the white paper is a stark reminder of what a mature risk function should look like; less concerned about definitions, culture and processes around risk management because these components of the leading risk function are already in place.

If you think about it more broadly, once the foundations of a risk framework are present and functioning effectively in a company, the next evolutionary gap is filled by improving the way in which a business measures uncertainty. To make that evolutionary leap, many firms will need to upskill their risk teams or delegate these analytic activities away from them, but skilling the team up should logically be the easiest route to follow.

Figure 2 - The Future of Bank Risk Management | McKinsey & Company [LINK]

The three levels of risk maturity on the risk assessment diagram shown in figure 2 is also encouraging and moving left to right across the boxes, I am seeing the following in play with many of businesses out there ...

[1] Level one "The Real Life Phenomenon" is where roughly 75% of average risk departments are currently positioned today. So many risk management functions seem to reach this level one of maturity and stop.

[2] Level two "Parametric measures of risk" is where around 20% of risk departments or the leaders today are positioned and in my opinion, this is an outcome of the advanced measurement approaches described within Basel II regulation. Away from banking, even within banking, only a handful of the best seem to be operating in this space.

[3] Level three "Machine-Learning" is where it gets really interesting. Risk management seriously derives value for the business it serves when it is reporting in a 'factor sensitive' manner. I am personally only seeing a handful of companies, say around 5% of market players at this maturity level.

Figure 3 - The Future of Bank Risk Management | McKinsey & Company [LINK]

The most exciting element in the McKinsey Risk Management Maturity paper is perhaps the debiasing activity.

Biases are one of the most destructive cultural aspects of risk management and they are extremely difficult to treat. You can present coherent information to theoretically logical people and they still make the wrong decisions, it's utterly frustrating to see play out. The ability to "de-bias risk" has to be an end goal for risk management because I believe risk management is about improving the way in which people select choices for their objectives in the realm of uncertainty.

You are absolutely winning in risk management if you are able to improve the decision making process of stakeholders.