A weak risk culture will eat any fancy risk management framework for breakfast, says Simona Covaliu. StrategicRISK caught up with PayU GPO’s new chief risk officer to get her take on how the risk management landscape is changing, and on the most powerful tools for mitigating threats.

Tell me about your risk management background, what attracted you to the profession and why?

I have always been curious. As a child, I annoyed my parents with questions about why things were done the way they were done, why things went wrong and how to prevent things going wrong the next time.

In risk management, I’ve found a home – I still ask myself the same questions and I get to ask them about all areas of an organisation. I strongly believe risk management is one of the few domains that allows a professional to know a bit about everything, because risk is everywhere.


I started my career in auditing, working at Deloitte, mostly focused on auditing financial entities. From there I joined LeasePlan, where I led a local risk team for one of their entities. Later I moved to the headquarters to do credit and asset risk and ultimately led their global operational risk programme.

I was attracted to this new “fintech” and “tech” world, so in 2017 I moved to Booking.com as a senior risk manager and worked with amazing professionals. It was also the first time I, as a risk manager, got close to the world of payments.

The desire to challenge myself (and my curiosity) came into play again and I could not say no to an offer from Uber, who at that time was working on getting a payments licence in the Netherlands for their European and UK business.


I loved my time at Uber, and I grew so much as a professional and a leader! I started as a risk manager with the task of creating the risk framework and building up the team. Within a year I took over the compliance area as well, and in my last year with Uber Payments I was part of their management board as chief risk and compliance officer.

Lastly, prior to PayU GPO, I worked at Mambu, an innovative SaaS company which offered another challenge: how do you set up a risk and compliance programme suitable for a non-regulated company that offers a regulated product?

My time at Uber really shone a light on how interested I was in the payments sector and, in fortuitous timing, I found the opportunity with PayU GPO.

What are your top priorities at PayU GPO and why?

At PayU GPO I am accountable for privacy, security, compliance and risk. Given the span of PayU GPO’s operations and the complexity of the regulatory and market environment in which we operate, these are critical areas for ensuring that the business can make informed day-to-day decisions.

As such, my priorities are related to scaling these areas across the group, fostering a risk-conscious culture and making our programmes future-proof and forward-looking, especially from a regulatory point of view.

What are some of the key risks facing the financial services sector today, and how do you see these evolving?

It is an interesting time to be in risk management and in fintech. Risks previously assessed as “highly unlikely” are now a relatively common occurrence.

Businesses today need to manage day-to-day operations in a difficult geopolitical and economic environment; third-party dependency risk is higher than ever (the world was brought to a halt a few weeks back in such an event); AI and the pace of tech development are simply challenging the relevance of all standard risk, privacy and security management processes; retaining and developing talent remains a significant challenge; and we have barely scratched the surface of managing ESG risks.

As second-line professionals, we need to assess all these challenges in the context of ever-evolving and demanding regulatory changes and help our organisations safely navigate this VUCA (volatility, uncertainty, complexity, ambiguity) environment.


To do this, we must know our business, our people, our technology, our processes, our geographical footprint and our third-party ecosystem.

We cannot operate in a silo. This knowledge allows us to inform the business on what lies ahead, create those risk scenarios that speak to business leaders and create “safe routes” that the business can take to become resilient and prioritise investments ruthlessly with that overall objective in mind.

Risk avoidance is, in most situations, a luxury we cannot afford in this sector. It’s really a matter of when a risk event will happen, rather than if it will happen – this means having the organisational capabilities to respond quickly becomes a superpower.

With regards to artificial intelligence: to what extent do you see this as an important tool versus an introducer of new risk, and what strategies are available for tackling the threats it does create?

As with everything in life, AI offers significant potential for enhancing the financial services sector, but it also introduces new risks that must be carefully managed. The extent to which AI becomes a tool for advancement rather than a source of risk will depend on how effectively these threats are addressed.

For example, AI has the ability to automate routine tasks such as data entry, customer service, and compliance checks, reducing costs and increasing operational efficiency. This allows financial institutions to allocate resources to higher-value activities. AI can also drive an even better customer experience, allowing organisations to employ AI-driven chatbots to offer 24/7 support.

On the flip side, the integration of AI increases the attack surface for cyber threats. AI systems can be vulnerable to hacking, data breaches and manipulation, leading to financial losses, data privacy issues and reputational damage.


Implementing robust cybersecurity measures, such as encryption, regular security audits, and AI-specific threat detection systems, can help mitigate these risks.

AI can also pose regulatory and ethical challenges. The use of AI in financial services raises questions about accountability, especially when AI-driven decisions have significant impacts on customers. Regulations may lag technological advancements, creating uncertainty and potential legal risks.

To mitigate this, financial institutions should engage with regulators to shape AI policies and ensure compliance. Establishing internal ethical guidelines and governance structures for AI use can help manage these challenges proactively.

What do you think are some of the most important risk management frameworks / tools / strategies to help genuinely move the needle on risk?

This is such a difficult question because there is no silver bullet in risk management. You need to have a diverse toolkit and use it at will, based on the risk you are facing and the context of the organisation.

I am increasingly driven to risk modelling as a risk tool – using big data to define key risk indicators and add predictive power to those, where possible.


Holistic risk management is another approach I try to take – I always try to think about risk scenarios in correlation.

Horizon scanning is also an unmissable strategy for a risk team these days. These all work great if, as a risk professional, you remain close to the business – know what they do, who they are and what drives them, and focus on bringing value to their day-to-day work with your interactions.

How important is risk culture, and what steps will you take to build it?

A weak risk culture will eat any fancy risk management framework for breakfast, any day of the week.

We know people remain at the core of managing risks – doing the right thing when nobody’s watching, taking accountability when things go wrong and ownership to manage risks to the business day in and day out, at a tactical level – these are invaluable to keeping an organisation safe.

Building these values in the organisation goes beyond having policies, procedures and controls in place. These are important, and they need to be pragmatic, make sense and be as easy as possible to access and apply, but they will fail without the right behaviours.


I’m a firm believer that “leading by example” and “walking the walk” at the top levels of the organisation is the best foundation for a strong risk culture.

Addressing unwanted behaviour is also an important part of this, as well as allowing for mistakes to happen and when they do, focussing on getting things back on track as fast as possible.

People who feel safe in their working environment and who understand the expectations and values of their organisation will feel empowered to become “day-to-day” risk managers.

Your role encompasses both risk and compliance: how important is it that these two functions work well together, and what are the strategies for creating harmony there?

I have always considered compliance a type of risk. Compliance professionals manage compliance risks. Their toolkit might be different, but it is still a risk management toolkit.

I feel privileged that I am in a position to consolidate all these areas under one roof. As one team, we can move faster when dealing with compliance risk. We are able to better communicate with the business on exposure and impact, as well as alternatives to mitigation, because we have a diversity of skills and experiences and backgrounds.


As for strategies for creating harmony, it all starts with creating a unified vocabulary (e.g. using a common risk impact classification) and deepening the understanding of both teams about each other’s domain.

I also take any opportunity to pair compliance and risk professionals when dealing with a topic – working together to solve a problem and looking at the same thing from various perspectives is a great way to bring these teams together.

And I do try to ensure that there is always clarity about each of their roles and responsibilities.

How do you see the risk landscape evolving and what are the next big threats on the horizon?

A VUCA world is here to stay, and so are risks such as macroeconomic volatility, geopolitical unrest, highly integrated and vulnerable third-party ecosystems, AI usage and governance, and ESG challenges.

The way in which these risks will materialise in the coming years is going to evolve, and I strongly believe that we will face increased risk velocity and correlation, and therefore impact.

These will significantly challenge standard approaches to risk management – predictive models will become a key differentiator in how risks are managed.

One thing will not change: a weak risk culture will eat any fancy risk mitigation measure for breakfast.