Risk

Highlights

23  From scenario planning to stress testing: The next step for energy companies. Utilities and oil and gas firms have long used scenario analysis, but extraordinary times call for new measures.

29  The evolution of model risk management. An increasing reliance on models, regulatory challenges, and talent scarcity is driving banks toward a model risk management organization that is both more effective and value-centric.

37  Digital risk: Transforming risk management for the 2020s. Significant improvements in risk management can be gained quickly through selective digitization, but capabilities must be test-hardened before release.
Introduction
Welcome to the second issue of McKinsey on Risk, the journal offering McKinsey's global perspective and strategic thinking on risk. Our focus is on the key risk areas that bear upon the performance of the world's leading companies, including credit risk, enterprise risk management and risk culture, operational risk and compliance, regulation, trading and balance-sheet risk, data and technology, advanced analytics, and crisis preparedness and response.

Response to our first issue exceeded expectations and generated strong interest among risk leaders and senior executives generally. An overarching theme in those articles was the importance of breaking through siloed approaches to achieve an enterprise-wide view of risk, with the strategic response centered on the needs of the business. The articles in this issue deepen our commitment to these themes. Areas of focus are automation and digitization, specifically, how leading companies are applying technological innovation to control costs while improving risk effectiveness.

We begin with a consideration of how financial institutions can manage compliance risk sustainably, by addressing its root causes rather than adding layers of control. A second article takes up a related theme, focusing on nonfinancial risk and a unified risk-assessment system to help companies avoid or reduce the impact of failures. The urgent topic of cybersecurity is addressed in the next piece, which argues for an enterprise-wide approach that prioritizes key risks based on the business and its value chain. Then we discuss how, in a volatile global environment, energy companies can use stress testing in strategy development and to avoid the normalizing biases of traditional financial scenario analysis. Model risk is the topic of a further piece, which presents insights from McKinsey's experience with leading global banks and indicates an evolutionary path for model risk management toward capturing value. Our final article discusses digital risk: all the technological advances that improve the effectiveness and efficiency of risk management, from process automation to advanced analytics and machine learning to artificial intelligence and robotics.

We hope you enjoy these articles and find in them ideas worthy of your consideration. Let us know what you think at McKinsey_Risk@McKinsey.com. You can also view these articles, the previous issue of McKinsey on Risk, and many others at McKinsey.com and on the McKinsey Insights app.
The cost of regulatory compliance in banking rose dramatically in the years after the financial crisis. Some of the increase came from investment in technology, but most of it was, and remains, driven by additional staff. The crisis triggered numerous critical control failures that required immediate remedy. Institutions responded, appropriately enough given the urgency, by adding layers of control. An idea of what resulted can be seen in a typical example. At a large universal bank, a quarter of one business unit's resources is now dedicated to control, significantly reducing the share focused on the business (Exhibit 1). While the exact numbers will vary by institution and business unit, what's certain is that more resources than ever before are being dedicated to testing, monitoring, and other oversight responsibilities, at the expense, given budget limits, of production resources.

Exhibit 1: More resources than ever before are being dedicated to testing, monitoring, and other oversight responsibilities.
[Chart: allocation of one business unit's full-time equivalents(1); about 75 percent remain focused on the business and the remaining quarter is split across testing, monitoring, and other control activities(2). Individual activity shares are not recoverable from the extraction.]
1 Full-time equivalents.
2 Figures may not sum, because of rounding.

The investments have magnified industry resilience and improved the quality of risk management. The high cost, however, is now coming into focus. At many financial institutions, business, compliance, and risk practitioners are beginning to question the sustainability of the resource-intensive approach to managing compliance risks. We believe they are asking the right question. Banks are still adding layers of control as the remedy of choice for compliance issues. The result is an unwieldy system of overlapping controls that is difficult to automate and does not address the true root causes of risk. Arising issues are approached one at a time and in isolation; remediation efforts are inadequately measured and tracked.

Fragmented efforts, manual processes, mountains of data
We analyzed the time spent on remediation at one global financial institution according to the importance (materiality) of the issue. We found that first- and second-line compliance staff were spending 80 percent of this time on issues of low or moderate materiality, and only 20 percent on critical high-risk issues. The issues were approached individually, according to an issue log with thousands of entries. Unsurprisingly, separate remediation initiatives and audit reports were often directed at the same processes and had the same underlying causes. These could have been addressed systematically, but individual projects did not have the budget to take that on. Only when the institution took an enterprise-wide view did the case for IT investment become clear.

The status quo approach to compliance does not allow for an integrated view across the enterprise. The approach to risk assessment is fragmented: some risks are covered by multiple assessments and others not at all. Nor does a consistent
Exhibit 2: A program for sustainable compliance can free up to 30% of the function's capacity, improving the effectiveness of risk management.
[Chart: capacity freed by lever (4%, 6%, 10%, 7%, and 3%, totaling 30%) alongside the impact on effectiveness; the lever labels are not recoverable from the extraction.]

business and strategic needs. Resource allocation could then focus on material risks, boosting staff productivity. Nonessential work was minimized, including the remediation of low-materiality risks. Testing, reporting, and other activities were rationalized across the three lines of defense; duplication, especially in the control functions (such as remediation tracking and risk identification and assessment), was largely eliminated.

Building it: Seven steps to sustainable compliance
Compliance practitioners point out that compliance activities are triggered by regulatory requirements and by how well businesses manage regulatory risks. Regulatory demands, they argue, are outside the control of the compliance function, while the adroit management of regulatory risks takes time to mature. In our view, the key to sustainable
For rules-based compliance, the second line needs to define clear standards and shift in-line execution and approval (such as consumer disclosures) to the first line of defense. For principles-based compliance, some decisions (such as the suitability of marketing materials) need to be embedded in the first line with adequate training, certification, and monitoring. Conduct risk in retail banking, for example, will present challenges in defining first- and second-line roles and testing and monitoring responsibilities. The compliance function will need to clearly articulate regulatory requirements for disclosures, adverse action, advertising, and

2. De-risk and reengineer business and compliance processes.
The demand for compliance resources can be significantly reduced by reengineering labor-intensive activities for core compliance processes, such as onboarding or transaction approvals. For control breaches, root-cause analysis is critically important. This will ensure that the true underlying drivers will be revealed for effective, lasting remediation. Further similar breaches, and the consumption of further resources, such as the addition of more checkers, are eliminated by the automation and redesign of the exposure areas. An
For one wealth-management company, automation of know-your-customer (KYC) controls reduced the turnaround time for the new-customer-onboarding process from five or six days for the most complex institutional accounts to 24 hours. The cost of KYC was reduced by more than 70 percent and the customer experience dramatically enhanced. These savings of time and money were possible because the institution tackled KYC requirements, along with credit-process digitization, as an integrated reengineering and automation program. The initiative was built on the understanding that the end-to-end process is no faster than its weakest link, which is often the compliance requirements.

3. Optimize the compliance operating model.
The compliance resources needed to support the business units can be configured most effectively and efficiently by consolidating subject-matter expertise and core activities in centers of excellence and utilities. This will help ensure that the best expertise is applied across channels in business-unit-facing compliance teams. Additionally, the opportunity in optimizing the location strategy for compliance is often sizable. A new look at location could lead to lower structural costs for compliance and offer access to global talent markets to tackle the challenges posed by talent scarcity in traditional locations. A diversified geographic footprint also ensures greater resilience in the face of adverse business or market events.

4. Focus on what matters.
Compliance with laws, rules, and regulations is viewed by banks as a zero-tolerance activity.

Detailed adjustments can be made in the frequency of testing and sample sizes, depending on the level of inherent exposure in a given operational area. Moreover, testing and remediation activities can be risk-ranked and embedded in resource- and investment-allocation processes. Compliance priorities can then be regularly reassessed to account for new risks, defective controls, and business or regulatory changes.

Ongoing prioritization based on risk requires that organizations objectively measure residual risk exposures and know where in the business process controls can potentially fail. Understanding where the critical breakpoints occur in business processes and having a manageable set of quantitative, forward-looking metrics for each process breakpoint are critical capabilities. For risks that are difficult to quantify (such as internal conduct or fair and responsible banking), banks can develop qualitative risk markers. Trends in staffing levels or changes in business processes and technology often correlate with increased risk. Even if quantitative metrics that directly measure residual risk cannot be defined, qualitative tracking of these trends can alert the institution about potentially increased exposure. With AML compliance, for example, some exposures can be measured through quantitative key risk indicators, while others will require qualitative risk markers (Exhibit 3).

Exhibit 3: AML compliance, sample key risk indicators (KRIs), risk markers, and test questions

Requirement: Customer risk assessment and risk rating(1)
  KRI or risk marker: New customers not risk-rated appropriately or in a timely manner
  Residual risk: Medium
  Test question: Customer due-diligence requirements obtained and risk appropriately rated?
  KRI or risk marker: High-risk customers not reviewed appropriately or in a timely manner
  Test question: If high risk, was the customer added to the high-risk log?

Requirement: Employee incentives
  KRI or risk marker: Reporting forms (SARs, CTRs, CTR exemptions) completed by the same employee who made the decision to file the reports or grant the exemptions
  Residual risk: Medium
  Test question: Risk marker indicates misaligned incentives due to lack of segregation of duties

1 Higher-risk-customer examples: foreign financial institutions, deposit brokers, cash-intensive businesses, nongovernment organizations. Higher-risk-product examples: ATMs, private banking, foreign-correspondent accounts, trade finance, foreign exchange.
Source: FDIC, BSA/AML Office of Foreign Assets Control regulation; Federal Financial Institutions Examination Council, BSA/AML Examination Manual

5. Actively manage controls and management-information systems.
The portfolio of controls needs to be actively managed over the life cycle of each control. Old controls, testing strategies, and management-information systems (MIS) should be discontinued quickly when no longer needed or when deemed ineffective. Clearing away unneeded controls saves compliance and business resources and helps ensure that material risks are not missed. Many controls are redundant or obsolete, such as reports for a particular issue that no longer exists. Others have been added to old processes where underlying problems have not been remediated. Where manual controls are still required to plug an existing gap, banks need to develop plans to automate them and/or redesign the underlying business process. Appropriate cost-benefit

Copyright 2017 McKinsey & Company. All rights reserved.
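The indicators in Exhibit 3 are the kind of check that can be run mechanically over onboarding and filing records rather than sampled by hand. The following is an added example, not from the article or any McKinsey tool: it computes the two customer-risk KRIs, the high-risk-log test question, and the segregation-of-duties risk marker over a small constructed record set. The field names, the 10-day rating SLA, and the 180-day review cycle are assumptions chosen for illustration.

```python
"""Added example (not McKinsey's code): compute the AML key risk indicators
and the segregation-of-duties risk marker listed in Exhibit 3 over a small
constructed record set. Field names, the rating SLA and the review cycle
are assumptions chosen for illustration."""
from datetime import date

AS_OF = date(2017, 2, 1)      # reporting date for the run (assumption)
RATING_SLA_DAYS = 10          # assumption: new customers must be risk-rated within 10 days
HIGH_RISK_REVIEW_DAYS = 180   # assumption: high-risk customers are re-reviewed every 180 days

# Constructed customer records; no real customers.
CUSTOMERS = [
    {"id": "C1", "onboarded": date(2017, 1, 3), "rated_on": date(2017, 1, 4),
     "rating": "low", "high_risk_log": False, "last_review": None},
    {"id": "C2", "onboarded": date(2017, 1, 5), "rated_on": None,
     "rating": None, "high_risk_log": False, "last_review": None},
    {"id": "C3", "onboarded": date(2017, 1, 2), "rated_on": date(2017, 1, 20),
     "rating": "high", "high_risk_log": False, "last_review": None},
    {"id": "C4", "onboarded": date(2016, 6, 1), "rated_on": date(2016, 6, 2),
     "rating": "high", "high_risk_log": True, "last_review": date(2016, 6, 2)},
    {"id": "C5", "onboarded": date(2016, 9, 1), "rated_on": date(2016, 9, 2),
     "rating": "high", "high_risk_log": True, "last_review": date(2017, 1, 10)},
]

# Constructed BSA filings: who decided to file (or grant an exemption) and
# who completed the form.
FILINGS = [
    {"form": "SAR", "decided_by": "emp_a", "completed_by": "emp_b"},
    {"form": "CTR", "decided_by": "emp_c", "completed_by": "emp_c"},
    {"form": "CTR exemption", "decided_by": "emp_d", "completed_by": "emp_d"},
    {"form": "CTR", "decided_by": "emp_e", "completed_by": "emp_f"},
]


def unrated_or_late(customers, as_of=AS_OF, sla_days=RATING_SLA_DAYS):
    """KRI: new customers not risk-rated at all, or rated later than the SLA."""
    flagged = []
    for c in customers:
        if c["rated_on"] is None:
            if (as_of - c["onboarded"]).days > sla_days:
                flagged.append(c["id"])
        elif (c["rated_on"] - c["onboarded"]).days > sla_days:
            flagged.append(c["id"])
    return flagged


def high_risk_not_logged(customers):
    """Test question: if high risk, was the customer added to the high-risk log?"""
    return [c["id"] for c in customers
            if c["rating"] == "high" and not c["high_risk_log"]]


def high_risk_review_overdue(customers, as_of=AS_OF, max_days=HIGH_RISK_REVIEW_DAYS):
    """KRI: high-risk customers not reviewed within the review cycle.
    The initial rating counts as the first review."""
    flagged = []
    for c in customers:
        if c["rating"] != "high":
            continue
        last = c["last_review"] or c["rated_on"]
        if last is None or (as_of - last).days > max_days:
            flagged.append(c["id"])
    return flagged


def segregation_of_duties_breaches(filings):
    """Risk marker: the employee who decided to file (or exempt) also completed the form."""
    return [f for f in filings if f["decided_by"] == f["completed_by"]]


def kri_report(customers, filings, as_of=AS_OF):
    """Aggregate the indicators into the per-requirement view of Exhibit 3."""
    return {
        "customer_risk_assessment": {
            "not_rated_or_late": unrated_or_late(customers, as_of),
            "high_risk_not_logged": high_risk_not_logged(customers),
            "high_risk_review_overdue": high_risk_review_overdue(customers, as_of),
        },
        "employee_incentives": {
            "sod_breaches": [(f["form"], f["completed_by"])
                             for f in segregation_of_duties_breaches(filings)],
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(kri_report(CUSTOMERS, FILINGS), indent=2))
```

Each indicator is a plain function over the records, so the same run can be scheduled monthly, its thresholds tuned per the inherent exposure of the business line, and its output fed into the risk-ranking of testing and remediation that step 4 describes.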
Ask senior managers at any company if they have nonfinancial risk under control, and the answer is likely to be yes. But as managers of companies in automotive, banking, oil and gas, pharmaceuticals, and many other sectors can attest, the reality is often very different. And as personal liability for corporate actions takes hold, board members, both executive and nonexecutive, are on the hook not just for their personal involvement in risk- and compliance-related issues but also more broadly for the company's whole risk profile and enterprise-wide compliance.

Nonfinancial risk(1) has typically been addressed by one-off showcase initiatives based on a specific regulation or requirement, and left to experts in each field. What principles exist typically focus on adhering to formal standards and providing evidence that appropriate controls are in place. They are usually not embedded in the business but are instead delegated to risk and compliance departments, which have a limited understanding of how to manage risk and compliance within the business context.

In other cases, the business takes all the responsibility for managing risk, but without any link to the company's formal compliance, risk, and control framework. Quality control, for example, is embedded in the day-to-day management of manufacturing organizations, but those responsible are not involved in determining enterprise risk, leaving a major gap.

Both shortfalls have led companies from all sectors to be caught off guard when failures occur. And those failures have led to catastrophic incidents
Using the map and the risk taxonomy, therefore, a business can profile the risk in each process and assess both the probability and severity. This information is aggregated from the R&CM unit level to the enterprise level.

Understand the controls
Knowing which risks exist is only half the equation. The other half is knowing how to mitigate them. Organizations struggle to tie controls to risks for many reasons, which range from unclear definitions of controls to a limited understanding of how effective the controls actually are. This means that the business reviews hundreds of controls. But without a clear view on which are the most relevant and effective, no clear management perspective on the overall control strategy will be developed. To take an extreme example, in a nuclear-power plant, controls that monitor the performance of the core should have a much higher priority than controls that focus on avoiding outages on steam turbines through preventative maintenance. Both matter, but not to the same extent.

If an organization assembles only a list of controls, with no hierarchy, then that list is useless for

Report back, and act
To make sense of the assessments, management must have a consistent view of nonfinancial risks and the underlying controls, with systematic reporting to the board. This requires an integrated management-information system. Typically, these are bespoke versions of externally available packages that broadly match the company's specific R&CM requirements, or internally developed platforms. When selecting commercial packages, companies must be careful not to tailor them to a point where system upgrades become difficult to manage.

Where identified risks fall outside the company's risk appetite, concise and action-oriented risk and control reporting recommends where, how, and when the risk is mitigated. The actions might range from redesigning the entire control environment to reinforcing supervisory responsibilities, or even removing the product or process that is creating the risk. Ultimately, the reporting, based on the risk and control assessments, should enable the company to prioritize controls, based on specific context. Of course, any change to a control must happen within the organization's existing control framework in order to retain clear accountability.
for business units and control functions are crucial. Careful planning of R&CM entities and identifying those with similar profiles (such as all sales or production units) becomes paramount.

An annual risk-assessment exercise will never be

Notes
requires company management to establish processes regarding risk and compliance that are in line with industry practices for a business model of this complexity.
3 COSO: Committee of Sponsoring Organizations of the Treadway Commission; ICS: frameworks for the internal control system; ERM: enterprise risk management; CMS: compliance-management system.
The idea that some assets are extraordinary, of critical importance to a company, must be at the heart of an effective strategy to protect against cyber threats. Because in an increasingly digitized world, protecting everything equally is not an option. The digital business model is, however, entirely dependent on trust. If the customer interface is not secure, the risk can become existential. System breaches great and small have more than doubled in the past five years, and the attacks have grown in sophistication and complexity. Most large enterprises now recognize the severity of the issue but still treat it as a technical and control problem even while acknowledging that their defenses will not likely keep pace with future attacks. These defenses, furthermore, are often designed to protect the perimeter of business operations and are applied disjointedly across different parts of the organization.

Our research and experience suggest that the next wave of innovation, in customer applications, business processes, technology structures, and cybersecurity defenses, must be based on a business and technical approach that prioritizes the protection of critical information assets. We call the approach digital resilience, a cross-functional strategy that identifies and assesses all vulnerabilities, defines goals on an enterprise-wide basis, and works out how best to deliver them. A primary dimension of digital resilience is the identification and protection of the organization's digital crown jewels: the data, systems, and software applications that are essential to operations.
Protecting your critical digital assets: Not all systems and data are created equal 19
These examples illustrate the need for a unified, enterprise-wide approach to cyber risk, involving the business and the risk, IT, and cybersecurity groups. The leaders of these groups must begin to work together, identifying and protecting the organization's critical digital assets as a priority. The process of addressing cyber risk will also have to become technologically enabled, through the implementation of work-flow-management systems. Cybersecurity investment must be a key part of the business budget cycle, and investment decisions must be more evidence based and sensitive to changes.

The business-back, enterprise-wide approach
The key point is to start with the business problem, which requires a consideration of the whole enterprise, and then to prioritize critical risks. This work should be conducted by an enterprise-wide team composed of key individuals from the business, including those in product development, and the cybersecurity, IT, and risk functions. The team's main tasks are to determine which information assets are priorities for protection, how likely it is that they will be attacked, and how to protect them. To function, the team must successfully engage the leaders of several domains. They need to work together to discover what is most important, no mean challenge in itself. The best way to get started is to found the team on the agreement that cyber risks will be determined and prioritized on an enterprise-wide, business-back basis. In other words, the team will first of all serve the enterprise. Critical risks, including the impact of various threats and the likelihood of occurrence, will be evaluated according to the dangers they pose to the business as a whole.

Guiding principles
The following principles can help keep companies on track as they take the unified approach to prioritizing digital assets and risk:

Start with the business and its value chain. The effort should be grounded in a view of the business and its value chain. The CISO's team, particularly when it is part of the IT organization, tends to begin with a list of applications, systems, and databases, and then develop a view of risks. There are two major flaws to this approach. First, it often misses key risks because these can emerge as systems work in combination. Second, the context is too technical to engage the business in decision making on changes and investments. By beginning with the business, the team encourages stakeholder engagement naturally, increasing the likelihood that systemic exposures will be identified.

The CISO must actively lead. In addition to being a facilitator for the business's point of view, the CISO should bring his or her own view of the company's most important assets and risks. By actively engaging the business leaders and other stakeholders as full thought partners, the CISO will help establish the important relationships for fully informed decision making on investments and resource allocation. The role of the CISO may thus change dramatically, and the role description and skill profile should be adjusted accordingly.

Focus on how an information asset can be compromised. If an information asset is exposed by a system being breached, the vulnerability of this system should be considered, even if the system's primary purpose does not relate to this information asset.

Focus on prioritization, not perfect quantification. The team needs only enough information to make decisions on priority assets. It does not need highly precise risk quantifications; these would be difficult to produce and would not make a difference in deciding between investment options.
An institution's progress
One financial institution that used the approach described in this article was able to identify and remediate gaps in its control and security systems affecting critical assets. The change program began with a risk assessment that highlighted several issues. Business and IT priorities on cybersecurity spending were found to be somewhat out of alignment, while communication on risks and risk appetite between risk management and businesses was less than optimal. The lack of agreement among stakeholder groups consequently stalled progress on a mitigation plan for cyber risk.

In response, the company established a unified group that developed a work plan to protect critical data. The team inventoried all systems and applications in all business units, validating the results with key stakeholders to ensure completeness. They then identified critical data and performed a risk assessment with input from the stakeholders. The team was now able to identify the critical information assets based on potential risk impact. The level of control in each system was also evaluated, as the team mapped information assets to the systems and applications where they reside and isolated gaps between current and needed controls.

The critical data assets requiring additional protection were identified globally and by business unit. The systems and applications holding critical data that needed remediation could then be addressed. The team developed a series of detailed scenarios to reveal system vulnerabilities and help stakeholders understand what could happen in a breach. A comprehensive set of prioritized initiatives and a multiyear implementation plan was then created. The data resulting from this process are continually updated and provide guidance in budgeting decisions and board reviews on an ongoing basis.
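Two of the guiding principles above, that risks emerge as systems work in combination and that a system's vulnerability matters when it can expose an asset it was never meant to hold, become actionable once the asset-to-system mapping and the system-to-system reach are written down, which is what the institution in the sidebar did before isolating its control gaps. The following is an added example, not from the article or from the institution it describes: a small business-back prioritization that scores each system by the most critical asset reachable from it and lists the control gaps in priority order. All assets, systems, reach edges, criticality scores, and control levels are constructed for illustration, and the 1-to-5 scales are assumptions.

```python
"""Added example (not the article's or any institution's tooling): rank
systems by the critical information assets an attacker could reach after
breaching them, including reach through other systems, and list control
gaps. Every asset, system, edge and score below is constructed."""
from collections import deque

# Business-assigned criticality of information assets (assumption: 1 = low, 5 = crown jewel).
ASSETS = {
    "customer_pii": 5,
    "trading_positions": 5,
    "marketing_calendar": 1,
    "hr_records": 3,
}

# Where each asset resides: the mapping of assets to the systems that hold them.
ASSET_LOCATION = {
    "customer_pii": {"crm_db"},
    "trading_positions": {"trading_platform"},
    "marketing_calendar": {"intranet_wiki"},
    "hr_records": {"hr_system"},
}

# Directed "a breach of X gives a foothold into Y" edges: shared credentials,
# trust relationships, flat network segments. Constructed for the example.
REACH = {
    "intranet_wiki": {"jump_host"},         # wiki and jump host share an admin credential
    "jump_host": {"crm_db", "hr_system"},   # jump host has network access to both
    "hr_system": set(),
    "crm_db": set(),
    "trading_platform": set(),
    "vendor_portal": {"trading_platform"},  # third-party portal trusted by the trading platform
}

# Current control maturity per system (assumption: 0-5 scale from a control assessment).
CURRENT_CONTROL = {
    "intranet_wiki": 1, "jump_host": 2, "crm_db": 4,
    "hr_system": 3, "trading_platform": 5, "vendor_portal": 2,
}


def reachable_from(system, reach=REACH):
    """Systems an attacker can get to after breaching `system`, itself included (BFS)."""
    seen = {system}
    queue = deque([system])
    while queue:
        current = queue.popleft()
        for nxt in reach.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_assets(system):
    """Assets at risk if `system` is breached, via any reachable system."""
    hosts = reachable_from(system)
    return {asset for asset, locations in ASSET_LOCATION.items() if locations & hosts}


def exposure_score(system):
    """Highest criticality among exposed assets; this sets the required control level."""
    return max((ASSETS[a] for a in exposed_assets(system)), default=0)


def control_gaps():
    """Systems whose current control level is below the criticality they expose,
    sorted by gap size, then by required level, then by name."""
    gaps = []
    for system in REACH:
        required = exposure_score(system)
        gap = required - CURRENT_CONTROL[system]
        if gap > 0:
            gaps.append({"system": system, "required": required,
                         "current": CURRENT_CONTROL[system], "gap": gap,
                         "exposes": sorted(exposed_assets(system))})
    gaps.sort(key=lambda g: (-g["gap"], -g["required"], g["system"]))
    return gaps


if __name__ == "__main__":
    for g in control_gaps():
        print(f"{g['system']:16s} required={g['required']} current={g['current']} "
              f"gap={g['gap']} exposes={g['exposes']}")
```

The output makes the "systems in combination" point concretely: the intranet wiki, a low-value system on its own, ranks first because a shared admin credential and a jump host put the customer database within reach of whoever breaches it. A ranking based on each system's own contents would have scored it lowest.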
enterprise value, providing transparency on what risks they are willing to accept and why.

Results inform budget and investment decisions, helping to satisfy both regulatory and shareholder expectations. With investments targeted to best protect the most sensitive digital assets, costs are held down as the digital resilience of the organization is elevated. To build digital resilience into their operations, furthermore, the process can help organizations create periodic assessments to highlight trends and new gaps. Risk managers can then develop new initiatives prioritized to the enterprise's global needs.

They face the tough task of fully protecting their most important assets while not stifling business innovation. To achieve this balance, the business, IT, risk, and other functions will have to work together toward the same enterprise-wide end: to secure the crown jewels so that senior leaders can confidently focus on innovation and growth.

Piotr Kaminski is a senior partner in McKinsey's New York office, Chris Rezek is a senior expert in the Boston office, Wolf Richter is a partner in the Berlin office, and Marc Sorel is a consultant in the Washington, DC, office.

The authors wish to thank Oliver Bevan and Rich Cracknell for their contributions to this article.
Strategic and financial scenario analysis has a long, venerable history at energy companies. Shell Oil popularized the technique in the 1970s, and almost all of them have adopted it as a vital part of their decision-making processes. But as executives know well, scenario planning has its pitfalls; 40 percent of the leaders we surveyed in 2013 said that it didn't meet their expectations. Often, companies fall prey to one of several tendencies, such as availability or stability bias, that hinder the exercise and produce unusable results.

Energy companies are finding that in today's volatile world, one flaw of scenario planning is particularly acute: when business leaders consider a range of scenarios, they tend to chop the tails off the distribution and zero in on those that most resemble their current experience. Extreme scenarios are deemed a waste of time because they won't happen or, if they do, all bets are off. But this approach leaves companies dangerously exposed to dramatic changes.

Consider the shocks and disruptions of recent years. The 2010 Deepwater Horizon disaster had far-reaching effects on the oil companies involved, and many others. The 2011 Fukushima earthquake and tsunami upended nuclear policy in Japan and elsewhere, changing the industry's structure. Geopolitical shocks have upset the plans of energy companies in too many countries to name. Most recently, the rise of antiglobalization sentiment has thrown a new wrench into energy planning.
From scenario planning to stress testing: The next step for energy companies 23
It's hard to overstate the consequences of events like these. Take the German experience of Energiewende, the nation's transition to sustainable energy. To predict the effects on electricity prices, most energy companies relied on the classic scenarios: a base case, with best and worst cases that skewed slightly to either side. However, the Fukushima disaster vastly accelerated the switch to renewables. The price of power tanked by more than 50 percent, far worse than the gloomiest projections (Exhibit 1). The effect has been devastating: power producers had to write off tens of billions of euros.

Exhibit 1: German power prices far underperformed even the low-price scenario.
[Chart, 2008 to 2016: high-price scenario 87, business-as-usual scenario 75, low-price scenario 51, actual price 22 (price-axis units not recoverable from the extraction); markers for Fukushima, March 2011, and for the Energiewende targets for the share of power produced by renewable sources of 26%, 30%, and 32%.]

Enter stress testing
At most companies, scenario analysis looks for the likely development of core risk factors over time. That approach can work well in an era of gradual change. But at times like the present, it is extreme risks, not the everyday ones, that should most concern energy companies. Likewise, it is the prospect of chaotic overnight change, not gradual shifts, that should keep energy executives awake at night.

Enter stress testing, a form of scenario planning focused on the tails of the distribution. Scenario planning and stress testing are methodologically identical; they differ only in the likelihood of the scenarios they consider. Stress testing therefore requires a shift in mind-sets. In today's environment, the sum of low-probability events quickly adds up to a high probability that one of them will actually happen. The banking industry offers an example: the financial system has become so volatile, and subject to so many unexpected disruptions, that regulators now require banks to conduct comprehensive stress tests.

Let's be clear: stress testing will not prevent stress. Nor can it identify, with total confidence, precisely which stressful scenarios might play out in the future, especially those that feature unknown unknowns. But it can help senior executives to consider some previously overlooked sources of stress, the potential magnitude of their impact, and the adequacy of the company's risk-bearing capacity to absorb them. Stress testing should be only one element of a risk-management system, but done well, it can be a tool to build the resilience that today's environment requires.

What extreme means
Companies need to be bold as they imagine extreme scenarios; almost nothing is too strange or ridiculous to consider. To show the range of ideas that energy firms might contemplate, we offer five extreme scenarios covering several kinds of risk, from compliance and legal risk to business-model disruption to full-bore crisis.

Energy for free
Real-time energy-consumption data are increasingly seen as crucial for a knowledge of customers and their behavior patterns. Smart meters can identify the appliances in operation. Combining data sets on electricity use, heating use, and mobility could provide even more detailed insights. Data-driven companies such as Amazon might challenge incumbent utilities by offering energy for free in exchange for personal data. In this scenario, utilities lose the customer relationship and are reduced to mere suppliers of commoditized power. Given the negotiating power, agility, and customer-centricity of digital giants, margins erode significantly.

A decentralized energy landscape
New entrants focus on serving customers in a completely decentralized energy regime, bundling solar photovoltaic rooftop systems with power-to-heat technologies, powerful batteries, and electric cars. An integrated solution and a strong, emotionally compelling brand (such as Tesla's) help these attackers to reduce residual demand for grid-based power substantially and to capture the customer relationship. As in the first scenario, utilities are reduced to suppliers of commodity power, infrastructure operators, and backup providers. Volumes and margins shrink quickly in the wholesale and retail businesses, and generation assets lose value rapidly.

An emissions fraud
A data leak reveals that a power company has manipulated processes affecting human health, say, flue-gas purification at a coal plant or the handling and disposal of waste, and has thus emitted substantially more pollution than allowed. Subsequent investigation shows that the manipulation was deeply anchored within the organization: top leaders knew that analyses and impact assessments had intentionally been skewed. As a result, all energy companies suffer a loss of public and political trust. They are then subjected to intense scrutiny of their assets and processes, and this leads to increased regulation, massive penalties, and personal liability in the form of substantial fines and imprisonment.

A cyberattack on critical infrastructure
Popular movies have frequently exploited the idea that the infrastructure of modern life is vulnerable to well-staged cyberattacks. But the real-world Stuxnet worm succeeded better than anything out
From scenario planning to stress testing: The next step for energy companies 25
of Hollywood in proving that power plants and other nuclear assets can indeed be sabotaged. A cyberattack that takes critical infrastructure offline is more probable than ever now that power and gas grids, street lighting, and traffic control are more and more connected; the Internet of Things is beginning to reach into every home and building; and autonomous, connected vehicles are set to emerge over the next few years. In such a scenario, terrorists hack into the distribution network and shut down national power systems or even make key assets malfunction or self-destruct. Public trust would disappear, and energy companies would be subject to enormous pressure from regulators. Those deemed vulnerable to further attacks might even lose their operating licenses.

Radical price transparency
Price-comparison websites, such as Verivox in Germany, have established a strong position in several European countries. They greatly increase price transparency in retail markets for power, gas, mobile telecommunications, banking, auto rentals, and broadband, so retail customers change suppliers more frequently. In a transparency scenario, price-comparison portals help customers to change their electricity and gas providers regularly, for example by acting as energy agents or through an automated process that selects the cheapest offer at the end of a contract. Verivox recently announced the first steps in such a process.

With such rapid churn, utilities may lose many customers, even some who have never indicated any desire to change their suppliers. Once again, companies might be reduced to providers of commoditized electricity. Retail margins would wilt in the face of the negotiating power, agility, and customer-centricity of energy agents.

Assess the stress
To understand the potential impact of these five extreme scenarios, we modeled their effects on the profits and losses, balance sheet, and cash flow of a hypothetical utility for each of several business segments: generation, renewables, trading, distribution, and retail. After modeling the effects of a scenario separately for each business, we combined them to show the effect on the enterprise. To be clear on the overall effects, you must understand, in detail, that the scenarios have specific impacts on different business units.

Exhibit 2 offers a heat map of these effects, highlighting the areas of greatest impact. For example, it shows that the energy-for-free and decentralized-energy-landscape scenarios would of course have a direct and massive impact on revenues, leading to a substantial loss of equity and an increase in net debt. On the other hand, an emissions fraud or cyberattack would have almost no relevance for revenues, but equity would suffer substantially.

This exhibit also highlights the key drivers of these effects: for example, in the energy-for-free scenario, B2C volumes and market share would decline sharply, and retail prices would fall by 5 percent. In an emissions-fraud scenario, operating and maintenance costs would soar by 50 percent, and utilities would pay regulatory penalties of up to 5 percent of revenues. If a cyberattack should take down a national grid, affected utilities would have to write off 5 percent of their physical assets; to replace them, they would boost their budgets for property, plant, and equipment by 7.5 percent. Earnings would crash, though the effect would be milder after taxes and depreciation.

The financial implications would be considerable across the scenarios, though none would necessarily bankrupt a company. Significant profit and liquidity risks appear, especially in the generation and retail businesses. In the absence of successful countermeasures, all five scenarios lead to negative recurring earnings before interest and taxes, revealing major risks for the sustainability
Exhibit 2 (heat map of the scenario effects; columns: Revenue, EBITDA, EBIT, Capital expenditures, Equity, Net debt; the cell values are not recoverable from this extraction).
Energy companies should also monitor external developments closely. Today, many utilities are watching the development of battery costs, since if they fall sharply, as they have in solar photovoltaics, generation and retail businesses would be vulnerable. Some utilities are partnering with or investing in battery companies. Many long-term strategic options are available, including nimble resource allocation and the transformation of companies into digital utilities.

All these techniques for building resilience are well covered elsewhere. Our point is that only by building a stress-testing capability can a company know where to focus its efforts for resilience. Leaders need to make stress testing an integral part of the DNA of decision making. They can start by defining a set of suitable stress tests in two ways: conducting a thorough review of the business system (to see around corners) and questioning basic assumptions. Then they can quantify the potential impact of any risks and assess the resilience of the company and its individual business units.

The strategy function is stress testing's natural owner, as part of the main strategic-planning process and linked to financial planning. The businesses should offer input much as they do today. Decision-making groups (such as the executive, strategy, or investment committees) should use stress-test results in their work, integrating the new capability into the organization. The traditionally strong links among strategy, finance, and operations should ensure smooth integration and interaction.

Sven Heiligtag is a partner in McKinsey's Hamburg office, where Susanne Maurenbrecher is a consultant; Niklas Niemann is a consultant in the Cologne office.

Copyright © 2017 McKinsey & Company. All rights reserved.
The number of models is rising dramatically, by 10 to 25 percent annually at large institutions, as banks utilize models for an ever-widening scope of decision making. More complex models are being created with advanced-analytics techniques, such as machine learning, to achieve higher performance standards. A typical large bank can now expect the number of models included within its model risk management (MRM) framework to continue to increase substantially.

Among the model types that are proliferating are those designed to meet regulatory requirements, such as capital provisioning and stress testing. But importantly, many of the new models are designed to achieve business needs, including pricing, strategic planning, and asset-liquidity management. Big data and advanced analytics are opening new areas for more sophisticated models, such as customer relationship management or anti-money laundering and fraud detection.

The promise and wider application of models have brought into focus the need for an efficient MRM function, to ensure the development and validation of high-quality models across the whole organization, eventually beyond risk itself. Financial institutions have already invested millions in developing and deploying sophisticated MRM frameworks. In analyzing these investments, we have discovered the ways that MRM is evolving and the best practices for building a systematically
Events like these at top institutions have focused financial-industry attention on model risk. Supervisors on both sides of the Atlantic decided that additional controls were needed and began applying specific requirements for model risk management on banks and insurers. In April 2011, the US Board of Governors of the Federal Reserve System published the Supervisory Guidance on Model Risk Management (SR 11-7). This document provided an early definition of model risk that subsequently became standard in the industry: The use of models invariably presents model risk,

Capital improvement comes mainly from the reduction of undue capital buffers and add-ons. When supervisors feel an institution's MRM is inadequate, they request add-ons. An improved MRM function that puts regulators in a more comfortable position leads to a reduction of these penalties. (The benefit is similar to remediation for noncompliance.) Capital inefficiency is also the result of excessive modeler conservatism. To deal with uncertainty, modelers tend to make conservative assumptions at different points in the models. The assumptions and attending
Exhibit: CROs can address the model life cycle with key questions about model risk management.
(Model life-cycle stages shown: model planning; model implementation and development; model control and monitoring.)
Governance and standards: What models are within the scope of model risk management? Do they include regulatory and nonregulatory models? How should models be prioritized (model tiering)?
Model control and monitoring: Is the control unit independent of the validation unit? How can compliance with the line-of-defense framework be ensured?
conservatism are often implicit and not well documented or justified. The opacity leads to haphazard application of conservatism across several components of the model and can be costly. Good MRM and proper validation increase model transparency (on model uncertainties and related assumptions) and allow for better judgments from senior management on where and how much conservatism is needed.

This approach typically leads to the levels of conservatism being presented explicitly, at precise and well-defined locations in models, in the form of overlays subject to management oversight. As a result, the total level of conservatism is usually reduced, as end users better understand model uncertainties and the dynamics of model outcomes. They can then more clearly define the most relevant mitigation strategies, including revisions of policies governing model use.

Profit and loss
With respect to improvement in profit and loss (P&L), MRM reduces rising modeling costs, addressing fragmented model ownership and processes caused by high numbers of complex models. This can save millions. At one global bank, the capital budget for models increased sevenfold in four years, rising from 7 million to 51 million. By gaining a better understanding of the model landscape, banks are able to align model investments with business risks and priorities. By reducing model risk and managing its impact, MRM can also reduce some P&L volatility. The overall effect heightens model transparency and institutional risk culture. The resources released by cost reductions can then be reallocated to high-priority decision-making models.

Systematic cost reduction can only be achieved with an end-to-end approach to MRM. Such an approach seeks to optimize and automate key modeling processes, which can reduce model-related costs by 20 to 30 percent. To take one example, banks are increasingly seeking to manage the model-validation budget, which has been rising because of larger model inventories, increasing quality and consistency requirements, and higher talent costs. A pathway has been found in the industrialization of validation processes, which use lean fundamentals and an optimized model-validation approach.

Prioritization (savings: 30 percent). Models for validation are prioritized based on factors such as their importance in business decisions. Validation intensity is customized by model tiers to improve speed and efficiency. Likewise, model tiers are used to define the resource strategy and governance approach.
Exhibit: Most North American banks are in stage 2 of MRM evolution, while many European peers are still in stage 1.
(Tiered validation process shown for Tier 1, Tier 2, and Tier 3 models; steps: model inventory; model prioritization; conceptual review; data validation; testing design and execution; documentation and report creation; communication with model developers; ongoing monitoring and reporting.)
sharing and a clear view of validator capabilities and model characteristics.

Consistent standards for model planning and development allow institutions to develop more accurate models with fewer resources and in less time. In our experience, up to 15 percent of MRM resources can be conserved. Similarly, streamlining the model-validation organization can save up to 25 percent in costs. With the significant regulatory spending now being demanded of institutions on both sides of the Atlantic, these savings are not only welcome but also necessary.

The contours of a mature stage of model risk management have only lately become clear. We now know where the MRM function has to go in order to create the most value amid costly and highly consequential operations. The sooner institutions get started in building value-based MRM on an enterprise-wide basis, the sooner they will be able to get ahead of the rising costs and get the most value from their models.

1 Many fewer respondents cited a lack of sufficient resources (14 percent) and the need to validate each model comprehensively (10 percent).

Ignacio Crespo is an associate partner in McKinsey's Madrid office, Pankaj Kumar is an associate partner in the New York office, where Peter Noteboom is a partner, and Marc Taymans is a managing partner in McKinsey's Risk Dynamics group.

Copyright © 2017 McKinsey & Company. All rights reserved.
Digitization has become deeply embedded in banking strategy, as nearly all businesses and activities have been slated for digital transformations. The significant advantages of digitization, with respect to customer experience, revenue, and cost, have become increasingly compelling. The momentum to adopt the new technologies and operating models needed to capture these benefits continues to build. The risk function, which has seen significant growth in costs over the past decade, should be no exception. Indeed, we are starting to see digital transformations in risk create real business value by improving efficiency and the quality of risk decisions. A digitized risk function also provides better monitoring and control and more effective regulatory compliance.

Three dimensions of change: Processes, data, organization
To realize the full benefits of process and decision automation, banks need to ensure that systems, processes, and behaviors are appropriately fitted for their intended purpose. In the risk environment, prioritized use cases are isolated in such areas as credit underwriting, stress testing, operational risk, compliance, and control. In most banks, current processes have developed organically, without a clearly designed end state, so process flows are not always rational and efficient. Operational structures will need to be redesigned before automation and decision support can be accordingly enabled.

Experience shows that the structural changes needed to bring costs down and improve effectiveness in risk can be accomplished much like digital transformations in other parts of the bank. The distinguishing context of the risk environment, however, has important implications. First, risk practitioners in most regulatory jurisdictions have been under extreme pressure to meet evolving regulatory requirements and have had little time for much else. Second, chief risk officers have been wary of the test-and-learn approaches characteristic of digital transformation, as the cost of errors in the risk environment can be unacceptably high. As a result, progress in digitizing risk processes has been particularly slow.

Adapting digital change to the risk context
Most institutions are digitizing their risk functions at a relatively slow pace, taking modular approaches to targeted areas. A few have undertaken large-scale transformation, achieving significant and sustainable advances in both efficiency and effectiveness. Either way, in the risk context, care must be taken when adapting test-and-learn pilots commonly used in digital transformations in other parts of the bank. Robust controls must be applied to such pilots, as the tolerance for bugs and errors in risk is necessarily very low. When digitizing processes relating to comprehensive capital analysis and review (CCAR), for example, solutions cannot be
Exhibit 1: Digital risk management can significantly reduce losses and fines in core risk areas.
(Impact from digitization was shown as High / Medium / Low shading, which this extraction does not preserve. The two column groups are the exhibit's two bank groups, universal and regional banks. Losses are for 2015, in $ billion; fines are for 2009–15, in $ million, given as the yearly average and the top decile.)

Risk area                 | Losses 2015, $ billion              | Fines 2009–15, $ million: year avg. | Top decile || Losses 2015, $ billion              | Fines 2009–15, $ million: year avg. | Top decile
Credit risk               | 20–40                               | 30–50                               | 600+       || 3–5                                 | 5–10                                | 150+
Operational risk          | 2–4 (operational and compliance)    | 300–600                             | 4,500+     || 0.2–0.3 (operational and compliance)| 10–20                               | 225+
Compliance risk           | (included above)                    | 400–600                             | 1,850+     || (included above)                    | 15–30                               | 350+
Market and liquidity risk | <0.5                                | 75–150                              | 500+       || <0.1                                | 20–40                               | 300+
Stress testing            | NA                                  | NA                                  | NA         || NA                                  | NA                                  | NA

The greatest financial opportunities from digitization for both universal and regional banks are in the areas of operational and compliance risk.
Note: Credit risk losses are gross charge-offs; operational and compliance risk losses do not include opportunity costs (such as unearned revenue due to operational risk events); the average total yearly fines are given for banks fined at least once in the period 2009–15.
Source: Bank holding company Y9C reporting forms; Financial Times bank-fines data; McKinsey analysis
Exhibit 2: An integrated digital risk program for consumer credit can protect revenue, improve risk assessments, and reduce operational costs.
(Process diagram; stages shown: application; analysis; decision making; monitoring/early-warning system; issue identification; action recommendation; collection and restructuring; workout strategies; restructuring; reporting; report generation; insights/analysis; work-flow support.)
processes are prime candidates for digital automation and work-flow tools.

The underlying stress-testing process is the starting point. The improvement program will aim at optimizing resources. Dedication of resources will be prioritized based on materiality of risk. Institutions can achieve additional efficiency through parallel processing, centralization, and cross-training of staff, as well as better calendaring.

Templates and outputs are standardized, and golden sources for data are designated. The resulting process becomes increasingly transparent and effective. Process optimization is supported by digital-automation initiatives for data loading, overlays, Y14A reports, and the end-to-end review and challenge process. Real-time visualization and sensitivity analysis are digitally enabled as part of the transformation. In addition to optimizing stress testing directly, banks are also looking for
Exhibit 3: There are many ways digitization can improve efficiency and effectiveness of comprehensive capital analysis and review (CCAR) and stress testing.
(Table; recoverable rows: Aggregation and reporting: jump-off data and forecast execution; aggregation and schedule construction; automated aggregation engine with feeds from model-development environment. Internal controls: implementation of control-monitoring and attestation tool.)