Managing Risk on the Frontlines of the Financial Sector

This is a podcast episode titled, Managing Risk on the Frontlines of the Financial Sector. The summary for this episode is: One of the most high-profile risk events of the last year was the swift collapse of Silicon Valley Bank and other regional banks amid spiking interest rates. Part of the problem? The lack of a complete, comprehensive view of the risks these banks were facing — in particular, liquidity risk.

Allstate Canada's Chief Risk Officer Jason Wang has spent his career assessing and analyzing risk in the financial services space, dedicated to anticipating and mitigating risks just like the one that sank SVB. On this episode of GRC & Me, Jason joins LogicGate’s Chris Clarke to discuss the importance of building a holistic risk register, how to position risk management as a strategic enabler instead of a “revenue prevention” department, why it’s critical to include your chief risk officer on the executive team, and more.

Chris Clarke: Well, hello, welcome to GRC & Me, a podcast where we interview governance, risk, and compliance thought leaders on hot topics, industry-specific challenges, and trends to learn more about their methods, solutions, and outlook in the space, and hopefully have a little fun doing it. I'm your host, Chris Clarke. With me today is Jason Wang, the chief risk officer at Allstate Canada. Jason has over 20 years in the financial services industry focusing on all things risk, from risk analytics to risk reporting. In his last job, Jason was responsible for building the risk register for his entire organization, and in his current role, he's in the process of revamping their risk register, a topic we'll come back to shortly. Welcome, Jason. Could you tell us a little bit more about yourself and what your journey has been in GRC?

Jason Wang: Sure. I started my career as a credit risk analyst and spent most of my junior years analyzing consumer lending. So there's a lot of data analytics involved, data science building, predictive models. So, a lot of numbers, very quantitative. As I become more senior, I start to connect the dots outside of the data science world and realize risk management is bigger and more than just data science. So I started to connect the dots among different risk categories, and realized non-credit and non-financial risks are equally important in a financial institution. As the head of risk for an organization, it's crucial to see the whole picture. Even though credit risk has a direct impact, it easily shows up as one number. What's the loss rate? 2%, 3%, whatever the number is. And that is often tied to compensation of a lot of people, tied to the performance of the whole company. But outside of this number, there is a real world, that's the real GRC world.

Chris Clarke: That's so fascinating. I mean, the path from one type of data, expanding the full risk management. I'd be interested, now that you've kind of seen that full range, what advice do you have for someone who's exploring a career in GRC? Where have you found the most value as you've looked at the risk landscape?

Jason Wang: I would say, depending on your career stage, you should probably think about your midterm and long-term goal. Where do you want to go? If you want to become a chief risk officer one day, then obviously you need to have both, the quantitative and the qualitative side, the credit and the non-credit risk. You need to probably get exposure into both worlds. If you are a junior and you're just building out, maybe finding out which domain do you want to focus on and what's your key strength, then explore a little bit. So keep an open mind would be probably my first piece of advice to people. If you do decide to go into the non-credit and non-financial risk, because there's a lot of qualitative stuff that we're talking about, then you need to be prepared to fight the bias, that (a), it's not important. Two, because it's not data science, so you guys are not the most intelligent people in the world. Why do we have to listen to you? Three, because oftentimes you're actually putting up a stop sign to things and people could see you as, "But why are you stopping this?" Because we're trying to go forward and make money. So in some organizations, risk management is nicknamed revenue prevention, for example, or sales prevention. And that's, I would say, of course, a very wrong conception of what it is. What it is, is to set up guardrails to make sure that the company does things within the risk tolerance. There have been abundance of examples or case studies where if a particular institution, a bank doesn't do things within the risk tolerance. What's going to happen? One day it's going to collapse. And it's always fascinating to look at these case studies.

Chris Clarke: I'm sure this is going to be a theme that comes up pretty often in our conversation around just risk can often be seen as almost the enforcer in a lot of ways. I like the use of revenue prevention because it's such a false narrative I think in a lot of cases where we are really meant to make a strategic enabler, like helping you make better decisions with your risk data to actually empower the business along the way. So I think we're going to hit on a lot of that topic as we go along. Before we jump too heavy into the credit risk and how that should compare to your qualitative risk, I always like starting with something around risk management in real life. So just, I think whether or not we know it, we're all risk managers in some way. One example that I like is this concept of hedging your happiness. So if you're super invested in let's say a sports team, for example, oftentimes you actually bet on your opponent because in that case, either way you win, either you win money from if your team loses or you win happiness from your own team winning. So I love that concept of transferring risk from your emotional state. Do you have an example of some risk management in real life that you've used?

Jason Wang: Yeah, so I can just piggyback on your example right there to hedge your happiness. I would say a few years ago when oil was pretty volatile, it is still volatile, but these days it's kind of stabilized, I would actually buy into oil-related ETFs. Part of the thinking is, if the crude oil becomes more expensive and then we find gasoline is more expensive, I'm paying more at the pump, at least I'm making some money off of my stock portfolio. So that's just like your example of hedging your happiness. So if I'm losing a little bit here, don't worry, I'm actually gaining a little bit there too. But talking about beyond myself, I think a real life risk management and stress testing example that a lot of Canadians live, they may not even realize this, but they live this, is the home mortgage stress testing rule that's effective in Canada. So in case you didn't know, in Canada, if you get a mortgage, it's never for the entire duration of the amortization. It's not like you get this, you sign the contract, it's 30 years. It will always be a portion of that. So for example, I always do five years. So after five years, it's open market. You can renew with your existing lender. If you choose not to renew because the rate is better somewhere else, you go somewhere else. So we do this probably every few years. It doesn't have to be five years, but five years seem to be the term duration that is the most attractive to people because of rates. But a few years ago, the regulators in Canada instituted this rule where if you are applying for mortgage, the bank is not qualifying you based on the prevailing rate today. The bank is qualifying you on today's rate plus two percentage points. The whole thinking is, we probably don't worry too much about if you can afford that monthly payment or semi-monthly payment today, but we want to think about...
And remember a few years ago, Canada and probably US too were in very low, historically, probably the lowest point in interest rates. So the regulator wanted to be forward-looking and ask the question, "If we approve these consumers for mortgage, we want to make sure even when the rate is increased by two percentage points, they can still make that payment." So everyone is qualified based on the rate as of now plus two percentage points, and we actually call it stress testing. So it's a concept that a lot of consumers, they may not understand the term, but they know that if you are applying for new mortgage or renewing, this is something that you have to go through. So, of course, in normal times this would work well, but when would the rates increase like that, 2% overnight? But as we saw what happened in 2022 and the first half of 2023, the central banks in many countries, so that will be the Fed in the US and the Bank of Canada, and a lot of other countries, they raised interest rates aggressively. So this is early August, news coming out of yesterday's news is that Bank of England just raised the rate again. Canada raised rates by more than four percentage points in the last year and a half. So the 2% buffer turned out not to be enough for some consumers. So they were stress tested and they were good for the 2%, but now they may not be good. So this has a real impact to the consumer's monthly budget and cashflow, and banks who underwrote a lot of these mortgages now face a possible increase in delinquencies.

Chris Clarke: That's fascinating because I think a lot of times it's the right risk management move, but then it doesn't always work in these kind of like... It's almost impossible to plan for, I don't want to say black swan because this isn't quite that rare of an example, but in these really extreme cases where you threw outside your 95% confidence bound around it. Do you envision there being changes to that stress test to start to almost take it like, "Okay, can they hit 2% and then also let's say could they hit the 4% threshold as well?"

Jason Wang: I don't know if we're going to change the rule so that the buffer turns to 4% instead of 2%. Again, I think this has to do with our own prediction or policymakers' prediction of, are we going to go through this kind of aggressive rate hike in the next short while? The answer is probably no. So current new applicants for mortgages are still being qualified on today's rate plus two, and it's already very high already. So today's rate, depending on which bank you talk to, it could be five, it could be even higher, plus two, that would be seven something. And this is a drastic contrast with what a lot of consumers got into, which was around the two to 3% range. So, very different. I think probably the concern or the focus for the bank's risk management team now will be, what do we do with these consumers who already got in the door when the stress testing was the rate plus two and now they may have a cashflow problem? So the existing problem needs to be solved because otherwise, then you're looking at I would say a domino effect of these people not being able to repay the mortgage, so don't need to sell the house. And then you see the increase in inventory in properties on the market, which drive down the average housing price. And then that triggers some more consumers to realize, "Oh, I'm in a bad deal here so I'm going to have to put it on the market." So this triggers a whole tsunami of bad effect and bad consequences. So I think the banks probably should focus on, let's talk about what we do with these consumers, maybe proactively go off to them to restructure the mortgage in a way that is more friendly to their cashflow in a responsible way. I think that will be in the mutual best interest of both the lending organization and the consumer.

Chris Clarke: That's fascinating. I mean, the whole concept of one thing triggers this whole set of events around it. I mean, something similar that I think has been popping up a lot on the news that kind of feels like it could have been a similar situation is the Silicon Valley Bank instance. I know that failure caused a lot of uncertainty in the industry. As you saw things unfold with that, what's your perspective on what happened?

Jason Wang: Before I get into my analysis of what happened here with the Silicon Valley Bank, I would say risk folks do have a responsibility of being forward looking to not only look at the current quarter or the next quarter or the current year, but also they need to sound alarms if they think that something's going to happen. They also need to have a view on, 'what do I think is the domino effect?' If this happens, what is that going to trigger and what is that going to trigger? This view doesn't always exist because people are sometimes just focusing on short-term performance, because everyone is measured on that and your compensation is tied to that. So this is probably a topic for university professors to think about compensation design to tie you into. It has been an age long conversation. But obviously, I think the way that the current market economy works is that you are incentivized to produce results that are visible right away. But coming back to Silicon Valley Bank, I think the symptom and the trigger of the collapse of the bank was asset liability and mismatch in duration. So what that means is, the bank's assets were largely tied in long duration bonds that were not going to mature for years because they did this, because they wanted high returns. The longer the duration of the bond, the higher returns, of course. They wanted that high returns. But the bank's depositors could withdraw their own money at any time. So this is a mismatch in duration.
In my last role, we actually had measures as metrics and quantitative measures on liquidity measure on the asset liability match. So that we were actually looking at... And we had a range of tolerance. So this metric should be between this percent to this percent. If it goes out, then we may have a liquidity issue. So we were every quarter watching this figure. So this Silicon Valley Bank had a lot of capital actually. They were not short of capital, but the capital was just not available. It was tied up in the longer duration and it was not possible to get the money out actually. So when their depositors start to line up at the door to take their money out, it created a liquidity crisis. So that was just the symptom. The root cause, to me, again, is the lack of oversight on a complete and comprehensive risk view. Sometimes we call it the risk register, which is a list of all your risks. This risk register should cover all risk categories. For a bank under the Canadian regulations, there are six types of risks that this risk register will have to cover, and they are credit risk, interest rate risk, sometimes also called market risk, liquidity risk, operational risk, strategic risk, and regulatory/legal/reputational risk. At least on a quarterly basis, management should measure their interest rate risk, liquidity risk, and of course all the other risks. But some can be quantified, some can't. But at least on a quarterly basis, the bank should have a view of the entire risk register, not just credit risk, and then present to the board. On an annual basis, at least they need to do stress testing for adverse scenarios, and then present to the board. I'm not sure if this was properly done because when this story was unfolding, when I read the news coverage and the analysis, I think the narratives coming out of the bank was that, "Well, we are always prudent and very diligent in selecting whom we lend money to.
The business client that we pick to be our client, for us to give them the lending facility, we actually qualify them on very stringent criteria. So they're all good target." Yes, you're only talking about credit risk. So there's the non-credit risk. This is probably going to be the theme for today. The non-credit risk is what actually caused the bank to collapse, and they may or may not realize that. And then you add on to the fact that the bank was without a chief risk officer for eight months. That probably added to lack of oversight. And I think in fairness to the board, in lieu of the CRO, the board actually jumped in and had more frequent meetings. But in a way, I think the board can't replace domain experts, and that would be the chief risk officer and a team of risk experts, GRC experts that report to the CRO, to compile this full view of what's going on here. So I'm not sure if the board is qualified to do that, and that's also part of, I think you can call it the root cause or the symptom, but that's my analysis of what happened here. Unfortunately, I see this with other lending organizations too, which is just the focus on credit risk because it's easily measured. It shows up on the P&L, easily reported. Credit risk is associated with a group of data scientists who are very smart, intelligent people, and sometimes the non-credit risk team is small. Because they don't use a lot of data science, they're seen as a less fancy job, less sexy job. So this creates some kind of a bias and misconception about risk management in the financial institutions.

Chris Clarke: There's a lot there that I'd love to hit on. Starting from the beginning, you mentioned this concept of misaligned timeframes of it where their investment, their capital is tied up in long-term bonds or long-term securities versus the consumers had immediate cash needs. There's this concept of risk velocity where if a risk is to happen, and with that likelihood, there's almost that third aspect of, well, how quickly could that risk impact an organization? Do you see that starting to be a bigger factor in organizations' approach to risk management now that we are seeing things moving?

Jason Wang: Yes. So I would say the collapse of Silicon Valley Bank was a wake-up call for many organizations, and now they're paying more attention to making sure that they do some analysis in this regard to ensure that at least they don't run into that short-term cash crunch.

Chris Clarke: Gotcha. That makes sense. The other piece you mentioned was around a lack of a chief risk officer as a head. I have a two-year-old son, so we're very into kids' movies right now, and one of them is The Incredibles. There's this villain, Syndrome, in the first one who is, he's not a superhero, but he has this line where if everyone is super, no one is. I kind of like that concept where in this case, where there's no chief risk officer or no head of risk in some way, if everyone's responsible for risk, no one is. So I'd be interested in your perspective, what is the right way to structure almost like a risk management organization within a financial institution? Does there always need to be a CRO?

Jason Wang: I would say yes, because I don't want to talk myself out of a job. But joke aside, I think if I go back to textbook definition of what's risk management, there are three lines of defense in a financial institution. The operational teams, the frontline teams, they're the first line of defense. And then risk management is the second line of defense. So the first line of defense is people who do things. The second line of defense is people who check the first line of defense that has to be there. And then the third line of defense is internal audit who comes in to check the first and the second line. Of course, you can expand this to the fourth line, which is the external auditors, regulators. But oftentimes, if you read regulatory requirements or documents, at least in Canada, they actually make it clear that the risk department should (a) have direct access to the board. If they want to say something, they need to have access to the board. Two, the head of this function needs to have the independence and the stature in the company. Stature means if you don't make CRO part of your executive team and it's a director, and sometimes I see very weird setup in some organizations, Chris, for example, the head of risk reporting into the COO. So basically, you're letting the second line of defense reports to a boss that you are actually monitoring, and this isn't right. So the second line of defense needs to have that independence and stature. So the CRO should have the stature where the viewpoint and the analysis is respected by the rest of the organization. It's not about the person by the way, it's about the viewpoint. If the CRO said, "I need to let everyone be aware of a particular risk," or, "We're going to cross our tolerance threshold on a particular thing," everyone needs to listen to that and take corrective actions.
If we use the analogy of a vehicle, then everyone else, your sales department, your marketing, you guys go out and drive revenue, you are the gas pedal, the engine, you move the vehicle forward. But if you're going to run into a ditch or if you're going to hit another object, this is where the brakes have to work. So risk management will be the brakes, right? So I think it's safe to argue that it's common sense. You can't have a vehicle without brakes. But in the business world, sometimes people still argue, "Well, are we okay without risk management? Or just to satisfy the regulators, let's set up this team. It's a cost center anyway because they don't make money, but we just let the team sit there. But when they want to brake and stop the vehicle, we don't need to listen." So it's interesting to me where if you use the vehicle as the analogy, everyone kind of understands, but when it's a big organization, then people don't quite understand why brakes are important. Actually they're not important, they're essential. You have to have them.

Chris Clarke: My grandfather might disagree with you about the brakes, but I very much understand the concept of that within an organization. And then I guess the last point from a while ago that I am interested in is, there was this focus on credit risk, but there's these five other types of risks. It's quantifiable, it's sexy, that's the thing. But to play the flip side, devil's advocate here, where historically hasn't credit risk been one of the main sources of risk within financial institutions, should it have that kind of outsized weighting?

Jason Wang: I think, Chris, you brought up a very good word, historically, because everything's evolving. Even the three lines of defense model isn't that old. It's only been here for maybe a couple of decades. So historically, if we go way, way back maybe to I would say 50 or 100 years ago, if you set up a bank, the one thing, the one risk that you will think about will be credit risk. Okay, I'm letting money out to whether it's the business client or consumer client, I worry about the ability to get my money back plus interest. So as the world evolves, we look at the environment that we operate in, that's where we need to add in all the other kind of risks. So operational risk, a big part of the operational risk by the way, is cyber technology. So it's safe to say that because of things that have happened, then risk management kind of says, "Okay, so now we're adding this to our scope and we need to look at this." So I think what goes into your risk register is constantly evolving. And if many, many, many years ago, it was only credit risk for good reason, I would say we respect what happened in the past, but risk people should always look at emerging risks and think about given the environment that we are in today, what are we doing? So emerging risks would be now we're talking about AI, everyone is talking about, and there are risks tied to artificial intelligence and the ethical use of AI. So that's one. And we're in a world where we know cyber risk is a big topic. Ransomware attacks do happen, third-party risk, fourth-party risk. So at some point the risk, I would say probably not annually, but the risk officer also needs to be that voice in the organization to lead a view on, here are the emerging risks. I know that when I present my quarter report to my board, I actually always have a slide to talk about the emerging risks. So I think this evolves, right? So we're definitely past the point where you can only focus on credit risk, because that's dangerous.

Chris Clarke: Well, I mean, you brought up an interesting point of emerging risks where we may not know necessarily the full impact yet because we're still learning to adjust to them. How do you present, say your risk register across these risk domains in an apples to apples comparison? Because credit risk, we can put a dollar amount to, but is that possible with operational risk? What is the right way to present these different types of risk in a way that allows the board to make meaningful decisions on each of them?

Jason Wang: So some of the risks, we're not going to be able to quantify in any way, but you still try your best to think of if you can tie a metric. So cyber risk, if the organizations conduct mock phishing tests with employees, and I hope they do because we're in 2023, if companies are still not doing dropping mock phishing emails to their employees, it's a big miss, right? Then what's the click rate? That's something that you can measure. The benefit of trying to quantify things that seem to not be quantifiable is that you set up a subjective view. You can discuss with your board and upper management about what's our tolerance threshold. So just on phishing email click rate for example, your tolerance threshold shouldn't be zero. Because in my life, I've dropped so many mock tests, I've never seen zero click rates. Particularly with our large organizations, you're always going to have someone who click on whether it's a new employee who doesn't quite get it or someone who's in a hurry and reading the email on the phone and thinking, "Oh, something I have to do, let me click on that." So it's not going to be zero, but then what's your realistic expectation of the range. Discussion with the board, aided by research that you can get from the industry because a lot of people are putting out papers like this. So then you set up something. Even people risk, you can measure your people's turnover. I hope organizations are conducting an annual employee survey to measure their engagements, and of course you ask a whole lot of questions. You can measure, are they happy with you? What's the top three strengths? What's the top three opportunities? Are they happy with total reward, compensation? Do they think that they buy into the company's strategic direction? You can measure all of these with the answers, and they turn all of these answers into a percentage. So that's measurable. When it comes to staffing call center, you always have ratios in call center.
You have the call handle time, the drop time, and first resolution contact, which means how many of your customers can actually get their problem resolved with the first call without you having to transfer them to somebody else or without them having to call you back. So I would say try your best, challenge yourself, stretch yourself to think of whether you can put a quantitative measure on even things that seem to not be quantifiable because then, it takes away the feelings. Because some people, when they look at the report, they're like, "I feel that shouldn't be red. I feel that should be..." Well, it shouldn't be your feeling. It should be, let's subjectively measure what's our tolerance? Are we beyond the tolerance? Are we within the tolerance? Also, having that metric would give you the historical comparison because next quarter you can come back and look at, where were we last quarter? Are we better or worse now? And you can present that time series view to the management and the board so that they get a sense of, is the organization moving towards the right direction or going backwards when it comes to risk management?

Chris Clarke: That's awesome. It feels almost intangible being able to take these concepts and turn them into some type of quantifiable thing. We talk a lot about the board and you mentioned quarterly reports. Are there other methodologies or mechanisms that you use when reporting to the board that make it effective for them?

Jason Wang: Yes. So when you talk to the board, you want your report to be easily understandable, for example, right? So I think I just talked about color coding, but you can't use your feelings to drive the color code, but you can use things that are either really subjective, quantifiable, or semi-quantifiable to drive this. So I was a user of LogicGate actually, and I can tell you that within the portal, questions are asked about the likelihood of something happening. So this is where you will think about the likelihood of this happening, this risk event happening, whether it's zero to 10, 10 to 20, 20 to 50, and you can define for your organization what the different bands are. So the likelihood. And then on the other axis, talk about the impact. So whether it's actual financial impact. Again, things that seem not quantifiable or not financial might always have a financial impact. If you have real data breach and you leak your customer's data outside, this is where we talk about the class action lawsuit, you having to pay for consumer's credit monitoring for an X number of years, we're talking about real dollars here. So X and Y axis where one is the likelihood of something happening, the other one is impact of something happening, then you can put them into color coding. Low likelihood, low impact, that can be green. And as it goes higher, whether it's on the likelihood or impact direction, then the color will change gradually from green to yellow and to orange and red, like glaring red. For the board, then you can present that color coding or heat map. You can also then show them where we were last quarter. So when I used this tool, it was very handy. I found it where on one slide I will always have, "Here's our heat map for this quarter compared to our heat map for the last quarter." We had 21 items on the risk register, and I would actually put the distribution on the heat map. So we have two items that are red this quarter compared to three.
Then you can just point the boards' direction to, "This is because we dropped the one to a lighter color code because we took mitigating measures somewhere," or, "We used to have 10 in green, now we have only five. That's because these five, and you talk about the five, have moved to a more severe color coding for whatever reason." So you try and break it down that way to the board.

Chris Clarke: Yeah, that makes sense. It's not just the point in time risk landscape, but that trend analysis, it almost informs the decision as well because you can see where you're headed and make further business decisions off of that in a lot of ways.

Jason Wang: Yep.

Chris Clarke: Speaking of the board and financial institutions, the SEC has been releasing new regulations and guidelines around cyber, and that's big in the US. I'd be interested in, are similar concerns being addressed in Canada? How is that working?

Jason Wang: Yes, the Canadian regulator for the federal level regulator for all the financial institutions, including insurance companies and banks called OSFI, or OSFI, the Office of Superintendents for Financial Institutions, is going through transformation themselves and they are taking a broader viewpoint on what are the risks. So I think earlier we talked about the journey for a lot of institutions to go from only focusing on credit risk to a bigger risk landscape. OSFI did the same, whereas years ago they would only just ask the financial institutions to make sure that you have good capital. That's it. Now they're looking at everything. So in the last short while, and by short while, I mean maybe a year or a year and a half, OSFI has published guidelines on many different things. And I can name climate risk, it's a very big thing. Insurance companies have either the end of 2024 or the end of 2025, so there's two phases, to implement a lot of the measures to be compliant with the guideline, third-party risk management. And now they're going to publish people and culture risk, and they are initiating something called digital innovation that covers artificial intelligence, cryptocurrency, all of these new things that are new in the industry. So years ago you wouldn't imagine a day when OSFI is actually going to govern these aspects, but now they are. So coming back to your topic, I think on cyber, this is something that OSFI is also working on. They haven't published a guideline yet, but they're working on it. But I would say outside of OSFI, the privacy regulator is beefing up penalties and oversight on the consequences of if you don't manage cyber well. In case you didn't know, unlike the US, Canada has full coverage of privacy regulations among the 13 provinces and territories. Three provinces have their provincial privacy laws, then the rest of the country is governed by the federal privacy laws.
So this is different from the US where it started off in California and then it's expanding to a few other states, but there's 50 states, so it's going to take you guys some time together. Canada, right now, I would say everyone, all the businesses, wherever you are in all the jurisdictions are governed by privacy. The regulations have really stringent requirements on reporting of data breaches. So if that's on the back of your mind, then whenever there's a cyber risk, you always think about, okay, if something does happen, not only are we facing our consumers directly, we need to actually report. So businesses are required to report to the privacy regulators if something has happened. The province of Quebec has a new law, brand new, called Law 25, it's going to include monetary penalties. So this is a new trend that's started in Canada. The current law is, there's not a lot of teeth, if you will. So if businesses really fail in some regard, the regulator will just name and shame you. They write a report, put it on the public website with a business's name in there, but there's nothing else they can do. So now there's real monetary consequences starting in Quebec. They're mimicking the European GDPR. So the range of the monetary penalty ranges from 15,000 Canadian dollars, so that's the lower range, to many million, like 10 million or X percent. Depending on situations and the size of the business, it could be 2% or 4% of your global annual revenue. So think about how much of that would be. So the federal regulation doesn't currently impose penalties, but I think it might go there. Given this regulatory environment, then I would say most companies are pretty proactive when it comes to preventing cyber.

Chris Clarke: That's interesting that... I don't have anything to back this up, so bear with me, but typically it feels like the EU and Europe tends to be a little ahead of the US in a lot of these regulations where they're a little bit more proactive around privacy, around data protection, and then the US will follow suit particularly in this area. And it sounds like Canada's a little bit in the middle of that, where the Europe is still setting the trend and then Canada then US. Has that been your experience with the regulatory environment?

Jason Wang: I think you really described it well. So the Canadian regulators would always look to what's happening in Europe. Is there any good practices that we can learn from? Also driven by the historical mindset, and remember, Canada is part of the commonwealth and we plead our allegiance to the king. So given that, there's very strong cultural connections, of course, with the UK, but we look beyond the UK to the rest of Europe to look at what's going on here. I know that we're talking about risk management, but another example in the banking world would be open banking. So this started off in a few different countries, and the United Kingdom implemented open banking a few years ago. So the Canadian regulator in 2021 actually published a paper to say, "We want to evolve our banking and innovate together." So this is something that's currently really progressing fast, both on the government level and the institution level. Fintechs are playing a role, the traditional banking institutions are actually partnering with the fintechs to drive this. So outside of privacy, I would say that open banking is another example of how the Canadian policymakers are looking across the Atlantic Ocean, at Europe to drive some of the industry-leading thoughts and practices.

Chris Clarke: That's so fascinating. Could you explain quickly what open banking is and how that falls?

Jason Wang: So let's visualize what it means to a US consumer. For example, if you have your accounts with Chase and then you have your accounts with Wells Fargo, if open banking were reality in the US and you as a consumer participated, with a few clicks, when you logged in into either, let's say today you're logging in into Chase, you actually get to see your account information from your Wells Fargo accounts, checking, savings, mortgage, lending, credit card, whatever. So obviously under the Wells Fargo logo, and then of course the organizations will have to participate. So that gives the consumer the convenience where you have everything under one view, your own assets, liability, what's your net worth, what's your current debt situation, you have a full picture instead of having to log into different accounts. So that's one type of open banking. Different countries do it differently. We call that read access. So consumers only have the read, and institutions have read access to each other. There's also the more aggressive way of doing open banking work. The institutions have write access. So for example, again, let's visualize now, you log in into your Chase account and you see your Wells Fargo and you may see a Capital One credit card, and then you may see another mortgage, another institution, that there's a sentence summary that says, "Would you like to transfer your account to this institution simply by clicking on this?" So that's where they have write access to each other. Of course, a lot will have to happen behind this. So to the consumer, then with one click, you're like, "Yeah, I don't even remember that. I didn't even know I had this credit card with... What's going on there?" So I want to consolidate. You just click on it, and then that account will be closed, a new credit card will be opened, and things will be transferred here.
So I think a lot of this is done with the consumer at the center, but obviously the industry, we need to make sure that when this is happening, you don't cause unnecessary disruptions to the operations. We're going to need to think about data security, transferring of data, and again, privacy, also the burden on a large organization or small organization to be able to do this, because small organizations may not have that technical ability. They may not have their own technical teams. They may need to get some external help, and that's more expensive to go. So policymakers are actually thinking about all of these. In Canada, right now, this is driven by the government. So the government said, "Let's do this." But in the meantime, the government is really open-minded to what the industry is telling them and what the consumers are telling them. So they have focus groups led by different kind of organizations, fintechs, traditional banks, monolines that offer just one type of product, whether it's mortgage or credit cards and fintechs. So they give their voice and their opinions to the government. And then this open banking lead, that actually is part of the federal government, worked with all of them to ensure that when this is implemented in Canada, it's a solution that really benefits consumers, but in the meantime, fosters innovation, fosters collaboration and fair competition among all the market participants.

Chris Clarke: Yeah, that's fascinating. I mean, to your point, it very much feels like a consumer-centric regulation in a lot of ways. I'd be interested in, I'm sure it introduces new risk to the banks, and that's almost lowering the cost of switching for their consumers. How could you see institutions almost mitigating that risk in some way? Is it by complying? Is it purely a compliance-based approach? What else could institutions do basically to almost attract and retain business when the cost of switching is so low?

Jason Wang: So institutions will have to innovate. If we think that some traditional institutions have been kind of complacent in the past because they're a big bank, they have good market share, they have a good brand name and they have a huge branch network, then that might not be your competitive edge in the future. So consumers, if it's that easy for them to switch with one click, then guess what? All that matters would be probably just the rate. What's the pricing? So this is where, because of the overhead for large organizations, then they need to think about, strategically, do they want to still maintain that or do they want to be more agile? So I think competition, pricing, innovation, and then strategically institutions will have to think about now there's a whole ecosystem, do I actually still want to be the bank that I was yesterday? Some interesting concepts that have been thrown out will be, do we want to be just a distributor of somebody else's product? Because if there's a lot of fixed costs to underwrite or service, whether it's a checking accounts, and we know that checking accounts actually don't make money, mortgages tie up a lot of your capital. So institutions of different types and sizes, now is a good opportunity for them to think about, "Okay, do I pivot strategically? Because in the past I've always wanted to underwrite mortgages, but we're a smaller fish in the pond and we don't have that capital. So now with this one centralized view for the consumer, we can simply be the reseller and the distributor of certain types of products." Even for legacy banks, because they take on all the product themselves, if they don't think that they can compete with more agile companies on the same products on pricing, then they could even become distributors themselves. So it's a good opportunity for them to really, really think about what they want to be in the future given the open banking reality and innovate and pivot.

Chris Clarke: That's fascinating. Yeah, it's an interesting concept. Will people start to specialize? It's going to drive innovation. It's cool. That's exciting. I didn't know I was going to be this interested in the Canadian financial market this quickly. Speaking of innovation, there's been a lot of buzz around artificial intelligence and the way it is going to change basically everything. I'd be interested in, what do you see as some of the main risks around AI in the world?

Jason Wang: There are a lot of risks. So AI is not a new thing, by the way. I think the buzz around ChatGPT and other generative AI, that's actually generative AI, but AI in the data science world has been there for a long time. If you hear terms machine learning, that's actually read AI called a different name. And what it means is, traditionally, we would use humans to do a predictive model to use data science. You throw a whole bunch of variables and data points into your modeling exercise and you build a predictive model. And now we just tell the machine to do this by themselves. The one risk that comes out of unsupervised modeling practice would be that if you don't tell the machine to stay away from those variables, that could violate fair lending, that could be seen as discriminative, then the output of your model would be crossing the line. If I give you an example, we know that you can make your lending decision based on the applicant's age, gender, origin of a country. So these are the variables you can never use in making a decision about lending. But if you don't tell the machine to stay away from these and you don't structure your data in a way, there's almost seems to be a firewall where these variables can get into your machine learning environment. But sometimes, people are not always that diligent. When raw variables are coming in from all different sources, you have various different source tables and other convenience. If one day a junior analyst who happens to be a little sloppy that day is like, "Yeah, I'm just too lazy to name this whatever demographic, I'm just going to call it the variable M34," and the machine doesn't know that that's something to stay away from, you create a model, you use the model, then you realize M34 is somebody's age, so that's going to be violating the rules. So that's, in the traditional data science world, the biggest risk being violating fair lending.
In generative AI, the risks are more around, can we verify the results to make sure that they are accurate? And I would liken this to using a search engine, the predominant one being Google. It's in a way like that. So if I go onto Google and type in the search terms, I think it's everyone's common practice where you don't always go to the first link that comes up. Sometimes that's an ad, sometimes that's whoever pays the biggest dollars for that particular term. And sometimes you don't trust that that link actually gives you the correct information. For example, if I'm looking for, what's the current immigration rule around the particular thing for the US or the Canadian government, you type it in. Guess what? The first few links that come up might be from law firms that specialize in immigration. They probably interpret things correctly because that's what they do, but you don't know if that information is old or new. And if the link is actually timestamped at 2012, well, then more than a decade has passed. The whole pandemic has passed, right? So is that information still up to date? We don't know. This is where I would look at the link and the URL to look for that one that's actually the US or the Canadian government. So if we do that with a search engine, we need to be doing that with ChatGPT or generative AI. But guess what? Today, if you ask a question, something is given to you, I don't think they give you two to three different options to say, "Well, you asked me to write an essay about whatever. Here's three different ways to do it. You be the judge." That's not what's happening today. So they just give you one answer and a lot of people take that and run. So is that accurate? Have you validated that? We don't know. So that would be the first risk. The second risk would be intellectual property.
So we know that Hollywood is really nervous about this because machines can take whether it's their scripting, characters, actors' voices, whatever that's existing, whether it's text or image or sound, and machines can just turn them into something totally different without paying them. And that's a huge concern for us too. If you use generative AI in your business, you ask the machine to write up something, "Well, let's think of a marketing script for you, or let's do whatever," you may not know that part of it is protected because it's somebody else's IP. And then you publish that and then you get a letter from a lawyer. So IP is a big risk here. And then, of course, if you ever put your customer's data into this, well, where is that stored? Because you're using a third party to generate this thing for you. So where's that data going to go? Are they deleting your customer's data after you use this one-time thing? We don't know. So these are the big risks for everyone to think about if you ever to use a generative AI.

Chris Clarke: Yeah, that's so fascinating, the IP kind of concept of it. I think a lot of people, I don't know, this is kind of a joke on the internet, but people were saying that we worry about AI was going to come and take all the office jobs. It was going to put the office out of business. And really, what we're finding is, it's taking the artists, the poets, the animation out instead, which is really something that I don't think people thought about or predicted in generative AI as being a risk. It was not going to be around automated tasks, but rather around this creative thought in a lot of ways, which is fascinating.

Jason Wang: I absolutely agree with you. In my analysis, the reason why the first type of jobs that could be replaced by generative AI would not be what you and I do as office jobs, but more on the creative side, is because in the creative world you are allowed to be creative. There's no right or wrong answer on any particular topic. So that might be different for the business world where, for example, I think the traditional consulting companies, although they do tell you that they're nervous, they may not need to at least for the next few years, but who knows what the technology is going to be 10 years from now. But for now, if you have a business problem, you go out to a consulting company and you're like, "We have this critical problem that we definitely need to solve right away," probably you need somebody who's done this for a long time to give you that solution, that package. This is where you are allowed to be too creative. Generative AI is doing things that's kind of not in... You can't put guardrails on this so they can give you whatever they find in their source data. So imagine a scenario where you're like, "Oh, the world is, we're running out of real estate because we typically have only two floors of this building, but in the last short while, we expanded, we doubled our sales. So now we actually have double our employees, what do we do?" And you ask generative AI, and AI tells you, "Go to Mars, follow Elon Musk." You won't take that. You're going to be like, "Oh gee, well, might as well just ask somebody who's real." So I think for office jobs where creativity isn't really a few words, like allowed or appreciated or valued depending on the type of job, then this is where I think you need that human, someone who's intelligent and experienced and knowledgeable to still do that job. But again, I think creative jobs and creative kind of work, AI could even be better than humans. So this is where I think the concern lies.

Chris Clarke: That's so interesting, and it kind of goes back to the concept of what you said. A lot of it is based on the data that's coming in, and in the creative world, you may not need as much data to define what is good because art is on the forefront and it's breaking and it can change versus in a lot of scenarios, you need a lot of data to build a model that is accurate and correct and capable. So I appreciate that perspective on it. Those are all the main questions I had today. What I'd love to hear is... It's been a fantastic conversation. I can say I've learned so, so much. What are some of the common... Is there a book? Or what do you do to learn about the risk industry? What are some great sources for folks and me to look at?

Jason Wang: There are so many books. I think I can't name one, but we're in a world where there's a lot of free resources on the internet. So there are YouTube videos and there are tech talks that you can follow. I would say if you are looking to learn, then typically go after names that are well known in the risk management world, actually LogicGate being one. And you guys have your resources that can be shared to some extent with your existing clients and also with just the public, right? And there are some other names where they specialize in risk. So I sign up for a lot of newsletters. Also, another good thing that happened as a good byproduct of the pandemic is the fast increase of webinars. So I can imagine being in webinars this frequent before the pandemic, but now I get newsletters, "Tomorrow we have something to talk about third-party risk management. Click here to sign up." So you sign up, you have the time to participate, you listen. If you don't, they'll send you the recording probably and you get a copy of the deck. So be hungry, I would say, for the risk world, things are always changing. The frequency and the amount of emerging risks, I would say, is outpacing how a normal human would learn in a classroom setting. So you have to be creative in how you teach yourself. So keep your eyes open, your ears open, and just sign up for newsletters.

Chris Clarke: That's awesome. I appreciate it. Any last thoughts you'd like to share with our listeners?

Jason Wang: I would say I think we talked about a lot today. I probably would recommend our listeners to think of your longer term career aspiration. Risk management is a good place to be, because I'm speaking as one who has enjoyed my own career growth in this area, but also think about how you can drive impact by being the brakes for the organization. And when you talk to people who don't quite understand this, use real life examples and real life analogy to break this to them. So risks are real. They're happening everywhere. The wildfires from Canada, the smoke is blown all the way to the US, right? The air quality isn't good. I mean, we live in the real world, and the real world has real risks. So I think it's a good career to pursue. So think about if that's what you're passionate about, and if you are passionate about that, pursue it.

Chris Clarke: That's awesome. I appreciate you sharing that. Well, Jason, thank you so much for coming on. We loved having you on and I appreciate all you shared. I've learned a ton. Thanks, everyone, for listening. We'll talk to you soon.

Jason Wang: Thank you.

