Risk innovation of the year: Credit Suisse

When guarding against operational risks, it is sometimes better to be lucky than good – and better still to be both. As Covid-19 swept across the globe in the early months of last year, banks were exposed to huge increases in the operational threats they faced, as employees and clients alike decamped en masse almost overnight to work from home.

A matter of months earlier, Credit Suisse had begun deploying a new dashboard for non-financial risk (NFR) management analytics – DNA, for a short – a smart, tech-driven solution to bolster its op risk analytics and monitoring capabilities. The dash’s outputs were designed to give the bank a more forward-looking gauge of its op risks, based on monitoring controls in real time, and reducing the lag in responding to and shutting down operational incidents before they turn into potential loss events.

But the timing of the rollout also meant it became a key plank of the bank’s response to Covid, helping it actively manage the disruption to its almost 50,000 employees, and informing more than a dozen practical initiatives it embarked on in the days and weeks that followed. Many of these were rooted in risk identification and appetite: monitoring traders’ risk limits, for instance, at a time when banks were seeing hundreds of soft breaches as markets gyrated wildly.

“We were able to pivot within days – to pull together components of our programme both to bring in information externally and internally, and present it under very intense, stressful scenarios where you had high market volatility,” says Jim Barkley, head of non-financial risk at Credit Suisse. “You had individuals at every level of the organisation – our CEO, our executive board, our board of directors – all wanting real-time information throughout the course of that. This tool allowed us to pull that together very quickly – and that was only because we built it in such a way that it could leverage those analytic capabilities and the [underlying] data platforms,” he adds.

All the more impressive is the DNA dash’s development story: from the project’s inception meeting, a core team of 12 engineers, working in partnership with two external vendors – one aiding the bank with visualisation elements, the other using big data analytics to leverage and make sense of the 17 different data sources the dash pulls information from – took just six weeks to build the dash’s initial deployment.

At the height of the Covid crisis in March, when volatilities were elevated, Barkley and his team were getting live, rich data as breaches occurred, and sharing it in real time with the bank’s desk-level, divisional and regional controls heads – the first line executives charged with monitoring front office staff, many of whom were now working remotely – allowing them to zero-in on breaches in real time.

As a result, processes that would previously have taken place weekly – monitoring risk limits, for instance, but also signoff limits on asset valuations, with liquidity gapping and pricing models nullified – were able to be shifted to daily, or intraday.

We were able to pivot within days – to pull together components of our programme both to bring in information externally and internally, and present it under very intense, stressful scenarios where you had high market volatility

Jim Barkley, Credit Suisse

“They were able to zone down to a specific desk,” adds Barkley. “In some cases, they had calls two to three times a day to determine how those controls were doing.”

That would have been help enough in the midst of a crisis – but the bank’s developers went one better, building a Covid adjunct to the dash within five days flat, giving risk teams information on newly monitorable metrics such as Covid infection rates in its key jurisdictions, internal infrastructure stability reports and business continuity information.

Equally important, Barkley told Risk.net in the advent of the crisis, was the ability to analyse incidents not in isolation but with a view to how they could occur elsewhere: because all the bank’s controls are aligned to risk registries, it can immediately see if that control is impacting other divisions, Barkley noted at the time. For example, if a breach occurs on one of the bank’s equity trading desks, Barkley’s team can look at the key controls that were involved, as well as the linkages between them and those affecting other desks.

Pre-DNA, that might not have happened, he notes: the bank’s enterprise risk controls framework provided a top-down view, but usually siloed by business function, with historically less sharing of knowledge and controls, making it difficult for senior managers to gain a holistic view of the risks facing the firm. That in turn meant its risk control self assessments were less informed than they would be now.

“The way that risk appetite is set in the operational risk space is very much backward-looking. It’s based on incidents that happen, and how that impacts the bank with regard to loss profiles. That’s all very, very important – but, if I’m running a business, I want to know my projections going forward,” argues Barkley. “I like to think about operational risks like running a hedge fund; I want to have all the information in front of me flashing, and I want to know my potential impacts.”

Barkley, who earlier in his career was a bank prop trader, got his wish sooner than imagined: “A year ago, we were all talking academically about what could happen if you had a pandemic, or what could happen if markets go to a certain level” – then in March, “it all just happened”.