Risk Detection is Important

Not often covered well enough, worth thinking about.  Detecting the Risk, working with business partners to understand its implications, is important.  In my observation, not often done well. 

The neglected art of risk detection by  Piotr Kaminski and Jeff Schonert in McKinsey

At the core of risk management is risk detection, an art that can be skillfully improved if banks and regulators accept new analytical methods.

The modern risk-management framework generally relies on the “three lines of defense” scheme, with the businesses, control functions, and audit as the first, second, and third line, respectively. The concept borrows from the language of military strategy, in which intelligence plays a key role. For risk management, intelligence means effective detection: to prevent the bank’s reputation, liquidity, and capital position from being harmed, the lines of defense must detect risks early.

Detection is fundamental in risk management, embedded in its activities and processes. Credit scoring, for example, is a tool for detecting potential borrower-default risk at the application stage, while customer due diligence is designed to identify high-risk customers during the onboarding process, as part of the bank’s know-your-customer (KYC) program. Risk managers are practicing the art of detection when they identify instances of fraud, spot a drifting investment strategy in an asset-management business, monitor their network’s end points to locate cyberintrusions and data theft, or identify potential rogue traders.

Most executives and risk professionals will quickly acknowledge the basic importance of detection. Yet the efficacy of detection—and the levels of “detection risk”—vary widely among risk disciplines and from bank to bank. With poor detection, threats can rise to existential proportions, as some of the world’s largest institutions have learned in recent years. Weak detection capabilities can be costly. Manual controls, for example, are not especially effective and yet they always cost more than automated controls. Poor detection can result in high levels of false positives and the needless diversion of valuable risk resources. .... "