Skip to content

Do I Need CRINDATA for Low Probability Events?

Jim Freis from CRINData talks with John Maher about the role of CRINData in risk mitigation for financial institutions. He explains operational risks for banks, and he addresses how CRINData mitigates the risks of working with third and fourth-party service providers for financial institutions.

Transcript

John Maher: Hi, I’m John Maher, and I’m here today with Jim Freis, co-founder of CRINData, a fintech startup supporting financial institutions and their service providers. Today our topic is, do I need CRINData for low probability events. Welcome Jim.

Jim Freis: Thanks John.

How Does CRINData’s Platform Affect Risk Mitigation for Financial Institutions?

John: So Jim, today, we’re going to be focusing a little bit on how CRINData’s platform adds a meaningful difference to a financial institution’s risk mitigation even if those critical incidents seem uncommon. So in describing CRINData, you often explain how the platform helps to mitigate risks from critical incidents, but what if I’ve never had a critical incident, why would I need CRINData?

Jim: Well, it sounds like you’ve been quite lucky, John. It’s practically only a matter of time. And I think a good way to put this into context is, again, the expansion of a financial institution’s reliance on external parties. You’re obviously not going to go out and seek an external party that you don’t think is reliable, and in fact, you’ve done your due diligence to see that that party is reliable, and you’ve integrated in your business continuity management. But if you have tens, dozens, hundreds of external providers, again, as a pure matter or probability and chance, one of them will have a problem from time to time.

Now, while the logic is clear in that regard, from a financial institution’s perspective, it takes a lot of effort with each of those bilateral relationships to put your risk management procedures in place. So what we’re trying to do, and this is an aspect of an industry utility, or scalability, and the sharing of benefits across the multiple players, the platform allows you to have enhanced risk management procedures in place across your range of critical service providers. So that means, even though you don’t know which one is going to have a problem, or when that problem is going to occur, you’re equally ready to deal with them.

That’s what we talk about in terms of probabilities, knowing that the incident is uncommon, but once you’ve identified it as critical, you can’t just wait for something to happen and then to ask, you need to proactively manage and be ready to address that risk. That’s what the regulators are asking you to do, and that’s an aspect of good business.

How Does CRINData Address Operational Risk?

John: Right, absolutely. So, you’re often referring to CRINData in terms of addressing risks, can you explain this a little bit more in risk management terms?

Jim: We talk a lot about risks in the financial industry, traditionally common aspect of financial intermediation, we talk about credit risk, we talk about liquidity risk, market risk, but from a CRINData perspective, we’re talking more about operational risk, particularly in the sense that you are, as a financial institution, relying on a third party service provider to help you carry out your operations. Why is that a risk? Because you don’t have the same control on that external party as you do with in house solutions.

From a risk based perspective, let me just tell you a way that I approached discussions as a former regulator when I was dealing with bank presidents, ask a bank president how many times do you make a loan to a customer with an expectation that that customer will not pay that loan back?

John: Right.

Jim: Any bank president will tell you that, never in his life. His family business is a community banker, and they must not know anything about the business of banking.

John: Right.

Jim: But the next question is quite simple, and then how come you have non-performing loans? Even in a good time in the economic cycle, all institutions will have loans that go sour, don’t get paid back, or at least not in the way that we expected them, and that’s priced into loans, including the rates or some of your choices as to who you would like to have in your customer base.

John: Right, because things happen that you can’t foresee.

Jim: And that’s a risk-based decision from the bag. So you can’t foresee it, but you know that somewhere within your pool something is going to go differently than you expected over some period of time. Well, that’s exactly the same type of risk-based problem we have when we’re relying on an increasing number of third-party service providers. So just as you have your credit risk management for that pool of borrowers, here you have a platform that helps you manage the risk that the many service providers you rely on, one of them could have an incident over time that could disrupt activities that are core to your business.

What Are Operational Risks for Financial Institutions?

John: All right. And then tell me a little bit about operational risks and what that is.

Jim: It’s an area that has had a lot of regulatory focus over the years. And as the individual subcategories have been broken out, it includes aspects that really are germane to the parts of third-party service providers, includes legal risks, enforceability of contracts, it includes regulatory aspects, meaning not only are the regulations very complex and changing, but there are potential ramifications for non-compliance with regulations. If you’re outsourcing some of the delivery of your activities, or even compliance related functions to a third party service provider, the bank is still responsible for making sure that that’s consistent with the regulatory expectations.

And then again, the pure aspect of operations, when your operation is meeting the carrying out of a software function, the settlement function, the delivery of value through payments, the delivery of a service, or even communications to your customers. If for that operation you’re relying on a third party, and they do not deliver those as you would expect it, or your customer would expect from you, that’s a risk that you bear. So this is the way that we need to think, it might not directly flow into credit risk in the same way of a loan not being paid back, but these are the risks to your carrying out your business functions.

How Financial Institutions Deal With Operational Risks

John: So what might be analogous to CRINData’s platforms in terms of some common ways to deal with operational risks?

Jim: So starting again back with financial risks, you can transfer risks in different ways. Securitization is a perfect example. You originate a loan, and then you bundle it up, and you sell it off to another party, such as mortgages. You then don’t bear the risk anymore that the borrower will pay back that mortgage in 30 years, it’s no longer on your books. But that’s something that’s not available to you when you take on a third party service providers. 

It’s one thing that you can forget, that signing the contract is only the beginning of the relationship, which can be a long termrelationship. Just because a bank expects certain delivery by a third-party service provider doesn’t mean that the bank can in any way delegate the risks of that service not being provided. It bears those risks and that’s why it goes up through the management and to the board of directors.

In a way, you could think about your business continuity and the preparatory work for an incident as a type of insurance. I have homeowners insurance not because my house ever burned down, thank God, not that I expect my house to burn down, but if it were to burn down, it’s something that’s fairly catastrophic to me, and that’s why insurance companies spread the risk across all of the different payers. They, over time, have an understanding of what the probabilities are, and that’s something that is a pool benefit for all of the purchasers of that insurance. It’s exactly the type of analogy for a reasonable cost, a shared pool of information so that a bank can come together and help insure itself against this potential disruption, or an incident related to one of its many critical service providers.

How CRINData Protects Financial Institutions From Unlikely Events

John: Okay. So you’re saying that CRINData is really kind of a type of insurance against unlikely events in the same way that my homeowners insurance would cover me if an unlikely event like a tree falling on my house happens.

Jim: So it has some of the same focus in terms of the preparation and the aspects of the low probability and unpredictability of any particular event that you can leverage that platform to be able to react appropriately. In that sense, it’s a utility and a mutual type benefit, like the way many insurance providers started. Must be clear that it’s not something that we cover the cost of an incident, and you’ll find particularly in the IT area that either insurance coverage does not exist, or it’s prohibitively expensive to cover for indefinite losses.

But what CRINData does is, again, help you to focus on what’s important to you as a financial institution, and that are the activities that are critical to your bottom line and your customers. This is where the regulators are expecting you to show more due diligence and more monitoring beyond your day to day management of relationships and contracts. So think about it this way, just like a question that we often ask when we’re considering to purchase insurance, it’s not the premium that is the starting point, it’s whether we can really afford not to protect ourselves against this unforeseen incident. And here, when we’re talking about activities most critical to our institution and our bottom line, can we afford not to use a solution available to us like this?

Contact CRINData to Reduce Your Operational Risks

John: Absolutely. That’s great information, Jim. Thanks again for speaking with me today.

Jim: My pleasure.

John: And for more information, you can visit the website at crindata.com. That’s C-R-I-Ndata.com.

Tags:

Related Posts

Third Party Risk Management and Cybersecurity for Banks—Interview with Jim Freis

Mark: Hello, everyone. This is Mark Stetler, CEO of CRINDATA. I’m with our fearless leader, Jim Freis, chairman of CRINDATA. We are going to discuss today… Read More »Third Party Risk Management and Cybersecurity for Banks—Interview with Jim Freis

FDIC 2022 Risk Review expands focus on operational risk management, emphasizing cybersecurity risks in connection with third-party service providers and new incident reporting rule

  • Blog

On May 20, 2022 the Federal Deposit Insurance Corporation published the 2022 Risk Review, the FDIC’s comprehensive summary of emerging risks in the U.S. banking system as observed over the past year.

Jim Freis Presents at The Institute of Operational Risk

Jim Freis to discuss practical aspects of the Computer-Security Incident Notification Requirements fat NACHA annual conference