Skip to main content

The Evolution of Risk Management


Good afternoon. My name is Andrew Gray, and I’m the Group Chief Risk Officer at The Depository Trust & Clearing Corporation. I’m honored to speak to you today. I also want to thank the PBC School of Finance and GARP for the invitation.

To begin, let me share some background about my company – DTCC. We’re a user-owned and governed market utility that serves the global financial services industry. What that means is we work behind the scenes to risk manage and process hundreds of millions of financial transactions each day, helping to bring stability and certainty to global financial markets. Over the course of one year, we handle more than $1.6 quadrillion in trading activity.

When you’re responsible for overseeing such a critical infrastructure, it’s clear why risk management stands at the heart of our mission at DTCC. Over the 45 years we’ve been in business, the way we manage risk has evolved dramatically, but the most dynamic changes have occurred since the 2008 financial crisis – and I expect this pace to continue accelerating in the years ahead. So today I’d like to talk to you about three trends that are shaping the evolution of risk management and what it means for the industry and investing public. In doing so, I’ll discuss:

  • One, the dynamics that have led to an expansion of the risk management function and how this has reoriented our approach,
  • Two, the critical need to build resilience to protect market stability, and
  • Three, the transformative impact of financial technology or fintech on how we manage risk.

Trend #1: The Remit of Risk Management Will Continue to Grow

Let’s begin with the growing remit of risk managers. As I mentioned, a confluence of factors over the past 10 years – from the fallout of the financial crisis and the accompanying regulatory response, to the explosion of new technology, and the growing interconnectedness of global markets – has driven an expansion of the function.

At the same time, the nature of risk itself has changed, and the industry now faces threats from a wider range of sources than ever before. For example, cyber-attacks, which barely registered as a serious concern a decade ago, is now ranked as the top risk facing financial services, according to DTCC’s Systemic Risk Barometer survey.

In an environment of such rapid change, the risk function has expanded its scope from overseeing credit, market and liquidity risk to now managing operational, systemic, technology, information and physical security risks. With a broader set of issues under their purview, risk managers have had to refresh their approach and mindset to take a more comprehensive view of risk.

The more holistic view of risk also now extends beyond the boundaries of individual institutions. In the past, we tended to focus on risks within each of our own institutions. That is no longer realistic given the interconnectedness of financial markets and the growing complexity and unpredictability of risk. Today, organizations need to apply a systems view to the risk landscape and recognize that risk is distributed across the system and may not always be completely transparent. This view includes risks posed by other financial institutions and market participants, their clients, vendors and even vendors of vendors.

Trend #2: Building Resilience is Critical to Protecting Stability

At DTCC, we’ve reoriented how we look at risk to take these factors into account. But we’ve also begun to place greater emphasis on building resilience because, given the openness and complexity of the financial ecosystem, it’s inevitable that breakdowns will occur. It’s a question of when, not if. This is the second issue I’d like to discuss this afternoon.

For financial firms, it’s no longer sufficient to measure, analyze and mitigate risk. Firms need to be able to detect problems and have the ability to recover efficiently and effectively from them, minimizing contagion and ultimately learning from these events.

In order to build resilience, not just manage risk, companies need to update their conceptual frameworks and make the necessary investments in people, processes and technology. I believe a fundamental cornerstone is establishing the right culture, not just for risk and control functions, but for everyone in the company. Everyone needs to have a resilience mindset, thinking through what could happen, using scenarios based on real or hypothetical examples, and what can be done to proactively prevent them, minimize damage and recover quickly.

At DTCC we have successfully empowered employees to act as risk managers and encouraged them to speak up when they see something that raises alarms. We have also nurtured a learning mindset to sharpen awareness among employees of potential risks and encourage them to question assumptions through regular post-mortem analyses of incidents and scenario analyses.

Building on the points I made previously about the need to take a systems view, the resilience mindset also needs to extend to the industries we operate in. As an example of this, DTCC recently led an effort with a number of financial institutions to discuss what we collectively needed to do to prepare and recover from a cyberattack targeting an institution that could potential threaten the overall system. And we, the industry, our regulators, and other government agencies will continue to work together to ensure we have a joint playbook for dealing this and other potential disruptions to the system.

Trend #3: Fintech Will Transform How We Manage Risk

The third topic I want to talk about today is fintech, because technology has a critical role to play in mitigating risk and building resilience.

Central to this work is the need to take a data-driven approach to managing risk and using new innovations to more effectively identify and respond to the wide range of risks the industry faces today. Financial services has become proficient at collecting reams of data, but the bigger question is: can we effectively manage and interpret all of it?

Big data analytics and artificial intelligence can help organizations act on their data by providing sophisticated analytical tools to mine it for actionable intelligence to identify risk, including extreme but plausible events that could spark contagion or create systemic shocks.

For example, machine learning has the potential to enable analysts to look at operational and incident data to identify trends and patterns that could be indicators of future disruptions and allow them to prevent them from materializing. Models could also be used to determine the financial resources required for stress events using unsupervised learning techniques.

Connecting all these new technologies will enable us to create an architecture to support what we call "intelligent resilience." The foundation of this is a data lake, which would be comprised of structured and unstructured data capable of capturing all aspects of risk and enable real time monitoring. This data lake could extend across boundaries, provided the right controls are in place, to help our clients have access to their slice of the same data and to support a broader systems view.

In addition, an expanded set of tools for scenario and complex systems analysis as well as machine learning algorithms could be used to make decisions, generate insights and automatically update risk manager models. While many of these ideas are only theoretical or in their infancy right now, we believe fintech holds enormous potential to transform how risk management is practiced.


As I conclude, I want to reiterate that firms will need to continue innovating how they manage risk in order to build resilience. While the industry has made tremendous progress in recent years, there is still work to do to ensure we are prepared to protect against the many new risks we face.

The trends I highlighted today – the expansion of the risk management function, the critical need to build resilience, and the transformative impact of fintech – will continue to shape risk management and the global financial markets for years to come.

I want to thank you for listening today and sincerely express my appreciation to the PBC School of Finance and GARP for the opportunity to speak to you this afternoon.