Mastering the Modernization Maze: Navigating Risk in Core Banking Modernization

As banks move forward on their core modernization agendas, they are coming across a common set of challenges that slow down progress. Traditional change—let alone digital change—in a highly regulated market is complex, a challenge that touches the very core of the organization. When organizations consider the reputational and regulatory risks of failed modernization strategies—including the size of investment—it's imperative to identify the risks to modernization early on, as well as adopt the right controls to mitigate these risks.

Most organizations undertake modernization like any other part of digital transformation. They focus on the setup, mobilization and governance forums for decision-making, tooling, etc. Initially, this works well and drives outcomes on a small scale. However, as the modernization program grows, problems begin to arise.

Given the highly regulated nature of the banking industry, risk identification and management are an inherent function. Yet, when collaborating with global financial services clients, few are aware of the range of risks involved with modernization and lack a systematic approach to address them.

This can often lead programs to adopt a superficial level of risk management. This can take the form of identifying point-in-time risks at a feature team level, or setting up weekly forums with first and second lines to review and action risks in silos. More often, this strategy ends up with a long list of risks that soon become stale and can potentially lead to significant delays, regulatory scrutiny or, worst of all, risk failure and loss of reputation.
 

How to identify risks to banking modernization

To avoid such failures, organizations can take a set of focused actions, starting with collaboratively identifying the risks that impact the modernization environment. Below is a proposed list of modernization risks for leaders to consider in the context of their use case.

Description

  • Potential risks and uncertainties associated with the use, adoption and reliance on various technologies within an organization

Types of Risk

  • Stability and resilience of system
  • Unauthorized access to system
  • Cloud security controls
  • Existing knowledge of the core banking system, its data model and data quality
  • Excessive customization of core banking solution
  • Integration challenges arising during the integration of different systems
  • End of Life/End of Service systems
  • Noncompliance with regulations can introduce legal or operational risks
  • System scalability challenges while handling increased loads or expanding user bases
  • Risks associated with adopting emerging technologies

Description

  • Potential risks that can damage an organization’s brand, resulting in a negative reputation and erosion of trust

Types of Risk

  • Negative impact on customer satisfaction
  • Impact on customer access
  • Impact on colleague access
  • Operational inefficiencies
  • Lack of product offerings
  • Inability to rapidly release product features/offerings
  • Issues with quality or performance of products and services
  • Potential for data breaches or data loss
  • Failure to fulfill corporate social responsibility

Description

  • Potential risks that have an adverse effect on individuals, businesses or organizations due to changes or uncertainties in regulations

Types of Risk

  • Risks related to compliance with jurisdiction-specific regulations
  • Risks related to compliance with financial regulations
  • Risks arising from changes in laws and regulations that may require rapid response and impact operations, processes and business
  • Risks associated with data privacy and security regulations including handling and protection of personal or sensitive data

       

Description

  • Potential challenges and uncertainties that can impact the successful execution of the modernization agenda

Types of Risk

  • Compartmentalized strategies focused on capabilities rather than end-to-end value stream can introduce business and technical debt
  • Multiple concurrent strategies running independently can create dependency challenges without the right governance model for management
  • Change in ways of working, technology and product, without the right capability building and change management setup
  • Migration failure due to lack of target state vision and evolutionary states
  • Risks associated with inadequate communication

Define, refine and deliver: steps for risk mitigation success in core modernization strategies

Successful modernization strategies embed a set of six focused actions (Exhibit 2). The key is implementing all six actions through the modernization lifecycle in a coordinated fashion across business, technology, operations, risk, legal and security.

  • The modernization lifecycle has several steps to define, refine and deliver when it comes to risk mitigation success.

1. Create a fit-for-purpose governance structure that evolves over time:

In the initial phase, a governance structure should be more centralized to ensure coordinated planning and future state design. In subsequent phases, the structure should be more “federated,” as teams are trained and start acting and executing independently. A rollout to the new system will be centralized to manage risk and impact to customers and the bank, but backlog delivery should be decentralized after training to individual feature teams.

Exhibit 3 is an example of a governance model in a successful modernization strategy.

The Transformation Management Hub (TMH) will be a critical vehicle in providing a unified view of value delivered. It will sit at the center of the strategy and weave together the governance layers to drive transformation. It will coordinate and provide the necessary direction through five key responsibilities:

  1. Modernization strategy and roadmap: shapes the modernization strategy and roadmap including migration and transition states
  2. Coordinated proposition shaping: leads the end-to-end shaping and prioritization of the modernization scope
  3. Architecture, engineering and data: defines solution architecture, engineering methodology and standards
  4. Culture, capability building and operating model: drives capability building across the program, embedding a shared culture and standardized ways of working. Designs, evolves and supports the adoption of the target operating model
  5. Dependency management and value capture: assures ongoing roadmap delivery through integrated, dynamic reporting and accelerated governance, including dependency management
     

2. Adopt a “migration first” approach to the investment case and planning:

Ultimately, the success of modernization rests on derisking and implementing a timely migration to the new platform, followed by decommissioning applicable assets. Migrating to a new core and its corresponding ecosystem can be tricky. The migration strategy should be laid out early in the transformation process and be aligned to the business case for core banking modernization.

In identifying the optimal migration strategy, organizations should focus on reputational risk mitigation, technical risk mitigation, operational risk mitigation and opportunities for early benefits realization.

Establishing a roadmap and rubric for migration early on in the modernization lifecycle will keep the focus on a value-release approach. Now with more clarity on the evolution of the platform and transition stages, the “build” roadmap and investment case can further align to the value release roadmap.

Typically, organizations can broadly consider three types of migration strategies: Big Bang, Parallel run and Coexistence migration. Ultimately, the optimal choice of strategy will depend on the customer, technology and people risks and investment case.
 

3. Identify and manage risk in an agile way:

Risk management and risk functions cannot be an afterthought. There should be collaboration early on to identify risks and shift-left the management of risks. Refer to the list of risks earlier in the article for a set of modernization risks. Consider cross-functional teams with first and second lines of defense embedded in the backlog delivery. In addition, risk functions should adopt the agile methodology of providing guidance and controls, seeking digitization where possible.

Automated risk assessment at a backlog level will enable product owners to respond to emerging risks and mitigate them at a feature level, if required. These can then be rolled up at the program level for a view of the pain points and mitigation discussion where required. An automated risk dashboard will provide dynamic insights to governance forums enabling rapid unblocking where required.

With the dawn of AI, risk functions can also leverage emerging technologies to provide enhanced insights and reduce manual work.
 

4. Automate controls for value, quality, speed and risk:

Real-time, data-driven decision-making is key to enabling rapid unblocking of issues as they arise. Automated measurement, monitoring and reporting should be implemented across the dimensions of value, quality and speed, including dependencies and risks.

In addition, code reviews, application security testing and risk mitigation (e.g., compliance as code) should be automated and embedded within the existing continuous integration and continuous deployment (CI/CD) flow.
 

5. Upskill and manage talent:

Introducing new systems, technology and operating models requires employees to be trained accordingly. Building up a solid, digital-ready talent pool requires investment in new hires and in upskilling existing talent.

Most organizations struggle with attracting and retaining diverse digital talent (e.g., design, engineering, agile, etc.), and organizations should curate a set of resources to attract, develop and retain talent. These can vary from:

  • Creating a talent blueprint
  • Providing incentives to attract talent
  • Exploring strategic partnerships
  • Carving out differentiated career paths
  • Building skills-based communities to foster community building
  • Providing training and learning opportunities both in-person and remote
     

6. Communicate frequently via traditional and digital methods:

Developing momentum and excitement across the entire organization is critical for ensuring that all areas of the business are engaged and enthusiastic about the modernization strategy. Organizations should identify the most important elements of their digital transformation story and craft a communication plan around it. The digital transformation story should address why the organization is undertaking this change, why it is important, how the employees can be part of this change and what it means for them.

There are five phases to a successful communications plan:

Overall objectives and principles

Defining objectives and principles for the communication plan and tying it to the modernization vision ensures alignment. It is a simple way to provide guidance to everyone who may not be involved in all aspects of the transformation.

Stakeholder mapping and analysis

Mapping key stakeholders and influencers based on their impact on change and their importance to the modernization strategy’s success is critical. Individual communication strategies/engagement models can then be created for them.

Channel selection

Using multiple internal and external communication channels catering to specific groups is critical for success. Evaluating the use of remote and digital methods of communication versus in-person and the frequency of communication is equally essential.

Communications calendar

Create an integrated communications calendar to ensure a common understanding of the communications sequence.

Metrics to track effectiveness

Use tools such as short and punchy surveys to gather feedback from employees. Create focus groups and unified dashboards to see employee viewership across communication channels to track effectiveness.

Conclusion:

Given the complexity of modernization and the stakes, adopting a strategic, dynamic and enhanced approach to managing risks offers better insights and creates the ability to rapidly respond to new risks. If done right, it will ultimately drive significant efficiencies and cost reduction while ensuring scalability for future growth.

Viola Fernandes
Senior Director Agile Program Management

Abhishek Bhattacharya
GVP Technology

Vikki Cheung
Client Partner