Mastering the Modernization Maze: Navigating Risk in Core Banking Modernization

As banks move forward on their core modernization agendas, they are coming across a common set of challenges that slow down progress. Traditional change—let alone digital change—in a highly regulated market is complex, a challenge that touches the very core of the organization. When organizations consider the reputational and regulatory risks of failed modernization strategies—including the size of investment—it's imperative to identify the risks to modernization early on, as well as adopt the right controls to mitigate these risks.

Most organizations undertake modernization like any other part of digital transformation. They focus on the setup, mobilization and governance forums for decision-making, tooling, etc. Initially, this works well and drives outcomes on a small scale. However, as the modernization program grows, problems begin to arise.

Given the highly regulated nature of the banking industry, risk identification and management are an inherent function. Yet, when collaborating with global financial services clients, few are aware of the range of risks involved with modernization and lack a systematic approach to address them.

This can often lead programs to adopt a superficial level of risk management. This can take the form of identifying point-in-time risks at a feature team level, setting up weekly forums with first and second lines to review and actioning risks in silos. More often, this strategy ends up with a long list of risks that soon become stale and can potentially lead to significant delays, regulatory scrutiny or, worst of all, risk failure and loss of reputation.
 

How to identify risks to banking modernization

To avoid such failures, organizations can take a set of focused actions. Starting with collaboratively identifying risks that impact the modernization environment. Below is a proposed list of modernization risks for leaders to consider in context with their use case.

Define, refine and deliver: steps for risk mitigation success in core modernization strategies

Successful modernization strategies embed a set of six focused actions (Exhibit 2). The key is implementing all six actions through the modernization lifecycle in a coordinated fashion across business, technology, operations, risk, legal and security.

1. Create a fit-for-purpose governance structure that evolves over time:

In the initial phase, a governance structure should be more centralized to ensure coordinated planning and future state design. In subsequent phases, the structure should be more “federated,” as teams are trained and start acting and executing independently. A rollout to the new system will be centralized to manage risk and impact to customers and the bank, but backlog delivery should be decentralized after training to individual feature teams.

Exhibit 3 is an example of a governance model in a successful modernization strategy.

The Transformation Management Hub (TMH) will be a critical vehicle in providing a unified view of value delivered. It will sit at the center of the strategy and weave together the governance layers to drive transformation. It will coordinate and provide the necessary direction through five key responsibilities:

1. Modernization strategy and roadmap: shapes the modernization strategy and roadmap including migration and transition states
2. Coordinated proposition shaping: leads the end-to-end shaping and prioritization of the modernization scope
3. Architecture, engineering and data: defines solution architecture, engineering methodology and standards
4. Culture, capability building and operating model: drives capability building across the program, embedding a shared culture and standardized ways of working. Designs, evolves and supports the adoption of the target operating model
5. Dependency management and value capture: assures ongoing roadmap delivery through integrated, dynamic reporting and accelerated governance, including dependency management
    

2. Adopt a “migration first” approach to the investment case and planning:

Ultimately, the success of modernization is derisking and implementing a timely migration to the new platform followed by decommissioning applicable assets. Migrating to a new core and its corresponding ecosystem can be tricky. The migration strategy should be laid out early in the transformation process and be aligned to the business case for core banking modernization.

In identifying the optimal migration strategy, organizations should focus on reputational risk mitigation, technical risk mitigation, operational risk mitigation and opportunities for early benefits realization.

Establishing a roadmap and rubric for migration early on in the modernization lifecycle will keep the focus on a value-release approach. Now with more clarity on the evolution of the platform and transition stages, the “build” roadmap and investment case can further align to the value release roadmap.

Typically, organizations can broadly consider three types of migration strategies: Big Bang, Parallel run and Coexistence migration. Ultimately, the optimal choice of strategy will depend on the customer, technology and people risks and investment case.
 

3. Identify and manage risk in an agile way:

Risk management and risk functions cannot be an afterthought. There should be collaboration early on to identify risks and shift-left the management of risks. Refer to the list of risks earlier in the article for a set of modernization risks. Consider cross-functional teams with first and second lines of defense embedded in the backlog delivery. In addition, risk functions should adopt the agile methodology of providing guidance and controls, seeking digitization where possible.

Automated risk assessment at a backlog level will enable product owners to respond to emerging risks and mitigate them at a feature level, if required. These can then be rolled up at the program level for a view of the pain points and mitigation discussion where required. An automated risk dashboard will provide dynamic insights to governance forums enabling rapid unblocking where required.

With the dawn of AI, risk functions can also leverage emerging technologies to provide enhanced insights and reduce manual work.
 

4. Automate controls for value, quality, speed and risk:

Real-time, data-driven decision-making is key to enabling rapid unblocking of issues as they arise. Automated measurement, monitoring and reporting should be implemented across the dimensions of value, quality and speed, including dependencies and risks.

In addition, code reviews, application security testing and risk mitigation (e.g., compliance as code) should be automated and embedded within the existing continuous integration and continuous deployment (CI/CD) flow.
 

5. Upskill and manage talent:

Introducing new systems, technology and operating models requires employees to be trained accordingly. Building up a solid, digital-ready talent pool requires investment in new hires and in upskilling existing talent.

Most organizations struggle with attracting and retaining diverse digital talent (e.g., design, engineering, agile, etc.), and organizations should curate a set of resources to attract, develop and retain talent. These can vary from:

• Creating a talent blueprint
• Providing incentives to attract talent
• Exploring strategic partnerships
• Carving out differentiated career paths
• Building skills-based communities to foster community building
• Provide training and learning opportunities both in-person and remote
   

6. Communicating frequently via traditional and digital methods:

Developing momentum and excitement across the entire organization is critical for ensuring that all areas of the business are engaged and enthusiastic about the modernization strategy. Organizations should identify the most important elements of their digital transformation story and craft a communication plan around it. The digital transformation story should address why the organization is undertaking this change, why it is important, how the employees can be part of this change and what it means for them.

There are five phases to a successful communications plan:

Conclusion:

Given the complexity of modernization and the stakes, adopting a strategic, dynamic and enhanced approach to managing risks offers better insights and creates the ability to rapidly respond to new risks. If done right, it will ultimately drive significant efficiencies and cost reduction while ensuring scalability for future growth.