Modern Banking Risk Requires a New Model Beyond Likelihood and Severity
Traditional risk frameworks often ask two questions: how likely is the risk, and how severe would it be? In modern banking, a single weakness can move through the institution as a chain reaction.
A process failure, for example, may begin as operational risk. If that process affects interest-rate modeling or credit calculations, it can evolve into model or credit risk. If regulators identify the weakness, it can become regulatory risk. If customers or counterparties lose confidence, it can escalate into reputational damage. Viewed separately, each item may appear manageable. Viewed together, they may reveal a systemic problem.
1. Why are banks still relying on static heat maps and siloed risk scoring models when today’s most catastrophic financial failures emerge from interconnected, compounding risks across liquidity, cyber, compliance, credit, and reputational domains?
There are many reasons why banks still rely on static heat maps. Initially, the heat maps that displayed Likelihood and Severity provided a preliminary understanding of the risk environment, but this was prior to advanced products such as CDO (Collateralized Debt Obligations) and CDS (Credit Default Swaps). The creation of such products advanced faster than the mechanisms to mitigate their associated risks.
Secondly, some regulatory guidance has not evolved to align with the overall risks associated with complex financial institutions and economic markets. There are still recommendations in certain regulatory publications that align with the implementation of Likelihood and Impact within organizations.
Additionally, there is a disconnect between what is occurring and the ability to represent that in a methodology that is fully vetted and supported by the risk community. As such, dependence on and comfort with the status quo, and fear of change, have formed an Abilene Paradox that’s taken hold in the risk community.
Finally, the implementation of risk in specific categories (e.g., Credit risk, Market risk, Operational risk) doesn’t facilitate a horizontal view of risk nor a holistic understanding of how risk can interconnect across categorial boundaries. It’s easier to understand how different types of operational risk can interact because they share some characteristics, allowing for a simpler view.
2. How can banks realistically identify events—such as liquidity shocks, digital bank runs or cascading compliance failures—that traditional likelihood-versus-severity frameworks routinely overlook?
In the FFERM (Four Factor Enterprise Risk Management) methodology, the two factors of compounding and predictability assist in understanding and modeling the behaviors associated with events such as liquidity shocks, digital bank runs, and cascading compliance failures. For instance, compounding is the factor that represents systemic or isolated risk event behaviors by focusing on the cascading, amplification, correlations, and contagion associated with risk events. Therefore, compounding as a risk factor is suited for understanding the catalyst and impact of cascading compliance failures.
Predictability is better suited to situations where one wants to understand how to forecast or project when an event might occur, using leading indicators and a signal that provides insight into when a potential future activity may occur within an organization. For instance, if a combination of leading indicators, such as negative social media sentiment and an increase in uninsured deposit ratios (i.e., Uninsured Deposits ÷ Total Deposits), occurs, it could be a strong indicator that a bank run is imminent, as evidenced by the SVB failure.
To be fair, Likelihood and Severity were never built to perform in the way they perform. Likelihood and Severity began as a military systems standard created by the Department of Defense in 1984, in response to the need to triage potential system failures. As its popularity grew and it was paired with color-coded heat maps as visual representations, it gained a life of its own and proliferated throughout many industries, including banking. But the origins were never focused primarily on the issues that plagued financial services.
3. Why do conventional enterprise risk management systems struggle to detect how seemingly isolated operational, cyber or reputational issues can rapidly compound into systemic institutional threats?
The reason why conventional enterprise risk management systems struggle is that they are all built on the foundation of Likelihood and Severity. Now it might be worded differently, such as Probability and Impact, but it still represents the same paradigm. Regardless of whether one calls it Likelihood (Probability) or Severity (Impact), the results are still the same. In fact, one can perform a quick empirical experiment as evidence to verify how ubiquitous the Likelihood and Severity paradigm is in the risk industry. One could perform an image search using a program such as Google. The search criteria would be risk heatmaps. The image search will display hundreds of different color-coded heatmap matrices, all having one thing in common: Likelihood (Probability) on one axis and Severity (Impact) on the other axis.
With risk, Likelihood and Severity seem to be agnostic of platform, system, industry, technology, and process. It’s used in all areas as the de facto method for quantifying and managing risk. Since Likelihood and Severity can’t detect risk event behaviors such as compounding, cascading, and systemic expansion, the conventional enterprise risk management systems, by default, are also blind to the risk event behaviors.
Therefore, FFERM Risk Intelligence Platform and Methodology was built to interconnect seemingly disparate risks into a holistic view by creating the composite risk score that provides the foundation for the FFERM implementation, then translating that score into a risk profile and the corresponding risk statement, all while keeping the risk view horizontal across multiple siloed risks (i.e., Operational, Cyber, Reputational).
4. How do fragmented data environments and disconnected risk teams contribute to the failure to identify enterprise-wide vulnerabilities before they become crises?
Data is the cornerstone of any analysis and decision-making methodology. There’s an old saying that some technologists use: “Garbage in, garbage out.” It basically makes the argument that if the data going into any system or process is in any way damaged or faulty, the output that system or process creates will also be damaged or faulty. A risk event is nothing more than data that describes the behavior of that risk. As such, risk depends heavily on data, whether it be the data in the internal risk register, external data, internal loss data associated with monetary failures, financial statements data, or regulatory and compliance data. It all must be processed in a manner that produces information and, to some degree, intelligence to support making decisions.
FFERM Four Factors perform a major role in ensuring data isn’t fragmented or disconnected. The factors act as a composite to aid in identifying risk from a holistic perspective. Each factor is important in its own right, but when combined, they elevate information and intelligence in a way that offers exponential benefits: pattern recognition, factor interaction, factor correction, multi-factor risk drivers, and a host of other attributes that two factors cannot produce.
Additionally, from a disconnected team perspective, traditional enterprise risk management platforms with a foundation of Likelihood and Severity do not have the capabilities to analyze a multi-attribute, multi-dimensional risk environment or provide vantage points from the perspective of multiple constituencies and stakeholders (i.e., Risk Analyst, Risk Engineers, Risk Support, Risk Management, Risk Leadership). FFERM Risk Intelligence Platform has an Executive Dashboard for the Board of Directors and Executive leadership. The Risk Analysis module is what FFERM primarily created for the Risk Analyst and Risk Engineers. Prescriptive Analytics is built primarily for the CFO’s interests.
5. How does FFERM Technologies’ AI-powered risk intelligence platform help financial institutions move from reactive compliance exercises toward proactive and examiner-ready decision-making?
Traditional Enterprise Risk Management platforms focus primarily on risk scores that do not easily translate into information with which to make decisions. Additionally, there is a heavy reliance on historical data collection, primarily used to create quantitative scoring. That scoring is based on Likelihood and Severity. Therefore, the organization’s scoring prohibits it from expanding beyond the stringent 2-factor analysis on which its system and system users are reliant. To be proactive, one must be able to anticipate and estimate the upcoming events and activities, understanding that there is a level of uncertainty with the estimation. But that uncertainty should not prohibit moving forward in trying to minimize the uncertainty, knowing that one cannot eliminate uncertainty.
The FFERM Application is called an AI-Powered Risk Intelligence platform because the platform adapts, recognizes patterns, and optimizes performance for specific goals associated with risk management using the Four Factors methodology as its foundation for making decisions.
FFERM’s Four-Factor methodology (Compounding, Severity, Likelihood, and Predictability) produces a proprietary pattern-recognized behavioral profile of every risk. Each factor is scored on a rigorous quantitative scale, then converted into the proprietary pattern-recognized behavioral profile. As such, the quantitative Four-Factor risk scores are translated into a proprietary pattern-recognized behavioral profile, which is converted into a qualitative behavioral statement such as: “The risk is systemic, severe, unlikely to materialize, but in case it does, it’s not predictable,” meaning one has no leading indicators, in essence, blindsiding the individual.
This statement assists senior leadership and the board in understanding the risk environment, implementing proactive measures to mitigate risk, and creating contingency plans, all based on the sequence from Four-Factor quantitative risk scores to pattern-recognized behavioral profiles to a qualitative behavioral statement, all of which support a more proactive stance on risk.
From an examiner-ready perspective, preventive controls, or a combination of detective and corrective controls, are at the forefront of what examiners expect in a well-controlled risk environment. Preventive control, or a combination of detective and corrective controls, must be proactive to be effective and gain examiners’ consent.
6. How does FFERM Technologies’ Four-Factor Enterprise Risk Management methodology help institutions identify risks that become invisible inside static or isolated models?
The FFERM AI-Powered Risk Intelligence platform has a combination of approximately 150 distinct quantitative, statistical, and AI/ML implementations. These implementations are at the heart of how FFERM assists in moving from reactive to proactive, using the Four-Factor methodology as its foundation. Therefore, static models built from Likelihood and Severity can be hindered by their inability to use leading indicators and a signal for upcoming risk events, and therefore, the events stay invisible to the risk practitioner.
Specific to FFERM Technologies’ Four-Factor Enterprise Risk Management, the Predictability factor is at the heart of revealing risk that may appear invisible to other methodologies. Predictability refers to the degree to which a risk can be forecasted or anticipated in advance; however, FFERM treats it in a specific manner.
In FFERM, Predictability serves as a measure, signal, indicator, or pattern. Predictability measures how strong and reliable the leading indicators or signals are that let one anticipate or forecast. High Predictability equates to strong, reliable signals, where events can be expected and managed (e.g., hurricanes using weather models). Low Predictability equates with weak or absent signals where events are not easily forecast or arrive as surprises (e.g., zero-day exploits, black swans).
Sometimes, Predictability is used synonymously with Likelihood, which is not the case. Predictability differs from Likelihood, which is the probability of occurrence within a specific time horizon (“How probable?”). Predictability is the reliability of forecasting signals (“How much warning?”). Although predictability refers to forecasting ability, it doesn’t guarantee that one can say exactly when an event will occur (timing is still probabilistic/stochastic). Instead, it tells you: “How much foresight we have with a risk event.”
About Dr. Jeffrey L. Edwards:
Dr. Jeffrey L. Edwards is the Founder and CEO of FFERM Technologies Inc., an AI-powered enterprise risk-intelligence platform built for the financial services industry. FFERM ships as five edition-specific products serving Banking, Credit Union, Insurance, Registered Investment Advisor, and Broker/Dealer institutions, with embedded GRC capabilities in the securities editions and a proprietary Market Watch module for external risk intelligence. The platform’s Four-Factor methodology, Compounding, Severity, Likelihood, and Predictability, was developed to address the structural blindspots of legacy enterprise risk management frameworks built on static likelihood-and-severity models.
Dr. Edwards brings more than 30 years of experience at the intersection of financial services risk management and enterprise technology, including over 20 years in technology roles and senior risk leadership positions, Chief Risk Officer, Chief Control Officer, and other roles across multiple financial institutions. He currently serves as an adjunct professor and has taught at approximately 10 colleges and universities; additionally, he previously chaired an academic department. He has also served as a peer reviewer for The Journal of Operational Risk and has been published in leading banking and risk management periodicals. His credentials include a Doctorate of Business Administration, an MBA from the McColl School of Business at Queens University of Charlotte, an MS in Financial Mathematics from Johns Hopkins University, a BS in Statistics, the Certificate in Quantitative Finance (CQF), and Certified Six Sigma Black Belt (CSSBB).
About FFERM Technologies:
FFERM Technologies is a financial risk intelligence company founded by Dr. Jeffrey L. Edwards, a 30+ year financial services and risk executive. The company developed a patent-pending Four-Factor Enterprise Risk Management methodology that expands beyond traditional likelihood-and-severity scoring to include Compounding and Predictability. FFERM Technologies helps financial institutions identify, quantify and prioritize interconnected, systemic risks that traditional models can miss, transforming risk management from a static compliance function into dynamic, forward-looking intelligence. FFERM’s platform is designed for regulated financial institutions, including banks, credit unions, insurers, RIAs and broker/dealers. For more information, visit https://www.ffermtech.com/site.

