Enterprise risk management has traditionally been associated with governance oversight, policy oversight and regulatory compliance. But the role of risk management inside banks is changing rapidly as institutions confront more volatile operating conditions, faster execution cycles, greater technology dependence and rising supervisory expectations around accountability.

For Affin Group, the transformation of enterprise risk management became part of a broader institutional shift under its Affin Axelerate 2028, or AX28, transformation programme. The Malaysian financial group, which comprises Affin Bank, Affin Islamic Bank and Affin Hwang Investment Bank, was recognised with the Achievement in Enterprise Risk Management in Asia Pacific award for 2026 under the TAB Global Risk Management Awards.

The recognition reflected not only improvements in governance and control frameworks, but also the group’s attempt to reposition risk management into a more intelligence-led and business-integrated capability. According to the evaluation supporting the award, Affin Group’s transformation combined governance reform, automation, behavioural-risk tools and data-driven decision support within a more unified operating model.

The shift reflects broader changes taking place across the banking industry. Risk functions are increasingly expected to operate not simply as retrospective control layers, but as forward-looking capabilities supporting resilience, operational agility and more responsive decision-making. Institutions now operate in environments shaped by tighter regulatory scrutiny, digital transformation, cyber threats and increasingly interconnected operating environments.

Ricky Dang Cheong Min (Ricky), group chief risk officer of Affin Group, said the institution no longer views enterprise risk as a standalone control function operating separately from the business. Instead, risk management is increasingly embedded directly into capital allocation, product strategy, liquidity management and operational decision-making across the group.

“What has fundamentally changed at Affin is that enterprise risk is no longer positioned merely as a standalone or independent control function,” Ricky said. “It is now ingrained directly into how the business runs, makes decisions and optimises opportunities.”

Ricky described traditional risk structures as largely compliance-driven models focused on policy setting, limit monitoring and periodic reporting. Affin Group instead attempted to shift towards what he described as a “value-driven intelligence-led operating model” built around real-time analytics, predictive insights and closer alignment between risk and business priorities.

Embedding risk into business execution

One of the most significant changes inside Affin Group involved repositioning risk management from a parallel oversight function into a more integrated component of institutional execution.

According to Ricky, risk appetite is no longer treated as a high-level governance statement disconnected from operating decisions. Instead, it is increasingly embedded into capital allocation, product strategy and day-to-day decision-making across the organisation.

“The focus is rather on how do we do this safely instead of saying no outright,” Ricky said.

The group adopted a more collaborative three-lines-of-defence approach in which risk officers are embedded directly within business units across areas such as credit, market and operational risk. According to Ricky, this allows earlier identification of emerging risks emanating from the business while also improving coordination between the business and the risk function.

The approach reflects one of the broader shifts identified in the award evaluation, which described Affin Group’s risk framework as moving away from a purely defensive control structure towards a more commercially useful model.

Ricky acknowledged that the transition was not easy. He noted that many employees initially preferred maintaining existing ways of working and that obtaining buy-in across the organisation became one of the more difficult aspects of the transformation.

“I would say that the shift is actually not that smooth because initially everybody will have their own way of thinking,” Ricky said. “Usually people normally prefer to do things status quo.”

According to Ricky, support from the Board, PGCEO and senior management played an important role in driving the transition. He said that such “Tone from the Top” consistently reinforced the need to strengthen systems, improve efficiency and elevate standards across the organisation to achieve competitive advantage and sustainable growth.

The closer integration between risk and business units has also changed how products are developed and evaluated. Ricky said business teams increasingly engage risk functions much earlier in the process rather than only seeking approval towards the final stages of product development.

“A lot of times before business even launch a new product, they will engage risk at an earlier stage,” Ricky said. “When the product is towards the tail end of the development cycle, a lot of things have already been ironed out.”

Moving from static reporting to integrated real-time intelligence

Another major component of Affin Group’s transformation involved shifting from periodic manual reporting towards more automated and near real-time risk monitoring.

According to the award evaluation, one of the group’s most significant operational improvements came through the automation of liquidity and market-risk reporting. Affin Group moved away from manual spreadsheet-based processes towards more integrated systems capable of producing daily automated analytics.

Ricky said the group previously relied heavily on Excel-based liquidity monitoring tool before migrating the functionality to Statistical Analysis System, or SAS as part of the risk management modernisation initiative. The group also implemented enhanced market-risk monitoring capabilities through systems provided by Fidelity National Information Services, or FIS.

“We had moved from periodic manual reporting to daily automated analytics, particularly in market risk, liquidity and part of credit-risk monitoring,” Ricky said.

The shift allowed traders, treasury teams and management to respond more quickly to changes in funding conditions and market exposures. According to Ricky, the move away from delayed periodic reporting  significantly improved the group’s ability to adjust funding strategies and risk positions earlier.

“This allows management to make adjustments at an earlier stage  to funding strategies and risk positions based on near real time, intraday or end-of-day positions,” Ricky said.

The award evaluation stated that Affin Group achieved a 96% improvement in liquidity-reporting agility through the automation initiative while also reducing manual workload and operational inefficiencies.

The group is also integrating operational risk, business continuity management and technology risk through the Archer integrated risk management platform to provide a group-wide view of operational exposures and interdependencies. Archer is used as a governance, risk and compliance platform that centralises operational-risk monitoring, workflow management, business continuity management and enterprise-wide reporting.

Ricky explained that the integrated system is designed not only to centralise monitoring and reporting, but also to facilitate  data correlation across functions and risks. He gave the example of RCSA (risk and control self-assessment) highlighting staffing issues potentially affecting technology-system patching schedules, which could then automatically trigger alerts to the technology-risk teams before the issues escalate further.

“This is a consolidated non-financial risk system that will give management a holistic view,” Ricky said. “It will have a correlation model in-built into it as well.”

Ricky described the broader transformation of group risk management into an “enterprise intelligence hub” capable of providing predictive insights through stress testing, scenario simulations and emerging-risk analytics.

He said the function now conducts multiple thematic analysis throughout the year focusing on vulnerable sectors, market volatility and external cyber incidents in order to identify potential risks earlier and support more forward-looking decision-making.

The stress-testing framework is also integrated into the group’s Internal Capital Adequacy Assessment Process, with the outputs feeding into capital-planning and finance functions across the organisation.

Behavioural analytics and predictive risk management

One of the more distinctive aspects of Affin Group’s transformation has been its growing use of behavioural analytics.

The award evaluation highlighted Affin Group’s Human Behaviour Risk Management System as one of the group’s more differentiated initiatives, particularly in how it attempts to address the human layer of risk rather than treating operational risk purely as a process and control issue.

Ricky said the group implemented a human behavioural detection tool that analyses staff behavioural patterns to identify potentially suspicious or anomalous activity. The system monitors login timing, authentication behaviour and geographically inconsistent access attempts against established user baselines.

“These proactive tools are meant to prevent issues before they materialise,” Ricky said.

According to Ricky, authentication attempts occurring at unusual hours or from locations inconsistent with a staff member’s normal operating area are automatically flagged for investigation. He disclosed that the system had already helped detect and prevent at least one attempted external cyber intrusion recently.

Affin Group also developed several behavioural models linked to economic value of equity computation and balance-sheet management. These models are designed to estimate actual customer behaviour more accurately rather than relying solely on contractual assumptions.

The models cover areas such as current and savings account retention behaviour, early withdrawal of fixed deposits, early repayment patterns for fixed-rate loans and rollover behaviour for revolving products such as credit cards.

According to Ricky, the behavioural models improved the group’s ability to understand product-specific risks, liquidity requirements and repricing assumptions more accurately. The award evaluation stated that the methodology generated a 28% improvement in computation outcomes for certain internal modelling exercises.

“We know our own loans and deposits profile better,” Ricky said. “We know how they should be priced better.”

Ricky believes behavioural analytics will become increasingly important as artificial intelligence (AI) becomes more embedded within banking operations. He noted that AI systems are capable of processing large datasets, running multiple simulations and identifying behavioural patterns at much greater granularity than traditional approaches.

“A lot of it will actually be through heavy data assessment on behavioural and predictive patterns,” Ricky said.

He added that the same analytical capabilities supporting risk management could also generate broader commercial value through more targeted marketing, customer segmentation and product cross-selling.

Balancing stronger governance with agility

The transformation at Affin Group has also been shaped by evolving supervisory expectations across the banking industry.

According to the award evaluation, the group’s stronger governance integration and operational discipline contributed to measurable improvements in supervisory remediation and regulatory responsiveness. The evaluation also noted reductions in key supervisory concerns and stronger remediation discipline across the group.

Ricky said regulators increasingly expect banks not only to identify and detect risks, but also to demonstrate how risks are proactively prevented and managed before incidents occur.

“Regulators have actually raised some of the expectations by asking us how do we prevent certain risks from happening,” Ricky said.

He noted that many existing methodologies may no longer be sufficient in an environment characterised by rising cyber threats, operational interdependencies and growing technology advancements.

At the same time, Ricky acknowledged that stronger governance frameworks can create tension if business units perceive additional controls as slowing decision-making or adding unnecessary bureaucracy.

According to Ricky, Affin Group attempted to address this through earlier engagement between risk and business teams and advocating greater operational transparency.

“Generally, conventional thinking is that when you have additional layers of control this will be seen as slowing the organisation down,” Ricky said.

He argued that risk functions increasingly need to demonstrate the practical business value of controls rather than simply enforcing procedures. According to Ricky, the ability to show how controls help prevent excessive concentration, operational weaknesses or diversification issues makes business teams more willing to embrace stronger governance frameworks.

The group is continuing to expand connectivity across its risk infrastructure. Ricky said Affin Group is integrating risk, audit and compliance systems through application programming interfaces to improve information sharing, workflow management and enterprise-wide coordination.

The group is also implementing additional capabilities including workflow reminders, visualisation tools and analytical features designed to improve oversight across operational-risk and business-continuity processes.

Enterprise risk transformation as a continuing journey

Ricky believes one of the most common mistakes institutions make is treating enterprise risk transformation primarily as a technology project.

According to him, many banks invest heavily in systems without making corresponding changes to governance structures, operating models or organisational culture.

“Real transformation requires alignment across governance, infrastructure, process and people,” Ricky said.

He also believes many institutions did not sufficiently embed risk ownership into business functions. According to Ricky, risk management frequently continues to operate as a parallel function rather than an integrated part of institutional execution and resilience.

“Unless the business is accountable for the risk, it is never truly going to achieve the operational resilience that it has the potential to achieve,” Ricky said.

Ricky repeatedly described risk transformation as a continuing journey rather than a fixed destination. He argued that institutions require multi-year transformation roadmaps but must also remain flexible enough to adapt to changing market conditions, evolving regulatory expectations and emerging technologies.

The group-wide structure at Affin Group has also helped strengthen coordination across Affin Bank, Affin Islamic Bank and Affin Hwang Investment Bank. Ricky said the risk-management structure allows issues identified within one entity to be assessed more consistently across the wider group rather than remaining siloed within individual business units.

“End of the day, proper communication, strategic alignment and complementary talents enabled better synergy across the group,” Ricky said.

Affin Group’s transformation illustrates how risk management is increasingly evolving beyond governance oversight and regulatory compliance into a more integrated operating capability. While technology platforms, automation and analytics supported the transformation, Ricky repeatedly returned to the importance of culture, accountability and coordination across the organisation.

As banks continue operating in more volatile and digitally interconnected environments, risk functions are likely to become even more central to institutional execution, resilience and strategic decision-making. For Affin Group, the objective was not simply to build stronger controls, but to embed risk ownership, predictive insight and operational coordination more deeply into how the organisation operates as a whole.