- Jason Henrichs
Does Your Bank Have a Sandbox?
Does your bank have an innovation lab. Millennial council? Have you taken a field trip to the local incubator or co working space? Even better, a scouting expedition to Silicon Valley to observe innovation at work? What your bank really needs is a simple sandbox.
The concept of a sandbox comes from the cybersecurity world. To avoid causing system failures or creating vulnerabilities when testing new programs, the new program is executed outside of the production environment. Putting boundaries between the core systems and the unproven programs prevents unexpected consequences from bringing down operations and allows the new program to be carefully observed. A similar concept is being applied in the regulatory world, as I’ve recently written about for American Banker.
Incumbents face a particular challenge when innovating: they have an existing business. This existing business has customers who’s expectations must be met. Balances must reconcile, payments must go out and clients serviced. The business has an existing strategy that it is executing on and the success or failure is carefully monitored with projections and metrics. Month over month, quarter over quarter, year over year, the numbers are expected to improve over their historical averages. Operating the core business is about extending a line based on existing data, optimizing against a known set of inputs and engineering improvement.
What happens when we are solving an entirely new problem, when it is a blank sheet that doesn’t have any data points to extrapolate from?
Doing something new poses several challenges for incumbents. Because the existing business already has scale, only the most audacious new initiatives are likely to be impactful on a relative basis. Without an operating history, timelines, costs, revenues and usage are all at bests shots in the dark. It is an ugly paradox that to clear the investment hurdles used to operate the core, the biggest bets must be made with assumptions that are ungrounded. The traditional planning and investment metrics the core business relies upon just don’t work when applied to something completely new. Moreover, the lack of operating history makes it difficult to scope out which of the long list of risks will significantly impact the new venture. Uncertain upside, difficult to quantify costs and a myriad of things that could possibly go wrong is a difficult equation to solve. It is easy to reach the conclusion to maintain focus on the core business where results are more certain. Where it is more about engineering rather than invention. Unfortunately, inaction creates a backlog of ungrounded assumptions and an innovation deficit that eventually will be catastrophic or force the organization to make even larger leap of faith in a bid for survival.
An internal sandbox doesn’t throw out the rules or free innovators from the tyranny of results. A sandbox isn’t a blank check, it is a scaled back experiment so the risk and investment are manageable. The internal sandbox is about creating an equation ithat is both solvable and doesn’t put the core business at risk by impacting its scalability, reliability or compliance. The sandbox incorporates the investment of time and money, risk, compliance management and technology at a level of what’s appropriate relative to what is being learned. A sandbox is an acknowledgment we don’t and can’t have certainty when doing something new. Only by testing new ideas can we generate the data needed to validate whether new ideas are worth scaling. Part of managing that is recognizing not all risks can be forecast and therefore can have a procedure or control for everything that happens. The purpose of the sandbox is to bring the talented risk, compliance and security teams in early with the mandate of getting to yes, even when that means reducing the scope or having a manual review process until the true risks can be understood. With this grounding, efforts can be scaled and risk management industrialized at the appropriate time.
A sandbox is more than a new set of business practices, risk and regulatory processes, and technologies. It is also a cultural change for many institutions. The sandbox is a place where trusted, transparent conversations take place. The sandbox is where things can and should go wrong. The sandbox is the place where the future is being solved, piece by piece as experiments yield data needed to ground future tests.