Corporate risk management is not what it was five years ago—or even a year ago. The financial crisis exposed the fact that the complexity of the financial services industry had outpaced the ability of traditional risk management practices to provide a comprehensive view of a company's true risk exposure. Risk management processes and systems have historically been focused on specific aspects of risk (e.g., credit, market, and operational risk). But since the financial crisis, regulatory and supervisory bodies have been placing an increased emphasis on companies managing their risk holistically.
In a December 2010 report, Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, the Senior Supervisors Group, comprising senior financial supervisors from seven countries, noted that, "Most firms have made progress in developing risk appetite frameworks and have begun multi-year projects to improve IT infrastructure. These steps are clearly in the right direction, but considerably more work is needed to remediate risk management practices that were revealed as particularly weak during the height of the crisis." This undertaking will require greater collaboration between business and technology and a change in mindset, governance, processes, and systems.
Both as a business management strategy and to support regulatory requirements, senior executive and board-level leadership must have a consistent enterprise-wide view of the overall risk the company is taking. Executives must manage the company's risk position in the context of a well-defined, recognized, and monitored risk appetite—that is, the amount of risk exposure or potential adverse impact the firm is willing to accept.
This need for the organization to actively and independently manage risk has given rise to a new role for the chief risk officer, who is now responsible for understanding all risk areas and working with functional leadership to manage and report on enterprise risk. While CROs have traditionally reported to the chief financial officer, we are increasingly witnessing a shift in reporting to the chief executive officer or board of directors.
Furthermore, the Dodd-Frank Act mandates that public bank holding companies with $10 billion or more in assets form a board-level risk committee to ensure that enterprise risk is well understood and that effective risk strategies are in place. The act also emphasizes the importance of technical expertise in risk management—it requires that the risk committee "include at least one risk management expert with experience identifying, assessing and managing risk exposures of large, complex firms." To fulfill its mission, this committee will require an integrated and complete view of risk and risk management information.
For financial services firms, the need to address the changing nature of risk management presents a unique opportunity to transform their risk management approach from a fragmented, siloed effort to one that's more holistic, transparent, and effective—and less costly. Technology will play a critical role in achieving this vision.
Build a risk framework
The first step toward changing an organization's mindset is building a comprehensive risk management framework—a structured view of threats and an assessment of their probability of occurrence and potential impact. A well-constructed risk management framework provides the context for risk identification and aggregation and helps management define the company's risk appetite.
The risk management framework should take into account both internal and external risk considerations. Doing so will enable organizations to assess the cumulative nature of risks and the potential for the contagious or cascading impacts of risk, which were seen in the recent crisis.
Spreadsheets won't work
The Dodd-Frank Act is a key driver of the transformation in risk management. While much work still remains to fully define the regulatory landscape through rule-making, predominant themes are clear.
One core requirement is the capability to monitor, detect, and react to systemic risk in the financial services industry. The new Office of Financial Research (OFR) is charged with gathering and analyzing information in support of the Financial Stability Oversight Council. It has started to consult with the industry to set standard data definitions and taxonomies (structured models showing data relationships) that will permit the aggregation of trading and risk information industry-wide.
OFR has broad authority to request data, and the early indications are that it will take a proactive and expansive approach to data collection and analysis. It has shown its intent to require granular risk exposure and transaction-level reporting at a frequency and speed that cannot be achieved with spreadsheets and manual manipulation. As a result, financial firms will need to enhance the quality and consistency of their data and be prepared to correlate information. One example is the requirement to integrate trading and financial data to enable reporting on exposure to a particular legal entity.
Seize the opportunity
Risk management evolution should be seen as more than a compliance exercise. In fact, many firms are leveraging the developments for competitive gain. Here are four steps financial firms can take:
1. Take a strategic view of potential risk management process and technology improvements.
In the recent Ernst & Young survey, Recover, adapt, advance: Back to business in an uncertain world, banking executives cited poor data quality, inconsistent information from disparate systems, and sheer volume of data as challenges to obtaining actionable information.
The emerging regulatory requirements to produce a more comprehensive view of risk exposure give banks a compelling reason to rationalize, modernize, and better integrate their risk and finance infrastructures. By developing a future-state systems blueprint and creating an internal design authority that reviews systems proposals and evaluates whether they are in line with the blueprint, firms can achieve greater consistency, flexibility, and long-term cost reduction. Common elements of the design include straight-through processing engines and workflow tools. Using these technologies, a firm can automate process flow, implement controls, and enable the exchange of model results and data between systems.
Such capabilities provide value not only in their ability to control risk by reducing manual touch-points, but also by supporting emerging business functions like customer aggregation and management of clearing and netting agreements.
Similarly, by encoding regulations into a common rules engine and referencing those rules from all risk systems, a firm can enhance integration, provide a valuable control point for consistent rule implementation, and reduce overall operational and maintenance costs. Further benefits are available by coordinating enterprise stress testing through a common system to standardize scenarios and parameters.
2. Enhance the consistency of data and develop/adhere to taxonomies and controls to improve aggregation capabilities.
Risk management data should be rationalized to provide a common, consistent, and reliable source and presented so managers from any part of the firm can understand it.
Banks, particularly those that have experienced a number of mergers and acquisitions, likely have multiple system platforms that often contain different data taxonomies. The data transformation required to integrate these taxonomies is inefficient and difficult to control and complicates risk data aggregation across business lines and disciplines. Consolidating risk platforms and data warehouses and using common taxonomies enables fast data transfer and presents a single view of risk. The process should include deploying unified naming conventions to provide a consistent approach to risk data.
3. Examine data quality and data governance capabilities.
For risk management data to be of real value, it must be accurate, timely, and consistent. The importance of data quality can't be overstated, and firms need to evaluate the quality of their risk data to ensure that they have the proper data governance policies and standards in place.
To maintain the integrity of data throughout the information's life cycle, data management and governance policies must be clearly defined and effectively executed.
Many institutions are beginning to evaluate how legislation like Dodd-Frank will affect data quality, reporting, and governance and are taking necessary steps to ensure that quality requirements are met. To guide their efforts, these banks are monitoring rulemakings and harvesting lessons learned from responding to Basel and other regulatory requirements. [ABA's Dodd-Frank Tracker can assist. Find it at aba.com.] One large bank is seeking to improve data management by establishing committees based on primary subject areas like "customer."
4. Invest in source-system improvements to enhance reporting capabilities.
Regulatory and management requirements for new information are generating demands for improved reporting capabilities. Rather than respond with tactical patches, banks should address information gaps by investing in enhancements to the systems in which the data is originally created. For instance, banks should consider integrating the systems used to support identical processes—like customer acquisition—and standardizing the associated business rules wherever possible to achieve greater consistency.
By simplifying the application environment and adopting rigorous data governance practices, companies can gather the right information up front in a more coordinated manner, maintain data integrity through the information life cycle, and increase traceability back to the data source.
Don't just comply. Gain an edge
Clearly, change in risk management is inevitable, but financial services firms can gain an edge by simplifying the technology and information landscape and addressing shortcomings that have long impeded the risk management process. A holistic approach to risk management can integrate risk processes into normal daily operations, create a risk culture, and clearly define risk appetite.
Improvements in risk management can also help firms achieve greater transparency. Transparency is improved internally by allowing the risk management committee and others involved in risk management to exchange information not previously widely shared. Externally, transparency is improved by providing more detailed, complete, and consistent risk information to the marketplace, more quickly.
Finally, this new approach gives financial firms greater flexibility to respond to evolving regulatory reporting requirements and requests. Increased agility is vital.
The changes occurring in risk management—stemming from developments both inside and outside the business—can be daunting. But at the same time, they present an unprecedented opportunity for financial services firms to completely rethink how they manage risk and how technology and data can be transformed to better support the process.
The banks that embrace this opportunity stand to greatly improve their ability to manage risk and comply with the latest regulations, enhance internal processes, and make competitive gains in the marketplace.