Risk management and compliance

Risk management and compliance issues can seem to counter competitiveness for financial services firms; but business success lies in balancing resistance with responsiveness, says Jacqui Griffiths

With an increasing number of regulations to comply with and ever more risks to address, financial firms can be tempted to take a purely defensive approach – do the bare minimum to avoid penalties for non-compliance, and batten down the hatches to exclude threats such as fraud or data theft. But given the continuing development of both risk and regulation, ongoing flexibility is also crucial to combining successful defence with successful business – in the words of Bruce Lee: “Do not be tense, just be ready.”

The first step in achieving this is to understand the scope of risk, its relationship to both established and emerging regulations, and the conflicts and synergies involved. “Recent market events have shown that risks are harder to identify than many market participants realised,” says John Powers, president of Digipede Technologies. “Even if we restrict the definition to something like ‘exposure to price changes in financial instruments,’ the sources of risk are numerous.”

Fraud and data loss, whether criminal or accidental, must be taken into account, as well as liquidity risk. All of these have potentially disastrous effects on a company’s reputation and finances.

The addition of compliance obligations to this heady brew can leave some firms not knowing which way to turn in order to see opportunities rather than threats. “There is often a balance between security and productivity,” observes Jon Rolls, director of product management at ScriptLogic.

Tony Gratton, managing director of Fintecs, agrees: “The problem boils down to perceptions, real or otherwise, of adding value,” he says. “There is definitely a conflict between activities seen as revenue-generating and those perceived as cost-generating. Some firms may even be driven to a rational assessment of non-compliance benefits – that is, balancing revenue generated from some other activity against the costs of non-compliance. If risk management and proof of compliance are seen to add value to the business then everyone is happy. If not, there is likely to be conflict. Whether we like it or not, security and functionality tend to lie at opposite ends of the scale. We are often faced with awkward choices between what we would like and what is good for us.”

“Companies face several challenges in managing risk and proving compliance,” says Tony Moore, account director for financial services at Touchstone Group. “Among these are implementing and managing effective business processes to support compliance, and achieving visibility on those processes, as well as an alert system in case they go wrong. Transparency and consistency of information, and the 360-degree view of the customer demanded by know-your-customer regulations, all necessitate a combination of forces across business divisions, which in turn requires standardised processes across divisions and geographies. Then there’s effective reporting to create an audit trail, and finally, the effective communication and policing of new rules across the organisation, so that there can be no excuse for not sticking to them.”

But once value enters the equation, apparent conflicts appear in a more harmonious light, for compliance is an essential part of the risk management recipe. “Regulations are there to prevent the biggest risks,” adds Moore. “In addition, there are risks attached to not understanding who your customers are, and to data protection, management and storage – these, too, entail best practice such as making formal checks on all customers, even if you think you know who they are, and balancing privacy laws with customer data and protection.”

“Some banks that we’re talking to recognise that more regulations will follow those we have now,” says Ian Warford, director of securities and capital markets at Microsoft. “They’re really trying to develop a flexible framework to address that. Instead of building spot solutions for each regulation, they’re taking a holistic view of risk across the entire bank – that will allow the bank to be much more flexible in coping with new regulations as they come and, in the long term, to reduce the costs of complying with regulations.”

In order to strike the right balance, companies need to ensure flexibility as well as control. “Advances in technology can help to ensure that we have more functionality as well as more security,” comments Gratton. “Having said this, the tighter the security, the more likely it is that response to change will be slower. Firms are thus faced with a difficult choice in terms of where to draw the line between security and functionality.”

“Measurement comes before management,” says Powers. “If you can’t get an accurate and timely picture of your exposure to various risks, there’s no hope of managing those risks. While calculation methods such as value-at-risk are generally well understood, these calculations can be very compute-intensive. Reducing the time it takes to establish an accurate view of the firm’s exposure to various risks is critical to successful risk management.”

“This is a balancing act and depends upon the business plans and risk appetite of the institution involved,” adds Brian Sentance, CEO of Xenomorph. “More flexible, componentised systems can obviously assist in meeting the changing demands of clients. Spreadsheets are often used as the pressure relief valve when bringing new financial products to market, which can increase risk. But even this can be ‘process-ised’ to keep the operational/model risk to a minimum. The key is to get the data right and everything else in your risk processes can flow from this solid foundation.”

Touchstone’s Moore agrees: “There are two major ways to control security and processes while remaining flexible. One is to ensure customer data is safe – not just from external hackers, but also from internal errors or threats. Layer authorisation, and track who accesses what data. Secondly, create an effective system that allows a single view of the customer – you can still layer authorisation within this. So if you’re selling an investment fund to a customer, you can see they have a wealth management programme with you and that all the appropriate checks on that customer are already in place, as well as being able to up-sell or cross-sell products and services.”

“A great risk management system requires both the ability to incorporate new risk measurements rapidly and access to the computing power needed to run risk measurement algorithms quickly and easily. Familiar development tools and techniques provide the former, and grid computing infrastructure provides the latter,” says Powers.

The technologies at the centre of this approach, says Moore, are business process management, data storage and security, document and record management, and customer relationship management. Rolls points out the value of many technologies that customers already have: “We concentrate on making proper use of Windows’ built-in security controls – permissions, access control lists, security policies and passwords,” he says. “These are highly effective tools if managed correctly. We’re seeing an increasing use and interest in SharePoint as a centralised document repository and management system.”

“People can do many things with Microsoft technologies to help fulfil the compliance obligation and generate revenue in the process,” adds Warford. “We see a lot of interest in things like SQL Server, for storing vast quantities of data, and SharePoint for customer tracking and workflow.”

“Our goal is to provide the administrator with highly granular, policy-based control of security so that access controls can be targeted at areas that need the most protection, without inconveniencing the productivity of other workers,” adds Rolls. “Centralised management and ongoing review of access control policies is unavoidable in order to remain compliant while maintaining a competitive edge.”

“One relatively young but tremendously promising technology is visualisation,” says Gratton. “That is, the communication of complex information visually. Both risk management and regulatory compliance are complex, yet rapidly changing. While visualisation has historically been associated with communicating large volumes of data, recent advances allow us to use it in other imaginative and productive ways. For instance, it can help us to see the association of complex ideas we might face in a compliance scenario. By visualising the compliance terrain, this complex context can be maintained for us, so that rather than waste effort establishing and maintaining this, we are freed to concentrate on becoming compliant or maintaining compliance.”

The benefits of taking a flexible yet steady approach extend beyond simply ensuring compliance and reducing risk – it can help prepare the business for growth. “Data transparency and ease of access to consistent data is a benefit that applies across the business, not just risk management,” says Sentance. “If the data is good, people will want to use it.”

“A firm with accurate risk assessments updated frequently can free up more assets for profitable trading opportunities,” says Powers. Warford agrees: “Banks could actually make money from complying with MiFID by offering best execution and having better reporting mechanisms for their customer base.”

“Increased visibility into a customer has huge benefits in terms of understanding what the customer requires from you, and therefore how you can cross-sell or up-sell products or services,” adds Moore. “In addition, rationalised processes and accountability lead to reduction in duplication across departments or geographies, while increased security and data protection systems should lead to a drop in breaches and therefore, ultimately to cost savings – many banks currently have contingency funds set aside against liability for data breaches.” Rolls agrees, highlighting the importance of reputation: “Compliance with security and risk management regulations ultimately leads to increased customer and shareholder satisfaction in the security and honesty of the business,” he says.

One thing is certain: creating a firm basis for flexible risk and compliance measures now will enable financial firms to stay ready for future developments. “Regulations are clearly continuing to move in a principles-oriented direction,” says Gratton. “Regulators prefer to establish what they see as good process, with firms being obliged to show that they have established such process and are in control of it.”

Sentance agrees that regulation follows trends in risk: “Liquidity risk seems to be the flavour of the month given the recent Northern Rock affair, so I expect more regulation to follow in this area.”

And as the risk and regulation landscapes continue to develop, the companies that are ready to respond, flexible and responsive rather than tensed up, will benefit the most. “Regulation will only get deeper,” predicts Moore. “New compliance laws usually follow major issues, so as new risks to financial services emerge, further regulation will follow. Systems put into place now must be resilient enough to cope with further regulation and control mechanisms.”

“Quantitative risk analysis is a rapidly evolving field,” adds Powers. “Recent disruptions in credit markets have led to an increased focus on disciplined, detailed risk assessment. This trend is continuing, and tighter integration of risk management with pricing and trading functions seems inevitable. Complexity of analysis is increasing, while executives are demanding greater visibility into the entire firm’s positions on a near-real-time basis. These factors are combining to drive more asset managers to look at new technology offerings that dramatically improve the performance of their risk management applications.”

This feature was originally published in the Winter 2007 issue of Finance on Windows magazine