30 October 2008

The recent volatility of the economy has made it important for an organisation to be able to manage financial risks

In a tumultuous economic environment, risk and compliance practices are more important than ever. Jacqui Griffiths looks at how financial firms can find safe harbour in a sea of uncertainty

Globalisation has changed the way many businesses operate. As their market place swells and diversifies with a growing number of channels and cross-border transactions, risk management and compliance have become top strategic priorities for many financial firms. But recently, the situation has been intensified by crises in financial markets the world over, and no one is safe.

“This really was a tsunami of systemic risk, on an unprecedented scale,” says Sai Sireesh Pachava, director of governance, risk management and compliance solutions for worldwide financial services at Microsoft. “It was triggered by a credit crunch which totally overwhelmed the risk management capabilities of the institutions that were directly impacted. The underlying fault line of this tsunami will take months or years to fully analyse and attribute.”

Clearly, financial firms need to be better prepared to handle such events, and as the industry works to repair the damage, it can expect a transformation of the competitive landscape. “There will be fall-out from recent events such as Lehman Brothers collapsing and mergers between large banks such as Lloyds and HBOS,” says Mike Bush, head of product development at Business Control Solutions (BCS). “A lot of today’s situations – such as the creation of these ‘superbanks’ – would never have been allowed to happen five years ago on a pure antitrust basis, let alone operational risk and control.”

Indeed, the superbanks are something of an unknown quantity, as Bush explains: “These mergers may have saved financial markets from a credit risk and capital exposure perspective, but they’re also introducing a lot more operational risk in the sheer size of the operations that are being merged. Leaving aside any questions over competition, will combining any existing operational risk issues of two major organisations create an even bigger problem, or will it create something that’s a lot more efficient, streamlined and resilient to market conditions? It’s more important than ever to get it right now – for example, the merger of HBOS and Lloyds has effectively created a superbank with around 40 per cent market share in UK domestic mortgages. If that goes down in five years time, then there really is no recovery.”

Looking within
“Many risks, such as credit risk, fraud and foreign exchange risk, are not new,” says Tim Shaw, global product manager at currency and travel money solutions specialist, IMX Software. “However, the recent volatility of foreign exchange markets, for example, and the increasing costs of borrowing money have made it more important than ever for an organisation to be able to manage these financial risks. Compliance is the area where most change is taking place, and given recent events in the financial industry, will more than likely continue to be a prominent issue. The fines being imposed by regulators on organisations that breach compliance guidelines have become extremely harsh, and there are many examples of organisations discovering inadvertent compliance breaches within their own processes, reporting them in good faith, and still being severely fined by regulators.”

So, not only are more and tighter regulations on the horizon, but companies also need to look at their own existing risk management strategies, as these are also falling short. “The current crisis, with its threat of a global domino effect, has forced all financial institutions into a crisis management mode to proactively manage their risk exposures,” observes Pachava. “Really, the question on everyone’s mind is, ‘how well did our existing risk management culture help us withstand this crisis, and where must we improve?’”

“More regulations will appear, and there will be more enforcement of existing regulations,” says Alan Kiraly, chief executive officer of Enterprise Informatics. “CEOs and others who run organisations will have to ensure that they looked at all aspects of any investment, project or financial deal to properly assess the risk, and that they’ve documented those risks and their analysis. They need to be able to show later that they did their due diligence, and that it was available to everybody who needed to see it during the process. Traditionally, that hasn’t been done. Companies might have implemented systems and stored their contracts in them, so they know the contract is the version that was signed, but they haven’t linked it to all the other pieces of information that relate it and pulled it together into a controlled set of information that can be tracked. That’s something that highly regulated industries such as nuclear learnt they had to do, and we’re now seeing it crossing over to the financial community.”

Nigel Lee, chief commercial officer at Financial Architects (FinArch), agrees that there is far more to this than the isolation of sensitive documents. “It is no longer possible to view risk as a discrete component of enterprise performance measurement,” he says. “Today, the issues of risk management and compliance must entail a holistic approach to risk assessment, with compliance an integral part of that. Whether looking at profitability or regulatory reporting, risk is now an important element. Risk- adjusted performance measures are key, not only to an effective capital management strategy, but also to an effective accounting procedure. The adoption by most banking regimes of Basel II and IFRS now makes such assessments a feature of regulatory obligation.”

People power
Technology is key to an effective risk culture, but there is more to it than that. “In general, software systems are not compliant – organisations are,” says Shaw of IMX. “But if an organisation is aware of the compliance it wishes to achieve, then technology can support it in achieving its goals.”

“The encompassing nature of risk management means that there are many dimensions to consider,” adds Pachava. “Corporate governance standards, risk management practices, culture, people, their behaviour and technology, as an enabler for real-time risk management, all play a part. The institutions that have managed their risk well in this crisis, and even benefited, obviously have higher standards for risk management, corporate governance, loan/mortgage origination business, and tighter oversight of the credit derivatives business.”

The good news is that the means of achieving this is already part of the company. “Nothing needs to be thrown away,” adds Bush. “It’s more about what’s missing. For a long time, risk management has revolved around numbers and complex simulations. What’s been left out of the equation is the people who actually run the business, and their views as to whether there might be a problem. Even if the numbers aren’t suggesting it, there are people in operations functions who do the same job day in, day out – if anyone’s going to spot that something’s out of the ordinary, it’s those people. But few institutions seem to have a mechanism in place that allows that subjectivity to lend context to the numbers.”

Thus, in a successful risk culture, technology and operations are two sides of the same coin. “Technology is there to empower the delivery of information from the line up the management chain,” continues Bush. “Instead of using technology purely as a horsepower reservoir to crunch numbers and spit out reports, there’s a fantastic ability with technologies such as distributed computing, Web-based applications and mobile devices to get a lot of information to a very diverse co-located organisation. People in New York and Asia can communicate about the same issue quite easily, whereas in the past that would have been difficult.”

An integrated approach
One key lesson is that there is no point in implementing the best, most up-to-date technologies if they are unpopular with the people who need to use them. Pachava points out: “Microsoft recently commissioned a global risk management survey with the Professional Risk Management International Association, which benchmarks the role of enterprise risk management in current and future business processes and assesses best practices. It highlights the top three issues as user training, ease of use of tools, and familiarity with tools.”

It is clear that any successful risk management and compliance ‘system’ must be made up of every person, process and piece of technology in the organisation. Perhaps unsurprisingly, Microsoft technologies have a huge role to play here. “Some people may think it sounds trivial, but it’s a big deal,” says Kiraly. “That’s why Enterprise Informatics uses the Microsoft stack and Office tools – if someone is comfortable with their technology, the information is accessible and they get value from it, then they use it. In addition, nobody can touch the cost of ownership of a Microsoft technology platform. Compliance becomes part of your process, not something that you do as an extra overhead cost.”

“Familiarity breeds acceptance and high rates of adoption,” adds FinArch’s Lee. “Any technology has to be familiar to the tools already pervasive in the chief financial officer/chief risk officer function. Microsoft technology plays an important part in that respect. Reporting Services provide end users with Excel, arguably their number one tool.”

“The way technology has evolved gives us the ability to embed it in a line process without making that process or function more difficult to perform,” says Bush. “The prevalence of Web-based applications, for example, means that collating information across multiple locations doesn’t require software to be installed on anybody’s machine. As long as they have a network connection and a browser, they can connect to a centralised system and transfer data quickly. That has a huge impact, because it no longer ties workers to a physical location – they can do exactly the same job, and follow the same processes, wherever they are. The Windows server platforms have enabled new Web applications to be developed that are easy to distribute, and costs for the underlying architecture and platform can be kept low.”

Plotting a course
As financial firms navigate the choppy waters of today’s global economy, one thing is clear –they can’t afford to ignore their organisational risk management culture. “The crisis has been a game changer in terms of redefining the global financial sector landscape, and will have long-term, wide ranging ramifications for the risk management practices and profession,” says Pachava. “Given the dynamic environment, it’s certainly difficult to predict what will happen. Broadly speaking, though, we can expect a higher bar for risk management; new and tighter regulations around credit discipline, credit derivatives, capital adequacy and so on; more centralisation of risk management functions; revisions to risk-based approaches to supervision; strict enforcement of a CRO role (often played by the CFO), and a review of government-sponsored entity-type institutions around the world. As investment banks convert to banks, there will also be increased focus on banking book exposure management.”

Looking forward, there will be an increasing need for a coherent, flexible approach. “The future will be about convergence between risk and finance,” says Lee. “The volume of regulatory change will increase, but it will also become less prescriptive and more subject to supervisory review of process and understanding.”

“The need is stronger than ever for flexible systems that can match both the organisational and regulatory policies,” adds Shaw. “Systems must continue to evolve to meet emerging legislation.”

“Completing the picture by creating a fully integrated risk management and compliance culture will undoubtedly bring benefits, but it will also increase information management challenges,” says Bush. “As subjective judgement is brought in line with the numbers, a lot more data will become available. Eventually, the information dashboard that’s so useful now will become overpopulated. A term that will become more prevalent in the future is ‘active management information reporting’ – systems will have to suggest to people where problems might be, rather than giving them the same reports and information every day. There will have to be more emphasis on looking for patterns and changing dashboards according to operational risk health. In order for that to be possible, there must at least be recognition of what the baseline of operational health is, and that all ties in with the concept of mapping your process, mapping the control over the top, and defining what tolerances you’re prepared to operate in.”

“The financial industry is getting very close to other regulated industries,” observes Kiraly. “It’s realising the global effects of any single incident, and companies are beginning to take control of processes so that, in case of an adverse event elsewhere in the industry, they can at least prove that they followed the correct processes and that their customers can trust them.”

In the longer term, by marrying objectivity with subjectivity, technology with people, financial firms can enable themselves to live side-by-side with risk. “Nobody will ever want to get rid of all risk,” concludes Bush. “If you get risk of risk, you get rid of opportunity, so there will always be a risk and reward balance to be measured. But at least if you know what your risk is and you can quantify it, you can then measure your actual process against that.”

This article first appeared in the Winter 2008 edition of Finance on Windows magazine.

Add a comment