Victoria Tozer-Pennington, Editor, Operational Risk & Regulation
Marcelo Cruz, Global Head of Operational Risk Analytics, Morgan Stanley
Stuart Grant, FSI Business Development Manager, Sybase
Gaurav Kapoor, Chief Operating Officer, MetricStream
Peter Knott, Group Head of Operational Risk, Standard Chartered
Enterprise risk management (ERM) has been experiencing something of a renaissance since the start of the global financial crisis. Financial institutions are looking to implement more integrated risk management systems, but some people say they are taking their time considering the lessons of the past.
What would you consider to be the drivers for financial institutions to put into place more integrated systems?
Marcelo Cruz, Morgan Stanley: Regulation is one. Banks are heavily regulated so you need to have a formal process to deal with these regulations. You need to be able to map all the risks to which you are exposed and map how you deal with them – whether you allocate capital against these risks or not and, if not, explain why. The banking industry started working on the Internal Capital Adequacy Assessment Process (ICAAP) framework as per the Federal Reserve request, but we ended up seeing great value in this process as well. The ICAAP process will make banks pay more attention to ERM as a whole.
The second is cost optimisation. Large banks have large operating costs and expenses, and these need to be optimised constantly. However, reducing these costs can be dangerous if you make controls more relaxed. If you have a very thorough ERM process, you will know exactly where and when you should focus your controls because you understand the firm’s overall risk profile. ERM can be an important tool to guide cost optimisation by indicating where you need to spend more in controls and where you are in good shape.
Peter Knott, Standard Chartered: If anybody needs persuading that a holistic approach to risk management is necessary, then the last couple of years have demonstrated that.
It has been expected by most external stakeholders – regulators, investors or rating agencies – that you can articulate clearly what your risks are, how they join up and how they interconnect. Part of that is having the right information on a consistent and timely basis to really facilitate better decision-making. This gives you more insight into making the right risk response decisions – whether you are going to avoid certain risks, reduce them or accept them. I think you get better management of boundary issues and this is an area in which we have seen some of the casualties of the last few years, where there hasn’t been the linking between credit and market risk or certain elements of operational risk. Those boundary issues are pretty important. Things falling between the gaps must be identified, and often they are not if risks are managed on a silo basis. Making more effective use of scarce resources – whether people or capital – is a benefit of a more integrated system to give you the confidence that you are looking at your risks in a more competent way and can tell the board and stakeholders that you’re within the risk appetite that you have assigned.
Stuart Grant, Sybase: I think the key thing for us at the moment is the regulatory angle, which is really just a facet of improving business agility. Risk management is now just the cost of being in business – it’s something that needs to be done on a day-to-day basis. The complexity we see, however – particularly for organisations that have multiple business activities or operate in many geographies – is how they use that risk process to make better decisions when they enter into a new line of business or move their risk appetites around.
ERM, in particular, is something we are seeing as the catalyst for a cultural change and a cultural shift for a lot of firms, because, in the past, there have been both political and non-political reasons why the risk disciplines that make up enterprise risk have had differences of opinion or different reasons for undertaking the decisions they have made. We are now starting to see this umbrella view of the world emerge, which is fundamentally changing the structure of the process – of the systems and of how organisations do business.
Gaurav Kapoor, MetricStream: The largest driver for companies to adopt integrated ERM is the ability to react rapidly to changes in the business environment and adverse events, which leads to greater confidence among their stakeholders. Integrated ERM also provides globally spread independent business functions with the capability to integrate risk information into management decisions and drive actions to resolution.
We see a lot of risk-based audit planning and risk-based compliance programmes – for example, in large banking and financial services organisations – but we are starting to see a definite trend of silo-based plans for risk management going away. An immediate response to business events and risks emerging across the organisation is gaining priority and that is one of the key reasons for companies to move towards a broad-based view of ERM.
Are the benefits worth the cost of implementing an expensive integrated platform?
Grant: That question makes the assumption it is expensive to put a platform in place. A lot of organisations already have very good data and analytics in place, it is just not necessarily lined up properly. It’s not available in a single environment – it’s fragmented, siloed and not performed on a timely and consistent basis. This is an area where an ERM approach helps to transform an organisation’s ability to capitalise on its existing capabilities. There is an opportunity to start pulling them together.
The first stage is to pull together the analytics and the capabilities that already exist within a firm, aggregate those and provide them as summary ERM-level functions. The problem most organisations face is that they leave so much granular information on the cutting-room floor, which is where the costs are likely to come from at some point in the future.
Many organisations run their day-to-day practice on pre-aggregated information or summary-level data, which means they have a lack of efficiency and consistency across functions or the analytics process. People have taken their own interpretation of the underlying information that was used to produce those reports in the first place.
One thing we have seen on a regular basis is a single basic trade record from a front-office system being duplicated and replicated 10, 20 or 30 different times in different directions, and then the downstream recipients of that data look at it from their point of view. If they update, correct or augment that information, then the analytics or decisions they make based on that information are going to be different from other organisations or other functions throughout those organisations. At the moment, I don’t think there is a prohibitive cost reason for moving ahead with an ERM project. I think the problem is actually coming in and unwinding the systems that are in place at the moment to get to that granular-level information. This can automatically flow from the level-one information down to the more granular depths in levels two, three or four.
Kapoor: Companies are already spending a lot of money on managing risk, compliance and assurance functions that surround the ERM programme. So, there is not necessarily a need to set aside a big budget to create an ERM programme, irrespective of whether it is a programme itself or involves putting a technology solution in place. The key thing – as Stuart mentioned – is to unwind. We are definitely starting to see that processes are being designed within companies to get a common scenario – for example, how the same risk is defined in the organisation by different groups, functions or geographies. In some companies, we have seen one control being tested multiple times when it could have been tested once to manage a particular risk. The ability to have a common information model and to drive extensive collaboration is more of a cultural initiative than the budget issue.
Cruz: I would have to disagree. It is more expensive. The data you need to measure in order to make analytics work in a reliable and robust way is pretty much spread out in silos. Getting this data is something that will demand a lot of time from people, so cost in terms of information technology people, human resources, key budget and software is not cheap, especially when budgets are very tight this year.
There is also the problem that a lot of people inside the firm, even market risk or credit risk managers, don’t know exactly what ERM means. They ask if it is it something related to operational risk, which is why operational risk managers are so concerned about it. They think it does not involve them, but there will be a number of situations in credit risk – such as concentration risk – that are not covered by their methodologies, so they need some more measurement or better analytics to be understood and mapped. This process involves people and getting data from the credit risk systems, so it is not cheap and not easy. I also disagree that it is readily available – I think it’s a progress and an evolution. I definitely think ERM is now key, especially as regulators are pushing for this. Call it different names, such as the ICAAP, but they are pushing and driving this process.
Grant: I would agree it is definitely not simple, but there is an obvious need for it. A recent statistic suggested that financial services organisations in Europe spend nearly 90% of their technology budgets on maintaining existing systems. The assumption that cost is a prohibitive factor in the case of ERM is made because many firms – traditionally larger global firms – tend to have systems that have been built up and developed over the last 10, 20 or 30 years. These systems tend to take traditional technology approaches to solving the problem as opposed to newer techniques or innovations to grab the data in a noninvasive manner, without disrupting existing business activities or putting any undue pressure on the resources that are already in place.
We are seeing a small number of organisations shift their budgets so they are operating more on newer innovative technologies and they are achieving far more than the traditional approaches. But one of the complexities is the culture of the firm. There can be a bit of a chasm between the business and technology people in terms of the requirements and expectations of how long it would take to deliver the same. There have been a number of cases where the business lines have been told that a particular project to provide integrated intra-daily views of risk and risk analytics would take many years to complete and cost tens, if not hundreds, of millions of dollars. Some of those organisations have made the decision to go outside their traditional development approach in order to solve those problems, and have successfully delivered those projects inside a year for a fraction of the cost.
Knott: One thing that probably none of us are short of is data. The challenge is to find a smart way of using that data through superior analytics. There are some quite cheap and cheerful ways of accessing the richness of the data and it doesn’t necessarily have to be a very expensive all-encompassing system. In fact, I’m suspicious of any sort of single solution and I’m very much in favour of finding smarter ways to access and link what you already have sitting in data warehouses and legacy systems.
There are clearly a lot of new requirements for regulatory reporting and budgets are being channelled to satisfy these requirements. The trick is being able to leverage what we are doing – the way we are using data and storing data – and being able to apply proper analytics to that data to really add the value, to help us understand our risks and how we are managing them.
Grant: Peter is absolutely right. One of the areas that we see firms getting frustrated with is the regulatory reporting landscape. One of the unfortunate aspects of operating in financial services is that, if you participate in many different types of financial business activity and operate in different geographies, then you have potentially got 10,000 different regulatory borders that you need to deal with. And those regulators don’t necessarily co-ordinate the contents of their regulations, the reports that are required and the release of that information. We’ve definitely seen budgets moving towards integration of regulatory reporting capabilities as firms struggle to keep up with the volume of reports that are required.
Accessing the vast amount of internal data that firms have is a problem. We are at a point – I think almost a crisis point – in terms of the way organisations operate on a day-to-day basis in that the volume of data that is flowing around firms can become the prohibitive factor – there will be a tipping point where, if you go beyond that volume of data, you won’t be able to operate on an efficient basis.
Risk systems now regularly pump out up to a terabyte of data as well as the underlying granular transactional information. The traditional approach that many firms employ is to move that data to the end-user function, which can lead to duplicating that information and moving it in several different directions. This means that firms have got to maintain the synchronicity and accuracy of that data, which is an extremely complex and costly role to undertake. The systems and capabilities of technology now mean that firms no longer have to duplicate and move that data in many different directions. They can actually perform analytics on the data in situ, which means you can have one version of the truth in many different environments.
Some firms argue that ERM can be done through the chief risk officer (CRO) and does not require technology to do it effectively. Does this view have some merit?
Knott: There is usually a heavy reliance on technology in one shape or form. Whether this requires a totally integrated platform or not is the question here. I would argue that a CRO will use various tools in the toolkit to manage the risk on an enterprise-wide basis. I guess the question then is: how complex and integrated do those technology solutions need to be in order to do that?. The CRO’s job is to ensure the risks being taken are identified, understood and reported in a way that will allow the CRO, along with senior management, to make appropriate decisions on a timely basis and make sure those risks are managed in line with the board strategy. I would argue that, with the right governance structure and with a strong confidence in data integrity, effective risk management can be achieved without having a single integrated ERM platform. It is a question of having the right information available to facilitate the discussion and to challenge decisions appropriately. With a strong governance process, ERM can be achieved without a single platform, but it is obviously facilitated by better information and strong data linkages.
Cruz: It is very difficult for one person, the CRO, to oversee risk in an organisation, with all their complexities, without tremendous technological support, so you need to have outstanding IT support to help the CRO. There is also a lot of correlation between risks and, identifying that, we need access to good-quality data and good analytical techniques as well. Running stress tests for regulators is a big job – there’s a lot to do, so it does require technology and some investment to do it well with an ERM framework.
Grant: Focusing on whether or not the CRO can perform the ERM role is underplaying the role of ERM. It is really a framework for policy, control and the aggregation of information from multiple systems. But it’s not just about the inputs to that. It’s also about the outputs – the communications to the boards, the risk committee and the directors – as well as actions that need to be taken by lines of business to control their risks and monitor or change their risk profiles accordingly. Is the CRO an appropriate aggregation point for all of that information and process? Probably not. Rather, the office of the CRO is an environment in which that can be built out and developed. The whole role of ERM is to look at risk capabilities, but the decisions and change are a cultural process.
Kapoor: The opinions of the firms that we deal with depend on how the organisation defines ERM and the role of the CRO. We see that the CRO’s role is more to create a culture of risk awareness, drive the whole risk management strategy of the company and create an environment to enable risk mitigation and reporting.
Why have ERM projects failed in the past and do you have any examples of success stories?
Grant: There are definitely examples of firms that have managed to make some success of ERM. We have seen two, maybe three, examples that were a success, which were mid-tier organisations with a limited geographical focus or a single primary business activity. But the real cost benefits of ERM are to be found in those global organisations that operate in multiple business activities and geographies. However, this is also where the projects fail, partly due to the fact that an organisational and cultural process hasn’t been undertaken first.
As with most things of this scale, for these kinds of projects to be a success they need to start at the top of an organisation and flow throughout. Unless there is a clear single definition of what is expected and what the ultimate goals are, then it is going to fail. It needs one figurehead to take these things forward.
Kapoor: The moment you start calling it ‘an ERM project’, it will inevitably fail. In my opinion, ERM is really an ongoing process, which has long-term implications. As Stuart pointed out, it requires complete top-level executive commitment – not just from the C-level executives, but also the board. Lack of executive commitment is one of the main reasons why some ERM programmes fail. I have also seen a lack of synergy between different groups – people are still either politically or functionally very disparate and are not agreeing on how to define, view and measure risk. Where companies have successes, we have clearly seen a link between what I would call ERM and performance. But, most importantly, it is really an ongoing process.
Click here to view the article in PDF format
The week in Risk.net, February 10-16 2017Receive this by email