Beyond the crisis


OpRisk & Compliance: What kinds of regulatory challenges will firms be facing in 2009 and where will regulators be focusing their efforts at reform?

Scott Kwarta, OpenPages: I think initially, when examining the financial institutions, regulatory agencies and supervisors will focus on where firms are from a capital standpoint, what they are doing to assess capital adequacy, against the risks they have identified. So I think there will be certainly be immediate heightened scrutiny regarding financial institutions and what they are doing.

I think from a regulatory standpoint, we are probably going to see some swift action in various countries, as they start to address some of the areas that have led to the crisis we are facing. The exact areas the regulators will be focusing on might vary, but I think there's going to be many different touch points. Certainly we are going to see greater focus in the credit area, as well as regulation regarding financial instruments and derivatives, really enabling more transparency within financial institutions.

I would expect the regulators also to focus on disclosure requirements, so that it will be clear to stakeholders and investors what types of instruments financial institutions are invested in and have on their books. I also expect we will see a lot of focus in the area of risk management. Certainly there is a lot of discussion going on in the industry about the role risk management should play within the crisis, and lessons have been learned. I think there will be greater pressure from the regulatory agencies to ensure more strict guidance relating to risk management practices as we go forward.

Avi Eyal, Cura Software: Given what we have seen happening globally, the contagion, so to speak, has started with the financial services and insurance firms. Capital adequacy can be taken care of, and there are formulae to take care of these things, such as Basel II and Solvency II, that are being rolled out. What we haven't started seeing yet is the downstream effects of this contagion, and the resultant recession that will no doubt be with us for a while.

I think one of the big challenges or risks facing us today will be in the areas of credit default swaps, bonds and things like that in the financial services environment, which naturally affects all downstream businesses and any large company that has outstanding bonds or debt, and so on. In terms of the regulators, if they want to focus in an area, obviously that would be a good start. One of the interesting things to come out of this crisis recently related to the CDO [collateralised debt obligation] of big insurance firms in Europe. It was noted that the main use of Solvency II is to help regulate insurance firms, but it is the lack of internal controls and operational risks that have resulted in some of the big losses. In the financial services arena, a lot of the risks and resulting events that have happened have been related to the operational risks or to the lack of controls, or the lack of adherence to controls that were on paper but weren't enforced.

Unfortunately, what's ended up happening is that regulators will move away from a principles-based approach, which is well known in Australasia, Europe and Africa, and move towards a toughened approach based less on principles and more on rules. This seems to be what will happen in the US and certainly has already been written into some of the bail-out conditions for firms. What we are seeing is the tip of the iceberg in terms of the financial services firms and insurance, but this will have a wider effect in the regulatory environment. I don't think the regulatory environment will change, per se. It will just get a bit stricter and certainly regulators in different countries will not even look at reform, I think they'll look at the opposite of that.

OpRisk & Compliance: What kinds of system and control breakdowns led to the crisis? How can financial services firms improve their system and control environments?

Scott Kwarta, OpenPages: I think there are potentially a couple of areas, which that will continue to be the subject of debate and discussion across many organisations. Some organisations, such as JP Morgan and others, were able to identify the impending risks and the exposure they had, and although they did suffer losses, they were able to reduce their positions and get out before they suffered serious consequences. The question comes, were they doing anything differently than other organisations? I think breakdowns occur in systems and controls that help to monitor risk positions, the exposure of an organisation, and all the various other factors such as economics, market factors that could affect the risks an organisation faces. It then also goes along the line of structures that were either not in place, or were not working effectively, so were not able to look at different scenarios and stress testing of various risk positions the organisation was in.

This whole crisis is an example, not of a single area of risk exposure that an organisation faced, but multiple areas of multiple exposures, and multiple events happening in the market simultaneously. The question is what type of activities organisations are going to do to monitor different types of events, to understand the correlations in the effect these events could have. I think from a control standpoint as well there are probably areas of reporting an escalation that were not working effectively in some organisations. There is a lot of questioning over whether senior management in some of these firms have true visibility and understanding of risks. Were they informed on a timely basis about the various things that were happening in the increased risk exposure we face?

Another thing that has come up is, did they know about the risks and just decide not to take action? Was there greed involved in the upside of the money that was being made and a decision made not to liquidate positions? Because the organisations that did not suffer the tremendous losses that I mentioned earlier did take hits, they did suffer losses, and it was a decision on management's part to take that loss in order to reduce positions. There will be a lot of questioning of senior management teams in these companies on what information they had and whether they had an exit strategy, or whether they were too focused on the end prize and by the time they realised they needed to take action it was too late.

Avi Eyal, Cura Software: I agree with that to some degree. The challenge of course is that a lot of what has happened could be put down to a lack of basic risk management on the side of credit committees and risk committees of these organisations. You will note that organisations that have renowned knowledge, and that focus on people sitting around the table and discussing risks and really challenging the assumptions, have suffered less. You will also see that the organisations that were less fuelled by commissions and aspects of individual remuneration also suffered less.

I think, lastly, you need to look at it from a perspective of a portfolio approach. Many times organisations look at risk in isolation, or risk by department or risk by year, or something like that, and if one took a portfolio approach, one could see a heavy weighting in one specific asset class, and hopefully that would raise alarm bells. I was sitting with the chief risk officer of an investment bank in Europe, and he said to me: "You cannot regulate greed!" So one should not underestimate that when greed is at play, people do what they can to get around systems as well.

OpRisk & Compliance: How will the crisis help operational risk and GRC - governance, risk and compliance - to evolve as disciplines?

Avi Eyal, Cura Software: Well, I think operational risk is a known item. I think governance, risk and compliance as a whole is a known entity. They continue to evolve in terms of including additional items, additional processes, additional disciplines within an organisation, but I think the GRC systems as a whole, the operational risk systems as a whole, are well evolved, and do the bulk of the things that need to be done to help prevent these sort of crises happening.

The challenge is really the will of the business to adopt them, which I think is very immature, mainly driven by a documentation approach, or by an approach that 'we have to do it, so we'll reluctantly do it', rather than 'this can actually help our business. This can give us competitive advantage'. That needs to change. The adoption of the right policy statements at the top of organisations and driving that down into the organisation structure, coupled with a real ownership by management in all organisations, will help prevent these crises. The systems really follow the frameworks that are put in place; the methodologies put in place.

And so, generally across organisations, what we see is that they really need to take ownership of these things. Risk needs to be a core organisational process. It cannot be a bunch of guys sitting in a corner office, collating some information and presenting it once a month to a management committee. It has to be owned by every manager in the business, and every agenda and every minute that has been taken. We need to get to a cultural adoption of these things so that, in these organisations, at the end of every meeting, at the end of every opportunity that one looks at, one asks: What are the risks, what are the opportunities, what are the compliance issues? Are we breaching any governance process issues? Or how do we make use of the environment that has been created for us in the organisation to help us achieve our objectives?

Scott Kwarta, OpenPages: Certainly. I agree with Avi in a lot of what was just mentioned. If we look at Basel II, for example, there is an expectation. Basel II is very principles-based. One of the things that it looks for within organisations in their adoption of Basel II is the 'use test'. To Avi's point: Are the risk management practices around operational risk, around governance, risk and compliance, embedded into the DNA of the organisation? Are they embraced by management and viewed as part of the management process? I think that's the true test here. I think that the crisis is going to help focus in that area.

From the supervision standpoint of the regulatory agencies and other parties, and from that of shareholders, stakeholders and investors in these organisations, they are not going to be happy with just the fact that an organisation has a risk management framework in place and that it has got some technology and processes in place. They are going to want to know that management is making informed decisions, and those decisions are being made through the visibility and understanding of risks within organisations. So I think we might start to see the evolution of more accountability being enforced throughout organisations.

What is needed is a shift in the area of incentives and compensation within an organisation. Compensation still tends to be geared towards revenue and profits and there is not enough focus on operational risk aspects, understanding risks and managing against those risks. So I think we will start to see a shift there in organisations, which will help take these governance, risk and compliance practices and really make people accountable for them within all levels of an organisation and embed them within its DNA. So it is not enough that you are making money for the company, but you should be making money in a cost-efficient way, understanding and managing risks, so that the long-term capital position of the organisation is being preserved, maintained and positioned effectively for growth. We have already seen some discussions at a lot of different levels about what the role of a chief risk officer is going to be. Is there a need for more independence within risk management functions, such as we have within internal audit functions today? Is that independence in reporting to the board level, or also independence of selection of that individual within that organisation? There is going to be a lot of responsibility to say that these practices are truly part of the organisation's management structure.

OpRisk & Compliance: What types of initiatives should operational risk and compliance executives be focusing on in 2009 to help add the most value to their organisations?

Scott Kwarta, OpenPages: I think there are a couple of areas. I think certainly, initially, the op risk, compliance and governance executives in organisations need to focus on what their current risk profile is, as it stands today, and make sure they have a good understanding of the current risk exposures they're facing, and that they have good processes in place to make sure they can manage them effectively. Then I think the next issue is that we will probably see a lot of investigation. Why did our organisation suffer what we are suffering? What are some of the breakdowns? What were some of the issues? Where were some of the pitfalls or the gaps that we have in our programmes? Firms could really use it as a learning experience, and then based on that, try to formulate what areas within the organisation, whether it's governance, risk or compliance, need to change or need to be reemphasised and focused, as with many different things that happened to organisations, as well as things that are happening to competitors. It's that learning experience that the compliance and risk executives need to take on board, so that they can start to push a value in those directions.

I think one of the areas we will see is the area of scenario analysis: understanding what can go wrong and really trying to think outside of the box, and understanding all the different driving forces - all the different correlations and causal events - that could come together. And running those scenarios to understand whether the organisation is positioned to weather those storms.

I think another area we might see is a focus on not just understanding risks that an organisation is engaging in, but whether management has an exit strategy. So as management is moving in certain business decisions, in understanding the risks the firm faces, do they also have an understanding of what an exit strategy would be? Should the risk and exposure that an organisation faces start to surpass their tolerance and appetite? I think some organisations were shy in taking action as the credit crisis started to build. They were afraid to take the losses. They did not have an exit strategy, and by the time they started to identify an exit strategy, the losses were too significant for the organisation to bear.

Avi Eyal, Cura Software: The first thing to address is the way this question is structured - it should not be an initiative in the first place. The key thing here, as I said before, is to focus on making this a core organisational process. Initiatives die, initiatives end. Executives need to look at their businesses and organisations, and start embedding this risk and compliance information and processes into the core of what they do. They need to educate their staff, the employees of their organisation, in how to manage it, in how to run it, in how to report on it, and to really make it part of everything they do. If that is done, then as a result there will be a significant improvement in the risk data, in the compliance information that is circulated and a real adoption of the treatments or optimisation strategies that are used in the organisations.

I also think that by starting to standardise an existing glossary of terms - understanding that we all mean a risk to be what it is - will make a big difference to organisations. If you look at the ratified ISO 31000 risk standards that have been published and are now enforced, you will find that these glossaries of terms do not need to be uniquely defined by each organisation. The meaning of 'risk' is standard; a risk treatment, a control and objective. So, one can very quickly adopt these international standards within the organisation to help educate staff and get things done in a clear way that makes sense internally and externally. I think the rest will follow. I think that the very idea of embarking on an initiative is bound to fail before it starts, because it will not get the desired effect in an organisation.


Avi Eyal co-founded a software development, systems, outsourcing and business consulting firm in 1992 while completing his engineering degree. He sold the company to a public global technology corporation in 1997 and served on its board for a year.

Eyal established and participated as general partner and manager of a private equity and venture capital fund between 1997 and 2004. He co-founded Cura through his investment activities and joined as chief executive officer in the third quarter of 2004.

Over the past eight years, Eyal has acted on the risk and compliance committees of global private and public entities, and brings his wealth of experience to Cura both from a management and thought leadership perspective.


As director of professional and advisory services, Scott Kwarta is responsible for providing risk management advisory services to OpenPages customers. With a focus on helping customers develop and implement effective risk management frameworks while leveraging OpenPages technology, he has more than 15 years' experience in audit, risk and control management.

Kwarta joined OpenPages from Citizens Financial Group, a wholly-owned subsidiary of the Royal Bank of Scotland, where as senior vice-president and director of operational risk and Basel II, he was responsible for the corporate-wide development, implementation, and oversight of an operational risk management framework and an underlying technology solution. Before his risk management role, Kwarta was a vice-president of internal audit.

Kwarta began his career at KPMG in New York and then Rhode Island. As a senior audit manager, he specialised in community, commercial and international banking.

- To listen to the webinar in full, visit: or go to: and click on "Beyond the crisis".

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here