Positive outlook for op risk software

Investment in operational risk technology tools looks set to accelerate over the course of 2006, with some firms getting set to spend on a vendor-based package for the first time, while other financial institutions are already putting second generation software in place.

According to this month's OpRisk & Compliance Intelligence survey – sponsored by independent internal audit and risk consulting firm Protiviti – 38% of financial services firms responding to the survey believe that technology costs relating to operational risk initiatives will rise by between 1% and 9% in 2006. Another 22% see costs rising by between 10% and 24% during the same period, and 13% expect costs to rise by more than 25%.

This compares positively against the past 24 months, during which 36% of respondents said there was no change in technology spending on op risk initiatives, and 33% said costs would rise by 1% to 9%. Some 14% each said costs would rise by either 10% and 24%, or by more than 24%. So, clearly, financial services firms are preparing to invest in op risk solutions over the coming months.

This makes sense – deadlines in Europe are rapidly approaching, with the advanced measurement approach (AMA) coming into force in January 2008. Some 37% of our financial services firm respondents said they were keen to implement the AMA, while 39% will be adopting the standardised approach. Just 8% will be taking on the basic indicator approach, while 14% will not be adopting a Basel II op risk approach.

It's not surprising then that 31% of respondents are midway through their implementation, while implementation is almost complete for 22%. Some 11% are making adjustments to their initial implementation framework, while a lucky 3% are actually assessing their implementation, post completion. Just 12% say they have not started their implementation, and 14% are in the initial stages of implementation.

Respondents also seem to have a better grip this year on which tools they will need to both manage op risk and calculate economic capital. Internal data is the favourite tool, with 74% of financial services firms responding saying they will use it to manage op risk, while 59% say they will use it to calculate economic capital. But while the use of other tools for managing op risk is fairly advanced, the use of more 'qualitative' tools for calculating economic capital seems a bit further behind. For example, while 52% of respondents said they will use key risk indicators for managing op risk, only 28% will use them for capital calculations. Similarly, 54% would use business or environmental controls information for management, but just 30% would use them for calculation.

"Given financial institutions' historic record of managing market and credit risk, quantitative analysis appears to be a more mature discipline within the industry," says Scott Gracyalny, managing director of risk technology solutions at Protiviti. "It follows then that internal loss collection is the furthest ahead in terms of risk tools implemented thus far. Combining loss data with risk assessments, KRI data and scenario analysis to calibrate the economic capital calculation is the challenge, and many open questions remain."

In fact, 60% of respondents say they have already implemented an internal loss database, while 26% say they are putting this in place. Some 51% also say they have their self-assessment tool implemented, and 29% are implementing one. Additionally, 45% of respondents say they have an internal reporting tool installed, and 33% say they are installing one. So some serious progress is being made.

Other tools, however, seem to have attracted less attention so far. Just 24% of respondents currently have an external op loss database installed, and some 26% say they have no plans to purchase one. A surprising 66% of respondents say they have no plans to install an artificial intelligence or expert system for modelling economic capital, while 34% say they are going to pass up on an external compliance reporting tool.

Somewhere in between these two extremes are KRI tools, scenario analysis products and software for statistical modelling of risk data for economic capital. KRI packages seem to have a lot of potential, with 38% saying they have one, and 27% indicating they are planning to implement one. About 24% indicated they have a statistical modelling tool, while 36% indicated plans to put one in place. And while just 21% have a scenario analysis tool, 33% say that this software was on their shopping list.

"Reflective of the trend toward utilisation of KRIs to manage risk, integrated KRI frameworks are now being released by software vendors and feature integration with KRI content databases," says Scott Wisniewski, a director within risk technology solutions at Protiviti. "Institutions and software vendors will gain experience together to make operational risk management a mature discipline. This maturity will be reflected through enhanced feature sets delivered by software vendors and improved risk management practices by financial institutions resulting in more informed decision-making by operational risk managers."

What may be inhibiting financial services executives from spending on a vendor-created op risk solution? Some 21% of respondents said that cost was the primary issue – internally created systems are less expensive. Overall, 71% said that cost was a factor in their decision to 'make' as opposed to 'buy'. Another substantial barrier to purchasing vendor software is a 'lack of understanding of op risk by boards of directors or senior management', with 20% of respondents selecting this as their first choice and 34% selecting it as one of their top three reasons. Another barrier is the desire of management to 'wait and see' how op risk evolves before investing – 56% selected this as one of their top reasons.

But while some are running into challenges while trying to invest in their first op risk system, others are already on to their second-generation software. Some 66% of respondents are either considering, or are implementing, a second-generation self-assessment tool, while 61% are either considering or are implementing a second-generation internal loss database.

"The compliance landscape has changed since many firms initially implemented operational risk software," says Wisniewski. "Initial or internally developed op risk software was more specifically aimed at op risk management. As multiple governance and compliance regulations (such as Sarbanes-Oxley, Basel II, FDICIA) demand nuanced but similar disciplines (particularly with respect to risk and control self-assessment), the market is trending towards more integrated solutions that leverage business owner responses toward multiple compliance efforts and that provide management with more holistic reporting across governance programmes."

An op risk manager based in London also points out that the rapid changes in the op risk solution provider market has meant that some firms have had to rethink their plans after they've found their software no longer supported. For example, many firms purchased JP Morgan's Horizon self-assessment package, only to find the tool dropped in late 2004.

In other cases, mergers have resulted in one tool set attaining dominance over another one – for example, in the merger between Fitch and Algorithmics, the Fitch tool was favoured for future development, although the new company says it will support users of both.

Overall, however, the outlook for op risk software spending looks good. Protiviti's Gracyalny says: "We expect risk technology spending to continue to increase over the next several years as institutions seek to institutionalise their risk management programmes, achieve more quantifiable results, and integrate their compliance software with business applications used to manage operational risk across the enterprise." OR&C