Webcast >> Op Risk Technology

Below is a summary of the discussion.

Q: Can Sarbanes-Oxley, op risk and enterprise-wide risk management really be combined into a single project?

Robert Graham, Datawatch product manager, Datawatch: I think SOX should be seen as an opportunity rather than a disaster waiting to happen, because if you don't think the information you need to apply to SOX is hidden summarily in a database; if you don't think it's there, look at the jobs vacant column. Ithow you get at it. I've met a lot of IT directors who were told by their CEOs that SOX was an IT problem. I told them it wasn't. It's an enterprise-wide problem, and my message is this: there's enough stress in rolling out SOX without buying a whole new system. In America, where they bought what they call 'best of breed' solutions or bespoke solutions, research shows that 80% of those solutions have been retired within two years. So the message is yes you can do it, yes the information is there. Look at a product that helps you enhance your ability to get at the information you need.

David Sherratt, Managing director UK, Raft: Our clients are divided 50:50 between group operational risk departments and business unit-focused op risk managers. In the clients we have where they have adopted a sort of department-by-department or business-unit-by-business-unit approach to operational risk management, that's where our systems have been used both for operational risk management and SOX. Where we have been in a group programme and put our system into a group risk management, they tended to have a separate group SOX management tool. But again, the big problem then is that, at a group level, it is very difficult to get buy-in from the line managers in the business to actually collect all the information and pass it back to you. If you make it part of their 'business as usual' processes then they don't see it as a big overhead. So I think it can be done, but it's very difficult to do it as a corporate group programme with this small group of people, who are trying to tell people how to manage their controls and how to manage their risks because they have been doing this for years. It's just that the information hasn't been gathered together and presented in a structured way to the regulators.

Peyman Mestchian, Head of the risk intelligence practice, SAS: Many of our customers actually see SOX as a sub-set of operational risk. So what is SOX? It's the risk of mis-statement around financial statements. Firms should have human controls, technology controls and financial controls. Definitely, businesses do not want to be assessed twice for the same risk, so having a single integrated system collecting the data as we said and reporting on it is very important. So, SOX should be embedded as part of an operational risk programme. The real challenge is actually an organisational challenge. SOX is a financial regulation often owned by the finance department, ie, the CFO's office. Operational risk is often owned by the risk department in a bank, ie, the CRO's office. Depending on the risk strategy of a corporation, sometimes these departments don't necessarily co-operate and work together as effectively as they should, hence the silo-based approach to risk management is one of the key challenges. But it has been done and we are seeing some of those silos breaking down, and the use of appropriate and flexible technology is a key facilitator to that.

Q: Is the large amount of regulation that firms are being subjected to driving an increase or delay in technology spend?

John Cant, Managing director, MPI Europe, MPI/Sun Microsystems: Our view is that, at the moment, there is no single system that you should go out and buy – firms need a combination of a series of systems that will deal with data quality issues, the analytics, dealing with getting the relevant data from the operational systems and from the operational people and getting it into a format that can then be properly digested. So, yes, I think the regulatory stick is actually steering a lot of the spend but if people are spending on a complete system then I think they are wasting their money at this stage.

Eric Sandler, Consultant Technologist, Future Route: I agree that data management is not an IT problem any more. We are actually seeing something very new happening in the risk world. We see heads of risk management identifying heads of risk data and bringing very, very senior executives in at the business level to work side by side with senior IT executives to solve data management issues, because it's becoming very apparent that data management and advanced data management techniques are part of Basel compliance. And actually I agree that there is a lot of vagueness in the Basel Committee's directives and suggestions to companies.

What they don't do is spell out what advanced data management is, but they do state clearly that it's something you need to have in order to solve risk management problems.

So there's a conundrum that a lot of banks face and that's where consulting methodologies are very, very important now to guide, more so than complete solutions.

Q: Why have firms waited until now to tackle the data issues that Basel II is raising?

Sandler: For the past 20 years banks have made way too much money and they really didn't have any large squeezes on margins. When profits are just soaring firms don't really focus on costs, they focus on revenue and business growth and they develop all their silo systems to handle the explosive growth. When the business becomes globalised, competition is becoming stiffer, margins and costs become an issue and therefore firms start focusing on business integration, data integration, and they start to realise that their whole business is information, not data. We have lots of data – banks operate entirely on data – but we don't have a lot of information because to turn data into information firms have to go through a lot of cultural changes that involve methodologies of organisational structure and the technology around it. That's something banks are focusing on now because they realise margins need to be maintained by focusing on the cost side as well.

Q: As industry solution providers, what problems/ challenges/criticisms do you think operational risk managers at financial services firms face today?

Sherratt: I think one of the problems, or challenges, is to get the business case together to actually do the operational risk management. It's very difficult to say to the CFO, 'well this is how much regulatory capital we're saving', or 'this is how much money we're saving'. First, it's very difficult to say, even at the basic level of loss reduction, "How many losses will we prevent if we do all this?" It's very difficult to say because the information isn't there. I faced this problem when I worked at ING. We were doing a programme and the reaction we were always getting from people was 'would it have stopped Nick Leeson?' Well, I'm not sure about that. The first problem is getting the budget to do the work. Once you've got the budget, particularly at group level, it's very difficult to persuade people that you know what their controls are. You tell them, 'you're going to have a standardised set of controls, and here are a standardised set of risks that you're going to analyse'. People say, 'wait a minute, you people have been in an ivory tower, we've been managing these processes for x number of years, we know exactly what our controls are, we know exactly what our risks are thank you very much. Are you trying to tell us we're not managing a control? That we don't know what our risk is?'

Graham: I think in terms of challenges, the best organisations are going to have executives who are brave enough to speak to the board truthfully. If I were a board member of a large institution, I'd hope that I had a head of operational risk who was brave enough to tell me what they needed to complete the job. So they need a strategy, they need everyone to buy into the strategy, they need a definition of what their role is and they certainly need a budget. So I think the simple answer to the question is that bravery is required, honesty is required, and then a definition of the problem must be understood and a budget agreed. I think those are the challenges.

Cant: There's a lack of technology standards to assess against in some places we've seen. Customers have come to us and said, 'surely you've got something we can assess against'. The other big aspect, which is something we've talked about and is one of the big challenges, is very much around that data and data management, and how you understand what is hidden within the data that you do have. We've had various discussions about the fact that the data you need to be able to control this is in your organisation somewhere; the problem is how on earth do you find it? How do you make sure it's right, and can you say hand on heart that it's right, not just it's probably right.

Mestchian: One of the key questions is 'what are the key obstacles to success?' I think, first of all, there is a pre-budget problem in terms of selling the concept of operational risk to the board, and I actually don't think it should be as difficult as people think. The problem with risk is that it's in the future, and you are trying to convince someone now to spend some money if something might happen in the future. So that's a tough sell. The way executives can explain it is reverse engineer from your existing losses and show that if we catch x percent early enough, that gives us the business case to make the investment. That's the business case and that will vary from organisation to organisation. That's pre-budget.

Once you've got the budget, I think there are some practical implementation problems and challenges that people face, and I would divide those problems into three areas. One is what is the data? How do you access the data? How do you translate it into information and so on? The other thing is people. Consistently in the surveys we've done, customers comment that you can have the best systems in the world, and the best processes and procedures, but you need people to actually buy into the process, because without their co-operation a lot of the qualitative data needed to make this work is not going to be there.

The final area, I would say, in terms of practical challenge, is that a lot of organisations are struggling with whether they should go with a centralised approach, ie, driven by group. Then there's a de-centralised approach where you give autonomy to the local business units and business clients to manage operational risk the way they want with some common standards so that it can be aggregated up at the group level. Which is better is very much specific to the organisation. I've seen both work very well. Those are the key strategic and practical problems I've seen in the market.

Q: What is the next generation of software tools that operational risk managers will require?

Cant: We've had the first wave of solutions, and you either bought into that or you didn't. I think we more or less all agreed that until a customer understands their matrix for risk, purchasing a solution would probably be the wrong decision, and statistics show that probably most of those solutions will be retired within two years.

So, for the minute, operational risk managers must have the best tools available to understand and have direct access to the data they've got. I suspect that until this method has matured, and until the overseers finally come up with a 'design for living', that would prove the best strategy.

Then in the fullness of time, with all the wonderful creative minds in the software world, there will be another wave of products that will respond to that mature market-place.

Sherratt: In theory, the next generation of software tools are the data mining tools, where you can really get to the data that underlies the operational risk and try and start to do some sort of prediction about where your risks are, and where your losses are going to be, and really to enable you to move into more and more complicated and sophisticated modelling of it.

The problem, I think, is that at the moment we're not even at the first stage. Even the systems that allow you to go and collect data on a more regular and more comprehensive basis are not being used.

At the moment, many firms are still effectively at the spreadsheet stage. They do not have embedded processors for collecting information. They do not know exactly what they should be measuring, where, and how. Already, the tools we have are more advanced than the majority of firms need. It's easy for software people to say, 'logically, the next step should be this'. We're way ahead as software providers of where people are in their management of operational risk and their collection of information. So I think it's difficult to say how the industry should evolve to supply these products when in fact the current products are more than people need at the moment.

The key issue at the moment is trying to get standard ways of measuring and managing operational risk to get buy-in in the organisations and to get people actually collecting the basic information rather than thinking about what sophisticated tools they can use to actually get the information and display the information. People at the ground level are still not always bought-in to operational risk management.

Mestchian: I actually think the next generation is already here; it's just not being used. In some of the more advanced organisations we're seeing some demand for technologies that I think are the next generation of operational risk management. This is not new technology or new innovation as such; it's using existing technology but applied to operational risk management – which hasn't previously been applied to operational risk management.

One area we have seen demand for is linking, in an automated way, risk-specific technologies, ie, linking the op risk management system to your fraud management system, like credit card fraud systems for retail banks, making sure that that data is coming in in a visible way, in a managed way; anti-money laundering systems coming in; HR systems-management systems coming in, because all of these disparate systems also provide the key risk indicators required for the calculation at the end of it.

Sandler: I agree that the next generation software is here, however, the main reason for next-generation software to exist actually is to enable methodologies to solve these problems and to allow the governance and risk culture to take place and for technologies to be almost invisible. And what does it mean for technologies to disappear into the background, to let business people basically manage risk – that means, as was previously said, we need to achieve smoother integration. There are a number of leaders out there who are well positioned to integrate a lot of components to create an enterprise solution, but to get the technology to be invisible for the business of risk management to take place, you need better integration, better automation of difficult tasks that are mundane, difficult to maintain and manage, and take a lot of peoples' time needlessly; people who are talented and shouldn't be dealing with data quality issues – they shouldn't be spending 70% of their time being 'data gardeners'. They should focus their energy and their skills and education on something that could better the institution.

Operational Risk

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here