Justified expense

OpRisk & Compliance: What return on investment can be anticipated from compliance initiatives?

Substantial return. Unfortunately, without strong business participation, compliance initiatives often become tick-box exercises. This just reinforces preconceptions that they are 'all cost and no gain'. No wonder the common response is 'how long can we delay?' In reality, good control initiatives can deliver reduced risk and increased efficiency, plus new business insight, justifying the investment many times over - the compliance element essentially comes for free. This sounds like the holy grail but we have seen it many times when replacing manual, error-prone controls. This saves many hours of employee time and eliminates one of the biggest causes of operational losses recorded in Basel registers.

It has been suggested by US regulators that greater scrutiny of derivatives, starting with credit derivatives, is needed. What changes to your technology does this mean?

ClusterSeven technology has been used to manage derivatives for several years. Their explosive evolution shows how big control problems are often associated with the fastest-moving and most profitable lines of business. The problem is therefore rooted in combining business agility with control, rather than trying to add control after the fact. At ClusterSeven we see our role as providing control until the point that traditional technology solutions can catch up - usually when the new financial process or product has become vanilla. Of course, with budgets too tight for such replacement systems, we expect to be managing many more derivatives for longer.

How long do you think it will take for the necessary changes to your software to be implemented?

This is really a question for traditional software - it does not apply to a technology like ClusterSeven. We are designed from the bottom up to systemise unstructured and semi-structured financial data and processes. Clients can adapt immediately to new requirements - however they arise - instead of waiting years or paying out large sums to implement new modules. We fill the business management gap between what central applications can do and what business requires, ensuring controlled business agility even in the most cost-conscious times. So for us no are changes required and we can be sure that will continue to be the case whatever new regulations emerge this year.

The UK Financial Services Authority (FSA) has announced an intention to apply greater scrutiny to the use and integrity of valuation models (its 'Dear CEO' letter of mid-August 2008). How can companies prepare for this?

This letter expressed concern about the way valuation processes have become stretched to the point of failure, as seen by a large number of material mismarking incidents. The FSA also recommended that any headcount reductions should avoid negative impact on valuation control functions. The US Securities and Exchange Commission echoed this sentiment in early December 2008, telling firms they must keep up compliance programmes despite undertaking cost-cutting measures. Such demands create dilemmas for firms looking to reduce costs. ClusterSeven clients have been able to solve both sides of this problem - eliminating control breaks but also making time savings of up to 30% in some of the manually intensive spreadsheet activities that dominate the middle and back office. For example, our dashboard views of illiquid variables rapidly highlight when marking is off-trend. In the words of one of our clients: "We gave the middle office control of its own destiny."

Where is the money going to come from for the big-ticket systems to implement control?

The obvious approach is to delay expenditure on business development in favour of expenditure on control. But this might be the equivalent of cutting your legs off in order to fund better spectacles - the business can see more clearly but cannot go anywhere. The solution is to establish control with technology that can be re-used as business requirements change. I agree with recent comments by Accenture, which promotes the concept of a cost-efficient flexible infrastructure where control is embedded within an agile business platform. Transition into other systems can be smoothly accelerated when funds permit, but control is not compromised if delays are necessary to save money. We call this the ClusterSeven conveyor belt.

Should auditors adopt a more proactive role towards addressing control deficiencies within their clients?

Definitely more proactive. One requirement of the Sarbanes-Oxley Act is a clear separation of audit and consultancy services. As a result, auditors now highlight problems without suggesting solutions. This slows the propagation of best practice. It also extends the cycle to close the control gap as new service providers must be selected and brought up to speed before any solution can be endorsed. The solution becomes defined by negotiations around the audit point, rather than the wider benefits that may be available. Looking forward, it is clear that recent corporate control failings will lead to more demanding audits. Clients will be expected to resolve failings more quickly but from limited funds. All of this demands a fuller, faster audit conversation, such as 'you have a spreadsheet control problem - here is a fast solution that pays for itself and here is a bank that has done it'

OpRisk & Compliance: What return on investment (ROI) can be anticipated from compliance initiatives?

This has always been, and always will be, a thorny issue. I do not believe that you will ever be able to generate a ROI number for compliance initiatives in the traditional sense. This is analogous to the current credit risk problems for depositors. You could work up an ROI for moving your deposit between banks for an extra 50 basis points in interest and that would trump the ROI for moving it to another institution for a lower 50 basis points, however you would feel pretty bad if that higher-paying institution then collapsed and you lost your principal. We should not necessarily be trying to find ROIs for things that provide for the long-term health of our companies or industries. The search for ROI has - to my mind - blinded too many senior executives to the importance of managing risk for the long term.

It has been suggested by US regulators that greater scrutiny of derivatives, starting with credit derivatives, is needed. What changes to your technology does this mean?

Our technology is focused on ensuring that the operations surrounding the trading, settling and risk management of derivatives are carried out according to the policies set out by senior management. It is clear that in many institutions these policies need to be updated and, more importantly, that the policies should be rigorously followed. Should the regulators force more prescriptive polices on institutions or the institutions take on that role themselves, our software will enable them to ensure that the policies are being followed. There will only be a requirement for new content within the software and no changes to the software itself.

The UK FSA has announced an intention to apply greater scrutiny in the use and integrity of valuation models (its 'Dear CEO' letter of mid-August 2008). How can companies prepare for this?

Many companies have excellent models for market and credit risk, however the management of the input data to models, the controls around model parameters and the use of the data they produce is not subject to strong controls. Even the best models in the world require high-quality data, intelligent setting of parameters and well-contextualised reporting of outputs. Companies will need to produce clear and extensive policies and procedures surrounding the use of their models and, thereafter, ensure these procedures are followed. The FSA will be looking for positive assurance that the policies are in place, have been read and understood by the relevant staff and have been operated effectively.

How long do you think it will take for the necessary changes to your software to be implemented?

There are no changes required to our software. We can work with our clients to help them define the procedures and control points and then add this as content to the Sword system.

Where is the money going to come from for the big-ticket systems to implement control?

Many studies over the years have proven good corporate governance and risk control adds value to the overall shareholder value of an institution. Given this fact and the ratings agencies increased interest in enterprise risk management reviews as part of the rating process, no right-minded executive or shareholder should fail to see the long-term benefit of spending on their control environment, in terms of increased shareholder value and/or lower cost of capital. Therefore, the money should come from core operating costs and is simply a cost of doing good business.

Should auditors adopt a more proactive role towards addressing control deficiencies within their clients?

Auditors are being increasingly asked to change their work practices in two fundamental ways.

One, they are being asked to ensure they share data with their other assurance colleagues (compliance and risk) to increase the effectiveness of assurance and enable efficiencies to be identified concerning testing and risk assessments. The other benefit of sharing data across the three lines of defence is that senior management and board reporting can show how the different defence teams view any one process or risk.

Two, auditors are also being asked to share processes across the assurance functions. We are seeing clients using auditors to do compliance testing tasks as part of their audits rather than have the compliance team bother the business a second time. We are also seeing auditors being asked to use compliance and risk tests, and assessments as the basis for audits, again to limit the intrusion on the business.

Sponsored content