Untangling the risk information knot

Risk management executives – including enterprise and operational risk executives – cite a lack of data about the risks their firms face as the most important challenge. However, these same executives present a more mixed picture when probed about what they should be doing to improve their overall approach to handling risk data, including collection, analysis, storage and reporting.

In a new OpRisk & Compliance Intelligence survey, sponsored by BearingPoint Management & Technology Consultants, data issues rank high on the risk executive's list of problems. While a lack of data was cited as the top challenge, poor data quality/unreliable data ranked second, followed by a lack of adequate business intelligence tools and applications.

These data challenges seem to lead to substantial cultural issues, with a lack of ownership over risk management issues and actions, and the fact that risk management is not a part of the organisational culture earning places four and five in the ranking.

These data challenges seem to be, in part, the result of risk management information architectures that have grown up over the past decade or so within corporate silos, without co-ordination from the centre. Individual divisions of firms often implement their own software and data procedures, with the result that it is difficult for information to be aggregated across the firm for comparison at senior levels of risk management.

"We believe that risk executives/managers have a reasonable grasp of their critical risks and the information that's necessary to manage those risks, especially when they are well defined, driven by mandates, etc," says Sandeep Vishnu, managing director, financial services at BearingPoint. "Credit risk and financial statement compliance risks are instances where tremendous energy has been spent on designing and implement information systems to track and maintain the critical data. However, this is not pervasive across risk types, and a substantial number of organisations are not leveraging the data being collected formally and informally across a spectrum of risk and non-risk tools. Specifically, more than 75% of the respondents are not using core technologies such as data warehousing, business intelligence tools, data mining, analytics and modelling."

Other challenges also suround data. The survey shows the vast majority of data risk managers collect about the issues and challenges facing their firms is not in the form of databases, formal reporting, or other structured information frameworks. Instead, it comes as ad hoc phone calls, emails or meetings.

Larry Taylor, senior manager, financial services says this ad hoc data is very important for risk executives, but formalising it is not the answer to improving the risk data picture. "Data availability to key stakeholders, scalability, a common data model, etc are important to have," he says. "However, data in systems is not the only source a risk manager should rely on, especially based on the cost/benefit and return-on-investment (ROI) questions. It is equally important to build and rely on a social network that puts risk managers in touch with the key stakeholders or individuals within the organisation who have access to information that would help improve identification and management of risks. We need to provide focus on both the 'system' in which data is collected, stored and maintained formally, as well as the informal network that is a significant source of information for risk managers."

In fact, areas risk managers consider to be a significant source of weakness – including development of new products, services or entry into new markets, and strategic transactions including mergers, acquisitions and divestitures – are also larger areas of discomfort for risk managers around data, with more than 60% of executives saying they believed the information available to them was only "somewhat" sufficient to prevent or manage a major loss event.

"In cases such as new product development and innovation, strategic transactions (such as mergers, acquisitions, divestitures) or employment/discrimination-related activities, we often find the most critical information is 'sensitive' or not tracked formally in any systems," says Vishnu. "The nature of the information doesn't lend itself to tracking. Often, those risk managers/executives who are successful in collecting this type of information have a strong social network that they leverage to be 'in the loop' when it comes to such information and data. Raw data in a repository will not meet the needs in many cases. Timing is also a factor: by the time the data is captured and integrated, it may be too late to deal with the risks (such as in the case of innovation or the actions of a disgruntled employee). So, a key question points to 'in lieu of raw data found in systems, how do successful risk managers extract from and codify their social networks so they can do their jobs successfully?'"

This last point seems to be a core question facing risk management executives, especially operational risk executives faced with the challenge of collecting operational risk data in some form, and turning it into useable, actionable and modellable material.

Another interesting theme that emerged from the survey focuses around the relationship between risk management data and the risk culture of firms. Certainly, most executives in the risk space acknowledge that data can be a key tool to help build a risk management culture. Data can be used to track and understand risks, and also to help change behaviour through incentives and other human resources tools.

But respondents to the survey indicated that the data they currently had was not being used effectively to build a risk management culture within firms. Some 42% of respondents said their organisation was "not at all effective" in helping enterprise risk managers use data to understand, communicate and mitigate/manage the risks they faced. Another 51% said their firms were only "somewhat effective" at doing this.

Even more distressingly, 88% of respondents said their firms were either not at all effective or only somewhat effective at providing the appropriate information to meet the organisation's business requirements – that is, providing the right people with the right information at the right time.

Only 9% of respondents said their firms were "able to trace the ROI of our information management initiatives; we understand the economic value of well-managed data". Some 35% of respondents said their firms were not able to do this.

What these results seem to show is that one of the most profound consequences of not having enough data – or the right kind of data – is that it is difficult to build an effective risk management culture within a firm.

Taylor says: "A distinct set of factors create these problems, including incomplete and inconsistent data capture, poor translation of data into information, and the fact that the data is not always integrated and available to the stakeholders who need it." He uses "the analogy of being stranded on a desert island in the middle of the ocean, with no water to drink."

So, clearly, there is some way to go in building a robust risk information architecture in most firms. However, it seems that, from this survey, there is a recognition of the problem within the industry, and solutions are being sought.