Better information, better decision: The risk and compliance challenge for financial institutions

Better information, better decisions The risk and compliance challenge for fi nancial institutions A report from the Economist Intelligence Unit

© The Economist Intelligence Unit Limited 20101

Better information, better decisionsThe risk and compliance challenge for fi nancial institutions

Preface

Better information, better decisions: The risk and compliance challenge for fi nancial institutions is based partially on The age of compliance: Preparing for a riskier and more regulated world, an Economist Intelligence Unit briefi ng paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this research. Our fi ndings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations. The fi ndings and views expressed in this report do not necessarily refl ect those of the sponsor. Neil Baker was the author of this report and Dan Armstrong was the editor.

December 2010



2

Better information, better decisions: The risk and compliance challenge for fi nancial institutions

When mortgage defaults among US sub-prime borrowers suddenly shot up late in the tenure of Citibank’s then-CEO Chuck Prince, he was surprised to learn that the bank held mortgage-related

assets worth about US$43bn. Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince that everything was fi ne. But within weeks Citi was nursing losses on the assets running into billions of dollars.

The bank’s risk management was shown to have severe defi ciencies: accepting ratings agency opinions in lieu of independent reviews; relying on brittle fi nancial models; and, according to subsequent congressional testimony, violating internal credit policies. Within two months, Mr Prince was out of a job.

The Citi example shows how hard it is for a large, complex bank to deal with two related problems: how to manage risk across business operations, and to ensure that top executives have access to accurate risk information on the business issues that matter most.

Barclays Bank PLC, a major global fi nancial services provider, successfully dealt with both problems. Its approach to risk management is one reason the bank survived the fi nancial crisis without a government bailout, says Mark Carawan, the group’s chief internal auditor. “Having really good information about the business combined with the ability to get that information quickly to regulators and, more importantly, to senior management helped an awful lot,” he says.

The information challenge It is ironic that some of the banks whose poor risk management practices were exposed by the crisis actually thought they were leading the pack on this issue. With hindsight, it is clear that many executives in the fi nancial sector were operating in the dark. They had only a partial—or just plain wrong—view of the risks accompanying key decisions.

“This is an area where banks collectively have under-invested over the years,” says Bruce Munro, group chief risk offi cer of National Australia Bank. “Some are good at it, but most lack what you might call really quick and accurate risk information.”

Risk management is the core area where banks have to do better, according to a report on lessons learned from the crisis published by the Institute of International Finance (IIF)*. Leading up to the crisis, they “severely underestimated” their exposure across virtually every category of risk, had weak controls in place, shared risk information badly, and struggled to aggregate risks across business lines and functions, the report says. According to the report, the solution is root and branch reform: a complete rethink of the way banks deal with risk information, from engagement at a board level to operating tools and processes.

“Having really good information about the business combined with the ability to get that information quickly to regulators and, more importantly, to senior management, helped an awful lot [during the crisis].” Mark Carawan, Group Chief Internal Auditor, Barclays plc

* “Final Report of the IIF Committee on Market Best Practices: Principles of Conduct and Best Practice Recommendations. Financial Services Industry Response to the Market Turmoil of 2007-2008.” Published by the Institute of International Finance. http://www.iif.com/download.php?id=Osk8Cwl08yw=



“Risk management should be our core expertise and what determines, to a large extent, our individual success as fi rms,” says Rick Waugh, president and chief executive of Scotiabank and co-chair of the IIF committee that produced the analysis. “Our industry has made mistakes, and for some this has been very costly.”

Impetus for change Facing the charge of being asleep on the job, regulators around the world are taking a renewed and refocused interest in the information capabilities of the fi nancial institutions that they regulate. Whereas once they might have asked about the systems and procedures in place to manage risk, now they are putting more emphasis on the quality of information that fl ows around those systems.

This is not simply about regulating individual fi rms. One of the big issues that regulators missed in the run-up to the crisis was systemic risk—the threat that the banking system itself could implode. To monitor this better in the future, they are demanding that fi rms provide much more data about their risk exposures that, aggregated, will provide regulators a big-picture view. “The whole environment over the past 18 months has facilitated much broader thinking about risk management,” says Mark Krakowiak, chief risk offi cer of GE, which is divided between industrial and fi nancial services groups.

Increased scrutiny has already led to a barrage of new regulatory requirements that push fi rms to provide data at a remarkably detailed level. The Financial Services Authority (FSA) now requires UK fi rms to report on 10,000 data points. And there is more regulation on the way. In the US, the Dodd-Frank Wall Street Reform and Consumer Protection Act created a new oversight council to evaluate systemic risk. The

0

500

1,000

1,500

2,000

2,500

The exponential growth of US financial services regulationNumber of pages of legislation

1913FederalReserve Act31 pages

1933GlassSteagall37 pages

1966InterstateBankingEfficiency Act51 pages

1999GrahamLeach Bliley145 pages

2002SarbanesOxley66 pages

2010Dodd Frank Wall Street Reform Act2,319 pages

Source: Economist Intelligence Unit, 2010.

“Risk management should be our core expertise and what determines, to a large extent, our individual success as fi rms.”Rick Waugh, president and chief executive of Scotiabank



4

European Commission has established its own European Systemic Risk Board. Assuring regulators that an organisation can provide huge volumes of detailed, relevant and accurate data is now an integral part of running a fi nancial services fi rm.

Better decisions Companies without this capability are making it a priority. Even without regulatory pressure, there is a clear business case for investments that deliver higher quality risk and compliance data. The proposition is straightforward: if executives have better access to more reliable information, in a format they can work with easily, they are more likely to make better business decisions.

Financial fi rms fi nd this diffi cult for two reasons. The fi rst is the lack of a consistent methodology for collecting and classifying data. The second is the fragmentation of risk and compliance activities.

Consistency of data collection and classifi cation.First, the priority for regulators—and, because regulators require it, for companies as well—is to get the data they need in order to manage systemic risk. But there is no industry-wide taxonomy for categorising, reporting or tracking such data. Wal-mart knows what its stock levels are through the supply chain because each item has a unique bar-code; Fedex can track its parcels because they are RFID tagged. Banks do not have a comparable system of generating and monitoring data.

“It is really important to ensure that at a board meeting, or any internal management meeting, we are using the same data sources and have confi dence that the data is reliable,” says Barclays’s Mr Carawan. “Then we can focus on fi xing the problem that the data has exposed, rather than debating whose data are right.”

Initiatives are underway to produce industry-wide data standards to make this easier. The FSA is working on common processes and roles for companies to adopt. The Data Management Council (http://www.edmcouncil.org/) a US-based industry-funded organisation is working on its own taxonomy of data codes. The beta version of the council’s Semantic Repository, which starts with codes for fi nancial instruments and drills down into sub-codes for contracts, formulas, processes and other components, has been posted for review. But a common solution could be a long way off.

The key, in the meantime, is to defi ne clearly and in detail what data need to be collected and how to assure their quality before they even enter a business information system, argues Mr Carawan. “It’s about being granular and well-disciplined about what you capture and then having really good conformance testing to make sure you maintain those standards,” he says. “We try to design the systems and their input and output controls in such a way that you have a high level of assurance that you will catch garbage going in, so you don’t have garbage going out.”

As another line of defence, Barclays’ internal audit function puts a lot of effort into assuring the quality of business information, says Mr Carawan. “We regularly schedule information assurance into our audit work, so there is additional comfort that what is being read internally and what is being sent to regulators is good,” he says. “It’s very important.”

“We try to design the systems and their input and output controls in such a way that you have a high level of assurance that you will catch garbage going in, so you don’t have garbage going out.”Mark Carawan, Group Chief Internal Auditor, Barclays plc



The fragmentation of risk and compliance activitiesStructural issues are another reason fi nancial institutions fi nd it diffi cult to build in better access to information. Risk and compliance activities inside fi nancial fi rms are typically fragmented. The professionals charged with ensuring compliance with the coming Basel III rules, for example, will use a different framework and standards than those managing operational risk controls. Each risk and compliance activity is often built up separately, frequently in response to a major event, new compliance obligation or acquisition.

“Many fi nancial services companies have a number of different divisions—often with different fi nancial and operational risk profi les” and histories, says Matt Palmer, group information security offi cer at a UK lender. “As a result, in many organisations information is held in a wide range of often incompatible systems.” In some cases, it is not easy to identify the location or existence of required information. “The degree of assurance that can be obtained over different data sets also varies, making it diffi cult to ensure that information brought together from multiple systems is accurate,” he says.

This fragmentation is costly because there is duplication of effort. It leads to complexity because there is no common approach. And when compliance activities are splintered, business risks inevitably grow. For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security breaches or data losses. Fragmented fi nancial compliance can open the door to fraud or restatements.

Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound, since an ad hoc approach to compliance leads to higher levels of risk.

Tone at the top An effort to improve risk management and gain better information about risk has to start in the boardroom. It requires a clear message from the top of the business that the organisation’s risk culture, compliance and control are integral to success, and that business information on these issues must be available and communicated.

Although much is said about the need to build an enterprise-wide risk culture, it is up to boards and executive management to defi ne what it is. “Boards need to defi ne what their risk culture is and from there they need to defi ne what the organisation’s risk appetite is,” says Richard Apostolik, the CEO of the Global Association of Risk Professionals. “Then they have to ensure that the rest of the organisation works within the defi nitions that they have come up with.”

In general, an organisation’s risk appetite—its risk tolerance and limits across the full range of its businesses—should be clearly articulated and approved by the board. Once this has been set at the enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk owners.

“We set a risk appetite at the enterprise level, then each of the business units takes that and applies it and forms their own risk appetite based on those overall settings for their line of business,” explains Mr Munro of National Australia Bank. “So you start to get commonality, a common approach and a common language. Properly done, the risk appetite statement becomes a cornerstone and becomes part of the language of enterprise risk.”

“Many fi nancial services companies have a number of different divisions—often with different fi nancial and operational risk profi les. As a result, in many organisations information is held in a wide range of often incompatible systems.”Matt Palmer, group information security offi cer at a UK lender.



6

“We assess any control weakness that we fi nd both by their root causes, so we know how to fi x them, and by their impact, so we know how they adversely affect the risk profi le of the group,” says Barclay’s Mr Carawan. “That means we have a wealth of data and information about risk, which the regulators like.”

Standardised processes Building an enterprise-wide layer of risk and compliance on top of existing processes can seem like a daunting task. When individual sources of assurance and compliance activities are run separately and rarely interface—either personally or by means of risk systems and IT infrastructure—successful integration can demand considerable time and resources.

Much depends on the extent to which existing risk processes have already been standardised, says GE’s Mr Krakowiak. The company created a single framework for risk management across its entire enterprise, spanning both the fi nancial and industrial businesses. GE’s longstanding commitment to the standardisation of business processes made this a more straightforward task than it might otherwise have been.

“We already had a very process-oriented approach to the operational side of our business,” he explains. “For example, we have a standard review process for our compliance, and we use standard processes for budget planning and strategy planning. So we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk.”

A successful enterprise-wide view of risk and compliance depends on managing the opposing requirements for centralisation and decentralisation. On the one hand, there needs to be a central function that can aggregate risk and compliance information from the business. Without it, senior executives cannot effectively make business decisions regarding how to manage risk and take advantage of potential business opportunities.

Yet at the same time, risk needs to be owned by the business, within an established framework. “It’s really important to have risk people close to the business so that they can help managers with a specifi c set of risks that need to be managed,” notes Mr Munro. “You need to walk that fi ne line between collaboration and independence.”

Open dialogue Frequent dialogue between risk functions and the lines of business is essential. The relationship should be symbiotic: managers should be confi dent that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk.

In some fi rms, this requires a shift in perceptions of the risk function. Rather than being seen as a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an “enabler” that can offer valuable advice. To gain the confi dence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives.



A key metric for the success of this dialogue is the extent to which heads of business units and business managers proactively seek out the risk function to engage them in discussion about their plans. Business managers will be more willing to listen to a risk or compliance function that is willing to roll up its sleeves and work with them to mitigate risks, rather than just waiving red fl ags.

Getting away from silos Companies are increasingly focusing not only on risk management within their organisation, but on interdependencies with other companies within their network as well as the broader economy. “Companies are fi nally realising that there is a need to determine how an organisation can look at its risks from a holistic perspective and fi gure out how those can be managed and monitored,” says Mr Apostolik.

By aggregating risks at an enterprise level, a company has a much better understanding of potential threats that could cause serious fi nancial, liquidity or reputational damage. GE’s new enterprise-wide risk approach is a good illustration. “We wanted to make sure that when we looked across the entire portfolio, we understood clearly the key things that could potentially put the franchise at risk,” reports Mr Krakowiak.

“To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we understood completely the risk we were taking, what some of the external factors were that could impact us, and what could prevent us from achieving our strategic objectives.”

Aggregation of risk and compliance at the enterprise level also provides senior executives with the oversight they need to assess interdependencies and correlations across the business, and make adjustments accordingly. “You might fi nd that you want to put in different limits or constraints, or adjust your capital allocation because what looks okay in one silo doesn’t necessarily look the same once you aggregate it at the enterprise level,” argues Mr Munro.

People and technology Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of key risk indicators. When implemented properly, it can help companies assess the impact of a risk against a particular objective, and increase visibility into the effectiveness of compliance efforts.

Board of Directors

CEO

Manualinputs

Poor data quality

Multiple data formats

Inconsistentterminology

Poor security

Missedhandoffs

Littleinstitutional

memory

Unnecessarycomplexity

Inflexibility

Duplication

Untangling GRCIn many organizations, GRC practices multiply throughout the firm andbecome disorganized, fragmented and overly complex.



8

Problems with gaining access to accurate, high-quality data hamper the quantifi cation and analysis process. “The question of appropriate data and the analysis of that data is probably the biggest issue that companies face,” says Mr Apostolik. “Putting the systems in place to collect the data that you can analyse and report from is a huge undertaking.”

And roles are just as important in the process. It is important to think through any solution and ensure that it is carefully tailored to roles rather than individuals, since individuals move from job to job, while roles are more consistent. By carefully defi ning the informational requirements of different roles, to enable the people in the roles to make better decisions, fi nancial institutions can become more effi cient.

“You get to the point where you recognise that things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view,” says Mr Munro. “It’s diffi cult to ask people in their particular areas of risk expertise to do that, so you’ve got to invest in people that can do it on a full-time basis.”

Solvency II: Transparency and insight for European insurers

Insurance companies didn’t emerge from the fi nancial crisis with glowing risk management credentials. However, European regulators in this sector had already spotted the need to improve risk management industry-wide. The new Solvency II rules, set to take effect in November 2012, require fi rms to demonstrate that they have an “adequate system of governance”, which includes effective systems to identify and manage risks.

The rules require all European insurers—as well as North American carriers with operations in Europe—to have four separate functions to cover risk management, compliance, internal audit and actuarial issues. Detailed rules set out what each of these functions should do. There are also rules aimed at ensuring that each unit has the resources it needs to do its job.

Establishing data quality is at the heart of Solvency II compliance. Insurance companies will be expected to set a board-level policy on data use and quality. They will also have to show to regulators that the data they use in governance, and for management decision-making, is “fi t for purpose”.

Importantly, regulators will not be content to receive masses of data generated from internal systems.They will want access to timely risk information that gives insights into the drivers and key risk indicators that executives use when making decisions about the tradeoff between risk and capital. That puts huge pressure on any insurer with duplicate or stale information and inconsistent data quality. They will have to raise their game, and quickly.

The objective, according to the Professional Risk Managers International Association, a global, non-profi t body of risk professionals with local groups in 200 countries, should be an enterprise risk management program that covers both defensive and proactive risk management—in other words, an approach that doesn’t just seek to reduce the risks that the business takes, but one that leverages judicious risk-taking for better returns. Regulators will also expect insurers to benchmark the quality of their risk management policies, methodologies and infrastructure.

The bottom line is that risk management must deliver transparency and insight. Insurers will need to understand their risk profi le across their business operations and product lines, and across their different risk categories—feeding any signifi cant changes to the right level of management, fast. An integrated, comprehensive and strategic approach to risk information is the only way of achieving that.



An integrated approach to risk and compliance is a Holy Grail that many fi nancial fi rms have searched for yet have failed to fi nd. They know that with better, more reliable and more accessible information

about how their business is performing, they can make far better decisions. The fi nancial crisis—its causes and the regulatory response—should encourage them to renew their quest. The obstacles they will face along the way are as challenging as ever. But the benefi ts are diffi cult to dispute.

Nothing will happen without a champion at the top. Whether it is a board member, the CEO or the CFO, someone at the highest level needs to connect the strategy of the enterprise with the risk and compliance activities of each line of business, right down to the operational level. Additional suggestions to emerge from the interviewees include:

l Taking a proactive approach in identifying, assessing, measuring and communicating risk. Establish priorities, and decide how you’ll use your limited resources to get the biggest improvements.

l Make sure executives see spending on compliance and risk management as investments that add value and support business objectives.

l Automate data management activities to the extent feasible, but do not rely on data to tell the whole story. Periodically evaluate and adjust how you identify, verify, measure and report on risk. Test your fi ndings and make continuous improvements.

l Create a single architecture for compliance and risk management stakeholders across the organization.

Conclusion

Whilst every effort has been made to verify the accuracy of this information, neither the Economist Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance by any person on this report or any other information, opinions or conclusions set out herein.De

sign

: Mik

eken

ny@

me.

com

C

over

: shu

tter

stoc

k.co

m

Illu

stra

tion

: Lin

da O

llive

r

LONDON26 Red Lion SquareLondon WC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8476E-mail: [email protected]

NEW YORK750 Third Avenue5th FloorNew York, NY 10017United StatesTel: (1.212) 554 0600Fax: (1.212) 586 0248E-mail: [email protected]

HONG KONG6001, Central Plaza18 Harbour RoadWanchai Hong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: [email protected]

GENEVABoulevard des Tranchées 161206 GenevaSwitzerlandTel: (41) 22 566 2470Fax: (41) 22 346 93 47E-mail: [email protected]

Better information, better decision: The risk and compliance challenge for financial institutions

Business

Transcript of Better information, better decision: The risk and compliance challenge for financial institutions