Better information, better decision: The risk and compliance challenge for financial institutions


Published on

Better information, better decisions: The risk and compliance challenge for financial institutions is based partially on The age of compliance: Preparing for a riskier and more regulated world. Both are Economist Intelligence Unit briefing papers sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this research. Our findings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations. The findings and views expressed in this report do not necessarily reflect those of the sponsor. Neil Baker was the author of this report and Dan Armstrong was the editor.

Published in: Business, Economy & Finance
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Better information, better decision: The risk and compliance challenge for financial institutions

  1. 1. Better information, better decisionsThe risk and compliance challengefor financial institutionsA report from the Economist Intelligence Unit
  2. 2. Better information, better decisions The risk and compliance challenge for financial institutions Preface Better information, better decisions: The risk and compliance challenge for financial institutions is based partially on The age of compliance: Preparing for a riskier and more regulated world, an Economist Intelligence Unit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this research. Our findings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations. The findings and views expressed in this report do not necessarily reflect those of the sponsor. Neil Baker was the author of this report and Dan Armstrong was the editor. December 20101 © The Economist Intelligence Unit Limited 2010
  3. 3. Better information, better decisions The risk and compliance challenge for financial institutions Better information, better decisions: The risk and compliance challenge for financial institutions“Having reallygood information W hen mortgage defaults among US sub-prime borrowers suddenly shot up late in the tenure of Citibank’s then-CEO Chuck Prince, he was surprised to learn that the bank held mortgage-related assets worth about US$43bn. Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince thatabout the businesscombined with the everything was fine. But within weeks Citi was nursing losses on the assets running into billions of dollars.ability to get that The bank’s risk management was shown to have severe deficiencies: accepting ratings agency opinionsinformation quickly in lieu of independent reviews; relying on brittle financial models; and, according to subsequentto regulators and, congressional testimony, violating internal credit policies. Within two months, Mr Prince was out of a job.more importantly, The Citi example shows how hard it is for a large, complex bank to deal with two related problems: howto senior to manage risk across business operations, and to ensure that top executives have access to accurate riskmanagement, information on the business issues that matter most.helped an awful Barclays Bank PLC, a major global financial services provider, successfully dealt with both problems. Itslot [during the approach to risk management is one reason the bank survived the financial crisis without a governmentcrisis].” bailout, says Mark Carawan, the group’s chief internal auditor. “Having really good information about theMark Carawan, Group Chief business combined with the ability to get that information quickly to regulators and, more importantly, toInternal Auditor, Barclays plc senior management helped an awful lot,” he says. The information challenge It is ironic that some of the banks whose poor risk management practices were exposed by the crisis actually thought they were leading the pack on this issue. With hindsight, it is clear that many executives in the financial sector were operating in the dark. They had only a partial—or just plain wrong—view of the risks accompanying key decisions. “This is an area where banks collectively have under-invested over the years,” says Bruce Munro, group chief risk officer of National Australia Bank. “Some are good at it, but most lack what you might call really quick and accurate risk information.”* “Final Report of the IIFCommittee on Market Best Risk management is the core area where banks have to do better, according to a report on lessonsPractices: Principles ofConduct and Best Practice learned from the crisis published by the Institute of International Finance (IIF)*. Leading up to the crisis,Recommendations. Financial they “severely underestimated” their exposure across virtually every category of risk, had weak controls inServices Industry Response tothe Market Turmoil of 2007- place, shared risk information badly, and struggled to aggregate risks across business lines and functions,2008.” Published by the Instituteof International Finance. the report says. According to the report, the solution is root and branch reform: a complete rethink of the way banks deal with risk information, from engagement at a board level to operating tools and processes.2 © The Economist Intelligence Unit Limited 2010
  4. 4. Better information, better decisions The risk and compliance challenge for financial institutions “Risk management should be our core expertise and what determines, to a large extent, our individual success as firms,” says Rick Waugh, president and chief executive of Scotiabank and co-chair of the IIF committee that produced the analysis. “Our industry has made mistakes, and for some this has been very costly.” Impetus for change Facing the charge of being asleep on the job, regulators around the world are taking a renewed and refocused interest in the information capabilities of the financial institutions that they regulate. Whereas once they might have asked about the systems and procedures in place to manage risk, now they are putting more emphasis on the quality of information that flows around those systems. This is not simply about regulating individual firms. One of the big issues that regulators missed in the run-up to the crisis was systemic risk—the threat that the banking system itself could implode. To monitor“Risk management this better in the future, they are demanding that firms provide much more data about their risk exposuresshould be our core that, aggregated, will provide regulators a big-picture view. “The whole environment over the past 18expertise and what months has facilitated much broader thinking about risk management,” says Mark Krakowiak, chief riskdetermines, to a officer of GE, which is divided between industrial and financial services groups.large extent, our Increased scrutiny has already led to a barrage of new regulatory requirements that push firms toindividual success provide data at a remarkably detailed level. The Financial Services Authority (FSA) now requires UK firmsas firms.” to report on 10,000 data points. And there is more regulation on the way. In the US, the Dodd-Frank WallRick Waugh, president andchief executive of Scotiabank Street Reform and Consumer Protection Act created a new oversight council to evaluate systemic risk. The The exponential growth of US financial services regulation Number of pages of legislation 2010 2,500 Dodd Frank Wall Street Reform Act 2,319 pages 2,000 1,500 1,000 1966 1999 500 1913 1933 Interstate Graham 2002 Federal Glass Banking Leach Bliley Sarbanes Reserve Act Steagall Efficiency Act 145 pages Oxley 31 pages 37 pages 51 pages 66 pages 0 Source: Economist Intelligence Unit, 2010.3 © The Economist Intelligence Unit Limited 2010
  5. 5. Better information, better decisions The risk and compliance challenge for financial institutions European Commission has established its own European Systemic Risk Board. Assuring regulators that an organisation can provide huge volumes of detailed, relevant and accurate data is now an integral part of running a financial services firm. Better decisions Companies without this capability are making it a priority. Even without regulatory pressure, there is a clear business case for investments that deliver higher quality risk and compliance data. The proposition is straightforward: if executives have better access to more reliable information, in a format they can work with easily, they are more likely to make better business decisions. Financial firms find this difficult for two reasons. The first is the lack of a consistent methodology for collecting and classifying data. The second is the fragmentation of risk and compliance activities. Consistency of data collection and classification. First, the priority for regulators—and, because regulators require it, for companies as well—is to get the“We try to design data they need in order to manage systemic risk. But there is no industry-wide taxonomy for categorising,the systems and reporting or tracking such data. Wal-mart knows what its stock levels are through the supply chaintheir input and because each item has a unique bar-code; Fedex can track its parcels because they are RFID tagged. Banksoutput controls in do not have a comparable system of generating and monitoring data.such a way that you “It is really important to ensure that at a board meeting, or any internal management meeting, we arehave a high level of using the same data sources and have confidence that the data is reliable,” says Barclays’s Mr Carawan.assurance that you “Then we can focus on fixing the problem that the data has exposed, rather than debating whose data arewill catch garbage right.”going in, so you Initiatives are underway to produce industry-wide data standards to make this easier. The FSA isdon’t have garbage working on common processes and roles for companies to adopt. The Data Management Council (http://going out.” a US-based industry-funded organisation is working on its own taxonomy ofMark Carawan, Group ChiefInternal Auditor, Barclays plc data codes. The beta version of the council’s Semantic Repository, which starts with codes for financial instruments and drills down into sub-codes for contracts, formulas, processes and other components, has been posted for review. But a common solution could be a long way off. The key, in the meantime, is to define clearly and in detail what data need to be collected and how to assure their quality before they even enter a business information system, argues Mr Carawan. “It’s about being granular and well-disciplined about what you capture and then having really good conformance testing to make sure you maintain those standards,” he says. “We try to design the systems and their input and output controls in such a way that you have a high level of assurance that you will catch garbage going in, so you don’t have garbage going out.” As another line of defence, Barclays’ internal audit function puts a lot of effort into assuring the quality of business information, says Mr Carawan. “We regularly schedule information assurance into our audit work, so there is additional comfort that what is being read internally and what is being sent to regulators is good,” he says. “It’s very important.”4 © The Economist Intelligence Unit Limited 2010
  6. 6. Better information, better decisions The risk and compliance challenge for financial institutions The fragmentation of risk and compliance activities Structural issues are another reason financial institutions find it difficult to build in better access to information. Risk and compliance activities inside financial firms are typically fragmented. The professionals charged with ensuring compliance with the coming Basel III rules, for example, will use a different framework and standards than those managing operational risk controls. Each risk and compliance activity is often built up separately, frequently in response to a major event, new compliance obligation or acquisition. “Many financial services companies have a number of different divisions—often with different financial and operational risk profiles” and histories, says Matt Palmer, group information security officer at a UK lender. “As a result, in many organisations information is held in a wide range of often incompatible systems.” In some cases, it is not easy to identify the location or existence of required information. “The degree of assurance that can be obtained over different data sets also varies, making it difficult to ensure“Many financial that information brought together from multiple systems is accurate,” he companies This fragmentation is costly because there is duplication of effort. It leads to complexity because therehave a number is no common approach. And when compliance activities are splintered, business risks inevitably grow.of different For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to securitydivisions—often breaches or data losses. Fragmented financial compliance can open the door to fraud or restatements.with different Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound,financial and since an ad hoc approach to compliance leads to higher levels of risk.operational riskprofiles. As a Tone at the topresult, in many An effort to improve risk management and gain better information about risk has to start in theorganisations boardroom. It requires a clear message from the top of the business that the organisation’s risk culture,information is held compliance and control are integral to success, and that business information on these issues must bein a wide range of available and communicated.often incompatible Although much is said about the need to build an enterprise-wide risk culture, it is up to boards andsystems.”Matt Palmer, group executive management to define what it is. “Boards need to define what their risk culture is and frominformation security officer at there they need to define what the organisation’s risk appetite is,” says Richard Apostolik, the CEO of thea UK lender. Global Association of Risk Professionals. “Then they have to ensure that the rest of the organisation works within the definitions that they have come up with.” In general, an organisation’s risk appetite—its risk tolerance and limits across the full range of its businesses—should be clearly articulated and approved by the board. Once this has been set at the enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk owners. “We set a risk appetite at the enterprise level, then each of the business units takes that and applies it and forms their own risk appetite based on those overall settings for their line of business,” explains Mr Munro of National Australia Bank. “So you start to get commonality, a common approach and a common language. Properly done, the risk appetite statement becomes a cornerstone and becomes part of the language of enterprise risk.”5 © The Economist Intelligence Unit Limited 2010
  7. 7. Better information, better decisions The risk and compliance challenge for financial institutions “We assess any control weakness that we find both by their root causes, so we know how to fix them, and by their impact, so we know how they adversely affect the risk profile of the group,” says Barclay’s Mr Carawan. “That means we have a wealth of data and information about risk, which the regulators like.” Standardised processes Building an enterprise-wide layer of risk and compliance on top of existing processes can seem like a daunting task. When individual sources of assurance and compliance activities are run separately and rarely interface—either personally or by means of risk systems and IT infrastructure—successful integration can demand considerable time and resources. Much depends on the extent to which existing risk processes have already been standardised, says GE’s Mr Krakowiak. The company created a single framework for risk management across its entire enterprise, spanning both the financial and industrial businesses. GE’s longstanding commitment to the standardisation of business processes made this a more straightforward task than it might otherwise have been. “We already had a very process-oriented approach to the operational side of our business,” he explains. “For example, we have a standard review process for our compliance, and we use standard processes for budget planning and strategy planning. So we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk.” A successful enterprise-wide view of risk and compliance depends on managing the opposing requirements for centralisation and decentralisation. On the one hand, there needs to be a central function that can aggregate risk and compliance information from the business. Without it, senior executives cannot effectively make business decisions regarding how to manage risk and take advantage of potential business opportunities. Yet at the same time, risk needs to be owned by the business, within an established framework. “It’s really important to have risk people close to the business so that they can help managers with a specific set of risks that need to be managed,” notes Mr Munro. “You need to walk that fine line between collaboration and independence.” Open dialogue Frequent dialogue between risk functions and the lines of business is essential. The relationship should be symbiotic: managers should be confident that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk. In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an “enabler” that can offer valuable advice. To gain the confidence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives.6 © The Economist Intelligence Unit Limited 2010
  8. 8. Better information, better decisions The risk and compliance challenge for financial institutionsUntangling GRC A key metric for the success of this dialogue is theIn many organizations, GRC practices multiply throughout the firm andbecome disorganized, fragmented and overly complex. extent to which heads of business units and business managers proactively seek out the risk function Board of Directors to engage them in discussion about their plans. CEO Business managers will be more willing to listen to a risk or compliance function that is willing to roll up its sleeves and work with them to mitigate risks, rather than just waiving red flags. Getting away from silos Companies are increasingly focusing not only on risk management within their organisation, but on interdependencies with other companies within their network as well as the broader economy. “Companies are finally realising that there is a need to determine how an organisation can look at its risks from a Manual Multiple data inputs formats holistic perspective and figure out how those can be managed and monitored,” says Mr Apostolik. Poor data Duplication Little By aggregating risks at an enterprise level, institutional quality memory a company has a much better understanding of potential threats that could cause serious financial, Unnecessary Missed Inconsistent liquidity or reputational damage. GE’s new complexity handoffs terminology enterprise-wide risk approach is a good illustration. “We wanted to make sure that when we looked across Poor security Inflexibility the entire portfolio, we understood clearly the key things that could potentially put the franchise at risk,” reports Mr Krakowiak. “To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we understood completely the risk we were taking, what some of the external factors were that could impact us, and what could prevent us from achieving our strategic objectives.” Aggregation of risk and compliance at the enterprise level also provides senior executives with the oversight they need to assess interdependencies and correlations across the business, and make adjustments accordingly. “You might find that you want to put in different limits or constraints, or adjust your capital allocation because what looks okay in one silo doesn’t necessarily look the same once you aggregate it at the enterprise level,” argues Mr Munro. People and technology Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of key risk indicators. When implemented properly, it can help companies assess the impact of a risk against a particular objective, and increase visibility into the effectiveness of compliance efforts.7 © The Economist Intelligence Unit Limited 2010
  9. 9. Better information, better decisions The risk and compliance challenge for financial institutions Problems with gaining access to accurate, high-quality data hamper the quantification and analysis process. “The question of appropriate data and the analysis of that data is probably the biggest issue that companies face,” says Mr Apostolik. “Putting the systems in place to collect the data that you can analyse and report from is a huge undertaking.” And roles are just as important in the process. It is important to think through any solution and ensure that it is carefully tailored to roles rather than individuals, since individuals move from job to job, while roles are more consistent. By carefully defining the informational requirements of different roles, to enable the people in the roles to make better decisions, financial institutions can become more efficient. “You get to the point where you recognise that things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view,” says Mr Munro. “It’s difficult to ask people in their particular areas of risk expertise to do that, so you’ve got to invest in people that can do it on a full-time basis.” Solvency II: Importantly, regulators will not be content to receive masses of data Transparency and insight for European insurers generated from internal systems.They will want access to timely risk information that gives insights into the drivers and key risk indicators that executives use when making decisions about the tradeoff between Insurance companies didn’t emerge from the financial crisis risk and capital. That puts huge pressure on any insurer with duplicate with glowing risk management credentials. However, European or stale information and inconsistent data quality. They will have to regulators in this sector had already spotted the need to improve raise their game, and quickly. risk management industry-wide. The new Solvency II rules, set to The objective, according to the Professional Risk Managers take effect in November 2012, require firms to demonstrate that they International Association, a global, non-profit body of risk have an “adequate system of governance”, which includes effective professionals with local groups in 200 countries, should be an systems to identify and manage risks. enterprise risk management program that covers both defensive The rules require all European insurers—as well as North American and proactive risk management—in other words, an approach that carriers with operations in Europe—to have four separate functions doesn’t just seek to reduce the risks that the business takes, but one to cover risk management, compliance, internal audit and actuarial that leverages judicious risk-taking for better returns. Regulators issues. Detailed rules set out what each of these functions should will also expect insurers to benchmark the quality of their risk do. There are also rules aimed at ensuring that each unit has the management policies, methodologies and infrastructure. resources it needs to do its job. The bottom line is that risk management must deliver transparency Establishing data quality is at the heart of Solvency II compliance. and insight. Insurers will need to understand their risk profile across Insurance companies will be expected to set a board-level policy on their business operations and product lines, and across their different data use and quality. They will also have to show to regulators that risk categories—feeding any significant changes to the right level the data they use in governance, and for management decision- of management, fast. An integrated, comprehensive and strategic making, is “fit for purpose”. approach to risk information is the only way of achieving that.8 © The Economist Intelligence Unit Limited 2010
  10. 10. Better information, better decisions The risk and compliance challenge for financial institutions Conclusion A n integrated approach to risk and compliance is a Holy Grail that many financial firms have searched for yet have failed to find. They know that with better, more reliable and more accessible information about how their business is performing, they can make far better decisions. The financial crisis—its causes and the regulatory response—should encourage them to renew their quest. The obstacles they will face along the way are as challenging as ever. But the benefits are difficult to dispute. Nothing will happen without a champion at the top. Whether it is a board member, the CEO or the CFO, someone at the highest level needs to connect the strategy of the enterprise with the risk and compliance activities of each line of business, right down to the operational level. Additional suggestions to emerge from the interviewees include: l Taking a proactive approach in identifying, assessing, measuring and communicating risk. Establish priorities, and decide how you’ll use your limited resources to get the biggest improvements. l Make sure executives see spending on compliance and risk management as investments that add value and support business objectives. l Automate data management activities to the extent feasible, but do not rely on data to tell the whole story. Periodically evaluate and adjust how you identify, verify, measure and report on risk. Test your findings and make continuous improvements. l Create a single architecture for compliance and risk management stakeholders across the organization.9 © The Economist Intelligence Unit Limited 2010
  11. 11. Design: Cover: Illustration: Linda Olliver Whilst every effort has been made to verify the accuracy of this information, neither the Economist Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance by any person on this report or any other information, opinions or conclusions set out herein.
  12. 12. LONDON26 Red Lion SquareLondonWC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8476E-mail: london@eiu.comNEW YORK750 Third Avenue5th FloorNew York, NY 10017United StatesTel: (1.212) 554 0600Fax: (1.212) 586 0248E-mail: newyork@eiu.comHONG KONG6001, Central Plaza18 Harbour RoadWanchaiHong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: hongkong@eiu.comGENEVABoulevard des Tranchées 161206 GenevaSwitzerlandTel: (41) 22 566 2470Fax: (41) 22 346 93 47E-mail: