Better information, better decisions: The risk and compliance challenge for financial institutions


A report from the Economist Intelligence Unit

Better information, better decisions: The risk and compliance challenge for financial institutions is based partially on The age of compliance: Preparing for a riskier and more regulated world, an Economist Intelligence Unit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this research. Our findings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations. The findings and views expressed in this report do not necessarily reflect those of the sponsor. Neil Baker was the author of this report and Dan Armstrong was the editor.

December 2010


Citibank’s then-CEO Chuck Prince, he was surprised to learn that the bank held mortgage-related assets worth about US$43bn. Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince that everything was fine. But within weeks Citi was nursing losses on the assets running into billions of dollars. The bank’s risk management was shown to have severe deficiencies: accepting ratings agency opinions in lieu of independent reviews; relying on brittle financial models; and, according to subsequent congressional testimony, violating internal credit policies. Within two months, Mr Prince was out of a job. The Citi example shows how hard it is for a large, complex bank to deal with two related problems: how to manage risk across business operations, and how to ensure that top executives have access to accurate risk information on the business issues that matter most.

Barclays Bank PLC, a major global financial services provider, successfully dealt with both problems. Its approach to risk management is one reason the bank survived the financial crisis without a government bailout, says Mark Carawan, the group’s chief internal auditor. “Having really good information about the business combined with the ability to get that information quickly to regulators and, more importantly, to senior management helped an awful lot,” he says.

The information challenge

It is ironic that some of the banks whose poor risk management practices were exposed by the crisis actually thought they were leading the pack on this issue. With hindsight, it is clear that many executives in the financial sector were operating in the dark. They had only a partial—or just plain wrong—view of the risks accompanying key decisions.

“This is an area where banks collectively have under-invested over the years,” says Bruce Munro, group chief risk officer of National Australia Bank. “Some are good at it, but most lack what you might call really quick and accurate risk information.”

Risk management is the core area where banks have to do better, according to a report on lessons learned from the crisis published by the Institute of International Finance (IIF).* Leading up to the crisis, they “severely underestimated” their exposure across virtually every category of risk, had weak controls in place, shared risk information badly, and struggled to aggregate risks across business lines and functions, the report says. According to the report, the solution is root-and-branch reform: a complete rethink of the way banks deal with risk information, from engagement at board level to operating tools and processes.


* “Final Report of the IIF Committee on Market Best Practices: Principles of Conduct and Best Practice Recommendations. Financial Services Industry Response to the Market Turmoil of 2007-2008.” Published by the Institute of International Finance. http://www.iif.com/download.php?id=Osk8Cwl08yw=


“Risk management should be our core expertise and what determines, to a large extent, our individual success as firms,” says Rick Waugh, president and chief executive of Scotiabank and co-chair of the IIF committee that produced the analysis. “Our industry has made mistakes, and for some this has been very costly.”

Impetus for change

Facing the charge of being asleep on the job, regulators around the world are taking a renewed and refocused interest in the information capabilities of the financial institutions that they regulate. Whereas once they might have asked about the systems and procedures in place to manage risk, now they are putting more emphasis on the quality of information that flows around those systems.

This is not simply about regulating individual firms. One of the big issues that regulators missed in the run-up to the crisis was systemic risk—the threat that the banking system itself could implode. To monitor this better in the future, they are demanding that firms provide much more data about their risk exposures that, aggregated, will provide regulators with a big-picture view. “The whole environment over the past 18 months has facilitated much broader thinking about risk management,” says Mark Krakowiak, chief risk officer of GE, which is divided between industrial and financial services groups.

Increased scrutiny has already led to a barrage of new regulatory requirements that push firms to provide data at a remarkably detailed level. The Financial Services Authority (FSA) now requires UK firms to report on 10,000 data points. And there is more regulation on the way. In the US, the Dodd-Frank Wall Street Reform and Consumer Protection Act created a new oversight council to evaluate systemic risk. The European Commission has established its own European Systemic Risk Board. Assuring regulators that an organisation can provide huge volumes of detailed, relevant and accurate data is now an integral part of running a financial services firm.

Figure: The exponential growth of US financial services regulation (number of pages of legislation)
1913 Federal Reserve Act: 31 pages
1933 Glass-Steagall: 37 pages
1966 Interstate Banking Efficiency Act: 51 pages
1999 Gramm-Leach-Bliley: 145 pages
2002 Sarbanes-Oxley: 66 pages
2010 Dodd-Frank Wall Street Reform Act: 2,319 pages
Source: Economist Intelligence Unit, 2010.

Better decisions

Companies without this capability are making it a priority. Even without regulatory pressure, there is a clear business case for investments that deliver higher-quality risk and compliance data. The proposition is straightforward: if executives have better access to more reliable information, in a format they can work with easily, they are more likely to make better business decisions.

Financial firms find this difficult for two reasons. The first is the lack of a consistent methodology for collecting and classifying data. The second is the fragmentation of risk and compliance activities.

Consistency of data collection and classification

First, the priority for regulators—and, because regulators require it, for companies as well—is to get the data they need in order to manage systemic risk. But there is no industry-wide taxonomy for categorising, reporting or tracking such data. Wal-Mart knows what its stock levels are through the supply chain because each item has a unique bar-code; FedEx can track its parcels because they are RFID-tagged. Banks do not have a comparable system of generating and monitoring data.

“It is really important to ensure that at a board meeting, or any internal management meeting, we are using the same data sources and have confidence that the data is reliable,” says Barclays’ Mr Carawan. “Then we can focus on fixing the problem that the data has exposed, rather than debating whose data are right.”

Initiatives are underway to produce industry-wide data standards to make this easier. The FSA is working on common processes and roles for companies to adopt. The Data Management Council (http://www.edmcouncil.org/), a US-based industry-funded organisation, is working on its own taxonomy of data codes. The beta version of the council’s Semantic Repository, which starts with codes for financial instruments and drills down into sub-codes for contracts, formulas, processes and other components, has been posted for review. But a common solution could be a long way off.

The key, in the meantime, is to define clearly and in detail what data need to be collected and how to assure their quality before they even enter a business information system, argues Mr Carawan. “It’s about being granular and well-disciplined about what you capture and then having really good conformance testing to make sure you maintain those standards,” he says. “We try to design the systems and their input and output controls in such a way that you have a high level of assurance that you will catch garbage going in, so you don’t have garbage going out.”

As another line of defence, Barclays’ internal audit function puts a lot of effort into assuring the quality of business information, says Mr Carawan. “We regularly schedule information assurance into our audit work, so there is additional comfort that what is being read internally and what is being sent to regulators is good,” he says. “It’s very important.”



The fragmentation of risk and compliance activities

Structural issues are another reason financial institutions find it difficult to build in better access to information. Risk and compliance activities inside financial firms are typically fragmented. The professionals charged with ensuring compliance with the coming Basel III rules, for example, will use a different framework and standards from those managing operational risk controls. Each risk and compliance activity is often built up separately, frequently in response to a major event, new compliance obligation or acquisition.

“Many financial services companies have a number of different divisions—often with different financial and operational risk profiles” and histories, says Matt Palmer, group information security officer at a UK lender. “As a result, in many organisations information is held in a wide range of often incompatible systems.” In some cases, it is not easy to identify the location or existence of required information. “The degree of assurance that can be obtained over different data sets also varies, making it difficult to ensure that information brought together from multiple systems is accurate,” he says.

This fragmentation is costly because there is duplication of effort. It leads to complexity because there is no common approach. And when compliance activities are splintered, business risks inevitably grow. For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security breaches or data losses. Fragmented financial compliance can open the door to fraud or restatements. Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound, since an ad hoc approach to compliance leads to higher levels of risk.

Tone at the top

An effort to improve risk management and gain better information about risk has to start in the boardroom. It requires a clear message from the top of the business that the organisation’s risk culture, compliance and control are integral to success, and that business information on these issues must be available and communicated.

Although much is said about the need to build an enterprise-wide risk culture, it is up to boards and executive management to define what it is. “Boards need to define what their risk culture is and from there they need to define what the organisation’s risk appetite is,” says Richard Apostolik, the CEO of the Global Association of Risk Professionals. “Then they have to ensure that the rest of the organisation works within the definitions that they have come up with.”

In general, an organisation’s risk appetite—its risk tolerance and limits across the full range of its businesses—should be clearly articulated and approved by the board. Once this has been set at the enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk owners.

“We set a risk appetite at the enterprise level, then each of the business units takes that and applies it and forms their own risk appetite based on those overall settings for their line of business,” explains Mr Munro of National Australia Bank. “So you start to get commonality, a common approach and a common language. Properly done, the risk appetite statement becomes a cornerstone and becomes part of the language of enterprise risk.”



“We assess any control weakness that we find both by its root causes, so we know how to fix it, and by its impact, so we know how it adversely affects the risk profile of the group,” says Barclays’ Mr Carawan. “That means we have a wealth of data and information about risk, which the regulators like.”

Standardised processes

Building an enterprise-wide layer of risk and compliance on top of existing processes can seem like a daunting task. When individual sources of assurance and compliance activities are run separately and rarely interface—either personally or by means of risk systems and IT infrastructure—successful integration can demand considerable time and resources.

Much depends on the extent to which existing risk processes have already been standardised, says GE’s Mr Krakowiak. The company created a single framework for risk management across its entire enterprise, spanning both the financial and industrial businesses. GE’s longstanding commitment to the standardisation of business processes made this a more straightforward task than it might otherwise have been.

“We already had a very process-oriented approach to the operational side of our business,” he explains. “For example, we have a standard review process for our compliance, and we use standard processes for budget planning and strategy planning. So we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk.”

A successful enterprise-wide view of risk and compliance depends on managing the opposing requirements for centralisation and decentralisation. On the one hand, there needs to be a central function that can aggregate risk and compliance information from the business. Without it, senior executives cannot effectively make business decisions regarding how to manage risk and take advantage of potential business opportunities.

Yet at the same time, risk needs to be owned by the business, within an established framework.

“It’s really important to have risk people close to the business so that they can help managers with a specific set of risks that need to be managed,” notes Mr Munro. “You need to walk that fine line between collaboration and independence.”

Open dialogue

Frequent dialogue between risk functions and the lines of business is essential. The relationship should be symbiotic: managers should be confident that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk.

In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an “enabler” that can offer valuable advice. To gain the confidence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives.


A key metric for the success of this dialogue is the extent to which heads of business units and business managers proactively seek out the risk function to engage them in discussion about their plans. Business managers will be more willing to listen to a risk or compliance function that is willing to roll up its sleeves and work with them to mitigate risks, rather than just waving red flags.

Getting away from silos

Companies are increasingly focusing not only on risk management within their organisation, but on interdependencies with other companies within their network as well as the broader economy. “Companies are finally realising that there is a need to determine how an organisation can look at its risks from a holistic perspective and figure out how those can be managed and monitored,” says Mr Apostolik.

By aggregating risks at an enterprise level, a company has a much better understanding of potential threats that could cause serious financial, liquidity or reputational damage. GE’s new enterprise-wide risk approach is a good illustration.

“We wanted to make sure that when we looked across the entire portfolio, we understood clearly the key things that could potentially put the franchise at risk,” reports Mr Krakowiak.

“To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we understood completely the risk we were taking, what some of the external factors were that could impact us, and what could prevent us from achieving our strategic objectives.”

Aggregation of risk and compliance at the enterprise level also provides senior executives with the oversight they need to assess interdependencies and correlations across the business, and make adjustments accordingly. “You might find that you want to put in different limits or constraints, or adjust your capital allocation, because what looks okay in one silo doesn’t necessarily look the same once you aggregate it at the enterprise level,” argues Mr Munro.

People and technology

Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of key risk indicators. When implemented properly, it can help companies assess the impact of a risk against a particular objective, and increase visibility into the effectiveness of compliance efforts.

Figure: Untangling GRC. In many organizations, GRC practices multiply throughout the firm and become disorganized, fragmented and overly complex. The diagram shows the Board of Directors and the CEO above a tangle of problems: manual inputs, poor data quality, multiple data formats, inconsistent terminology, poor security, missed handoffs, little institutional memory, unnecessary complexity, inflexibility and duplication.


Problems with gaining access to accurate, high-quality data hamper the quantification and analysis process. “The question of appropriate data and the analysis of that data is probably the biggest issue that companies face,” says Mr Apostolik. “Putting the systems in place to collect the data that you can analyse and report from is a huge undertaking.”

And roles are just as important in the process. It is important to think through any solution and ensure that it is carefully tailored to roles rather than individuals, since individuals move from job to job, while roles are more consistent. By carefully defining the informational requirements of different roles, to enable the people in the roles to make better decisions, financial institutions can become more efficient.

“You get to the point where you recognise that things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view,” says Mr Munro. “It’s difficult to ask people in their particular areas of risk expertise to do that, so you’ve got to invest in people that can do it on a full-time basis.”

Solvency II: Transparency and insight for European insurers

Insurance companies didn’t emerge from the financial crisis with glowing risk management credentials. However, European regulators in this sector had already spotted the need to improve risk management industry-wide. The new Solvency II rules, set to take effect in November 2012, require firms to demonstrate that they have an “adequate system of governance”, which includes effective systems to identify and manage risks.

The rules require all European insurers—as well as North American carriers with operations in Europe—to have four separate functions to cover risk management, compliance, internal audit and actuarial issues. Detailed rules set out what each of these functions should do. There are also rules aimed at ensuring that each unit has the resources it needs to do its job.

Establishing data quality is at the heart of Solvency II compliance. Insurance companies will be expected to set a board-level policy on data use and quality. They will also have to show to regulators that the data they use in governance, and for management decision-making, is “fit for purpose”.

Importantly, regulators will not be content to receive masses of data generated from internal systems. They will want access to timely risk information that gives insights into the drivers and key risk indicators that executives use when making decisions about the trade-off between risk and capital. That puts huge pressure on any insurer with duplicate or stale information and inconsistent data quality. They will have to raise their game, and quickly.

The objective, according to the Professional Risk Managers International Association, a global, non-profit body of risk professionals with local groups in 200 countries, should be an enterprise risk management program that covers both defensive and proactive risk management—in other words, an approach that doesn’t just seek to reduce the risks that the business takes, but one that leverages judicious risk-taking for better returns. Regulators will also expect insurers to benchmark the quality of their risk management policies, methodologies and infrastructure.

The bottom line is that risk management must deliver transparency and insight. Insurers will need to understand their risk profile across their business operations and product lines, and across their different risk categories—feeding any significant changes to the right level of management, fast. An integrated, comprehensive and strategic approach to risk information is the only way of achieving that.

Conclusion

An integrated approach to risk and compliance is a Holy Grail that many financial firms have searched for yet have failed to find. They know that with better, more reliable and more accessible information about how their business is performing, they can make far better decisions. The financial crisis—its causes and the regulatory response—should encourage them to renew their quest. The obstacles they will face along the way are as challenging as ever. But the benefits are difficult to dispute.

Nothing will happen without a champion at the top. Whether it is a board member, the CEO or the CFO, someone at the highest level needs to connect the strategy of the enterprise with the risk and compliance activities of each line of business, right down to the operational level. Additional suggestions to emerge from the interviewees include:

• priorities, and decide how you’ll use your limited resources to get the biggest improvements and support business objectives
• Automate data management activities to the extent feasible, but do not rely on data to tell the whole story. Periodically evaluate and adjust how you identify, verify, measure and report on risk. Test your findings and make continuous improvements.
• organization

Posted: 06/12/2015, 23:08
