Better information, better decisions The risk and compliance challenge for financial institutions A report from the Economist Intelligence Unit Better information, better decisions The risk and compliance challenge for financial institutions Preface Better information, better decisions: The risk and compliance challenge for financial institutions is based partially on The age of compliance: Preparing for a riskier and more regulated world, an Economist Intelligence Unit briefing paper sponsored by SAP The Economist Intelligence Unit bears sole responsibility for this research Our findings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations The findings and views expressed in this report not necessarily reflect those of the sponsor Neil Baker was the author of this report and Dan Armstrong was the editor December 2010 © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions Better information, better decisions: The risk and compliance challenge for financial institutions “Having really good information about the business combined with the ability to get that information quickly to regulators and, more importantly, to senior management, helped an awful lot [during the crisis].” Mark Carawan, Group Chief Internal Auditor, Barclays plc W hen mortgage defaults among US sub-prime borrowers suddenly shot up late in the tenure of Citibank’s then-CEO Chuck Prince, he was surprised to learn that the bank held mortgage-related assets worth about US$43bn Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince that everything was fine But within weeks Citi was nursing losses on the assets running into billions of dollars The bank’s risk management was shown to have severe deficiencies: accepting ratings agency opinions in lieu of independent reviews; relying on brittle financial models; and, according to subsequent congressional testimony, violating internal credit policies Within two months, Mr Prince was out of a job The Citi example shows how hard it is for a large, complex bank to deal with two related problems: how to manage risk across business operations, and to ensure that top executives have access to accurate risk information on the business issues that matter most Barclays Bank PLC, a major global financial services provider, successfully dealt with both problems Its approach to risk management is one reason the bank survived the financial crisis without a government bailout, says Mark Carawan, the group’s chief internal auditor “Having really good information about the business combined with the ability to get that information quickly to regulators and, more importantly, to senior management helped an awful lot,” he says The information challenge * “Final Report of the IIF Committee on Market Best Practices: Principles of Conduct and Best Practice Recommendations Financial Services Industry Response to the Market Turmoil of 20072008.” Published by the Institute of International Finance http://www.iif.com/download php?id=Osk8Cwl08yw= It is ironic that some of the banks whose poor risk management practices were exposed by the crisis actually thought they were leading the pack on this issue With hindsight, it is clear that many executives in the financial sector were operating in the dark They had only a partial—or just plain wrong—view of the risks accompanying key decisions “This is an area where banks collectively have under-invested over the years,” says Bruce Munro, group chief risk officer of National Australia Bank “Some are good at it, but most lack what you might call really quick and accurate risk information.” Risk management is the core area where banks have to better, according to a report on lessons learned from the crisis published by the Institute of International Finance (IIF)* Leading up to the crisis, they “severely underestimated” their exposure across virtually every category of risk, had weak controls in place, shared risk information badly, and struggled to aggregate risks across business lines and functions, the report says According to the report, the solution is root and branch reform: a complete rethink of the way banks deal with risk information, from engagement at a board level to operating tools and processes © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions “Risk management should be our core expertise and what determines, to a large extent, our individual success as firms,” says Rick Waugh, president and chief executive of Scotiabank and co-chair of the IIF committee that produced the analysis “Our industry has made mistakes, and for some this has been very costly.” Impetus for change “Risk management should be our core expertise and what determines, to a large extent, our individual success as firms.” Rick Waugh, president and chief executive of Scotiabank Facing the charge of being asleep on the job, regulators around the world are taking a renewed and refocused interest in the information capabilities of the financial institutions that they regulate Whereas once they might have asked about the systems and procedures in place to manage risk, now they are putting more emphasis on the quality of information that flows around those systems This is not simply about regulating individual firms One of the big issues that regulators missed in the run-up to the crisis was systemic risk—the threat that the banking system itself could implode To monitor this better in the future, they are demanding that firms provide much more data about their risk exposures that, aggregated, will provide regulators a big-picture view “The whole environment over the past 18 months has facilitated much broader thinking about risk management,” says Mark Krakowiak, chief risk officer of GE, which is divided between industrial and financial services groups Increased scrutiny has already led to a barrage of new regulatory requirements that push firms to provide data at a remarkably detailed level The Financial Services Authority (FSA) now requires UK firms to report on 10,000 data points And there is more regulation on the way In the US, the Dodd-Frank Wall Street Reform and Consumer Protection Act created a new oversight council to evaluate systemic risk The The exponential growth of US financial services regulation Number of pages of legislation 2010 Dodd Frank Wall Street Reform Act 2,319 pages 2,500 2,000 1,500 1,000 500 1913 Federal Reserve Act 31 pages 1933 Glass Steagall 37 pages 1966 Interstate Banking Efficiency Act 51 pages 1999 2002 Graham Leach Bliley Sarbanes 145 pages Oxley 66 pages Source: Economist Intelligence Unit, 2010 © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions European Commission has established its own European Systemic Risk Board Assuring regulators that an organisation can provide huge volumes of detailed, relevant and accurate data is now an integral part of running a financial services firm Better decisions Companies without this capability are making it a priority Even without regulatory pressure, there is a clear business case for investments that deliver higher quality risk and compliance data The proposition is straightforward: if executives have better access to more reliable information, in a format they can work with easily, they are more likely to make better business decisions Financial firms find this difficult for two reasons The first is the lack of a consistent methodology for collecting and classifying data The second is the fragmentation of risk and compliance activities “We try to design the systems and their input and output controls in such a way that you have a high level of assurance that you will catch garbage going in, so you don’t have garbage going out.” Mark Carawan, Group Chief Internal Auditor, Barclays plc Consistency of data collection and classification First, the priority for regulators—and, because regulators require it, for companies as well—is to get the data they need in order to manage systemic risk But there is no industry-wide taxonomy for categorising, reporting or tracking such data Wal-mart knows what its stock levels are through the supply chain because each item has a unique bar-code; Fedex can track its parcels because they are RFID tagged Banks not have a comparable system of generating and monitoring data “It is really important to ensure that at a board meeting, or any internal management meeting, we are using the same data sources and have confidence that the data is reliable,” says Barclays’s Mr Carawan “Then we can focus on fixing the problem that the data has exposed, rather than debating whose data are right.” Initiatives are underway to produce industry-wide data standards to make this easier The FSA is working on common processes and roles for companies to adopt The Data Management Council (http:// www.edmcouncil.org/) a US-based industry-funded organisation is working on its own taxonomy of data codes The beta version of the council’s Semantic Repository, which starts with codes for financial instruments and drills down into sub-codes for contracts, formulas, processes and other components, has been posted for review But a common solution could be a long way off The key, in the meantime, is to define clearly and in detail what data need to be collected and how to assure their quality before they even enter a business information system, argues Mr Carawan “It’s about being granular and well-disciplined about what you capture and then having really good conformance testing to make sure you maintain those standards,” he says “We try to design the systems and their input and output controls in such a way that you have a high level of assurance that you will catch garbage going in, so you don’t have garbage going out.” As another line of defence, Barclays’ internal audit function puts a lot of effort into assuring the quality of business information, says Mr Carawan “We regularly schedule information assurance into our audit work, so there is additional comfort that what is being read internally and what is being sent to regulators is good,” he says “It’s very important.” © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions “Many financial services companies have a number of different divisions—often with different financial and operational risk profiles As a result, in many organisations information is held in a wide range of often incompatible systems.” Matt Palmer, group information security officer at a UK lender The fragmentation of risk and compliance activities Structural issues are another reason financial institutions find it difficult to build in better access to information Risk and compliance activities inside financial firms are typically fragmented The professionals charged with ensuring compliance with the coming Basel III rules, for example, will use a different framework and standards than those managing operational risk controls Each risk and compliance activity is often built up separately, frequently in response to a major event, new compliance obligation or acquisition “Many financial services companies have a number of different divisions—often with different financial and operational risk profiles” and histories, says Matt Palmer, group information security officer at a UK lender “As a result, in many organisations information is held in a wide range of often incompatible systems.” In some cases, it is not easy to identify the location or existence of required information “The degree of assurance that can be obtained over different data sets also varies, making it difficult to ensure that information brought together from multiple systems is accurate,” he says This fragmentation is costly because there is duplication of effort It leads to complexity because there is no common approach And when compliance activities are splintered, business risks inevitably grow For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security breaches or data losses Fragmented financial compliance can open the door to fraud or restatements Compliance is often thought of as separate from risk But in fact the two functions are tightly bound, since an ad hoc approach to compliance leads to higher levels of risk Tone at the top An effort to improve risk management and gain better information about risk has to start in the boardroom It requires a clear message from the top of the business that the organisation’s risk culture, compliance and control are integral to success, and that business information on these issues must be available and communicated Although much is said about the need to build an enterprise-wide risk culture, it is up to boards and executive management to define what it is “Boards need to define what their risk culture is and from there they need to define what the organisation’s risk appetite is,” says Richard Apostolik, the CEO of the Global Association of Risk Professionals “Then they have to ensure that the rest of the organisation works within the definitions that they have come up with.” In general, an organisation’s risk appetite—its risk tolerance and limits across the full range of its businesses—should be clearly articulated and approved by the board Once this has been set at the enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk owners “We set a risk appetite at the enterprise level, then each of the business units takes that and applies it and forms their own risk appetite based on those overall settings for their line of business,” explains Mr Munro of National Australia Bank “So you start to get commonality, a common approach and a common language Properly done, the risk appetite statement becomes a cornerstone and becomes part of the language of enterprise risk.” © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions “We assess any control weakness that we find both by their root causes, so we know how to fix them, and by their impact, so we know how they adversely affect the risk profile of the group,” says Barclay’s Mr Carawan “That means we have a wealth of data and information about risk, which the regulators like.” Standardised processes Building an enterprise-wide layer of risk and compliance on top of existing processes can seem like a daunting task When individual sources of assurance and compliance activities are run separately and rarely interface—either personally or by means of risk systems and IT infrastructure—successful integration can demand considerable time and resources Much depends on the extent to which existing risk processes have already been standardised, says GE’s Mr Krakowiak The company created a single framework for risk management across its entire enterprise, spanning both the financial and industrial businesses GE’s longstanding commitment to the standardisation of business processes made this a more straightforward task than it might otherwise have been “We already had a very process-oriented approach to the operational side of our business,” he explains “For example, we have a standard review process for our compliance, and we use standard processes for budget planning and strategy planning So we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk.” A successful enterprise-wide view of risk and compliance depends on managing the opposing requirements for centralisation and decentralisation On the one hand, there needs to be a central function that can aggregate risk and compliance information from the business Without it, senior executives cannot effectively make business decisions regarding how to manage risk and take advantage of potential business opportunities Yet at the same time, risk needs to be owned by the business, within an established framework “It’s really important to have risk people close to the business so that they can help managers with a specific set of risks that need to be managed,” notes Mr Munro “You need to walk that fine line between collaboration and independence.” Open dialogue Frequent dialogue between risk functions and the lines of business is essential The relationship should be symbiotic: managers should be confident that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk In some firms, this requires a shift in perceptions of the risk function Rather than being seen as a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an “enabler” that can offer valuable advice To gain the confidence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions Untangling GRC In many organizations, GRC practices multiply throughout the firm and become disorganized, fragmented and overly complex Board of Directors CEO A key metric for the success of this dialogue is the extent to which heads of business units and business managers proactively seek out the risk function to engage them in discussion about their plans Business managers will be more willing to listen to a risk or compliance function that is willing to roll up its sleeves and work with them to mitigate risks, rather than just waiving red flags Getting away from silos Manual inputs Poor data quality Unnecessary complexity Poor security Companies are increasingly focusing not only on risk management within their organisation, but on interdependencies with other companies within their network as well as the broader economy “Companies are finally realising that there is a need to determine how an organisation can look at its risks from a Multiple data holistic perspective and figure out how those can be formats managed and monitored,” says Mr Apostolik By aggregating risks at an enterprise level, Little Duplication institutional memory a company has a much better understanding of potential threats that could cause serious financial, liquidity or reputational damage GE’s new Inconsistent Missed terminology handoffs enterprise-wide risk approach is a good illustration “We wanted to make sure that when we looked across the entire portfolio, we understood clearly the key Inflexibility things that could potentially put the franchise at risk,” reports Mr Krakowiak “To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we understood completely the risk we were taking, what some of the external factors were that could impact us, and what could prevent us from achieving our strategic objectives.” Aggregation of risk and compliance at the enterprise level also provides senior executives with the oversight they need to assess interdependencies and correlations across the business, and make adjustments accordingly “You might find that you want to put in different limits or constraints, or adjust your capital allocation because what looks okay in one silo doesn’t necessarily look the same once you aggregate it at the enterprise level,” argues Mr Munro People and technology Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of key risk indicators When implemented properly, it can help companies assess the impact of a risk against a particular objective, and increase visibility into the effectiveness of compliance efforts © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions Problems with gaining access to accurate, high-quality data hamper the quantification and analysis process “The question of appropriate data and the analysis of that data is probably the biggest issue that companies face,” says Mr Apostolik “Putting the systems in place to collect the data that you can analyse and report from is a huge undertaking.” And roles are just as important in the process It is important to think through any solution and ensure that it is carefully tailored to roles rather than individuals, since individuals move from job to job, while roles are more consistent By carefully defining the informational requirements of different roles, to enable the people in the roles to make better decisions, financial institutions can become more efficient “You get to the point where you recognise that things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view,” says Mr Munro “It’s difficult to ask people in their particular areas of risk expertise to that, so you’ve got to invest in people that can it on a full-time basis.” Solvency II: Transparency and insight for European insurers Insurance companies didn’t emerge from the financial crisis with glowing risk management credentials However, European regulators in this sector had already spotted the need to improve risk management industry-wide The new Solvency II rules, set to take effect in November 2012, require firms to demonstrate that they have an “adequate system of governance”, which includes effective systems to identify and manage risks The rules require all European insurers—as well as North American carriers with operations in Europe—to have four separate functions to cover risk management, compliance, internal audit and actuarial issues Detailed rules set out what each of these functions should There are also rules aimed at ensuring that each unit has the resources it needs to its job Establishing data quality is at the heart of Solvency II compliance Insurance companies will be expected to set a board-level policy on data use and quality They will also have to show to regulators that the data they use in governance, and for management decisionmaking, is “fit for purpose” Importantly, regulators will not be content to receive masses of data generated from internal systems.They will want access to timely risk information that gives insights into the drivers and key risk indicators that executives use when making decisions about the tradeoff between risk and capital That puts huge pressure on any insurer with duplicate or stale information and inconsistent data quality They will have to raise their game, and quickly The objective, according to the Professional Risk Managers International Association, a global, non-profit body of risk professionals with local groups in 200 countries, should be an enterprise risk management program that covers both defensive and proactive risk management—in other words, an approach that doesn’t just seek to reduce the risks that the business takes, but one that leverages judicious risk-taking for better returns Regulators will also expect insurers to benchmark the quality of their risk management policies, methodologies and infrastructure The bottom line is that risk management must deliver transparency and insight Insurers will need to understand their risk profile across their business operations and product lines, and across their different risk categories—feeding any significant changes to the right level of management, fast An integrated, comprehensive and strategic approach to risk information is the only way of achieving that © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions Conclusion A n integrated approach to risk and compliance is a Holy Grail that many financial firms have searched for yet have failed to find They know that with better, more reliable and more accessible information about how their business is performing, they can make far better decisions The financial crisis—its causes and the regulatory response—should encourage them to renew their quest The obstacles they will face along the way are as challenging as ever But the benefits are difficult to dispute Nothing will happen without a champion at the top Whether it is a board member, the CEO or the CFO, someone at the highest level needs to connect the strategy of the enterprise with the risk and compliance activities of each line of business, right down to the operational level Additional suggestions to emerge from the interviewees include: l Taking a proactive approach in identifying, assessing, measuring and communicating risk Establish priorities, and decide how you’ll use your limited resources to get the biggest improvements l Make sure executives see spending on compliance and risk management as investments that add value and support business objectives l Automate data management activities to the extent feasible, but not rely on data to tell the whole story Periodically evaluate and adjust how you identify, verify, measure and report on risk Test your findings and make continuous improvements l Create a single architecture for compliance and risk management stakeholders across the organization © The Economist Intelligence Unit Limited 2010 Design: Mikekenny@me.com Cover: shutterstock.com Illustration: Linda Olliver Whilst every effort has been made to verify the accuracy of this information, neither the Economist Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance by any person on this report or any other information, opinions or conclusions set out herein LONDON 26 Red Lion Square London WC1R 4HQ United Kingdom Tel: (44.20) 7576 8000 Fax: (44.20) 7576 8476 E-mail: london@eiu.com NEW YORK 750 Third Avenue 5th Floor New York, NY 10017 United States Tel: (1.212) 554 0600 Fax: (1.212) 586 0248 E-mail: newyork@eiu.com HONG KONG 6001, Central Plaza 18 Harbour Road Wanchai Hong Kong Tel: (852) 2585 3888 Fax: (852) 2802 7638 E-mail: hongkong@eiu.com GENEVA Boulevard des Tranchées 16 1206 Geneva Switzerland Tel: (41) 22 566 2470 Fax: (41) 22 346 93 47 E-mail: geneva@eiu.com [...]... Mikekenny@me.com Cover: shutterstock.com Illustration: Linda Olliver Whilst every effort has been made to verify the accuracy of this information, neither the Economist Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance by any person on this report or any other information, opinions or conclusions set out herein LONDON 26 Red Lion Square London... newyork@eiu.com HONG KONG 6001, Central Plaza 18 Harbour Road Wanchai Hong Kong Tel: (852) 2585 3888 Fax: (852) 2802 7638 E-mail: hongkong@eiu.com GENEVA Boulevard des Tranchées 16 1206 Geneva Switzerland Tel: (41) 22 566 2470 Fax: (41) 22 346 93 47 E-mail: geneva@eiu.com .. .Better information, better decisions The risk and compliance challenge for financial institutions Preface Better information, better decisions: The risk and compliance challenge for financial institutions. .. risk and compliance challenge for financial institutions Better information, better decisions: The risk and compliance challenge for financial institutions “Having really good information about the. .. © The Economist Intelligence Unit Limited 2010 Better information, better decisions The risk and compliance challenge for financial institutions Conclusion A n integrated approach to risk and compliance