Traditionally thought of as a negative, risk is an unavoidable part of doing business. And risk management has been around as long as people have conducted business transactions. But, experts say, the time has come for banks to change their views on risk.
"Risk is not something bad -- it's something that has a price tag," says Wolfgang Porada, global head of sales consulting, risk, for London-based Misys Banking Systems. "If you can earn money on taking risk, you take the risk," he adds. "You take the risk if you get the right reward."
And the rewards can be significant. "The more risk you have, the more money you can make," says Jonathan Rosenoer, global risk officer, financial services sector, for IBM (Armonk, N.Y.).
Yet, managing risk at banks tends to be duplicative and fragmented, which is expensive and inefficient. Even as the concept of enterprise risk management (ERM) becomes more widely accepted across the industry, many banks still are creating new silos of analytical capability, ending up with a potential hodgepodge of different solutions -- each of which may be high in quality but lack the capability to interact with other solutions to provide a true view of risk across the enterprise. >>
Still, to transfrom risk into opportunity, banks increasingly are turning to ERM. "As banks refine their systems and models, the benefits will come from freed-up capacity to take on risk, which creates the ability to embark on new business opportunities," says Brendan Nedzi, managing director at New York-based The Bank of New York ($108 billion in assets).
But ERM is a relatively new concept and a challenging undertaking for any institution. "Part of the challenge here is to understand what people mean by enterprise risk management," says Sandeep Vishnu, a senior manager in risk practice for McLean, Va.-based BearingPoint.
As a result, the jury is still out as to where banks are along the road to ERM. While some call it just a developing concept, others insist that it's a necessity and that banks that are not pursuing ERM are at a competitive disadvantage.
"It's absolutely a reality," says Virginia Garcia, global strategist for risk management at Brookfield, Wis.-based Fiserv. But, "It's all a matter of how you define it."
Even regulators have weighed in on the subject. During an April speech at an ERM roundtable at North Carolina State University, Federal Reserve Gov. Susan Schmidt Bies defined ERM as "a process that enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build stakeholder value."
According to Guillermo Kopp, VP of TowerGroup's (Needham, Mass.) cross-industry practice, ERM is about integrating different types of risk as well as different products throughout an organization. It includes policies, technology solutions and IT infrastructure, he says.
"ERM is a pervasive process discipline; it's not necessarily a single technology that delivers immediate results," Fiserv's Garcia says. "That's really where a lot of the confusion comes into play."
IBM's Rosenoer, however, seems to define ERM more narrowly, adding to the potential confusion. "It's not clear that anybody has actually implemented an enterprisewide risk management system," he counters. "It's still in the design stage -- still in the stage of pulling these systems together."
Regardless, improving risk management is a top priority for financial institutions. According to TowerGroup's Kopp, banks' spending on risk management solutions will rise at a rate of 5.3 percent a year through 2009. Currently, 60 percent of that spending, or $12 billion globally in 2005, is on third-party solutions. But, Kopp notes, the percentage of spending on vendor products is on the rise. Not surprisingly, the functionality provided by vendor offerings reflects the industry's changing view of risk.
Evolving ERM Solution
According to Toronto-based Algorithmics, a provider of enterprise risk solutions for financial institutions, its ERM solution, Algo Suite, enables risk managers to measure, monitor, and manage assets and risk in real time, using portfolio/risk analytics, valuation methodologies and scenario-generation techniques. Over the past 10 years, however, Algorithmics has significantly changed the way its ERM software is developed, says Andy Aziz, managing director, risk solutions, for Algorithmics. "Ten years ago, we first started calling our solution an ERM solution," he says. The solution, which did everything from data acquisition to data management to risk analysis and reporting, delivered data to managers in a batch deployment, Aziz relates. "We were primarily addressing the needs of the middle office, [which was] seen as a police force," he says.
But Algorithmics' current ERM solution is a totally different animal, Aziz stresses. "In today's world, we need to be able to provide not only a snapshot view of exposure, but also be real time enough to assess the impact of new transactions -- sometimes in milliseconds," he says. Service-oriented architecture, Aziz explains, abstracts the engines from the reporting interfaces and allows Algo Suite to address the twin issues of performance and leveraging other technologies within an organization.
Aziz says that Algorithmics' ERM customers basically fall into two "clusters." Cluster 1 takes the Algorithmics solution out of the box, and Cluster 2 starts off using the ERM solution for a single project and then expands it throughout the bank. The first cluster probably is the most popular in smaller organizations because of speed of deployment and cost of ownership, Aziz adds.
"The holy grail is a linkage between enterprise risk management, ALM, economic capital and, ultimately, with shareholder value," Aziz says. "Some believe they are already there, but we're more on the path to moving in that direction."
Milan-based Banca Intesa (US$347 billion in assets) has been operating on Algorithmics' Algo Suite, which is based on a Sun Solaris environment, since 1996, relates Paolo Sironi, head of market risk models and architecture for the bank. "The backbone of our [risk management] technology is Algorithmics. The ERM system was built in 1996 and has evolved ever since," he says. "By focusing on an enterprise risk infrastructure based on the Algo Suite, we have been able to leverage the achievements, models, market data, processes and methodologies developed and traditionally calibrated to support trading activities, and extend all of these to other business units -- retail business, international branches and subsidiaries -- keeping the bank's market risk management at the cutting edge."
Taking Bites Out of ERM
While some banks have taken the big-bang approach to ERM, most will tackle the project in phases, according to Fiserv's Garcia. "There's going to be a lot of process transformation that will need to occur -- automation of processes," she says. "Those are specific bite-size chunks that may look very different from one institution to the next."
Technologies common to successful ERM implementations, BearingPoint's Vishnu says, include a flexible data warehouse and specific analytic tools that are user-friendly. But, he stresses, while technology is important, it is just one component of an overall risk management strategy. "Technology doesn't get leveraged in isolation," Vishnu adds.
"Risk management is a highly IT-oriented framework that needs stability and design in an ever-changing environment," Banca Intesa's Sironi explains. "The risk architecture is not an IT process but an analytical one that requires structure and flexibility to support a long-term vision."
As with any major change, ERM comes with hurdles that stand in the way of the transformation. "Cultural hurdles are the No. 1 concern," Fiserv's Garcia says. "ERM is going to require significant change. No longer will it be managed in business silos; it will be managed at the enterprise level, and that will require new people and new ways of thinking. It's also going to require substantial investments in technology, and that's not always an easy thing for an organization to digest. Bite-sized things will be tackled on a case-by-case basis."
The Bank of New York is among the financial institutions that are well on their way to achieving ERM, relates the bank's Nedzi, who oversees the financial institution's credit portfolio management division and Basel II compliance efforts. "We have the systems and governance framework covering the various risk silos in place, and the next step is trying to identify and model the correlation that exists across those silos of risk," he describes.
The bank has implemented two primary technology platforms for its Basel II compliance effort, Nedzi says. It worked with Algorithmics to develop a credit rating system and with BearingPoint to create a credit risk data warehouse. "We're probably ahead of the game relative to others," Nedzi asserts. "A distinct advantage to what we've had is that our recent acquisitions have been largely product-line acquisitions, which have not required significant integration of risk management technology platforms," he notes.
"The hardest part of everything you do in risk management is demonstrating the benefits," Nedzi continues. "Looking back and testing the benefits is one of the constant challenges we have."
While there are no direct metrics to measure the success of ERM, banks that have effective and integrated risk management will be more operationally efficient, leading to an improved cost-to-income ratio, and they also should be able to stem the cost of fraud, Fiserv's Garcia contends. "Those are two areas where you can measure success," she says, adding that banks that effectively manage risk should also be able to streamline the number of people who are tapped to manage risk and compliance.
Compliance as a Catalyst
Of course, operational efficiency is not the only driver behind ERM. Improved risk management, at least in part, is the goal of several regulations. "Basel II has driven a lot of funding over the last few years when it comes to risk management; so has Sarbanes Oxley," says BearingPoint's Vishnu.
A lot has happened in the past seven years that has led to increased efforts in risk management, IBM's Rosenoer relates, pointing to Sept. 11, 2001, and the bursting of the dot-com bubble. "What the federal regulators and regulators of international banking said is that there wasn't enough transparency in the system to provide the public with the insight it needed to decide what the risks were; and the regulators also did not have a clear view," he says. As a result, the regulators have moved to a risk-based supervision approach. They are charging financial institutions with putting together programs that will assess risk and ensure appropriate controls are in place given that risk, Rosenoer explains.
Federal Reserve Gov. Mark W. Olson told the Financial Services Roundtable in May that an "enterprisewide approach to compliance risk management has become mission- critical for large, complex banking organizations."
"Enterprise risk management is certainly something that has been adopted globally by financial institutions, particularly the larger institutions that understand what Basel II means to their businesses, what Sarbanes-Oxley means to the business," says Fiserv's Garcia, who formerly was a research director at TowerGroup. But, she asserts, "The fact of the matter is that unless there is a regulator breathing down your neck or an urgent deadline, it's hard to mobilize the organization to orchestrate change."
While compliance is one of the key catalysts of ERM adoption, there clearly are other drivers behind it. If an ERM system is used effectively, it can increase shareholder value in an organization by maintaining rating and reputation, lowering cost of capital, reducing the burden and cost of compliance, improving decision making and pricing, and enhancing overall efficiency, according to IBM.
But the main benefit of ERM may be the ability to leverage existing investments to create business value. "In banking, it's all about bringing in more capital and dealing with it more efficiently than your competitor," IBM's Rosenoer says. "If you don't [put ERM in place] when everyone else is doing this, you don't have an efficient operation. Once you put a system like this in place, you'll make a lot more money."
"As technology investments are considered by financial institutions, the question will be asked more and more, 'How can these investments be leveraged across the business?'" Fiserv's Garcia says. Going forward, risk and compliance will be embedded in the business process instead of being an add-on later, she predicts. *