Rather than point fingers, however, many financial services executives simply want to find solutions to the problems that caused the meltdown in the first place. One theme commonly expressed among experts is that an infrastructure that gives banks a broader view of risk could have helped avoid much of the calamity of 2008. Has enterprise risk management's (ERM) time finally come?
Many believe that with the pressures brought on by the financial meltdown, the industry has finally gotten the kick in the pants it needs to approach its ERM initiatives in earnest. Even in Canada, where the effects of the housing crisis have been somewhat muted compared to the mess that has engulfed the United States, ERM is gaining momentum.
"Canadian banks are generally more highly capitalized [than their U.S. counterparts]," notes Bill Kasali, managing director, risk analytics, reporting and Basel projects, enterprise risk, and portfolio management, with Bank of Montreal (US$341 billion in assets). "However, the ongoing economic crisis is a global one. As such, any bank with global operations is likely to be impacted. The issue is the degree to which your risk management practices help you as a bank to prepare and/or anticipate the marketplace."
"I don't see any other way for things to evolve other than ERM," Kasali adds. "The business of risk begets everything else."
Morten Friis, chief risk officer with Toronto-based Royal Bank of Canada (US$580.4 billion in assets), says ERM, or the concept of looking at a bank's risk holistically rather than in silos, is not a new idea, pointing out that the major global banks have been on the road to ERM for several years. But, he adds, the crisis "provided a bit more impetus" for banks to start taking ERM more seriously.
"We've been on the ERM journey for at least a decade," Friis asserts. "This is an evolution where you're bringing all your risk together and allowing people to collaborate on full enterprise risk."
That evolution has been slowed largely by the enormous task banks face in deciphering the volumes of data they house, according to Steve Adler, chairman of the IBM Data Governance Council (Armonk, N.Y.). "It's a matter of normalizing the data," he says. "Will every part of the company describe the data in the same way? How do you know it's accurate? It's how you treat the data, analyze it and distribute it so it gets in the right hands at the right time and will be acted upon properly."
The immediacy of the data is a critical component to good risk management, stresses Mary Tuuk, chief risk officer with Fifth Third Bank ($116 billion in assets), which has had a formal ERM division since 2003. Tuuk recalls the manner in which the bank was able to better view its exposures to many of the failing institutions in late 2008: "Fifth Third has systems to monitor these exposures on a real-time basis," she says, declining to provide specifics on the solutions used by the Cincinnati-based bank. "Other companies didn't have the capability in place to do this. Looking at data in aggregate and in real time is very important."
Real-time or, at least, same-day data access is vital to effective risk management, agrees Damian Shaw Williams, a senior analyst with Datamonitor in New York. "Risk shouldn't be about 'X number of breaches occurred this month and we did this to fix them.' You need to be able to see information on that very day," he contends.
IBM's Adler suggests that achieving this greater visibility might require the creation of a new "data supply chain" that spans from the collection of data to regulatory reporting. "The data has to be in real time, and it has to be at people's fingertips," he says. "There will still be mistakes, but you can at least do more to mitigate their frequency and severity."
Bringing Data Analysis to the Front Office
More than simply marshaling data, banks need to rethink how they analyze data in order to improve risk management, according to Accenture's Ed Grau, who runs the firm's risk management practice for financial services and capital markets for North America. The way risk data is analyzed in most organizations is backward, he asserts, explaining that analytics tools need to be moved into the front office rather than handled in the back office.
"Risk management must focus on creating a unified set of positions and transactions," he says. "Move all the analytics into the front-office systems rather than re-creating it in the back office. Calculate the price sensitivities in the front-office systems and just bring back the results. You're eliminating redundancies and it creates a more real-time, realistic evaluation of the records as they stand."
Grau maintains that banks can spend 80 percent of their time re-creating this environment in the back office -- time that could be better spent actually analyzing the data and their portfolios. "Move the calculations to the data," he says, adding that Accenture is beginning to work with vendors to help them create applications that support this approach.
Similarly, infrastructure considerations can go a long way toward enabling ERM. Straight-through processing (STP), for example, is inherent to an ERM strategy, notes Douglas McKibben, research VP with Gartner (Stamford, Conn.). STP, he explains, enables banks to automate processes and better share information across lines of business, which goes hand in hand with enabling ERM.
In adopting Oracle's (Redwood Shores, Calif.) Reveleus risk management platform enterprisewide, Bank of Montreal (BMO) sought not only to standardize the organization's risk management approach for efficiency and effectiveness, but also to future-proof the bank's risk management systems, according to BMO's Kasali. While the Montreal-based bank initially deployed Reveleus to help it comply with Basel II requirements, BMO is finding other ways to broaden the system's use throughout the financial institution, he says. "As an organization, we are always looking at opportunities to maximize and leverage our investments," Kasali explains. (Read about BMO's implementation of Reveleus.)