September 01, 2003

Jim Rohr loves one kind of risk-taking the chance that if he lends you money, you'll pay him more back. But there are other kinds of risk that the CEO of PNC Financial Services Group Inc. (Pittsburgh) would just as soon do without, like the possibility of someone writing fake checks or an ATM network going down or a flood in a data center.

So a year ago, Rohr appointed Tom Whitford as chief risk officer. His office has four managers, each working within PNC lines of business to implement risk-management programs, and Rohr keeps a close watch. "It all rolls into one person in our organization, the CRO, and he reports directly to me," he says.

PNC's IT department is among those most closely scrutinized as part of this system of checks and balances provided. CIO Tim Shack and his team are expected to take risk into account when deploying technology, and the risk-management team constantly evaluates how well they're doing. "When the CIO comes to me and tells me he has the telecom back-up site all set up, I have a risk person who then goes out and evaluates it," Rohr says.

The banking industry has been focusing more attention than ever on risk management. At the same time, banking regulators from around the world are working out a complicated set of rules for governing global banks, called the Basel II Accord, part of which looks at how much money banks must set aside for emergencies (see story, p. 42). What banks and regulators are doing hasn't been widely attempted, and it has dramatic implications for business technology: to regularly measure the risks a company faces and put price tags on them. While the largest banks are leading the effort, their success will be monitored by smaller banks-and likely other industries. By closely measuring risks, executives may look differently at the cost of technology-intensive investments to avoid those risks. "Supervisors expect the advanced measurement approach to provide the incentives to invest in new systems and practices that will reduce the potential for serious losses from operational risk," Federal Reserve vice chairman Roger Ferguson said in a February speech.

Basel II takes into account that globalization, consolidation and real-time information have changed the risks in the financial-services industry. From a business-technology standpoint, the industry is more dependent than ever on electronic transactions and more responsive to real-time information. At the same time, industry consolidation has left fewer banks in control of more money. These banks' "operations are increasingly complex and sophisticated," Ferguson said. "At the same time, significant weaknesses in one of these entities, let alone failure, has the potential for severely adverse macroeconomic consequences." In other words, if one bank takes a bad gamble and loses, the entire industry and global economy could suffer.

Business technology plays a dual role in this risk picture. IT innovations make it easier to calculate the risks and mitigate the dangers of doing business, but each technology deployment also brings new risk of outages or mistakes. Simply doing business over a Web site opens a range of potential problems, from security issues to lost customers if the site is down. "The Internet opens a whole new area of risk for us," PNC's Rohr says.

SPENDING IT DOLLARS ON RISK

Technology spending for risk management will account for 9 percent of the average IT budget in financial services, according to a report from IT advisory firm Gartner (Stamford, Conn.). The report predicts that building risk-management infrastructures will remain an IT investment priority through 2005. Still, getting firm return-on-investment measures or benchmarks for spending is tough. "Regulators and analyst firms have been working hard to put the pieces together to justify operational-risk-mitigation investment, and it sounds good, but it's hard to prove that any one bank is taking the right steps for operating risk," says Susan Cournoyer, principal analyst at Gartner.

The potential failure points in Basel II fall into three categories: credit risk, market risk, and operational risk. Credit risk is the easiest to understand: It's the risk of not getting paid back. Market risk involves investment decisions and broader financial market trends. But it's operational risk-from check-kiters to ATM failures-that's getting increased attention. It's also a big reason that banks make sure they choose chief risk officers who understand IT. "It used to be that risk management was with the CFO or economist types because it was a financial matter," says Catherine Allen, CEO of BITS, a Washington, D.C.-based technology and strategy group for the 100 largest U.S. financial institutions. "But in operational risk there are consistent technology themes-cybersecurity, business continuity, transaction risk-that traditional econometric models don't address, and most of the financial people don't understand the technology behind it."

The definition of operational risk can be hard to nail down. Theoretically, it's any loss calculated as operating expense that could have been saved had proper preventive measures been in place.

The movement to categorize and measure operational risk has its doubters. The Fed's Ferguson notes that some bankers believe money spent on IT systems and procedures to measure operational risk would be better spent on systems to prevent problems. And Basel II policy makers face the challenge that there's no standard for identifying and quantifying the risk. But they recognize that operational-risk losses can devastate institutions. Take Allied Irish Bank, which last year lost nearly $750 million-and took a considerable hit to its reputation-when a trader at a U.S. subsidiary forged records of options purchases, either to conceal losses or to skim fees paid for the options. Or there's check fraud, which has spiked as the economy has faltered. Then there's the Sept. 11, 2001, terrorist attacks, which still weigh heavily on the industry's disaster-recovery and business-continuity plans.

What proponents of the operational-risk elements of Basel II, such as Ferguson, propose is the "advanced measurement approach," which lets banks develop their own methodologies for calculating operational risk and the capital they'll set aside to prepare for it, within certain guidelines established in Basel II. Those will be subject to auditing and regulatory oversight, but the result should be that banks that invest to reduce their risks will get the financial return of lower capital requirements. "For example, if a bank invests in improved contingency procedures and approaches, we would expect such an investment to be reflected in a reduction in the need for operational-risk capital" under the advanced measurement approach, Ferguson said.

Technology can help companies understand their risk. As part of the post-merger integration with First Union Bank, Charlotte, N.C.-based Wachovia Corp. built a Web-based risk-capture application that each business unit used as it prepared and executed the integration. Using the system, managers evaluated their production environment based on criteria such as compliance, fragility of customer relationships, or disaster recovery, and they rated themselves against that criteria. The application rolled up the scores from all managers working on that project to produce a risk rating on the overall project. It then tallied all projects' risk ratings to a total line-of-business score. If the risk level was high, executives gave extra attention to that line of business during the integration. "We have embedded a technology and process where we're looking at the readiness of projects prior to implementation," says Joe Hanssen, VP in the operational-risk group at Wachovia. "It's a good risk-management and change-management tool."

Hanssen says the tool will be used beyond the First Union integration, becoming part of the bank's process for any major change, from another merger to an enterprisewide application deployment.

The other two areas of risk for banks-credit and market risk-are better defined and have more established measurement tools. But they remain major spending initiatives, and quite often the areas of risk and the technologies overlap with operational risk.

SAFELY BALANCING RISKS

Market risk, which rose in prominence with a revision to the Basel I Accord during the 1990s, can also help amplify operational risk. For instance, if a broker promises a client that a stock will be sold at $15 per share, but when the trade is executed the share price has dropped to $14, the brokerage may have to cover the difference. Automating trading is a big part of the solution, and the industry is working toward adopting standard practices, such as straight-through processing and workflow-automation technologies, to prevent such losses.

Another area of crossover between market and operational risk comes from investment companies helping clients understand their choices in a volatile market. During the recent boom, investors became easily enamored of certain stocks or sectors and would overconcentrate their portfolios. "So when they failed, the impact from that stock was disproportionate from what it should have been," says Chet Helck, president and COO at Raymond James Financial (St. Petersburg, Fla.). It's more important than ever to give smart guidance to customers-and document it. "The world has become far more litigious, and there are unprecedented numbers of cases...where investors are attempting to get even from market losses by suing the firm they bought the shares from," says Helck.

Raymond James uses software from Comprehensive Software Systems Inc. (Golden, Colo.) to store customer profiles with data such as age and net worth, and it has developed in-house software to match that information with systems for account tracking and performance reporting. The data is reported to managers so they can review portfolios. Brokers get early identifications of heavy losses or abnormal trading, and the reporting software flags that for managers, giving the brokerage a head start on reacting to and reducing the damage. "The software will make sure on a metrics level that the activity performance and holdings on the account are suitable for that customer's profile and objectives," Helck says. "By identifying...that they were overconcentrated, a broker could convince them to be more moderate."

Operational and market risk are important and will get increasing attention going forward. But where banks make their money is in lending to the right people, and that's where they've spent the most on IT.

Among those looking closely at credit risk is Harris Bank (Chicago, $28 billion in assets). Harris' answer to credit-risk assessment came when the company implemented a PeopleSoft (Pleasanton, Calif.) financial management application suite to manage accounting, cost-allocation and financial-reporting processes to calculate profitability for specific lines of businesses and products. The PeopleSoft app takes data feeds on everything from mortgages to commercial loans from each of the bank's back-end systems-at least 50 sources of data running on anything from Unix to NT platforms to legacy mainframe systems-and collects the data in the PeopleSoft Enterprise Performance Management Warehouse.

But whatever data a company uses for accounting by nature can be used for risk assessment as well, says Adam Schabes, Harris' VP of financial information systems. Harris went live with the system in October, including a risk-assessment module from PeopleSoft that collects data from the warehouse, analyzes it, and reports it in a risk-management-friendly format. "Before, risk-management (staff) would go and get data from each individual application, and there was manual effort to massage it into standard format," Schabes says. Since each application stored and named data points differently, risk managers spent lots of time manually creating spreadsheets. "It wasn't a clean process," he says.

Having that data in a comprehensive format changes how the company manages products and customers, because the bank can use formulas to more accurately determine the risk versus profitability of the customer. "It's had a heavy influence in our product pricing, like on the loan side," Schabes says. It lets the bank customize loans and that gives the bank an advantage over banks judging a customer within a broad market segment, he says.

Dresdner Bank AG (Frankfurt) is also building a tighter relationship with its customers, which makes it easier to sort out the bad apples that will do the bottom line wrong. Dresdner, with more than 1,100 branches in 70 countries, uses business intelligence tools from Business Objects SA (San Jose, Calif.) that provide a comprehensive view of its customer relationships and risk exposure. Traditionally, collecting data and then reviewing and analyzing a customer portfolio for risk could take weeks. Using the business intelligence tools, employees can create ad-hoc queries and reports on a customer. The customer data is checked against 50 or more risk factors and the results are used to calculate a credit-risk indicator. That indicator can be analyzed and aggregated along many dimensions, including customer segment, branch and region to isolate and track credit risk.

Though credit risk gets most of the IT budget today, Gartner's Cournoyer predicts that by the end of the year, spending on tools to measure and mitigate operational risk should grow at a faster rate as regulators clarify Basel II guidelines. As these three risk categories vie for attention and budget, experts say financial institutions will need to build a holistic risk management architecture based on real-time data that's collected on a transactional level, notes Guillermo Kopp, director of financial-services strategies and IT investments at the advisory firm TowerGroup (Needham, Mass.). "What (institutions) want is to integrate information from all product systems, credit systems, account systems, fund-transfer systems in a way that reflects credit, market and operational risk at the enterprise level," Kopp says.

That's easier said than done for an industry that continually struggles with data-integration issues. But a deadline is on the horizon, since Basel II will likely require that banks be able to access three years' worth of data related to risk when the regulation goes into effect in 2006.

As a result, banks will grow more dependent on business technology to keep from being overwhelmed with risks, regulations and competition. "There are a lot of issues coming down that we have to comply with," says Raymond James' Helck. "The CIOs in the financial services world have a great opportunity here to add value to their organizations by creating risk management, compliance, and sales-management tools."

Financial services, as one of the most heavily regulated industries, often pioneers rules and guidelines that are quickly picked up by other verticals. "This isn't just about Basel. This is about everyone," according to BITS' CEO Allen. Regulation or, more likely, market pressures will force every institution to adopt some flavor of the risk- management policies in time.

Allen believes most public companies ultimately will have documented operational-risk programs. Says Allen, "It's important to give a heads up to everyone that, whether you're manufacturing or pharmaceuticals, in your industry you have operational risks, and your business is going to be impacted by that."

Editor's Note: This article originally appeared in InformationWeek, a sister publication of Bank Systems & Technology.

THE UPSHOT
- Financial-services companies are becoming more sophisticated about how they track and value the risks they face.

- Business technology plays two roles in this assessment: making it easier to evaluate risks while increasing the risks of technology failure as banks become more dependent on IT.

- Basel II, an accord being worked out among the world's top bankers and national financial regulators, will put greater emphasis on operational risks such as technology failure. And it will likely offer lower reserve requirements for banks that invest in IT to lower their risks.