November 29, 2004

Todd Gibbons knows risk. He is responsible for managing credit, market and operational risk at The Bank of New York (BoNY; $93.2 billion in assets). As chief risk policy officer, he's the point man for the organization's efforts to prepare for Basel II, from the technology and the compliance angles. Gibbons heads a group of approximately 195 employees in the risk management sector, including 45 staff members who are dedicated solely to Basel II.

From a technology standpoint, Basel II preparation requires two main components: massive databases and flexible risk-modeling systems. With regard to data, BoNY has taken a disciplined approach to its acquisitions by avoiding the trap of multiple legacy systems. "Fortunately, we had historically made the decision to integrate the data and go onto a single database whenever possible," Gibbons says.

Under the hood, The Bank of New York operates on an IBM (Armonk, N.Y.) infrastructure with a PeopleSoft (Pleasanton, Calif.) data warehouse for risk management, and the bank is experimenting with Linux and distributed computing technology as part of its risk management solution set. Also, the bank has been codeveloping a Basel II credit risk management architecture in conjunction with Toronto-based Algorithmics.

Other banks, however, haven't been as disciplined with their risk management approaches. "Some of the larger financial institutions in America have grown up through a series of acquisitions," notes Andrew Wilson, partner in the New York-based financial services group of Accenture. "In many instances, they're having to go after hundreds of subsystems to get [risk] information."

Given the availability of middleware solutions, the presence of multiple subsystems does not in itself pose an insurmountable problem. However, it does raise the issue of data quality and efficiency. "Each of those subsystems might capture a piece of information either slightly differently or not at all," says Wilson. "A lot of cost and complexity really lies in that integration equation."

In fact, TowerGroup's (Needham, Mass.) Virginia Garcia estimates that $10 billion per year, or 30 percent of IT spending associated with compliance in the financial services industry, consists of "wasteful duplication." "If that isn't enough to force institutions to adopt a different view of how to manage risk, then we don't know what is," she says.

The wasteful duplication stems from the decision at many banks to invest in risk management at the business-unit level instead of enterprisewide. Making matters worse, the business units in question also have tended to select data warehouses, data access software and data management tools independently.

Such organizational dysfunction has begun to change, especially with the large volume of new compliance investments that banks are being called upon to make. "More and more, we're seeing institutions analyzing IT investments that are needed for a particular mandate, and then going back to analyze whether those investments have been made somewhere else in the organization," Garcia says. "If there are two or three mandates that they have to deal with simultaneously, they can devise a strategy to identify the technology investments and make them once, instead of two or three times."