Today, most financial institutions are involved in building enterprise risk management infrastructures with centralised data management and risk calculation. However, banks are experiencing difficulties in getting valuable returns out of these risk management systems. These difficulties fall into three main categories:
- Risk processes are too expensive and too complex because they are dominated by technology
- Risk reports are not usable by the business actors
- There is a misalignment of the risk strategy, risk appetite and risk solutions.
The main danger in developing risk management systems is that technology dominates the process. When technology dominates and defines the process, the risk management system becomes:
- Too expensive (technological sophistication creates complexity and that demands a high cost premium)
- Too complex to manage and maintain (for example, complex cross-project issues, many people involved, clash of cultures’, balancing resource constraints and business needs)
- Too resource intensive with little left to spare for the analysis of business needs and validation of figures.
As a result, the likelihood of project success is inversely proportional to the complexity of the system. When technology dominates, risk management systems rarely generate effective risk management.
Risk management is coming out of isolation and being integrated into the overall financial management of the firm. Hence, there is a greater convergence between the risk and finance/customer functions of the bank, and their systems follow suit. This demands that the risk management systems have to be:
- First, accepted and validated
- Then, used and made relevant for decision-making, and;
- Finally, integrated into the overall organisation.
Centralised systems have encountered several problems in being integrated into the overall organisation for several reasons. For example, the poor quality of the data (« garbage in, garbage out ») plus the lack of timeliness in the generation of risk numbers leads to poor overall performance. Add to this the lack of flexibility in creating customised reports and we can understand why the business actors will never wish to incorporate risk reports into their processes.
There are a number of reasons why the take-up of risk reports from a centralised risk infrastructure is poor. Traditionally, the source information is taken from a diverse set of source systems, each with its own data model that rarely coincides with any other system’s representation. This implies that some enrichment or transformation will always be necessary, creating a need for re-mapping with complex business logic.
The larger institutions in the global finance market obviously have the largest volumes and the processing power required to support this rises exponentially for centralised risk infrastructures.
In addition, centralised risk infrastructures cannot easily be extended for new sources of information or new product categories.
Large financial operations perform trading activity across all global time zones. The risk management system must operate 24 hours a day, five days per week to keep in synchronisation with this activity. However it must appear to freeze the database at the start of the report generation, this takes hours to run, but must still guarantee data consistency.
The solution must provide reporting flexibility, allowing risk managers to analyse ad hoc subsets of the transaction data, to varying levels of detail.
More and more risk systems recognise the necessity of being closer to the front-line and are trying to adapt their architectures to reflect the new risk management paradigm. This can be difficult for a centralised risk management infrastructure simultaneously trying to move closer to the bond desk, the foreign exchange desk and the derivatives desk.
Misalignment of risk strategy
When defining their risk strategy, most banks recognise the need for building a risk function that actively supports the decision-making process of all their different functions. The emergence of CRM and the active management of economic capital within the firm (also called « Raroc ») are good examples of how risk management is becoming a key component of the decision-making process. However, centralised risk architectures do not provide the functionality to implement such a strategy, mainly for the reasons mentioned above.
However, some organisations have recognised this gap and have built risk systems that are aligned with their risk strategy. In most cases, these risk systems respond to the following business drivers:
- The information required for decision-making at a top-management level (eg CEO) is different from the one required at the lower level of the organisation (eg front office). Therefore, there is no need to send all the information from one level to the upper level (only the relevant one)
- The sophistication of the risk information is inversely proportional to its level of aggregation within the firm. Top management will usually require less detailed information than the lower level
- The risk information is directly usable by the business actors and is translated in an equivalent hedging position of the most liquid instruments (eg a VaR of $2m can be hedged by 1000 EuroFut3m covering 95% of the total risk).
Although this approach seems attractive, it should be accompanied by a coherent organisational structure, with the following characteristics:
- The centralised level of the organisation accepts not to control everything (which is not achieved by today’s centralised approach)
- Sophisticated audit and product control functions that ensure that best practices are followed at each level of the firm (this requires talented staff for functions that are usually viewed as secondary for the firm). Having talented staffs in the team will also ensure that the regulators and external bodies believe fully in the risk management functions and the results it generates
- Presence of experienced risk managers that work closely with the traders to ensure an efficient connection with the daily business issues
- Active reconciliation of risk numbers from one level to the next and strong emphasis on validation of results across different levels.
Obviously, the technical and data architecture of such risk solutions are rather different from what is currently available in the market and would probably require a customised development that recognised the specificity of each banks’ infrastructure and strategy.
Although centralised risk solutions have failed to add value to the business activity, they have helped banks to comply with the Basel Accord and capital adequacy directive requirements, saving a significant amount of money through important capital relief. For banks that have already implemented a centralised system, the business and technical transformation required to become a true risk solution provider may be painful and expensive, if not done properly. The other option is to start again and apply new principles in the implementation approach, but is this really an option given the investment already made?