The Finance Association – EPFL

The holy grail of risk management

Today, most financial institutions are involved in building enterprise risk management infrastructures with centralised data management and risk calculation. However, banks are experiencing difficulties in getting valuable returns out of these risk management systems. These difficulties fall into three main categories:


The main danger in developing risk management systems is that technology dominates the process. When technology dominates and defines the process, the risk management system becomes:

As a result, the likelihood of project success is inversely proportional to the complexity of the system. When technology dominates, risk management systems rarely generate effective risk management.

Risk reports

Risk management is coming out of isolation and being integrated into the overall financial management of the firm. Hence, there is a greater convergence between the risk and finance/customer functions of the bank, and their systems follow suit. This demands that the risk management systems have to be:

Centralised systems have encountered several problems in being integrated into the overall organisation for several reasons. For example, the poor quality of the data (“garbage in, garbage out”) plus the lack of timeliness in the generation of risk numbers leads to poor overall performance. Add to this the lack of flexibility in creating customised reports and we can understand why the business actors will never wish to incorporate risk reports into their processes.

There are a number of reasons why the take-up of risk reports from a centralised risk infrastructure is poor. Traditionally, the source information is taken from a diverse set of source systems, each with its own data model that rarely coincides with any other system’s representation. This implies that some enrichment or transformation will always be necessary, creating a need for re-mapping with complex business logic.

The larger institutions in the global finance market obviously have the largest volumes and the processing power required to support this rises exponentially for centralised risk infrastructures.

In addition, centralised risk infrastructures cannot easily be extended for new sources of information or new product categories.

Large financial operations perform trading activity across all global time zones. The risk management system must operate 24 hours a day, five days per week to keep in synchronisation with this activity. However it must appear to freeze the database at the start of the report generation, this takes hours to run, but must still guarantee data consistency.

The solution must provide reporting flexibility, allowing risk managers to analyse ad hoc subsets of the transaction data, to varying levels of detail.

More and more risk systems recognise the necessity of being closer to the front-line and are trying to adapt their architectures to reflect the new risk management paradigm. This can be difficult for a centralised risk management infrastructure simultaneously trying to move closer to the bond desk, the foreign exchange desk and the derivatives desk.

Misalignment of risk strategy

When defining their risk strategy, most banks recognise the need for building a risk function that actively supports the decision-making process of all their different functions. The emergence of CRM and the active management of economic capital within the firm (also called “Raroc”) are good examples of how risk management is becoming a key component of the decision-making process. However, centralised risk architectures do not provide the functionality to implement such a strategy, mainly for the reasons mentioned above.

However, some organisations have recognised this gap and have built risk systems that are aligned with their risk strategy. In most cases, these risk systems respond to the following business drivers:

Although this approach seems attractive, it should be accompanied by a coherent organisational structure, with the following characteristics:

Obviously, the technical and data architecture of such risk solutions are rather different from what is currently available in the market and would probably require a customised development that recognised the specificity of each banks’ infrastructure and strategy.


Although centralised risk solutions have failed to add value to the business activity, they have helped banks to comply with the Basel Accord and capital adequacy directive requirements, saving a significant amount of money through important capital relief. For banks that have already implemented a centralised system, the business and technical transformation required to become a true risk solution provider may be painful and expensive, if not done properly. The other option is to start again and apply new principles in the implementation approach, but is this really an option given the investment already made?

Skip to toolbar