There is a saying that history doesn't repeat itself, but it rhymes. And that is the dilemma for risk managers. It's very unlikely a new crisis will look exactly like a predecessor since banks build those scenarios into their risk models. But new crises are inevitable, and they will always share similarities with previous disruptions.

Given how quickly new risks are piling up there is an urgency to respond to this dilemma by implementing risk management platforms that can sense risk as well as see it clearly. Speaking at SIFMA's Systemic Risk Regulation Summit in June, the evp and head of enterprise-wide market risk at Bank of NY Mellon, Robert Rupp, said the uncertainty around global banks' exposure to Greek debt and other European government bonds reminded him of the early days of the financial crisis when banks and markets were uncertain how they were exposed to each other and the mortgage market. He warned: "You need to see the unseeable."

Seeing the unseeable may be impossible, but risk experts contend it is possible to install technology that can sense when risks are getting out of kilter and empower managers to back away from those risks quickly. This sensing mechanism requires a comprehensive view of risk, linking risk management to long-term strategic business objectives, deploying new risk tools without undue cost and delay, and reacting quickly to the first inklings that risks threaten those business objectives.

There is general agreement on the broad outlines of an effective risk management system and the need to spend on it. A recent survey by OpenPages, an ERM vendor, found that 88 percent of managers across industries say that enterprise risk management spending will increase or remain the same this year. "When you're looking at risk in four or five or six different ways, you have a fractured view of risk to pass along to the board of directors, and that's just not flying anymore," says Todd Cooper, vp and general manager of Wolters Kluwer Financial Services' Enterprise Risk Compliance business, which recently released a new ERM offering called ARC Logics for Financial Services.

Banks' ERM solutions must incorporate different types of risk-such as market, credit, and operational-from throughout the enterprise. These systems should look across silos and show how different risks impact each other, keep tabs on the risk profile of the institution as a whole, and they must allow managers to make refinements on a frequent basis. "Data has to be aggregated across the enterprise," says Dana Wiklund, a research director for IDC Financial Insights. "In the future the challenge is defining and understanding risk interdependencies."

John Whittaker, the group head of operational risk at Barclays, explained that with an ERM solution from OpenPages the bank now has a single database that holds its operational risk and Sarbanes-Oxley reporting mechanisms. "This is a single database that holds all elements of our operational risk framework; whether that be internal events, risk and control assessments, key risk scenarios or metrics. It allows us, through the workflow that is included within the system, to link all elements of our framework together and ensure that it is an integrated framework." He made his comments during a recent Web seminar sponsored by OpRisk & Compliance Magazine.

Stephen Davey, svp of risk management at Valley National Bank, a $14 billion institution in Wayne, NJ that recently began to implement the Wolters Kluwer platform says: "We need to be able to benchmark ourselves against peer groups over time, and benchmark ourselves against our own policy limits. We need to remind ourselves where we are and see the overall trends versus a point in time."

While banks generally agree on the need for converged risk management and the broad outlines of what that should look like, analysts say banks need to spend more time altering cultural attitudes toward risk by linking risk management to long-term strategic business objectives, considering new ways to deploy technology faster and more cheaply, and empowering managers to react quickly to the first signals that risks could be mounting and threatening those business objectives.

French Caldwell, vp of research for Gartner, says executives must tighten the relationship between risk management and the bank's key strategic business objectives. He argues a bank should define the top five or six key strategic business objectives, describe the underlying business processes, and identify the risks to those processes. Since not all banks' strategic business objectives will be the same, their approach to risk will be slightly different. This itself will help alleviate systemic risk since not all banks will react the same way to events.

Neglecting to consider the risk inherent in the execution of business strategy can cost a bank dearly. Caldwell knows of one bank that articulated growth through M&A as a key strategic business objective, but was set back when it unexpectedly found the IT systems of a Latin American acquisition difficult to integrate, a delay that quickly ate away at anticipated savings. Another bank that depended heavily on its leasing and finance business was caught off guard when the vendor of a critical piece of software went bankrupt. Says Caldwell, "Suddenly the software was not going to be supported anymore and yet it was absolutely critical to the ongoing organization,"

A recent survey indicates this shift in mindset toward linking risk to business goals may be occurring. A survey of more than 1,100 finance executives across industries worldwide conducted this spring by leading researchers at the Wharton School, Johns Hopkins University, and Duke University ranked the top four goals of corporate risk management programs: avoid a large loss, fulfill shareholder expectations, increase future cash flows, and increase the firm's value. (As of late June, the survey had not yet been published in full.)

The first of those goals is no surprise, but Caldwell says the other three could represent a significant cultural shift in attitude toward risk management's role in attaining business objectives. "They're seeing the upside potential of risk management and are focused on the business objectives. They see risk management as a profit center and are focused on improving business performance."

Buttressing Caldwell's argument are comments from Barclays' Whittaker: "Our system is not only used by operational risk staff. It is also used extensively by the business....As op risk professionals, we should make sure that we are not seen as purely a compliance function and that we can actually, at the end of the year, answer the question of 'What are we doing to help the bank run better?'."

To meet business objectives banks should keep risk platforms cutting edge, analysts say, which means avoiding technologies that are difficult and costly to upgrade. IDC's Wiklund, says: "One of the issues is how do you effectively take advantage of new solutions without dealing with complicated products and without long implementation times." The answer, he predicts, is cloud computing. By leveraging the cloud to deploy risk management technologies quickly as they emerge, banks can avoid solutions that require complicated, time-consuming, costly installations.

In particular, Wiklund sites the kind of solutions offered by Riskonnect as the way of the future. Riskonnect's suite of risk management applications are built on the Force.com platform by Salesforce.com. The company layers the platform with business intelligence technology and reporting capabilities delivering the complete range of business intelligence capabilities powered by IBM Cognos solutions: reporting, analysis, dashboarding and scorecards so companies can integrate risk management and corporate performance management. "Deploying our solution takes [about] a day," says CEO and co-founder Bob Morrell. "We do stuff so fast compared to the old-school installation of software; that's like a distant memory for me. I almost can't relate. This is like signing up for Facebook."

Although Riskonnect's clientele is confidential, Morrell says the company is strong in retail and energy; it currently has no financial services clients, but that may change. "When we started (in 2007) we assumed financial services companies had figured it out." Now, however, he sees an opportunity. "We're thinking about starting to edge into that space this year or next."

Still, even after an ERM solution is in place, after risks are linked to strategy, and even if a bank can upgrade technology easily, all will be for naught if managers can't react quickly. Given that the most extreme threats will be ones that haven't occurred before, risk managers need to read the tea leaves and judge when too many risks seem to be piling up or are intersecting in ways that might threaten business objectives, and then ratchet back that risk quickly. In other words, good risk management can be as much an art as a science.

Nurturing a corporate culture that empowers and encourages managers to dial back risk on what can amount to an educated hunch is no easy matter. Banks are in a competitive business and the need to outperform their peers requires risk taking. The net effect of this competition is that banks often mimic each other's most successful and profitable business practices and drive each other in the same direction-the kind of classic herd mentality that creates and worsens systemic risk.

This tendency makes finding the power to step back from the cliff all the more vital. "If we're running with the pack and the pack is in danger, how do you get out?" asks Gartner's Caldwell. "One way is deciding that we're not going to follow the pack, but I don't know if that's viable given the competitive environment. So what do you do WHEN the next crash happens, not if?" Prior to the past financial crisis "banks weren't looking at or considering the overall picture, and everyone was following the same risk strategies-such as VAR [value at risk]-so they were all subject to the same unknown risks."

Since competition is fact of life, it will take courage among leaders to break away from the pack, especially when others don't see the dangers signs flashing and are charging ahead, Caldwell says. "Banks need to break the peer pressure mentality. It takes leadership to say 'Look this is going too far, and then ratchet things down. If everyone did that, that would alleviate systemic risk."

IDC's Wiklund agrees that technology and leadership should go hand in hand. "One way to respond to this type of systematic risk is to make an institution's decision support technologies more flexible. The ability to implement credit policy changes quickly, along with the alignment of data and analytics to evaluate the risk trends of new and existing customers, enables institutions to rapidly fuel a decision process," according to Wiklund. "Many times human capital is the "X" factor in responding to systematic risk events. All the data and analytical systems can be in place, but if an organization cannot effectively move through risk process cycles of knowing its business objectives, identifying the risks to them, putting mitigations in place and then monitoring those risks effectively, it will be treading water in a rip tide. The message is that systems and people are equally important."

While the imperative to pursue these ERM solutions is clear, risk managers at the SIFMA conference said there is an immediate, significant distraction: the shape of financial reform and the worry that once passed regulators will spend two to three years interpreting the new law. Conference attendees said uncertainty around what type of data regulators will want and in what form makes implementing risk management all the tougher. "There are two levels of unknowables," says Rupp of Bank of NY Mellon. "Will they want the same data or new data, and will they want a small amount or a gigantic amount? We just don't know. Unfortunately, simplicity and streamlining were not a priority" in designing the regulation, he says.

This article can also be found at AmericanBanker.com.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access