The ART of risk management
Since the 2007 global financial crisis there has been a lot of debate on potential changes across the banking services industry and the potential consequences. Recent market surveys suggest that surprisingly little progress has been made in risk and compliance management and some lack of clarity as to what to do next. Reacting to regulatory change is one thing, but the real goal is to build clarity and confidence that banks are doing the right thing in the right way at the right time, say Pierre Pourquery and Richard Powell of Ernst & Young.
The 2012 Institute of International Finance and Ernst & Young study on financial services risk management showed that there is still much to be done with nearly two-thirds predicting continued increases in risk management IT and data spend for at least the next several years. Over 80% of respondents listed data quality and availability and over 70% listed data and systems as the top challenges to complying with the new regulatory requirements. At the same time, the business models of many banks continue to be challenged and leadership demands continue to change. Priorities need to be re-aligned and operating models streamlined.
The problem is clear for all to see: global bank IT spending is high and increasing, revenues are low and falling, and there is a coming regulatory tsunami still to contend with. According to the International Monetary Fund, banks are as risky as they were before the crisis and regulators are urged to consider further direct restrictions on lenders’ business activities. The situation is set to get worse before it gets better. Banks have to become much more effective with much less.
With the unprecedented regulatory reforms and stressed economic environment optimising use of scarce capital, liquidity and collateral resources represent major challenges; change-the-bank spend is, however, limited. Banks need to improve significantly the operational effectiveness and efficiency of their operating model and optimise use of scarce transformational resources. Without doubt, the major challenge remains the adaptation of their Risk IT infrastructure.
This challenge should not be underestimated. The cost of compliance is high and likely to get higher over time, not lower. Some studies have shown that the cost of compliance may reduce ROE by up to 3%.
Delivering a Risk IT infrastructure that is compliant with the regulation will not be enough; it needs to be cost efficient and effective. Never before has the change imperative been greater and the available resources lower.
The art of risk management
While the future is uncertain and confidence is low, gaining consensus on target risk and compliance capabilities and operating models is critical. Market evidence suggests a lack of consensus, no clear delivery roadmaps linking strategy to execution and nervousness around dealing with complex and fragmented technology and data landscapes. Despite this, banks need to dramatically reduce operating costs to maintain RoE and need more effective risk management in order to steer the business.
Banks need to build a robust business case and a roadmap balancing tactical and strategic change. Transformation to date has largely disappointed due to lack of integration and consensus, poor data quality, ineffective operations, no expert judgement (over reliance on quantitative data), and poor flexibility – all adding to the challenges ahead.
There is an unprecedented need to achieve aggressive RoE and cost efficiency targets and fundamental de-risking of the businesses to enable growth with confidence. Banks must be confident about where they are headed with clear risk and compliance capability objectives and priorities based on a well defined risk maturity model:
■ Ensuring Compliance – focus on fixing immediate compliance priorities
■ Achieving Operational Effectiveness – focus on cost efficiency and reduced probability of losses
■ Enabling Business Steering – focus on ensuring that the enterprise-wide risk and support processes are well embedded into the business process of the bank and is supported by a strong risk culture (enhance strategic decision making)
There is an ART (Assess, Rationalise, and Transform) to risk management.
Banks must put first things first and assess where they really are. It is critical to baseline costs, projects and resources across the organisation. Adopting a component model based approach across businesses, products, support functions and geographies will enable like-for-like assessments of capabilities and costs from an IT, data, organisational, process and control perspective.
Armed with an inventory of projects and operating costs, banks can apply their risk and compliance priorities to ensure resources are focused on core capabilities and initiatives. Banks that fail to establish a holistic view will dig up the road more than once in efforts to achieve compliance and are unlikely to identify opportunities to transform and rationalise. Not only must banks do the right thing, they must also do it at the right time to avoid unnecessary compliance and opportunity costs. A good example of this is around “surveillance” in investment banking. Following recent unauthorised trading incidents, banks undertake many different types of surveillance. They typically approach these different types of surveillance in isolation from each other with different teams, controls, data, processes and solutions used. But there is overlap between these types of surveillance and a “holistic surveillance” approach should be considered. This will enable the consolidation of all surveillance typologies (market, trade, trader, employee, counterparty, cross market, etc) into a single platform. Benefits include the reduction in the number of surveillance platforms, cost savings on licences, hardware & resources, as well as the significant reduction in false positive rates due to a better connectivity of data and techniques.
Banks need to rationalise their capabilities and change portfolios in alignment with risk and compliance priorities. Once banks understand their cost base and operating model they need to think beyond incremental by applying robust transformation principles to transform the business and mature risk management. Mapping existing capabilities against agreed target states, banks can identify key transformation components.
Banks need to think big and set efficiency and effectiveness targets at 30% and up by integrating capabilities, centralising services, eliminating redundancy, removing duplication, outsourcing/offshoring non core capabilities and establishing a common set of fit-for-purpose tools and services. Banks must focus spend only on prioritised initiatives aimed at bolstering prioritised capabilities adopting an optimal granularity approach to ensure all change and expenditure is both necessary and sufficient; and no more.
Banks need to rationalise in the right way by adopting the optimal transformation approach; build on existing, start from scratch, or minimise existing. The chosen path will depend on a number of key factors including the capability and flexibility of supporting vendors, current levels of integration, required interoperability, and diversity across the organisation from a people, process, IT and data perspective.
Building on existing capabilities can deliver cost effective solutions with less disruption and enable greater integration of data and technology services. Depending on the bank component model and supporting architecture, this less radical approach may not deliver the necessary cost savings and if not executed well can reduce agility and capacity for future innovation. This approach may well be the right choice but should not be chosen solely on the basis of lower delivery risk or fears over wasting sunken capital. The challenge of dealing with increasing layers of technology and data architecture should, however, not be underestimated.
Starting from scratch may seem radical but architected correctly with a robust migration strategy represents an innovative approach which can deliver significant transformation at a reduced time to market. Once implemented the architecture can offer greater flexibility and provide the foundations for further end-to-end transformation and risk maturity. Costs and delivery risks, however, need to be carefully managed with focus on both short term and longer term benefit release. Big steps can deliver big rewards but such large scale transformation needs to be delivered with care. Current regulation on recovery and resolution planning is an important driver towards this approach as it can push banks to build autonomous IT components in their businesses and legal entities.
Minimising what you have can deliver significant operational benefits through reduced cost and risk of operations and a significant increase in effectiveness through resource optimisation and focus on prioritised IT and data service components. A minimise strategy can help banks regain focus on achieving a fit-for-purpose level of information and supporting IT and data services, demanding justification for all in scope components and resource spend. By adopting a pure minimise approach banks may be able to do more with less but may be less able to capitalise on future opportunities; lowering competitive advantage. Banks adopting this approach need to demonstrate to regulators that they are doing more than simply cutting corners.
Keep the faith
With a well defined transformation approach and execution discipline banks will crystallise significant results. At a time of such transformation it has never been more important to get back to basics:
■ Focus on excellence of execution and delivery – strong delivery teams with right mix and strong stakeholder buy-in
■ Make it global, holistic and integrated – align to global structure, identify all key costs/benefits, gaps and duplications and generate significant cost savings with new operating model and IT infrastructure
■ Focus on business steering – integrate risk, finance and treasury capabilities to meet increasingly complex capital and liquidity management requirements
■ Prioritisation – ‘Fit-for-purpose’ and not ‘best-in-class’ is what matters most
IT and data present some of the biggest challenges, and equally, opportunities to enabling successful transformation. Banks need to release significant benefit potential through effective duplication and prioritisation analysis and maximise opportunities to increase efficiency and effectiveness.
Banks that think holistically and make the right prioritisation and rationalisation calls can both deliver compliance at a lower cost and mature their risk and compliance capabilities. Banks can deliver transformation with confidence by adopting clear capability objectives and priorities and applying standard component models and tried and tested approaches to identify opportunities beyond regulatory compliance. Opportunities can be funded by ensuring a fit-for-purpose (vs. best-in-class) approach to compliance and with effective management and rationalisation of global change portfolio spend.
There is an ART to risk management and by using the risk maturity model, transformation principles, components and approach, regulatory change can be architected and delivered to maximise efficiency and deliver competitive advantage. Banks need to view transformation spend as an investment and not as a cost to minimise. Banks can be confident that they are making the right change happen in the right way at the right time. Banks can, and must, maximise the bang for their buck. BT
Pierre Pourquery is a partner and Richard Powell a senior manager in Financial Services at Ernst & Young EMEIA