When we talk about risk, various things spring to mind. After all, risk means different things to different people. Right now, many of us associate risk with what's happening with the global economy, natural disasters and incidents of terrorism. At a time when business risk is increasing and the margin for error is being shaved, Mark Dye, FSN's contributing editor, finds out just where firms should be looking to steady the ship.
To date most firms appear to have prioritised credit and market risk over operational risk. However, as AMR Research sees it, there are five basic risks firms should be guarding against this year: brand reputation, technology risk, global talent shortage, supply chain complexity, and lastly and most obviously, the economy.
Indeed, the company suggests businesses will spend a whopping $32bn on governance, risk management and compliance (GRC) this year, up 7.4 percent on the last. Spending on Sarbanes-Oxley (SOX) compliance is expected to slow though, growing by just two percent to $6.2bn.
This represents a shift in thinking towards operational and enterprise risk management, and away from SOX, with over 31 percent of companies revealing that getting a hold on and mitigating against business risk was the influential issue driving their GRC investment in 2008.
As such, John Hagerty, vice president and research fellow at AMR Research, believes that companies can no longer just focus solely on reactive spending to meet each new regulation.
"As executives are becoming aware of how different business and IT risks affect their bottom line, their spending focus is shifting toward approaching risk strategically, not just tactically," he says.
In the profitable years prior to the credit crunch, explains Mike Bush, head of product development at Business Control Solutions, companies primarily focused their risk programmes on optimising their capital adequacy numbers so that they could hold the minimum capital required to comply with the regulations and their internal credit policies. However, Bush says this actually resulted in more focus being placed on risk calculation than on risk management.
"IT budgets were spent on Basel II systems, limit management systems, and complex risk scenario calculations – all of which are very important tools for any risk manager but, ultimately, useless if they are not anchored to the fundamental business checks and balances that would have been performed in the days before automation," he adds.
According to Bush, the current market demands a 'back-to-basics' approach to risk management with more emphasis being placed upon the subjective interpretation of the numbers by those who have been active in the market for years and are able to get a sense when something is not right.
"It's time to focus back on cash reconciliations and balance sheet reconciliations, ensuring that the line function certifies all the key controls required to keep the business in control, establishing clear ownership and accountability of processes, control points and the results of any automation," he says.
"The financial services community needs to seriously focus on operational risk, leverage tactical investments they may already have made in an operational risk management infrastructure, and determine how to optimise profitability and create competitive advantage using that infrastructure," adds John Pfuhler director, product strategy at CheckFree.
Indeed, many now recognise the ability to manage and mitigate IT risk as being a critical element to their overall success. "IT is a key component of any sustainable process given the volume and complexity of the risk data being analysed," explains Paul Beach, partner, Atos Consulting financial services.
He explains many tactical approaches, even those utilising modern data management tools as opposed to a consistent and unified architecture, bring additional levels of reconciliation.
"At a simple level this can result in a proliferation of data warehouses and, sometimes even, middleware platforms," he says. "Often businesses don't realise they have neglected IT until a problem arises," adds David Turner, group marketing director, CODA Group.
Turner is just one of those industry watchers who believes that we all need to be that bit more mindful of harmonising IT risk programmes with broader risk management processes. "Getting an integrated and global view across such shared services is a holy grail that not many firms achieve," laments Judith Graham, chief operating officer, Optial.
Of course, automation, as you would expect, is the key to smoothly executed processes time after time, particularly in those areas of high risk. But just where do you look?
Graham suggests that one sensible approach might start by taking an inventory of your risk types before getting a 60,000-foot view of what your firm's status is for each of them, using sensible measures dependent on risk type.
So with operational risk, for example, you'd want to see an immediate overview of the results of risk assessments compared with the effectiveness of control environments and the corresponding loss event profile.
"If there are risk areas where you can't get that information pretty much right away, then there's the information gap you need to focus on," she says.
Theoretically, good regulations are supposed to help introduce clarity around a firm's risk profile, but for many firms Graham says this tends to resemble a trip to the dentist. "Preventative maintenance is far preferable to the pain and expense that are the consequences of neglect," she says.
In all this, finance's role as guardian of data accuracy and control has become more important.
"In addition, market conditions have made regulatory capital a scarce resource, which the finance function must optimise through higher quality analysis and reporting," adds Beach.
According to Beach, harmonising IT risk programmes is clearly a positive. However, he believes there is also a need to look at coordinating risk programmes with finance programmes and middle office developments.
"Having said this," he says, "we must all be wary of the programme to deliver the universal solution. Pragmatic delivery against a strategic vision defined in terms of core standards has a far better chance of success than the 'mega programme.'"
It is clear that IT remains a key component of a sustainable process and that it is also critical in terms of risk management processes in the front office.
However, as Beach points out, the greatest inhibitor to effective harmonisation of risk programmes and the delivery of these against a strategic vision is confusion over governance and the lack of buy-in from executives to ensure that the differing priorities of finance, risk, operations and business management do not force inconsistent decision making.
"Take a practical approach based around ownership. Identify clearly your organisation structure including the definition of roles and where the responsibilities lie,' says Graham. "Taking the inventory of risk and ownership might sound trivial but it's actually the key to being able to measure what your risk profile is, because otherwise you'll never even start to capture the data you need at the right level."




