The proliferation of chief “something” officer (CxO) titles over the past decades recognizes that there’s value in having a single individual focused on a specific critical problem. A CxO position can be strategic or it can be the ultimate middle management role, with far more responsibilities than authority. Many of those handed such a title find that it’s the latter. This may be because the organization that created the title is unwilling to invest the necessary powers and portfolio of responsibilities to make it strategic – a case of institutional inertia. Or it may be that the individual given the CxO title doesn’t have the skills or temperament to be a “chief” in a strategic sense.
In business, becoming a chief anything means leaving behind most of the hands-on specific skills that made one successful enough to receive the promotion. This is often the hardest requirement, especially for those coming from an administrative or a highly technical part of a business. Take the chief financial officer position. The person who gets that job often was a controller – an individual who must be able to manage the minutiae of a finance organization. Most of the detailed skills required of a great controller are counterproductive for a CFO, who must focus on the big picture, work well with all parts of the business and be the face of the company to bankers and investors. People who can’t leave the details behind are by definition not strategic CFO material. Similarly, the job of the chief information officer ultimately is not about coding, technical knowledge or project management. It’s about understanding and communicating how the most important issues facing the business can be addressed with technology, ensuring that the IT organization understands the needs of the business and delivering value for the money spent on IT.
The same distinction applies to newer C-level titles. For example, since the financial crisis a few years ago, there has been a growing recognition that banks must manage risk more comprehensively. In response, a number of banks have created the position of chief risk officer or, if they already had one, have invested a broader range of responsibilities in that office. Managing risk strategically has gained importance in financial markets as rising capital requirements and increased regulation force banks to structure their asset portfolios and manage their assets more carefully to maximize their return on equity (ROE). In most banks, optimizing risk – getting the highest return at any given level of risk – and managing risk more dynamically over a credit cycle requires a strategic CRO to lead the effort. Even so, in many organizations the office of the CRO doesn’t have the weight it needs to make such a difference. Here are the most important requirements for chief risk officers who want to transform a middle management job into something more strategic.
Approach risk management as if it were a four-dimensional chessboard. Having the proverbial “seat at the table” (a hackneyed business phrase that’s shorthand for being taken seriously by the senior leadership group) means being able to bring something of value to the table. While an appreciation of the overall business and its strategy is necessary as one rises through the ranks, a purely functional position usually doesn’t require an especially deep understanding of the other parts of the business. For a chief risk officer to play more than a titular role, however, he or she must have a solid understanding of all the major operating pieces of the business on both sides of the balance sheet and a knowledge of the industry’s competitive dynamics – three dimensions of the chessboard. This is particularly important because risk is just a constraint, not the sole consideration in decision-making. That is, the role of the CRO is not simply to enforce constraints that minimize risk – it’s about optimizing risk within the context of the corporate strategy. Stiffer capital requirements are a defining characteristic of today’s banking industry, especially in the United States. Optimizing risk is a necessary condition for optimizing return on equity and the long-term success of the bank. Moreover, the role requires thinking ahead several steps and understanding the dynamics of the business – that’s the fourth dimension. A solid grasp of credit and financial market cycles is essential in leading a risk organization. The ability to use past experience to forecast the consequences of even disparate sets of actions makes the risk organization strategic.
Learn another language. Understanding of other parts of the business goes a long way toward being able to work more effectively, and a CRO should be able to translate risk jargon into words and concepts that are relevant to specific parts of the business. It works both ways, too. Understanding the objectives, objections and concerns of other executives means being able to grasp the nuances of their questions and comments. It also helps in explaining the thinking behind the trade-offs necessary to optimize a balance sheet to achieve an optimal ROE for the level and structure of the risk. It’s also essential to be able to communicate the essence of risk management to laymen, for example, by distilling the complexities of a black-box risk strategy into an elevator pitch. All risk models are translatable into easy-to-comprehend concepts. A CRO must be able to do this and even develop an institutional shorthand within the organization that everyone understands – the functional equivalent of describing a feature film as “a car-chase buddy movie.”
Assert leadership when it’s needed. Some leaders are born, but everyone else needs to unlearn habits that detract from their effectiveness as a leader. People in risk or compliance roles may have a harder time than others because the basic skills necessary to excel in this area tend to be found in less introspective souls. Those who work in a compliance function can fall into the trap of using “the rules” as a cudgel for wielding power rather than persuading and gaining assent. Joining the senior leadership team, though, transforms the CRO from a simple enforcer to one who works with others to find solutions.
Beyond these three personal and interpersonal requirements, appropriate use of information technology – data and software – is essential to strategic risk management in banks (and other financial services companies). Successfully exploiting the advantages that can be had with advanced IT is a fundamental requirement of making the role of a CRO strategic. Successful CROs must weigh the make-or-break information technology issues of mastering data quality and using the right software tools.
Data is the lifeblood of risk management. The credibility of the risk organization is based on accuracy and availability of data. Bad data drives bad decisions and undermines the authority of the risk organization. As data sets proliferate, grow larger and increasingly incorporate external data feeds (not just market data but news and other unstructured data), the challenge increases. The proverbial garbage-in-garbage-out (GIGO) becomes Big GIGO, as I have written. Data quality must be built into all of the systems. Speed in handling data is essential. The pace of transactions in the financial markets and the banking industry continues to increase, and their risk systems must keep up. Our benchmark research shows that financial services has to deal with more sources of data than other industry sectors.
Yet beyond these maxims is the reality that all large financial institutions fall short in their ability to handle data. “You can have your answers fast or you can have them accurate,” is often said in jest, but it reflects the business reality that analyses often are not black-and-white – utterly reliable or completely false. They may have to be based on information that to varying degrees is incomplete, ambiguous, dated or some combination of these three. Adapting to this reality, new tools utilizing advanced analytical techniques can qualify the reliability of a bit of analysis. It’s better to get some assessment and see that it’s 33 percent reliable than to get no answer or – worse – get an answer without qualification. In most cases, it’s better to get an approximate answer now than to wait for an ironclad answer in a day or two. The decision-makers have an idea of the risk they’re taking if they act on the result, or they can take a different approach to look for a way to get an answer that is more reliable.
Software is essential to risk management and optimization. Technology can buy accuracy, speed, visibility and safety. Many banks ought to do more dynamic risk management. Analytical applications using in-memory processing can substantially reduce the time it takes to run even complex models that utilize very large data sets. This not only improves the productivity of risk analysts but it makes scenario analysis and contingency planning more accessible to those outside the risk organization. If you can run a complex, detailed model and immediately get an interactive report (one that enables you to drill back and drill around), you can have a business conversation about its implications and what to do next. If you have to wait hours or days as you might using a spreadsheet, you can’t.
Desktop spreadsheets have their uses, but in risk management the road to hell begins in cell A1. Spreadsheets are the right tool for prototyping and exploratory analysis. They are a poor choice for ongoing risk management modeling and analytics. They are error-prone, lack necessary controls and have limited dimensionality. The dangers of using spreadsheets in managing risk exposure were laid bare by the internal investigation conducted by JP Morgan, which I commented on at the time. There are many alternatives to desktop spreadsheets that are affordable and require limited training. For example, many financial applications for planning and analysis have Excel as their user interface. There are more formal tools, such as a multidimensional spreadsheet, that are relatively easy for risk modelers to use and offer superior performance and control compared to desktop spreadsheets.
Automate and centralize. Information technology delivers speed, efficiency and accuracy when manual tasks are automated. The payoff from automating routine reporting and analytics may seem trivial, but this is usually because people – especially managers – underestimate the amount of time spent as well as the routine errors that creep into manual tasks (especially if they are performed in a desktop spreadsheet). The need for automation and centralization especially applies to regulatory and legal activities, such as affirmations, attestations, signoffs and any other form of documentation. Especially in highly regulated industries such as financial services, there is no strategic value in meeting legal requirements, but there is some in doing so as efficiently as possible and limiting the potential for oversights and errors. Keeping all such documentation in a central repository and eliminating the use of email systems as a transport mechanism and repository for compliance documentation saves time of highly compensated individuals when inevitable audits and investigations occur and limits the possibility that documents cannot be found when needed.
Senior executive sponsorship is also a critical need if the chief risk officer is to be a strategic player. If the CRO has done all of the above, that’s not going to be a problem because the CRO’s objectives and the CEO’s objectives will be largely aligned. True, that’s not always a given. Some organizations will not embrace the notion that managing risk can be strategic. CROs who find themselves in an organization where their aspirations to serve a strategic role are not met should find another one that appreciates the value they can bring to the table.
Robert Kugel – SVP Research
Integrated risk management (IRM) was a major theme at IBM’s recent Smarter Risk Management analyst summit in London. In the market context, IBM sees this topic as a means to differentiate its product and messaging from those of its competitors. IRM includes cloud-based offerings in operational risk analytics, IT risk analytics and financial crimes management designed for financial institutions and draws on component elements of software that IBM acquired over the past five years, notably from Algorithmics for risk-aware business decisions, Open Pages for compliance management, SPSS for sophisticated analytics, Cognos for reports, dashboards and scorecards, and Tivoli for managing all of this in a Web environment. Putting its software in the cloud enables IBM to streamline integration and maintenance, offer more flexible deployment and consumption options and potentially lower the total cost of ownership.
From a competitive standpoint, IRM is an attempt to change today’s highly fragmented financial services software market by emphasizing an integrated approach to managing risk and the often intertwined regulatory compliance. Although in concept this could apply to any risky, highly regulated business, the greatest payoff today is in financial services. IRM focuses the value proposition at a high level in the organization and shifts the objective from a narrow functional or business silo-based approach to a more strategic one. Beyond fully exploiting its applications portfolio, IBM is trying to capitalize on an important trend in global finance: the need to optimize the use of capital to achieve a higher risk-adjusted return on equity than one’s competitors. This has several implications:
- Deploying bank capital in areas that offer the best risk/return characteristics in a way that matches the organization’s strategy. Since business and financial market conditions are in constant flux, optimization must be an ongoing process and the systems that support it must be fast and efficient.
- Striving for fewer “unforced errors” in trading and lending and mitigating the impact when loss situations develop. According to IBM’s tracking of incidents, 45 percent of the biggest losses incurred by financial institutions in 2013 occurred at the boundary between credit and operational risks – an area that unintegrated risk management systems may not be able to track.
- Integrating regulatory compliance into the risk management environment. Our research shows that financial services companies are far more regulated than other businesses. Nearly eight in 10 participants from this industry sector described themselves as heavily regulated compared to 58 percent of government, education and nonprofits, 40 percent of services companies and just 19 percent of those in manufacturing according to our benchmark research on governance, risk and compliance. Today, because the economics of managing financial services business are shaped by a micromanaged regulatory structure, it’s increasingly valuable to incorporate compliance into risk management systems.
More effective risk management will be among the three top strategic objectives of all financial institutions in open financial market systems for the next decade. The ability of these organizations to balance risk and return across their entire asset portfolio in a way that matches their institutional strengths, minimizes avoidable losses and responds quickly to changing market conditions will be a critical determinant for long-term success. The importance of optimizing trade-offs between risk and return in structuring financial institution assets – in daily trading-desk decisions as well as longer-term strategic portfolio ones – reflects a fundamental change in the financial services environment. For the three decades leading up to the 2008 financial crisis, capital was relatively more abundant (in the sense that regulators permitted higher leverage), and in a relatively benign, liquidity-driven environment returns were high enough to compensate for mistakes. That has not been the case since the crisis. Rather, returns on capital have been constrained by a systematic deleveraging of financial institutions, increasing regulation and constraints on how these companies operate, especially in deposit-taking institutions. Given the severity of the crisis and its aftermath, it’s unlikely that this stringency will lessen soon.
To be sure, other strategic elements – such as having sufficient critical mass in one or more segments of the capital markets or retail brand equity – will continue to play roles in differentiating individual companies’ strategies. In many instances those may be more important than integrated risk management, but the latter will be a capability essential to ensuring the competitiveness of all banking, capital markets and insurance organizations for at least the next decade. As well, the full impact of this sea change has not yet taken effect. In the United States, for example, the fiendishly complex Dodd-Frank Act is still a work in progress. Some of the provisions of new regulations have altered the economics of business and rendered some seemingly plain-vanilla offerings unattractive or even unprofitable. New rules governing risk capital and liquidity (such as the Net Stable Funding Ratio) have yet to go into effect. It now appears that under the Volcker Rule bank executives may be responsible for attesting to their compliance environment. This means at the least that U.S.-regulated institutions must have sufficiently effective enterprise-wide compliance monitoring and reporting that goes a step beyond a plausible deniability standard. As well, over the past five years governments in many developed nations have been coddling the balance sheets of local financial institutions (directly or indirectly) to preserve and/or rebuild their balance sheets. This period is coming to an end, and the pressure on senior executives to eke out even basis-point measures of performance will intensify.
Today, most financial services organizations achieve a unified view of risk and make determinations of how to deploy bank capital by cobbling together information from multiple systems. The process consumes a great deal of employee time, is slow and uses data that is not always trustworthy. While the process integrates data and analyses, it is far from integrated. In today’s environment for financial services organizations, IBM’s challenge is to create a market for integrated risk management largely from scratch. It’s a concept likely to get enthusiastic endorsement at the executive level but then founder on the practical problems of rolling it out – especially in the sort of complex organizations that could utilize it best. Two sets of issues – one related to data and the other to people – are key obstacles.
For the former, IBM is advocating the adoption of an integrated risk platform (IRP) to better address risk management. The platform integrates three broad pieces: A data repository with data management capabilities, a unified risk modeling approach supported by risk information governance to ensure commonality in performing planning and analysis to be able to frame risk policy and highlight issues on an enterprise-wide basis. These must be supported by reporting and other communications capabilities.
Integrating risk data is a significant challenge for financial institutions. Historically, risk data has been collected and managed close to its source. Consequently, financial services firms have multiple silos of risk processes, risk systems and risk data. Our research on information management shows that data fragmentation is a bigger issue for financial services than other businesses: On average, they source data from about twice as many systems as manufacturing and services companies (39% vs. 22% and 19%, respectively) according to our information management benchmark research. On top of that, each part of the business may use different terminology, apply its own rules for quantifying and qualifying risk and have different governance procedures. Those operating in multiple jurisdictions must conform local operations to local regulations but also at parent levels that may be in different regulatory regimes. Thus companies have multiple risk management systems and data stores, each structured for the specific needs of individual business silos. It’s therefore difficult for them to aggregate risk data into an enterprise view in a meaningful way and report on risk in a comprehensive and timely fashion. Similarly, like many businesses, few financial institutions have a unified view of their customer data. Parts of the organization may be dealing with different legal entities of the same organization, and this can have an impact on risk and compliance issues. From both risk management and compliance standpoints, it’s vital that the organization maintain accurate master client data that contains data hierarchies that reflect the structure of the clients’ business.
As for people issues, IBM insists on the need to have an integrated risk management platform and broad, cross-functional compliance management capabilities to support an effective chief risk officer (CRO). Our research finds that two in three (66%) financial services companies have a CRO. Yet this person often lacks a strategic mandate to manage and quantify the full spectrum of risk and returns from front-office risk intelligence, to operational governance processes and strategic capital planning. Instead, the CRO acts as a point person who has responsibility for overseeing a wide array of atomized, silo-based sets of risk management operations. It’s an aggregation of administrative responsibilities rather than a reimagined, integrated approach that transforms what today is a cost-minimization effort into something that promotes long-term competitiveness. To be truly strategic, a CRO must have an accurate, unified view of risk and compliance. It’s essential that financial services companies be able to automate the assembly of this information to facilitate rapid risk management cycles, enable full drill-down and drill-around analysis and increase the reliability of the data and analyses while reducing the amount of staff time required to do all of this.
The data and people issues are mutually reinforcing. Support for IRM is essential to developing a truly strategic CRO position for financial services companies. Such a CRO will be able to drive improvements in managing risk and compliance in an integrated fashion that produces data and analyses that are reliable and timely. This approach is necessary to provide more trustworthy risk and compliance information to senior executives to enable them to confidently make consistently good decisions faster. Thus, establishing a more effective CRO role and the systems to support that function will be essential in the industry’s new environment. Having this connection recognized at the most senior levels of an organization is important because absent a top-level mandate for a CRO, the process of achieving a unified view of risk and compliance probably will be painfully slow. And unless they address their fragmented systems and data, financial services companies will find it increasingly difficult to manage risk and compliance well in the challenging business and regulatory climate.
Making major changes to enterprise data structures and making the role of a CRO more strategic are not going to happen overnight. IBM executives are well aware of that, describing the process of getting to integrated risk management as a journey. Fortunately, this is not the sort of initiative that requires a “big bang” to produce results. Data management and data integration efforts can produce measurable results if they are handled in a piecemeal yet steady fashion. Assembling a unified risk management platform can be performed on a step-by-step basis, allowing financial services companies to minimize deployment and disruption risk while developing skills for managing the implementation process. Risk and regulatory management are more important than ever to the success of financial services companies. They should begin their journey to an integrated view of both as soon as possible.
Robert Kugel – SVP Research