Spotlight On Risk - InformationWeek


Spotlight On Risk

New regulations and threats are broadening the definition of risk and heightening the interest in enterprisewide management approaches. We look inside initiatives at three financial services firms and a utility company to learn how they're addressing Basel II, the Sarbanes-Oxley Act and other compliance demands.

Risk management isn't new. "Businesses are always choosing what to do, how to spend their money, making decisions on ROI and so forth, all while knowing these decisions carry risks," says Fred Cohen, principal analyst in security and risk management strategies at Burton Group.

What has changed in recent years are regulations and best-practices standards that require better risk management. Also new are the types of risk being managed, particularly threats related to technology and information security. As a result, risk analysis and management are pervading the enterprise, and technologies associated with risk management — embedded anywhere from in-process workflow to post-process business intelligence applications — are increasingly important to put information in the hands of people who can act on it.

"With the volume of risks you need to [manage], technology must be used to monitor it, measure it, control it and report on what's happening," says Cal Braunstein, CEO and executive director of research of Robert Frances Group.

This article profiles four businesses that are taking a broader perspective on risk. Consider the European bank that's graduating from credit risk management to Basel II compliance or the financial services conglomerate addressing operational risk alongside conventional credit and market concerns. There's also the Dutch financial services firm implementing reporting best practices as part of a compliance initiative and the U.S. utility managing information security threats as well as more obvious physical plant risks. If you follow these examples, you won't look at new line-of-business needs and compliance demands in isolation. Rather, you'll move toward an enterprisewide approach, combining technology with business practice to effectively manage a range of business risks.

Make Risky Business Routine

For some companies, risk is the raison d'etre. The core competency of property insurance carriers, for example, is assessing risk both at the individual account level and, using catastrophe modeling tools against entire databases of policies, at the portfolio level. This ensures — in theory at least — that a Hurricane Katrina won't completely bankrupt a company.

The trend among insurers, banks and other risk-focused businesses is to streamline and standardize the risk management process. This often involves the use of rules engines and rules-enabled workflow systems. For instance, Caixa Catalunya, Spain's third-largest savings bank, wanted to automate credit risk assessment for loans and mortgages on an individual account basis, thereby developing a better understanding of the bank's overall portfolio.

"We had used [conventional] systems of risk management," says Ricard Climent, Caixa Catalunya's director of global risk management. At the branch level, staff evaluated applications and third-party credit information, calculated various debt ratios and made the approval or declination decision.

To automate this process, Caixa Catalunya chose Fair Isaac's Triad predictive scoring and decisioning system, first installing it in November 2000 and upgrading the system in December 2004. The system compiles data from three primary sources: the bank's loan application system, third-party credit bureaus and the transaction activity of existing customers. The system creates an application score and a behavior score that combine to create a credit risk assessment and corresponding maximum credit limit for each customer. As the bank develops more customer information over time — products purchased, payment history and so on — the credit limit may be raised or better terms extended.

Caixa Catalunya is satisfied with its return on investment, says Climent, pointing to benefits including shorter loan processing times and standardization of the underwriting process. The bank is currently working on integrating the system with its online banking application so Web-originated new credit applications, which are currently passed to branches for approval, are handled by the same automated process.

Add Value to Compliance

In many respects, Caixa Catalunya's deployment and practices are typical, but its scoring and decisioning system is becoming an important part of calculating credit risk under New Basel Capital Accord (Basel II) requirements. "We use it to calculate the portfolio's probability of default," using models to calculate expected and unexpected losses and aggregating the probabilities of individual loan default, Climent says. "Without [this system in place], it would be much more difficult to calculate that. Now we can better manage our reserves and our capital needs."

Pending Basel II credit, market and operational risk management requirements have been a top-of-mind challenge for financial services firms, but many companies are looking beyond compliance. Forward-thinking organizations want to leverage current investments, find multiple uses for new investments and derive broader benefits from compliance.

These objectives are playing out at Netherlands-based De Lage Landen (DLL), a subsidiary of the Dutch Rabobank Group, which provides asset-based financing to businesses in Europe, the Americas, Asia Pacific, Australia and New Zealand. In 2001, the company started planning for Basel II reporting requirements, intending to leverage the Hyperion Enterprise financial reporting system it already had in place. As work progressed, however, DLL believed the Enterprise platform couldn't handle other best-practices reporting standards, such as International Financial Reporting Standards (IFRS) and economic capital (eCap) calculations. So in 2004, DLL migrated to Hyperion Financial Management (HFM) for financial reporting and risk-adjusted return on capital (RAROC) calculations, and in 2005, the company deployed Hyperion Essbase for eCap calculations. The reporting systems are fed by two data warehouses that store information from seven transactional systems and six general ledger systems — one in the United States for the Americas, Southeast Asia, Australia, and New Zealand and one in Europe.

DLL's ongoing project isn't just a matter of compliance, but also a source of competitive advantage, says Daan Greven, manager of DLL's Basel II and RAROC programs. Under Basel I, banks must reserve 8% of issued loans to absorb losses, but Basel II lets firms reduce reserves as their process for managing risk becomes more precise. "Our cost of capital is already going down, which gives us a great advantage," Greven explains.

Currently, DLL is working with Hyperion to integrate HFM and Essbase as well as an operational performance scorecard via Hyperion Hub, a move that will enable the bank to distribute risk management data to a larger user community. "Key operational risk control indicators will be measured, reported on and will go to the same managers in the same way as credit risk does," Greven says.

Expand the Definition of Risk

Financial services firms have long focused on credit and market risks, but Basel II calls for a broader perspective that also considers operational risk.

"We've been serious about [operational risk] all along, but Basel II gives it more weight," says Jeffrey Hempstead, vice president of operational risk and enterprise risk reporting at RBC Financial Group, a Canadian banking, insurance, investment and transaction processing services firm. "Now [risk reporting] is a broader activity, to the point where a good chunk of our enterprise risk report focuses on issues that are operational and regulatory in nature."

RBC is considering new tools to better support operational risk assessment. The company currently uses a scorecard-based self-assessment tool, and operational risk staff from each of the firm's five divisions record possible causes of loss, impacts and likelihoods, controls and action plans. RBC also has a loss event database for compliance with Basel guidelines as well as an OLAP reporting tool over both systems.

The loss event database has evolved to meet RBC's needs, according to Hempstead, but the heavily customized self-assessment system has not. The firm is looking for a better solution, but Hempstead says "we don't believe that tool exists at this point, either in the market or internally."
