As the saying popularized by Mark Twain goes, there are lies, damned lies, and statistics.
Too bad Wall Street didn't take that to heart. Poor risk management practices played a role in the financial industry's downturn by unnecessarily exposing companies to dangerous investments, according to observers and industry reports, and the result could translate into big new technology investments for the financial industry.
Some companies, such as Lloyds TSB, have increased their investments in risk management and the computing power needed to understand complicated risks since the downturn began.
"Because of the turmoil in the market, those what if scenarios are probably more extreme than you would have in a normal market," said Ricky Higgins, IT director of products and markets for Lloyds, adding that more complicated calculations are testing computer processing limits.
Lloyds has invested in grid systems running Windows HPC Server 2008 to perform risk analytics as much as 50% faster than it was previously able to do, a move which Higgins says quantitative analysts looking for good risk data have applauded and which allows the company to increase trading volume and therefore revenue while keeping risk down.
Managing risk doesn't come cheap for Wall Street. The hosted services RiskMetrics sells can run from the hundreds of thousands of dollars to more than $10 million, depending on what they're needed for, and the biggest firms all have their own expensive, internally developed systems. Microsoft and Sun used the financial industry's woes during a conference last week as a selling point for expensive number-crunching, risk-analyzing supercomputers, and Sun's top financial services exec said that investment in risk management technology was about to peak.
Proper risk management is a potentially critical component to solving Wall Street's woes, so those investments are necessary.
"[A] significant factor contributing to the financial turmoil was risk management weaknesses at large global financial institutions that created and held complex credit products," chairman of the Federal Reserve Ben Bernanke said in May. Still, simply employing the technology might not be enough.
Every financial institution has instituted some form of risk management tech, but it needs to be properly employed. "Given the levels of technology that we have today, this crisis we're going through is something that was very avoidable," said Gregg Berman, RiskMetrics risk management practice head. "This was not a natural disaster. The writing was on the wall for quite some time and people ignored it."
According to a SAS-sponsored survey released in July, the credit crisis has prompted 59% of companies to revisit their risk management practices.
Financial products have become radically more complex and buying volumes rose dramatically in recent years, but processes governing the use of the underlying data about risks haven't kept up, says KPMG advisory partner Jeanne Edwards. KPMG has seen evidence that many of the financial firms that have found themselves in trouble have relied too heavily on the data that risk management software and other data that data analysis software churns out without adequately questioning it.
"At the end of the day, there's a lot of technology involved, but it comes down to culture and governance," Edwards said. Skilled analysts have to be at the right place in front of the right data at the right time, rather than simply relying on what the systems tell them.
Earlier this year, senior financial supervisors from seven U.S. and international financial oversight organizations released a report evaluating the effectiveness of risk management practices at a sample of major global financial services firms and found that too often decisions were made that didn't properly take into consideration the data the firms had available to them.
"You rush out to make all the money you can and the technology picks up later," said Trent Gavazzi, CEO and founder of QuickWaters Software, whose software creates consolidated alerts for governance, risk and compliance.
There's a wider role for IT to play here to govern risk management and risk management technology, and that's in business process management, data management and improved resource planning.
"Depending on quality information, who gets it and in what time frame is what's critical," Edwards said. "IT plays a role in that in that there's a workflow piece in terms of managing the sheer volume of the information and moving it from one place to another. There's a need to reverse engineer where the decision points are in the data flow and create better business process management around that."
Some of those business processes involve getting the right data to the right people via business intelligence dashboards to show people a consolidated view of data and master data management technology to synthesize it. QuickWaters, for example, uses a desktop widget-based alerting system to notify CxOs of an array of problems, like trading limit breaches or lapses in supervisory tasks.
"If you can't bring your risk profile into context, how do you know where you stand?" Gavazzi asked.
The Counterparty Risk Management Policy Group III, which consists largely of risk management execs from a number of big banks, last month issued a report urging a shift toward more transparency and a renewed focus in risk monitoring and management and admitted that those changes may require new "costly investments" in technology. Regulators may follow suit.
"What regulators want is to make sure every player has a formal, consistent process in place," Berman said. "Part of that is going to be, certainly the regulation can be more transparent, in terms of, you must be able to say to an auditor that for a position you are taking you're adequately taking into account the risk factors."
Information governance is becoming ever more critical on Wall Street, but just because the technology is there doesn't mean people will use it correctly or bother getting all the necessary data. That's a lesson not just for Wall Street, but for all IT managers to take in.
What are the other paths to risk management? InformationWeek has published an independent analysis of the subject. Download the report here (registration required).