Wall Street & Technology: Blog: Enterprise Risk Management (ERM) and Technology Spending

Enterprise Risk Management (ERM) and Technology Spending

By Sandeep Vishnu, BearingPoint

Technology continues to play an increasing role in risk management as instantiated by the recent entry on the SOX technology burden by Brian Mitchell of JPMorgan. ERM poses a challenge from an expense allocation perspective in that every investment could be directed towards an underlying risk, and it becomes hard to separate out incremental risk-related investments. Some investments are, of course, straightforward. For example, implementing two-factor authentication to reduce unauthorized access is clearly a risk-related investment and should be counted as such.

However, a platform upgrade to increase capacity to reduce the number of dropped transactions is a business decision that addresses the underlying risk of transaction failure. Should this be viewed as an expense for ERM, the business, a central infrastructure group, or some combination of these or others?

Risk management and compliance requirements are continuing to increase and overlap, and are creating a growing expense for firms. Regulatory guidance is not always prescriptive and firms have to interpret regulations to translate them into a set of tasks and activities. This becomes harder to do when regulations are planned, but not implemented. The subjectivity of certain regulations (e.g., Basel Pillar II) also makes it harder to define minimum compliance requirements and creates a challenge for prioritization of activities. Nonetheless, the translation of regulatory requirements into tasks and activities creates a portfolio of projects that may, at times, complement, compete or conflict with each other. This is the point at which spending can increase substantially, or it can also be the point at which rationalization begins. Several of these projects have technology components where overlaps and scaling can be addressed.

A detailed evaluation of the portfolio of projects at the activity block level can yield areas of commonality and allow for the development of a portfolio implementation plan, rather than a project implementation plan. This plan would allow for the sequencing and prioritization of activities, giving preference to those with core business contribution and deferring those, if possible, with pure compliance features. An absence of such prioritization or sequencing will create a perception of "out-of-control" spend and a lack of appreciation of the business value being driven by ERM. This prioritization and sequencing is also needed to allow for current risk personnel to manage the increased scope of activity, while getting some time to acquire appropriate resources (internal or external).

In summary, budgetary pressures, continuing regulatory uncertainty and subjective interpretations of regulatory requirements increase the need for rationalizing the portfolio of risk projects and for further streamlining corporate resources engaged in risk and compliance activities. The lack of such prioritization will increase the burden on enterprise risk management programs to justify their budgets and contribution.

Posted by Greg MacSweeney at 09:31 AM

This is a public forum. CMP Media and its affiliates are not responsible for and do not control what is posted herein. CMP Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of CMP Media LLC and may be edited and republished in print or electronic format as outlined in CMP Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.