The Federal Deposit Insurance Corporation (FDIC) and the Board of Governors of the Federal Reserve recently released the public sections of the annual resolution plans for eleven systemically important financial services firms. The plans describe the companies' strategy for rapid and orderly resolution in the event of material financial distress or failure.
While the plans vary widely in their approach and level of specificity, the framework provided by the regulators requires each institution to provide a "Description of material management information systems" as a separate section of the public summary. This offers an interesting opportunity to find out how these firms are approaching complex issues like risk management, management reporting and data governance through the lens of planning for worst-case scenarios. In the first article in this series, I highlighted the submission of Citi. Here, I summarize interesting aspects of some of the remaining filings.
One common theme among the remaining filings is the creation and/or reuse of detailed IT asset inventories (including applications, systems, infrastructure and interfaces) to develop dependency mappings to the business entities, business lines and critical business operations defined in the plans.
JPMorgan Chase
JPMorgan Chase claims to maintain "a comprehensive set of management information surrounding its risk, liquidity, financial and regulatory reporting and monitoring" and that its "risk management framework and governance structure are intended to provide comprehensive controls and ongoing management of the major risks inherent in its business activities." The filing highlights the nine major risk types identified in the business activities of the bank: liquidity risk, credit risk, market risk, interest rate risk, country risk, private equity risk, operational risk, legal and fiduciary risk, and reputation risk. Details on liquidity risk management are provided.
In addition, JPMorgan references its IT services model as a way to "create scale, increase control and reduce duplication and cost."
Goldman Sachs
Goldman's filing is possibly strongest in its statement of the architectural advantages of its data management platform. In the filing, Goldman claims: "In most cases, a single application or information system supports a given function across businesses, product lines and entities; this allows for a significant level of consistency in the functionality and reporting available."
Goldman notes that the majority of the software applications used by the firm are internally developed proprietary applications and that they "devote significant time and resources to our risk management and financial reporting technology to ensure that it consistently provides us with complete, accurate and timely information, not only on an aggregated GS Group view, but also at an entity and a business line level."
Goldman further claims: "Our MIS have extensive ad hoc reporting capabilities, and most of our systems include legal entity information as part of the data they manage. As a result, we do not believe that there are material gaps or weaknesses in our ability to provide relevant data in a crisis scenario. Our MIS are overseen by an extensive governance framework, with documented policies, standards and procedures."
Goldman Sachs also emphasizes its business resilience program, designed to ensure that all critical applications are available for use in crisis scenarios.
UBS
UBS followed the common practice described above in the preparation of its response: "…the UBS Group identified the key management information systems and applications used for risk management, accounting, and financial and regulatory reporting. The UBS Group has compiled detailed inventories identifying the systems or applications and mapped these systems to Material Entities, Core Business Lines and Critical Operations."
Another interesting aspect of UBS's filing is that it has "included processes and protocols designed to permit regulators direct access to … key management information systems in partnership with the UBS Group at a time of financial crisis."
Morgan Stanley
Morgan Stanley states that its plan "leverages … business continuity and disaster recovery plans to help identify systems and applications deemed important to the ongoing operation of the Firm's businesses and MIS capabilities. These systems and applications are classified by tier ratings indicating the order in which they should be returned to service in the event of a failure."
Morgan Stanley also cites its policies and procedures that govern the IT control environment, including information security requirements and infrastructure, application infrastructure, software development lifecycle, change management, security of systems and applications, and business continuity.