As new risks such as data loss and regulatory litigation continue to impact the financial services industry, what falls under the risk management umbrella is changing. Today, firms are worried not only about traditional credit, market and operational risks.
Regulatory risks, security risks and change management now are equally important. Additionally, the risk manager's job is evolving to include more enterprisewide oversight, and it has become more dependent on technology than ever. This shift, in turn, has given rise to new roles, such as the technology risk officer and head of technology controls.
New York-based JPMorgan, the investment banking arm of JPMorgan Chase, has assumed a leadership position in restructuring the way most financial institutions approach risk. Just last year, Stephen Lythe, JPMorgan's former head of technology audit, was chosen to head the investment bank's technology controls office. In his previous position, Lythe says, he had the opportunity to look at risk and how the firm controls it, essentially gaining a pragmatic view of the problems JPMorgan was facing on the risk-management front.
Lythe's most recent appointment is part of an enterprisewide effort to provide a clear picture of risk and control that can be leveraged by the firm's chief technology officers and chief information officers to create more efficiencies in its overall IT environment. "The roots of this came about from a discussion I had with the CIO of the investment bank, Mike Ashworth, where we looked at what the investment bank was doing around its controlled self-assessment program and around Sarbanes-Oxley (SOX) compliance," explains Lythe. "The idea was that although the bank was doing very good work, it could be doing so much more to capitalize on its efforts so as to have a real impact on the day-to-day activities of managing IT as a business."
Lythe, along with a team of 30 risk managers and 25 technologists, is spearheading the investment bank's efforts to use the current control programs, coupled with the metrics produced by them, to obtain an end-to-end view of risk across the IT environment. In a complex organization that relies heavily upon its systems, it is the team's job to ensure that all the right information is being pulled together in order to foresee any potential weaknesses.
"People tend to focus a lot on business continuity. But we find that 99 times out of 100, the points of failure are localized failures," says Lythe of his team's efforts. "Although you need to cope with blackouts [and other events related to business continuity], the steps that lead up to [business continuity] are the abilities to deal with events on a day-to-day basis," he adds. "Many organizations today have a knee-jerk reaction - they're complying with SOX, they're doing all the testing, they've done the self-assessment, but really they're doing it because they have to," Lythe continues. "We're at a point now [at JPMorgan] where we're doing it because it's providing value. The insights we gain today help us better manage the environment going forward."
A New View
Holistic mandates, such as SOX and Basel II, have reinforced the notion that risk management is both a core competency and a competitive factor. Although risk management always has been a large part of what firms do on a daily basis, efforts typically have been buried in the business silos and have gone mostly unnoticed by a sizeable contingent of financial services customers and employees.
"What's happening now is that Basel II and SOX are forcing institutions to instill a risk-management culture across the organization because these mandates are cross-functional and cross-departmental, and, as a result, everyone needs to be involved," says Virginia Garcia, research director of financial services strategies at Needham, Mass.-based TowerGroup. These mandates "not only go across departments, but they go from top to bottom as well. So whereas before there might have been risk management professionals that were deeply concerned about risk, and did it extremely well, it wasn't the case that all employees had this risk-management awareness, or, unfortunately, that senior executives and board members were involved in this day-to-day process."
A side effect of SOX and, on a more global scale, the international accounting standards, Garcia adds, is that firms now must find opportunities to converge processes and systems around risk management and financials. "SOX is telling financial institutions that they must report transactions in greater granularity than ever before and, also, do so in a very rapid manner," she says.
Recent news headlines on security breaches and lost data also are alerting consumers to the many weaknesses within the controls environments of U.S. financial institutions. Today, firms that want to grow their businesses are realizing that the only way they can accomplish that growth is by building customer trust, closing gaps in their processes and making consumers comfortable by instilling the risk-management discipline in areas that are visible to the customer, such as protecting personal information. Consequently, firms are looking for ways to streamline the functions around risk and finance, converge the systems and pursue collaborative team-building efforts on initiatives such as implementing IT projects or improving business processes. "This is a [sentiment] that's going across the industry, and it's forcing change of the risk-management tone," Garcia says.