As 2003 wraps up and investment-management firms shift their attention to the coming year, one of the top issues on their plate is reducing operational risk.
That's according to a survey from software-solutions provider Trema, which interviewed 100 asset managers and found more than 50 percent ranked reduction of operational risk as of medium to high importance. Only five percent said it was not.
Improving risk management in the middle office scores particularly high, with 55 percent of respondents saying it was of notable importance. Overall, reducing operational risk ranked second only to automating internal processes, in terms of the main issues investment firms face.
It's not surprising operational risk has jumped to the forefront. A spate of legislative change in the past two years - ranging from corporate governance laws in the form of Sarbanes-Oxley (SOX) to tougher anti-money-laundering regulations under the USA Patriot Act - has focused more attention on compliance and operational risk.
Suzanne Labarge, vice chairman and chief risk officer at RBC Financial Group, says as investment firms head into 2004, operational risk will be front and center.
Labarge was recently elected chair of the Risk Management Association, a Philadelphia-based group that focuses on risk issues in the financial-services industry. "The regulatory bar keeps getting lifted. Practices that were tolerated five years ago are no longer tolerated," she says. Risk managers "need to get ahead of that and understand the elements that are driving (the change)."
The result is that there's been such an "increase in transparency, you can't hide your mistakes. They are likely to show up on the front page," she says. So the challenge for risk managers moving forward, says Labarge, is to minimize the chance an operational or compliance issue will blow up. "People will make mistakes," she says, the trick is to ensure it is not "endemic and symptomatic of something more serious."
Compliance is a cultural issue, says Labarge, and for risk managers that means "trying to get a common culture across the organization."
In an industry seeing rapid consolidation and mergers among competing organizations, ensuring consistency across the organization is no easy task, especially in a diverse organization with many subsidiaries.
The key, she says, is to set up a centralized reporting system that can "get things to the center very quickly" and catch problems before they get out of control.
Labarge notes the investment-banking division tends to be one of the most sophisticated operations where the biggest potential for trouble lies. That's where things like special purpose entities - a key issue in the Enron scandal - get cooked up, so it's important to have sound operational controls and procedures. She says if "somebody gets a wonderful, creative idea or product that doesn't go through the process," then the whole operation can get tripped up.
To combat that, RBC has centralized its governance structure for more than 400 subsidiaries, which includes a number of recent U.S. acquisitions. It has also built a Web-accessible database housing a range of information that compliance officers can call upon to make sure the company is in lockstep with laws like SOX.
"Technology is essential for us," and, "We've spent a lot on what I call operational-risk reporting," says Labarge. It's essentially a records or knowledge-management system that contains up-to-the-minute information about policies, procedures and the directors who run the enterprise.
Basel II, the international risk agreement that covers large integrated financial institutions, will also play a role in operational risk in 2004, Labarge says, and preparing for it is an ongoing job. However, most of the technology spend for Basel II, which in RBC's case was $75 million, has taken place over the last three to four years, and was "justified on business grounds."
Basel II is so broad she says, "We're all still grappling with it. We hope to have an answer by 2007, but I don't think anybody's got an answer right now."
The Basel II committee recently decided to stick with a proposed 2006 deadline for the accord to take effect.
While regulatory changes like Basel II and SOX are on the agenda for 2004, so too are everyday operational issues, particularly as they pertain to ensuring disaster-recovery and continuity systems are up to speed.
At Tullett Liberty, a diversified inter-dealer broker that focuses on fixed income and equities, the technology staff has spent the past year fine-tuning its disaster-recovery and business-continuity systems, says Mark Thomas, a senior vice president of technology, whose responsibilities include infrastructure and project management.
Those responsibilities include setting up a contingency site in White Plains, N.J. and enhancing communications plans around disasters. Now, says Leon Fischer, a senior vice president of technology for applications development at the firm, the goal in 2004 will be to leverage its new technology and facilities to help the firm drive down costs and better manage risk.
One area that will garner a lot of attention in 2004 is systems' security, both say. That's because of the growing incidence of viruses and the need to constantly plug the holes that are being exposed and exploited by hackers.
In the past, Fischer says, it took time before viruses were developed to exploit any holes. That gave firms breathing room. Now, that time lag has "really narrowed," making patch management a priority.
In terms of improving security and reducing risk going forward, Thomas says Tullett is looking at "behavioral-type systems that are not signature based." They guard systems and detect unusual activity based on user behavior and patterns and can shut down systems and alert managers.
Thomas says he's "not totally convinced how well they work," compared to systems based on user identity, but he thinks it's technology worth watching.
While operational risk is a concern for 2004, credit risk should also be on the radar screens, says Martha Sellers, managing director for client solutions at Moody's KMV in San Francisco.
On the plus side, she says, "We've seen improvement in credit quality across the board," from small to large issuers. However, the challenge for risk managers in 2004, she says, will be coping with "information overload."
Sellers says when it comes to looking at credit, there is "lots more information out there than there used to be 10 years ago." The question, she says, is how do firms deliver data to "the guy on the trading desk and the guy in risk management who need to know, without overwhelming them?"
From a technology standpoint, says Sellers, the key lies in building better filtering tools and systems that can push the right information to the right people, which she thinks will be a priority in 2004.
As well, she says, "There will be a lot of interest in (building) credit benchmarks, because the right ones don't exist yet."
Sarbanes-Oxley - Requires the CEO and CFO of each public issuer to prepare a statement accompanying the audit report. The statement is to certify the appropriateness of the financial statements and disclosures contained in the periodic report.
USA Patriot Act - Securities brokers and dealers, as well as commodity merchants, advisers and pool operators, must file suspicious-activity reports (SARs). They must also establish customer-identification standards and recordkeeping, as well as anti-money-laundering (AML) programs.
Basel II - A proposal for a new Capital Adequacy Framework, due to be finalized in the fourth quarter of 2003. Currently under development, this framework, known as Basel II, affects all internationally active banks, fund managers, brokers and custodians.