Jim Rohr loves one kind of risk--taking the chance that if he lends you money, you'll pay him more back. But there are other kinds of risk that the CEO of PNC Financial Services Group Inc. would just as soon do without, like the possibility of someone writing fake checks or an ATM network going down or a flood in a data center.
So a year ago, Rohr appointed Tom Whitford as chief risk officer. His office has four managers dedicated to specific risk areas. Each works within PNC lines of business to implement risk-management programs, and Rohr keeps a close watch. "It all rolls into one person in our organization, the CRO, and he reports directly to me," he says.
PNC's IT department is among those most closely scrutinized as part of this system of checks and balances that the risk-management group provides. CIO Tim Shack and his team are expected to take risk into account when deploying technology, and the risk-management team constantly evaluates how well they're doing. "When the CIO comes to me and tells me he has the telecom backup site all set up, I have a risk person who then goes out and evaluates it," Rohr says.
The financial-services industry has been focusing more attention than ever on risk management. At the same time, regulators from around the world are working out a complicated set of rules for governing global banks, called the Basel II Accord, part of which looks at how much money banks must set aside for emergencies. What banks and regulators are doing hasn't been widely attempted, and it has dramatic implications for business technology: to regularly measure the risks a company faces and put price tags on them. While the largest institutions are leading the effort because they'll be the first regulated, their success will be monitored by smaller ones--and likely other industries. By closely measuring risks, executives may look differently at the cost of technology-intensive investments to avoid those risks. "Supervisors expect the advanced measurement approach to provide the incentives to invest in new systems and practices that will reduce the potential for serious losses from operational risk," Federal Reserve vice chairman Roger Ferguson said in a February speech.
Basel II takes into account that globalization, consolidation, and real-time information have changed the risks in the financial-services industry. From a business-technology standpoint, the industry is more dependent than ever on electronic transactions and more responsive to real-time information. At the same time, industry consolidation has left fewer banks in control of more money. These banks' "operations are increasingly complex and sophisticated," Ferguson said. "At the same time, significant weaknesses in one of these entities, let alone failure, has the potential for severely adverse macroeconomic consequences." In other words, if one bank takes a bad gamble and loses, the entire industry and global economy could suffer.
Business technology plays a dual role in this risk picture. IT innovations make it easier to calculate the risks and mitigate the dangers of doing business, but each technology deployment also brings new risk of outages or mistakes. Simply doing business over a Web site opens a range of potential problems, from security issues to lost customers if the site is down. "The Internet opens a whole new area of risk for us," PNC's Rohr says.
Technology spending for risk management will account for 9% of the average IT budget in financial services, according to a report from IT advisory firm Gartner released last month. The report predicts that building risk-management infrastructures will remain an IT investment priority through 2005. Still, getting firm return-on-investment measures or benchmarks for spending is tough. "Regulators and analyst firms have been working hard to put the pieces together to justify operational-risk-mitigation investment, and it sounds good, but it's hard to prove that any one bank is taking the right steps for operating risk," says Susan Cournoyer, principal analyst at Gartner.
The potential failure points in Basel II fall into three categories: credit risk, market risk, and operational risk. Credit risk is the easiest to understand: It's the risk of not getting paid back. Market risk involves investment decisions and broader financial-market trends. But it's operational risk--from check-kiters to ATM failures--that's getting increased attention. It's also a big reason that banks make sure they choose chief risk officers who understand IT. "It used to be that risk management was with the CFO or economist types because it was a financial matter," says Catherine Allen, CEO of Bits, a technology and strategy group for the 100 largest U.S. financial institutions. "But in operational risk there are consistent technology themes--cybersecurity, business continuity, transaction risk--that traditional econometric models don't address, and most of the financial people don't understand the technology behind it."
The very definition of operational risk can be hard to nail down. Theoretically, it's any loss calculated as operating expense that could have been saved had proper preventive measures been in place.
The movement to categorize and measure operational risk has its doubters. The Fed's Ferguson notes that some bankers believe money spent on IT systems and procedures to measure operational risk would be better spent on systems to prevent problems. And Basel II policy makers face the challenge that there's no standard for identifying and quantifying the risk. But they recognize that operational-risk losses can devastate institutions. Take Allied Irish Bank, which last year lost nearly $750 million--and took a considerable hit to its reputation--when a trader at a U.S. subsidiary forged records of options purchases, either to conceal losses or to skim fees paid for the options. Or there's check fraud, which has spiked since the economy faltered. Then there's the Sept. 11, 2001, terrorist attacks, which still weigh heavily on the industry's disaster-recovery and business-continuity planning.
What proponents of the operational-risk elements of Basel II, such as Ferguson, propose is the "advanced measurement approach," which lets banks develop their own methodologies for calculating operational risk and the capital they'll set aside to prepare for it, within certain guidelines established in Basel II. Those will be subject to auditing and regulatory oversight, but the result should be that banks that invest to reduce their risks will get the financial return of lower capital requirements. "For example, if a bank invests in improved contingency procedures and approaches, we would expect such an investment to be reflected in a reduction in the need for operational-risk capital" under the advanced measurement approach, Ferguson said.
Technology can help companies understand their risk. As part of the post-merger integration with First Union Bank, Wachovia Corp. built a Web-based risk-capture application that each business unit used as it prepared and executed the integration. Using the system, managers evaluated their production environment based on criteria such as compliance, fragility of customer relationships, or disaster recovery, and they rated themselves against those criteria. The application rolled up the scores from all managers working on that project to produce a risk rating on the overall project. It then tallied all projects' risk ratings to a total line-of-business score. If the risk level was high, executives gave extra attention to that line of business during the merger integration. "Most importantly, we have embedded a technology and process where we're looking at the readiness of projects prior to implementation," says Joe Hanssen, VP in the operational-risk group at Wachovia. "It's a good risk-management--and change-management--tool."
Hanssen says the tool will be used beyond the First Union integration, becoming part of the bank's process for any major change, from another merger to an enterprisewide application deployment.
The other two areas of risk for banks--credit and market risk--are better defined and have more established tools for dealing with them. But they remain major spending initiatives, and quite often the areas of risk and the technologies to address them overlap with operational risk. Market risk, which rose in prominence with a revision to the Basel I Accord during the 1990s, can also help mitigate operational risk. For instance, if a broker promises a client that a stock will be sold at $15 per share, but when the trade is executed the share price has dropped to $14, the brokerage may have to cover the difference. Automating trading is a big part of the solution, and the industry is working toward adopting standard practices, such as straight-through processing and workflow-automation technologies, to prevent such losses. Straight-through processing gives brokers real-time access to market data and automates the buying and selling of stocks. That also reduces the potential for human error.
Another area of crossover between market and operational risk comes from investment companies helping clients understand their choices in a volatile market. During the recent boom, investors became easily enamored of certain stocks or sectors and would overconcentrate their portfolios. "So when they failed, the impact from that stock was disproportionate from what it should have been," says Chet Helck, president and chief operating officer at Raymond James Financial, a financial-services firm. It's more important than ever to give smart guidance to customers--and document it, since courtrooms are filled with evidence of big risks in market trading. "The world has become far more litigious, and there are unprecedented numbers of cases in our industry where investors are attempting to get even from market losses by suing the firm they bought the shares from," Helck says. "Some they win and some they lose, but the cost of managing the process and the legal bills alone are a big risk to the firm."
Raymond James uses software from Comprehensive Software Systems Inc. to store customer profiles with data such as age and net worth, and it has developed in-house software to match that information with systems for account tracking and performance reporting. The data is reported to managers so they can review portfolios. Brokers get early identifications of heavy losses or abnormal trading, and the reporting software flags that for managers, giving the brokerage a head start on reacting to and reducing the damage. For instance, if a client in an age group that should have been in low-risk investments was loading up on Pets.com, the software would alert a manager who could work with the broker to address the problem. "The software will make sure on a metrics level that the activity performance and holdings on the account are suitable for that customer's profile and objectives," Helck says. "By identifying early that they were overconcentrated, a broker could convince them to be more moderate."
Operational and market risk are important and will get increasing attention going forward. But where banks make their money is in lending to the right people, and that's where they've spent the most on enabling technology.
Among those looking closely at credit risk is Harris Bank, which has $28 billion in assets. Harris' answer to credit-risk assessment came when the company implemented a PeopleSoft Inc. Financial Management application suite to manage accounting, cost-allocation, and financial-reporting processes to calculate profitability for specific lines of businesses and products. The PeopleSoft app takes data feeds on everything from mortgages to commercial loans from each of the bank's back-end systems--at least 50 sources of data running on anything from Unix to NT platforms to legacy mainframe systems--and collects the data in the PeopleSoft Enterprise Performance Management Warehouse.
But whatever data a company uses for accounting by nature can be used for risk assessment as well, says Adam Schabes, Harris' VP of financial information systems. Harris went live with the system in October, including a risk-assessment module from PeopleSoft that collects data from the warehouse, analyzes it, and reports it in a risk-management-friendly format. "Before, risk-management staff would go and get data from each individual application, and there was manual effort to massage it into standard format," Schabes says. Since each application stored and named data points differently, risk managers spent lots of time manually creating spreadsheets. "It wasn't a clean process," he says.
Having that data in a comprehensive format changes how the company manages products and customers, because the bank can use formulas to more accurately determine the risk versus profitability of the customer. "It's had a heavy influence in our product pricing, like on the loan side," Schabes says. It lets the bank customize loans, and that gives the bank a competitive advantage over banks judging a customer within a broad market segment, he says.
Dresdner Bank AG is also building a tighter relationship with its customers, which makes it easier to sort out the bad apples that will do the bottom line wrong. Dresdner, a German bank with more than 1,100 branches in 70 countries, uses business-intelligence tools from Business Objects SA that provide a comprehensive view of its customer relationships and risk exposure. Traditionally, collecting data and then reviewing and analyzing a customer portfolio for risk could take weeks. Using the business-intelligence tools, including at the branch level, employees can create ad hoc queries and reports on a customer. The customer data is checked against 50 or more risk factors, and the results are used to calculate a credit-risk indicator. That indicator can be analyzed and aggregated along many dimensions, including customer segment, branch, and region to isolate and track credit risk over time.
Though credit risk gets most of the IT budget today, Gartner's Cournoyer predicts that by the end of the year, spending on tools to measure and mitigate operational risk should grow at a faster rate as regulators clarify Basel II guidelines and the industry develops best practices and technologies. As these three risk categories vie for attention and budget, financial institutions will need to build a holistic risk-management architecture based on real-time data that's collected on a transactional level, says Guillermo Kopp, director of financial-services strategies and IT investments at the advisory firm TowerGroup. "What institutions want is to integrate information from all product systems, credit systems, account systems, fund-transfer systems in a way that reflects credit, market, and operational risk at the enterprise level," Kopp says.
That's easier said than done for an industry that continually struggles with data-integration issues. But a deadline is on the horizon, since Basel II will likely require that banks be able to access three years' worth of data related to risk when the regulation goes into effect in 2006. Kopp recommends a bottom-up approach, where transaction-level data is monitored and captured in real time and a rules engine associates transactions with events and losses.
Financial-services companies will grow more dependent on business technology to keep from being overwhelmed with risks, regulations, and competition. "There are a lot of issues coming down that we have to comply with," says Raymond James' Helck. "The CIOs in the financial-services world have a great opportunity here to add value to their organizations by creating risk-management, compliance, and sales-management tools."
That value could extend beyond their companies, or even the industry. Financial services, as one of the most heavily regulated industries, often pioneers rules and guidelines that are quickly picked up by other vertical industries. "This isn't just about Basel. This is about everyone," Bits CEO Allen says. While Basel will affect the 20 or so largest U.S. institutions, with another 20 or 30 likely to opt in to the requirements because it gives them an edge in competition or reputation, it'll open the discussion on measuring and putting a value on operational risks. Regulation or, more likely, market pressures will force every institution to adopt some flavor of the policies in time. Allen believes most public companies ultimately will have documented operational-risk programs. Says Allen, "It's important to give a heads up to everyone that, whether you're manufacturing or pharmaceuticals, in your industry you have operational risks, and your business is going to be impacted by that."