This afternoon I conducted my first ever twitterview (a twitter interview conducted via my handle @virginieateam) with Marcus Cree, director of risk solutions for SunGard’s capital markets and investment banking business (@MarcusCreeRisk), and Michael Versace, director of global risk at analyst firm IDC-Financial Insights (@versace57). Amusingly, given the format, the topic of conversation was the challenges facing the risk function beyond technology: governance, profile raising and general cultural changes. It included lessons that could equally be adapted to the data management function, as well as risk.
The risk function (and data managers for that matter) is being asked to do much more to meet the incoming onerous requirements of new regulation, with the same resources as ever. Not only that, but many are not being granted the power to effectively carry out the sea changes required to meet this much more intense scrutiny. Cree and Versace chatted to me about how this governance challenge is shaking out and what can be done to tackle it.
For those of you that missed the #riskchat, here it is for you in full:
Are firms waking up to the need to adopt enterprise risk management (ERM) infrastructure?
Cree: Slowly, since the crisis hit, the crosshairs have moved between models and incentives, but as normality resumes, the lack of risk as a cultural imperative has been recognised. This is also reinforced by Dodd Frank and the new Basel rules (see more A-Team commentary on the subject stemming from SunGard’s recent City Day in London here).
Versace: More than 75% of the financial firms we speak with have a chief risk officer (CRO) – that’s waking up, I guess.
The challenge beyond technology is cultural for ERM to work, how are firms tackling this?
Versace: By linking risk vision and accountabilities to performance, and from performance to compensation.
Cree: It comes down to looking beyond calculations, and focusing on credibility of results, and distribution of those results. Asking traders to use risk strategically demands that they be given numbers, in context that can be trusted!
How could they improve their risk governance accordingly? Is a CRO the solution?
Cree: To an extent, but only an empowered CRO. If CRO reports directly to CEO then you have platform for better governance. The language of the firm has to evolve to include risk context, to make risk cultural.
Versace: Measuring CRO performance is crucial but data shows compensation committees are not involved yet in ERM programmes – this is a big missing link.
Where do the biggest challenges lie on a day to day basis?
Versace: Talent, demonstrating breadth and depth of understanding in ERM functions, and selling ERM competitive advantages.
Cree: The biggest challenge is cultivating a risk culture, at the expense of absolute profits. It’s easy to talk risk in a crisis, less so when it means reducing (non-risk adjusted) profits. This is why the context of success must include risk, which is the cultural rather than mathematical part.
Regulators have stepped in to mandate certain risk governance guidelines (check out A-Team coverage of recent US led op risk guidelines for example) – is this the right approach?
Cree: It is probably the only approach, given the backdrop. But be cautious. Capital regulations provide a buffer between a firm blowing up and the potential systemic effect. They’re not there to insulate the firm from itself. This requires internally driven governance.
Versace: Regulators set expectation, but businesses hold accountabilities and compliance obligations to shareholders, customers and the market.
Have the regulators gone far enough to ensure firms change their approach to risk management?
Versace: Far enough for what? In certain areas like capital adequacy and liquidity, I think so. Security, yes. Defining understanding the economic impact of Dodd Frank, probably not.
Cree: At this point, we can’t tell. They have the mandate and implied power, but until the full regulations are in place and supervision is set against them, we won’t know whether or not they’ve used their full firepower.
How could firms leverage technology to this end? If at all?
Cree: Don’t get hamstrung by bad technology choices. Calculation/production and control/distribution require specific tech solutions. Keep focus on end point goals and choose technology for each. Take an infrastructural approach to join the dots. Think about it as a risk ecosystem, rather than an application.
Versace: There are many examples: asset liability management, financial crime, credit and portfolio risk. You need the people, policy and technology to manage risk.
What would be your advice to risk management teams struggling with a lack of empowerment?
Cree: Take the bull by the horns. Be willing to expose errors and gaps, and generate firm-wide participation. Empowerment is borne from credibility, which involves evolving from a regulatory capital report into a strategic tool. Be willing to debate and validate or change your approaches. No one will empower you without you first proving why they should.
Versace: Be business people, demonstrate returns from effective ERM, and the costs of the ‘wait and see’ approach. You’ve got to be thinking this way, because your competitors are.