Washington's Regulatory Agenda Will Shape Banks' Risk IT Strategies

Pending legislation in Congress will significantly affect banks' IT shops, and risk management will be front and center, reports Deloitte & Touche's Henry Ristuccia.

A great deal remains in play when it comes to Congress' debate around the shape of regulatory reform. There are many different views on what will become law from among the various legislative efforts now under discussion, as well as questions on the timing. Nonetheless, now is the time to examine governance, risk and regulatory compliance processes and to get your house in order so that your bank can be ahead of any requirements that may be enacted.

Regulators already are taking steps under existing authorities to tighten control of the financial system, particularly when it comes to risk management. News headlines over the past year have targeted risk management for its role in the financial crisis, thrusting the issue into the spotlight. The industry is rapidly grasping the importance of approaching risk management from a holistic perspective and driving ownership of the issue up the management food chain.

According to the October 2009 paper on risk management lessons from the Senior Supervisors Group (which comprises senior financial supervisors from the U.S., Canada, France, Germany, Japan, Switzerland and the U.K.), most financial institutions are moving to improve risk reporting to the board and senior executives, as well as increasing senior-level involvement in risk exposure decisions. The group's recommendation may spur global bank regulators, as well as the Federal Reserve and other U.S. regulators, to propose further guidelines to mitigate financial services firms' risk in hopes of avoiding a future crisis. Going forward, many organizations may need to consider -- and plan for -- the full spectrum of risk, including strategic risk, operational risk, compliance risk and financial risk.

Data, Data Everywhere

The elephant in the room is how stakeholders determine which risks matter most. It is critical for executives to refine the key data to monitor for risk factors as well as to better understand the degree of transparency into those factors that the data provides. Technology is at the heart of this issue, as a robust technology infrastructure facilitates the identification and collection of the necessary data.

According to a survey of chief risk officers at financial institutions, however, many corporations are inhibited in their ability to fully grasp their risk exposure due to outdated or poorly integrated IT systems. As a result of multiple mergers and acquisitions, many banks have disjointed IT structures in which business systems are duplicated or not included in the overall data aggregation. These disconnected and disparate systems make it more difficult to identify the information necessary to fully grasp an institution's broad spectrum of risk exposure.

Banks should look for ways to enhance their risk infrastructures, such as through a data warehousing strategy. It also is important to develop strategies to address risk infrastructure deficiencies in areas such as risk applications, hardware, architecture standards and data sourcing.

Many firms are making sizeable investments in risk management infrastructure. The majority of the work and spending, however, has yet to take place. In 2010 there most likely will be an increase in technology spending as companies update their existing systems to seamlessly integrate and evaluate data coming from all aspects of a business and standardize that data with a risk lens. n

Henry Ristuccia is a partner with Deloitte & Touche and leads the firm's governance, regulatory and risk strategies practice in the U.S.