Recalculating Risk: The New Rules of Risk Management

New data management and risk analytics tools are giving banks such as ING, HSBC and Union Bank insight into enterprisewide risk exposures and a head start on Basel II rules.

As governments around the world ponder new rules for banks in the wake of the global credit crisis, in the U.S. large banks face former Federal Reserve chairman Paul Volcker's campaign to shrink them and prevent them from proprietary trading, and the FDIC continues to shut down banks (15 in the month of January alone, on top of 140 in 2009). As a result, the pressure on bank risk executives and the technology they use has rarely been more intense. (Banks' desire to at least appear to be risk averse has gotten so strong that in early February a group of businessmen in Cambridge, England, announced that they were setting up a bank that would be called either Boring Bank of Cambridge or the Cambridge Boring Bank.)

"What we just went through in the past two years is nothing short of cataclysmic," notes Scott Baret, partner, governance, regulatory and risk strategies, Deloitte & Touche. "The main driver behind what happened is a lot of poor decision making because of systems that didn't support adequate risk management and didn't provide enough data about risk exposures. The regulators are on top of this issue with regard to data infrastructures and usage like you wouldn't believe."

On the technology front, while bank reform legislation meant to extract risk from the financial system is working its way through Congress (a bill is expected to pass in the summer or fall), U.S. banks are investing many of their risk technology dollars and efforts into meeting the Basel II standards that require banks to measure, monitor and allocate capital against market risk, credit risk and operational risk. At a summit this past September, all Group of 20 countries pledged to apply Basel II rules by 2011. European banks took to the new requirements more quickly than U.S. banks, but American banks are following close behind.

Observers say that although overall bank IT budgets are relatively flat, risk infrastructure is one area where banks are spending. "Risk spend and risk technology spend are definitely on the rise in the banking industry right now," says Luther Klein, head of Accenture's banking risk management team in North America. "We're seeing tremendous focus on enterprise risk capabilities, consolidation of platforms, enterprise risk platforms and risk analytics."

Klein explains that these technology investments are designed to drive better decision making, reduce cost and complexity, and integrate enterprise operations, with a particular focus on the improvement of operational risk and Basel II adherence. To comply with Basel II rules, banks are investing in risk data warehouses and tactical tools, he adds.

Operational risk -- defined by Basel II as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events -- is a relatively new way of looking at risk for U.S. banks, and many are just getting started, according to experts. "As banks start running their parallel processes for Basel II in the first or second quarter of this year, we'll see a lot more activity around operational risk," says Deloitte's Baret, who notes that banks also benefit from avoiding operational losses, such as errors in entering transactions.

'PRUDENT' RISK MANAGEMENT

Union Bank of California ($86 billion in assets), which upgraded its credit risk program in May 2009, recently built an operational risk governance structure that addresses the four major elements of operational risk: internal loss data, external loss data, business environment and internal control factors, and scenario analysis. Data from those four areas is aggregated and used to estimate how much capital must be set aside.

Union Bank won't necessarily be required to follow Basel II advanced measurement approaches (AMA) for regulatory capital, which are targeted at the largest international banks, but it is "aligned" with the set of rules, according to Greg Jones, the bank's VP of operational risk. "It's prudent risk management to have a model to estimate capital [requirements]," he says. "Capital adequacy is something that's very basic for banks. All banks should assess capital adequacy for all their areas of risk."