Ask the Expert
Topic: Risk and Compliance
Orren Peled is Vice President of Research and Development with the Global Risk Solutions unit of Harland Financial Solutions Worldwide. His expertise is in the area of enterprise decision support systems, with a primary focus in the banking industry. He also has extensive experience as a System Analyst and Consultant in the banking industry. For more information about how to manage credit risk, send an e-mail to moreinfo@creditquest.com.
As business continuity becomes a major focus for companies, can you explain what has fuelled the rise in its importance and can you put a price on the reputational damage that a security breach or downtime can cause?
OP: Many companies have realized that a disaster of any kind can happen at any time and they need to be ready. This has spurred companies to invest resources into business-continuity and disaster-recovery planning. However, natural disasters do not seem to be the immediate threats faced by most companies. IT-related risks are more frequent and their cost can be very significant.
Our company, Harland Financial Solutions Worldwide, is a leading provider of risk management and compliance software. One of my areas of focus is the analysis of customer information by financial institutions. We have witnessed that institutions have become far more sensitive to the inadvertent disclosure of non-public information (NPI) (i.e., customer data). In the lending area, financial institutions gain access to private companies’ and individuals’ most closely guarded secrets, including financial statements and tax returns. You can imagine the legal and reputational consequences of a scenario in which these documents are compromised. For financial institutions, the challenge is to utilize the data provided by customers, while finding ways to control access so data remains secure.
Why is risk management so important for the financial sector in particular?
OP: Financial companies face all the common risks faced by other sectors; however, the financial sector is probably more vulnerable than other sectors to threats such as IT failures and security breaches. Modern financial services are entirely dependent on electronic transactions. In a bid to help protect the environment, even paper-based reports are fast becoming outdated. When the system goes down, the business halts. The lost deals and the reputational damage can be devastating. How many financial companies could survive 2-3 days of downtime?
However, there is another angle. Customers need to trust financial institutions with their money. If a financial institution fails to convince the public that it can take care of its market, credit and operational risks, how will it convince customers to entrust it with their money? Therefore, financial institutions have no choice–they need to prove they are all-round expert risk managers, or customers will go elsewhere.
What are some of the main challenges financial companies face when it comes to managing risk?
OP: The recent subprime crisis highlights several challenging areas. The first is the danger of holding pre-conceived ideas for too long. For some time, there were many signs of impending problems in the U.S. mortgage market. However, few acted or had the right tools in place. Financial companies need to be realistic and constantly simulate worst-case scenarios. Better portfolio management tools can help. In the credit area, this means having access to full and accurate granular credit origination data. Had this data been transparently available to all the parties, it would have been much harder to re-package and to leverage subprime portfolios as blue chip rated securities.
What advice would you offer any large customer-facing business that doesn't yet have business continuity or disaster recovery plans in place?
OP: Ask them a simple question: What are they willing to spend to ensure their business does not fail because of an unexpected event? One can argue that the Basel II regulations are an example of a grand business continuity and disaster recovery mechanism imposed by the regulators on financial institutions to ensure they will not fail. The expenditure on Basel II-related projects is an indication of how important the industry deems these efforts. Basel II has helped many financial institutions to better understand their risks and to find ways of quantifying and mitigating them. It is the responsibility of individual institutions, working together with system providers, to put substance into the regulatory recommendations and implement the systems and processes that will quantify risk and help manage it. Other businesses can definitely learn from the experiences of financial institutions that have undergone the process. To summarize with a sporting analogy: To win, you need to concentrate on revenues and income (offence) but not at the expense of ignoring the risks (defence)–it takes both.
Is it possible to cover all bases, or do you have to accept that operational risk is an unavoidable cost of doing business?
OP: Operational risk is an unavoidable cost, but it can be minimized to a level that makes economic sense. Many of the IT-related operational risks centre on managing security. With systems in place that can commit large exposures or divulge sensitive information at the click of a mouse, it is imperative that financial institutions identify these areas within their IT environment. Single sign-on mechanisms, as an example, are widely used in the industry. Software developers now need to concentrate on providing improved functional security within enterprise applications. This will allow financial institutions to provision rights more precisely and it will support monitoring of application usage.


