
Risking danger


The current state of the market is a clear indicator of the difficulties that lie ahead after a serious risk and compliance issue. In such a complex industry, how can the challenges of security risks be overcome? Two industry insiders tell us more.

FST. As business continuity becomes a major focus for companies, can you explain what has fuelled the rise in its importance and can you put a price on the reputational damage that a security breach or downtime can cause?
OP. The terrorist events of 9/11 boosted the preoccupation with business continuity and disaster recovery planning. However, terrorism and natural disasters do not seem to be the immediate threats faced by most companies. IT-related risks are more frequent and their cost can be very significant, as we saw recently at the French bank Société Générale.

Harland Financial Solutions Worldwide is a leading provider of risk management and compliance software. One of my areas of focus is the analysis of customer information by financial institutions. We have witnessed that institutions have become far more sensitive to the inadvertent disclosure of non-public information (NPI). In the lending area, financial institutions gain access to private companies and individuals’ most closely-guarded secrets, including financial statements and tax returns. You can imagine the legal and reputational consequences of a scenario in which these documents are compromised. For financial institutions, the challenge is to utilize the data provided by customers, while finding ways to control access so data remains secure.

HJ. Banks, insurance companies and securities firms have long placed a high priority on business continuity, and recently more and more industrial corporations are following suit. As data and transaction volumes grow and evolve from batch processing to continuously flowing, disruptions will become ever more costly. At Accuity, we have seen a tremendous rise not only in continuity protection but also data security – which is a related but separate issue. The costs associated with downtime are very different than the costs of security breaches. Downtime costs tend to escalate exponentially depending on how long the business stream is out of commission. Security breaches, on the other hand, have a significant cost up front that can sting even if the breach lasts mere moments. Once data is compromised by a breach, the disclosure of such requires enormous capital to restore levels of customer trust. If it is not handled properly, a breach can destroy a business.

FST. Why is risk management so important for the financial sector in particular?
HJ. The financial sector has long operated on the principle of trust. At its core, a financial institution must always have enough liquidity to cover customer withdrawals in whatever shape that might take. Lack of a comprehensive risk management program, which in the event of business disruptions is designed to provide stability, can easily lead to a violation of that trust, causing a run on the bank in particular and the financial sector in general. The financial sector is particularly vulnerable, because a ‘run’ on one bank can easily cascade to the next and so on, and that sets the financial sector apart from others.

OP. Financial companies face all the common risks faced by other sectors; however, the financial sector is probably more vulnerable than other sectors to threats such as IT failures and security breaches. Modern financial services are entirely dependent on electronic transactions. In a bid to help protect the environment, even paper-based reports are fast becoming outdated. When the system goes down, the business halts. The lost deals and the reputational damage can be fatal. How many financial companies could survive 2 to 3 days of downtime?

However, there is another angle. Customers need to trust financial institutions with their money. If a financial institution fails to convince the public that it can take care of its market, credit and operational risks, how will it convince customers to entrust them with their money? Therefore, financial institutions have no choice – they need to prove they are all-round expert risk managers, or customers will go elsewhere.

FST. What are some of the main challenges financial companies face when it comes to managing risk?
OP. The recent sub-prime crisis highlights several challenging areas. The first is the danger of holding pre-conceived ideas for too long. For some time, there were many signs of impending problems in the U.S. mortgage market. However, few acted or had the right tools in place. Financial companies need to be realistic and constantly simulate worst-case scenarios. Better portfolio management tools can help. In the credit area, this means having access to full and accurate granular credit origination data. Had this data been transparently available to all the parties, it would have been much harder to re-package and to leverage sub-prime portfolios as blue chip rated securities.

HJ. Put simply, financial companies must balance risk with the prohibitive cost of doing business in a risk-free setting. Inherently the definition of risk is subjective compared to the cost of doing business where personnel and other hard costs can be easily calculated. For example, most financial companies are required to screen transactions and entities in compliance with anti-terrorist legislation and other AML regulations. Watch list filtering such as UN, EU, HM Treasury and OFAC requires a risk-based approach and typically interdiction screening causes ‘false positive’ hits. These false positive hits need to be reduced in order to lower operational costs. However, techniques to reduce these hits need to be balanced against increased risk that a true positive sneaks through. A solution that allows for zero false positives probably is not screening effectively and one that has too many false positives is too burdensome and costly to be useful. Managing that balance effectively is a hallmark of a world-class institution and certainly a daily challenge for financial companies when managing risk.

FST. What advice would you offer any large customer-facing business that doesn’t yet have business continuity or disaster recovery plans in place?
HJ. Seriously consider implementing such a plan. In order to remain competitive, businesses need to maintain continuous operations including 24x7x365 support. Any real or perceived downtime will cause customers to go elsewhere. Having said that, there are best practices for going down that path. Some lessons learned include identifying an internal senior-level project sponsor who will champion the project because effective scoping and implementation will take a lot of time away from each of your business units and functional areas. Create a cross-functional team with the heads of business units and/or functional areas and assemble a list of the various tasks your business performs and prioritise those tasks in terms of importance to business continuity. Pilot a smaller portion of the organisation before taking on the largest area and capture learnings throughout the process by establishing a project management office to ensure good ideas are never lost and efficiencies are captured for future roll-outs. Hire a consultant who has done this process before who can direct the team and help them uncover the areas of greatest vulnerability.

OP. Ask them a simple question: What are they willing to spend to ensure their business does not fail because of an unexpected event? One can argue that the Basel II regulations are an example of a grand business continuity and disaster recovery mechanism imposed by the regulators on financial institutions to ensure they will not fail. The expenditure on Basel II-related projects is an indication of how important the industry deems these efforts. Basel II has helped many financial institutions to better understand their risks and to find ways of quantifying and mitigating them. It is the responsibility of individual institutions, working together with system providers, to put substance into the regulatory recommendations and implement the systems and processes that will quantify risk and help manage it. Other businesses can definitely learn from the experiences of financial institutions that have undergone the process. To summarize with a sporting analogy: To win, you need to concentrate on revenues and income (offence) but not at the expense of ignoring the risks (defence) – it takes both.

FST. Is it possible to cover all bases, or do you have to accept that operational risk is an unavoidable cost of doing business?
OP. Operational risk is an unavoidable cost, but it can be minimized to a level that makes economic sense. Many of the IT-related operational risks centre on managing security. With systems in place that can commit large exposures or divulge sensitive information at the click of a mouse, it is imperative that financial institutions identify these areas within their IT environment. Single-sign-on mechanisms, as an example, are widely used in the industry. Software developers now need to concentrate on providing improved functional security within enterprise applications. This will allow financial institutions to provision rights more precisely and it will support monitoring of application usage.

HJ. Risk can never be entirely eliminated. The challenge is to create a risk management plan that is flexible, relevant and quick to implement to ensure maximum business uptime no matter the cause of the disruption.

Hugh Jones, President of Accuity, is responsible for the overall financial growth of the company and creation of world-class payment and compliance solutions for its diverse customer base. Mr. Jones has over 15 years of experience building corporate value by creating rich data streams that provide new solutions to difficult business challenges.

Orren Peled is VP of Research and Development with the Global Risk Solutions unit of Harland Financial Solutions Worldwide. His expertise is in the area of enterprise decision support systems, with a primary focus in the banking industry. He also has extensive experience as a System Analyst and Consultant in the banking industry.

For more information about how to manage credit risk, visit www.creditquest.com or send an e-mail to moreinfo@creditquest.com.

