
The Cost and Complexity of ORM and Compliance

Operational risk management (ORM) is now a central part of every financial institution’s compliance obligations. The standards for risk management imposed by regulators worldwide mean that banks and other financial services organisations have to ensure that the operational risks they face are dealt with systematically and on a continuous basis.

The UK’s Risk Management Association highlights that external and internal fraud, business disruption, client risk and systems failure are major concerns today for financial service executives. They go on to emphasise that staff familiarity with risk management needs to improve.

From a compliance perspective, Basel II, MiFID and Sarbanes-Oxley are important regulations among many, but the problem for the financial services organisation today is not simply to become compliant or to implement risk management. There is plenty of guidance available on individual controls, plus advice from the audit community, for the corporate roles responsible for compliance: the chief compliance officer, head of internal audit and head of risk, who in turn usually report to the CEO and CFO.

Where the Problem Lies

The problem for the financial services corporation is to manage the cost and reduce the risk of sustaining governance, including operational risk and compliance monitoring and reporting. Efficiency is critical, not just to manage costs, but also to reduce risk compared with manually dependent or non-IT integrated information and control systems. A recent Morgan Stanley study found that banks that deliver superior risk management can reduce capital requirements by 40% and boost working capital.

While realisation of these benefits remains within range, in many cases institutions find themselves unable to maximise return on investment due to the limitations of a fragmented ORM strategy that focuses on the ‘siloed’ needs of lines of business.

Financial service directors, heads of internal audit, risk, security, compliance and IT decision makers are responding to these challenges by implementing an enterprise risk management (ERM) model. In a Cisco financial services study, 49% of respondents confirmed that they were adopting this integrated framework.

Fundamentally, therefore, as the second phase of risk and compliance management emerges, the objective is to reduce compliance costs and similarly reduce risk by adopting best practice and automating manual or non-integrated IT systems. These efficiencies and reduction of risk are achieved through a better-integrated approach to IT governance in support of corporate governance. For many financial services organisations, corporate governance has had minimal attention outside the traditional areas of financial risk management, for example market, credit and liquidity risk.

An Operational Risk Management Solution Strategy

The goal is to reduce cost and risk by applying the principle of an ERM integrated framework, which is often the foundation for policy. By leveraging the ‘connections’ between the siloed business units and reviewing the controls that are in place to mitigate against certain risks, the network is the underlying base that brings this all together. By providing a converged platform to offer common IT risk-control services – such as security, storage and business continuity – institutions can take advantage of overlaps in areas of risk and regulation, reducing the cost of compliance in the process. Then, as new regulation comes into force, institutions are able to tap into these shared network services – increasing return on assets and reducing time to compliance. Four key areas need particular attention:

Business continuity

A robust and integrated business continuity strategy is needed that ensures that highly complex and distributed financial services organisations can remain operational in the event of a major incident – a key component of a rigorous ORM policy. A highly resilient IP network infrastructure maintains operations, switching seamlessly to a back-up site in the event of systems failure, and providing employees with secure access to all network resources required. Protection must be provided against service breaks with unprecedented availability, data mirroring, and virtualisation enabling sharing of network resources.

Business security

Effective information and network security is of paramount importance within the ORM policy and, of course, can represent an immensely resource-intensive challenge for organisations lacking an integrated approach to security. What is needed is a defence-in-depth approach that secures the network at every level and thereby simplifies compliance and minimises disruption using powerful integrated security. In ORM, this will support accelerated compliance with Basel II, Sarbanes-Oxley and other regulations where data integrity is paramount, by applying integrated identity management across the enterprise and by improving ‘building control’ using efficient IP video surveillance, rapidly deployed and then continuously monitored across the organisation.

Recording and archiving

The ability to store and retrieve critical information is core to any number of compliance requirements, many of which stipulate specific retention and disposition periods for different types of data. Retrieving archived information within regulator-mandated time frames can be immensely costly if appropriate processes are not already in place. A single integrated, intelligent storage infrastructure reduces the cost and risk of maintaining separate data storage systems, and a secure, centrally administered storage solution for data, voice and video, including telephone conversations, protects confidential information.

Knowledge management

Maintaining employee awareness of critical ORM processes and procedures is essential in the fast-changing and heavily regulated financial services environment. In addition, organisations will be required to prove that training has taken place – a potentially significant challenge across extended enterprises. A converged network can support voice, data and video delivery of multimedia training to all employees across the organisation, using personalised resources via any web-enabled PC. The centralised administration of training delivery identifies and documents ‘who’ received training and ‘when’, allowing this to be logged in the employee’s employment record.

Conclusion

Risk management and compliance have moved beyond ORM and are entering a second phase of ERM. Forward-thinking financial services institutions are realising that, far from simply being a means to meet mandatory requirements, ERM can offer real competitive advantage. The ultimate prize includes reduced capital requirements, increased working capital, and improved operational excellence that helps to win more new and repeat business.

The network is the platform that brings this all together. This framework can enable institutions to extract greater value by offering common IT services that take advantage of overlaps in areas of risk and regulation, in the process reducing the cost of compliance.

This approach to ERM allows institutions to tap into these shared services – increasing return on assets and, importantly, shortening the timeframe needed to meet future regulatory requirements.
