Laura Houston: The goal is achievable but it must be approached in the correct way. Traditional thinking has always been to create a data warehouse that aims to bring all company data from the various silos together into one place. But the reality is that this approach is both expensive and takes a lot of time. Instead, a solution that enables data from across the organization to be ‘joined up’ across regions, asset classes and risk control areas, without the need for a warehouse, enables this goal to become a reality in a timely manner.
Only by creating a holistic picture across all the silos will organizations truly be able to identify and prevent risk across their business. Furthermore, this approach offers the flexibility of tailored views of risk to differing roles across the global investment bank.
TF: What needs to change for that to happen? How can you improve risk management and risk prioritization without drowning your team in Excel spreadsheets? And speaking of Excel spreadsheets – in this day and age, are they still effective and appropriate for the task at hand?
LH: While existing rules-based transactional and event controls identify high risk activity, they also generate vast quantities of false positives as a result of acceptable ‘business as usual’ behavior and process. The impact for managers is huge; drowned under spreadsheets (some desk heads describe receiving up to 20 reports a day), their approach becomes one of process with little ability to identify the true exceptions or understand the overall risk profile of their business.
However, a number of banks are now approaching risk management from a new direction. By taking a step back and through the implementation of advanced systems that look at risk holistically, an organization can take a two-tiered approach.
First, they can apply risk knowledge across a trader’s entire historical activity across asset, region and control area, enabling earlier identification and prioritization of true exceptions. For example, a trader who has cancelled a trade today is a considerably lower risk than one who has persistently cancelled trades, say, t+1 days over the last 10 days, is logging in at strange times of the day, hasn’t taken annual leave and has booked and cancelled three trades to dummy counterparties.
Furthermore, with a holistic view of each and every trader and all his or her associated relationships (for example, books or counterparties), banks are able to apply a range of more sophisticated analytics techniques such as social network analysis, outlier and peer group analysis. The key advantage is that this data-driven approach helps reveal hidden behaviors, offering a solution that enables a bank to find both the known patterns of high risk activity as well as the unknown.
TF: For global organizations, is there an added layer of complexity with having to meet different requirements for different jurisdictions/regulators?
LH: Absolutely – but unfortunately one size does not fit all. Whether it is due to different rules across jurisdictions/regulators or the impact of different data privacy law, organizations must be able to adapt and provide custom solutions for their many different locations.
The mistake that’s frequently made is to implement a tactical point solution that only satisfies a specific set of requirements. Banks that think more strategically and implement solutions that offer broader, holistic views, structure them in such a way that change is enabled which facilitates evolution and cross-jurisdiction differences. This in-built flexibility is key for any global organization.
TF: Let’s dig into one specific area of risk management: Trading. How do you accurately differentiate appropriate trading behavior from the inappropriate?
LH: Identifying what is inappropriate in a trading environment can be daunting – not least due to the differences across desks, the huge volumes of data generated and the ‘noise’ that pollutes almost every control framework we have seen. However, data, if used in the right way, plays a central role in the solution.
We've spoken about the need for a holistic view – this is imperative for the identification and detection of inappropriate behaviors.
Traditional and conventional methodologies analyze risk at a transaction level; take our example of a cancelled trade. While a cancelled trade can be a sign of a fake trade, it is also representative of business as usual or sometimes weaknesses in booking systems (e.g., cancel and re-book). To eliminate the noise and identify the true inappropriate trading, we need to take a step back.
First, make effective use of the depth and breadth of existing data over time, across asset classes and indeed control areas. With this approach, an organization now has the ability to effectively identify and aggregate a series of ‘yellow’ warning flags that in isolation probably look harmless but in combination may be toxic.
Second, use a trader’s entire trading footprint across all books and counterparties with whom he or she trades. This ‘footprint’ can then be analyzed over time to look for movements away from the norm and indeed be compared with peers. These techniques enable an organization to find unusual or abnormal activity without necessarily knowing what that abnormality is.
TF: And how can you do this before it impacts your business?
LH: Existing control frameworks are dominated by traditional systems based on reactive rules and models that largely describe “the things we know.” However, sophisticated individuals frequently understand and evade traditional controls. The key differentiator for this new holistic approach is that it enables an organization to proactively reveal the abnormal activity that was previously hidden. The key is frequently identifying an issue or activity while it has a relatively low business impact, before it grows to become a major financial or reputational risk.
Furthermore, the correct tools must be provided to the people who are managing the output of such a system so that they can manage the risk effectively – efficient intuitive investigation tools as well as bespoke reporting for different users.
TF: Other than trading, what are the major areas of risk/risk management that firms need to focus on today?
LH: I think there are multiple strands to this.
In general, given the financial environment in which we operate, reputational risk must be nearing the top. The market is volatile and reactionary. Any story hitting the press, whether it’s a rogue trader, a compliance fine, a poorly hedged position or a banker who speaks out on poor culture, has long lasting financial implications for an organization. Investors loose trust, the regulators look more closely and the business is forced into a defensive position.
In addition, ever evolving regulatory compliance requirements are becoming increasingly rigid. It is ever more important for organizations to move away from inflexible point solutions to flexible holistic approaches that can accommodate these ever changing, multi-jurisdictional needs.
Furthermore, I believe that organizations must focus far more on who they do business with. Improved customer on-boarding and on-going monitoring are critically important in providing a deeper understanding of the customer, thus reducing subsequent risk.
TF: Given the complexities we’ve just discussed, can risk management ever become a profit generator rather than a cost center? How?
At a basic level, inefficient risk management solutions lead to unnecessary work. Build a solution that tackles these inefficiencies and managers can be used for profit-making activities as opposed to risk-based ones – allow a desk head to actually trade and to manage their team’s performance as opposed to sifting through multiple Excel spreadsheets.
However, it goes further. The mistake is to believe that risk and compliance management is ‘money down the drain.’ The reality is that if risk management is approached effectively, the output provides multiple usages, not only for the identification of fraud, risk and non-compliance, but also for enhanced profit making.
By way of example, take KYC or the latest FATCA requirements. One approach is to take the smallest steps possible to become compliant. The alternative is to be far more strategic.
Through the creation of holistic views, looking both internally and externally, both at the point of on-boarding and on-going monitoring, one can satisfy the KYC and FATCA determination requirements. At the same time, this approach enables risk managers to identify client fraud and relationship managers to upsell and enhance customer service, therefore maximizing the value of your best clients.