5 Measures To Minimize Risk
Today, the CIOZone posts the fifth and final part of our investigation into the subprime credit crisis and the Societe Generale trading scandal. The fall-out of these incidents has laid bare glaring failures in risk management technology, controls, procedures and processes. But the question for CIOs: If the technology had been better, or better managed, could the mess have been avoided? In our attempt to answer that question, we published Part 1: Behind the Subprime Collapse, Part 2: Inside the Societe Generale Trading Scandal, Part 3: How SocGen Managed Risk, and Part 4: What SocGen Says About Its Risk Management. In this installment, we cap off the series by listing the five measures that the experts say CIOs should enact to minimize their company's exposure to risk.
Part 5: Five Measures to Minimize Risk Exposure
In putting together this five-part series, CIOZone interviewed numerous risk management consultants, analysts, IT-based risk management solutions vendors, government regulators and financial sector technology officers. Granted, some progress has definitely been made in closing dangerous loopholes that have contributed to the still unfolding financial meltdown. As an example, before the subprime meltdown, some financial institutions didn't rely on stress-testing, the use of various "what-if" scenarios to determine the likely impact on capital from various fluctuations in interest rates, housing prices, etc., as much as necessary. The exception, notes David Rogers, the U.K.-based global product marketing manager for SAS, was Goldman Sachs, which placed a premium on consistent stress-testing as well as backtesting (the process of testing a trading strategy on prior time periods), factors that Rogers and others believe helped Goldman minimize the fallout from the mortgage meltdown.
Subsequently, Rogers says, many other financial firms have become "true believers" in the sophisticated financial engineering that's required to do effective stress-testing and backtesting.
In general, however, the consensus among experts is that many banks, brokerage houses and financial services firms have yet to make many of the changes that are essential to extend effective, robust risk management systems and procedures across the enterprise.
What still needs to be done?
That varies, of course, from one organization to another, but here are five steps that are essential to securing your organization from risk exposure.
1. Take A Broader, More Integrated Approach To Risk Management.
Many organizations view risk management as having to do with a single element like fraud detection, but in the wake of the SocGen scandal and the subprime disaster, tech executives are beginning to view risk on an enterprise level, says Samir Kapuria, managing director of Symantec Advisory Consulting Services, part of Symantec Global Services. At the same time, software companies such as SAS and SAP are offering enterprise risk management (ERM) products that cover compliance; credit risk; fraud detection and prevention; market risk management, which can be used by financial service firms and banks to manage uncertainties, to develop hedging strategies, and to measure and manage the risk of derivative instruments; and, finally, operational risk, which protects organizations from loss resulting from inadequate or failed internal processes, people and systems, or from external events.
"Companies need to take a more integrated and broader perspective in how they manage risk in order to ensure standardization and optimization of the process," says Marios Damianides, a partner in the Risk Advisory Services for Ernst & Young in New York.
An integrated, enterprisewide approach is also critical to overcoming the multiple technology silos that exist in many banks and financial services firms, Damianides and others say. SocGen is a case in point. At one time or another the French bank was using different risk-management solutions from at least a half dozen vendors, including Tibco, SAS (an initiative that was aborted), Accurate Software (now Fiserv) and Algorithmics, which since 2000 has provided SocGen with software for measuring and managing counterparty credit risk and was brought in last October to help manage risk in the bank's asset servicing department. Typically, these solutions were brought into the bank by a business unit or department - such as the bank's IT risk department, the debt finance group, the corporate and investment banking arm and asset servicing. None of these solutions were implemented on an enterprise level.
As a result, the bank was only able to gauge segments of its risk exposure. "As an example," says Amir Orad, executive vice president of Actimize, which provides software for brokerage compliance, anti-money laundering, and fraud prevention, "SocGen had purely market driven risk controls. They could check to see if they were winning or losing but not how much they bet." This is why the bank was unaware of the staggering amounts rogue trader Jerome Kerviel was wagering in 2007 and early 2008, which resulted in a $7 billion loss for SocGen.
These integrated, or holistic, risk solutions rely heavily on business intelligence, which integrates data from across the enterprise and delivers reporting and analysis. Algo Suite, Algorithmics' enterprise risk software, for example, incorporates business intelligence software from Business Objects. SAS takes this approach several steps further with its Enterprise Intelligence Platform, which incorporates data management, business intelligence, analytics and regulatory reporting and disclosure capabilities. SAP's IT risk management solutions for banking are designed to manage risk across the enterprise, unifying corporate strategy, risk management and control initiatives, says Narina Sippy, SAP's senior vice president and general manager of Governance, Risk and Compliance (GRC).
Sippy points out, however, that even with an enterprisewide risk management system in place, that system "has to be tied to controls." SAP's product in this space, GRC Access Controls, is a comprehensive set of access controls that identify and prevent access and authorization risks in cross-enterprise systems. It's designed to prevent fraud and reduce the cost of continuous compliance and control. In SocGen's case, Sippy notes, the risk management solutions weren't tied to controls. As a result, when Kerviel exceeded his authorized trading limits, no authorization controls kicked in.
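The point Sippy and Orad make is that a risk view is not a control: the system has to measure how much is being bet and refuse the order when a limit is exceeded. The following is an added illustration, not code from SocGen, SAP or any vendor named in this article. It models a hypothetical pre-trade authorization control with constructed trader limits and orders; the limit values, trader and instrument names are made up. Exposure is tracked as gross notional (sum of absolute net positions per instrument), so the size of the bet is visible regardless of whether the positions are winning or losing, and every breach both blocks the order and raises an alert for the risk function.

```python
"""Pre-trade authorization control (illustrative, constructed example).

Every order is checked against the trader's approved limits before it
reaches the market. A breach blocks the order and records an alert.
Limits and sample orders below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TraderLimits:
    max_notional_per_order: float   # largest single order allowed
    max_gross_exposure: float       # cap on sum of |net position| across instruments


@dataclass(frozen=True)
class Order:
    trader_id: str
    instrument: str
    notional: float                 # signed: positive = long, negative = short


class AuthorizationControl:
    def __init__(self, limits):
        self.limits = dict(limits)      # trader_id -> TraderLimits (the mandate on file)
        self.positions = {}             # trader_id -> {instrument: net notional}
        self.alerts = []                # (trader_id, reason), for the risk desk

    def gross_exposure(self, trader_id):
        """How much the trader has bet: sum of absolute net positions."""
        return sum(abs(v) for v in self.positions.get(trader_id, {}).values())

    def authorize(self, order):
        """Book the order and return True if within limits; otherwise block it."""
        lim = self.limits.get(order.trader_id)
        if lim is None:
            return self._block(order, "no limit mandate on file")
        size = abs(order.notional)
        if size > lim.max_notional_per_order:
            return self._block(order, f"order {size:.0f} exceeds per-order cap "
                                      f"{lim.max_notional_per_order:.0f}")
        book = self.positions.setdefault(order.trader_id, {})
        current_net = book.get(order.instrument, 0.0)
        new_net = current_net + order.notional
        # Prospective gross exposure: swap this instrument's old |net| for the new one.
        new_gross = self.gross_exposure(order.trader_id) - abs(current_net) + abs(new_net)
        if new_gross > lim.max_gross_exposure:
            return self._block(order, f"gross exposure would reach {new_gross:.0f}, "
                                      f"cap {lim.max_gross_exposure:.0f}")
        book[order.instrument] = new_net
        return True

    def _block(self, order, reason):
        self.alerts.append((order.trader_id, reason))
        return False


def demo():
    """Constructed scenario: one trader with a mandate, one without."""
    ctrl = AuthorizationControl({"trader-A": TraderLimits(10_000_000, 25_000_000)})
    results = [
        ctrl.authorize(Order("trader-A", "IDX-FUT-1", 8_000_000)),    # ok, gross 8M
        ctrl.authorize(Order("trader-A", "IDX-FUT-1", 9_000_000)),    # ok, gross 17M
        ctrl.authorize(Order("trader-A", "IDX-FUT-2", 9_000_000)),    # blocked: 26M > 25M cap
        ctrl.authorize(Order("trader-A", "IDX-FUT-1", -12_000_000)),  # blocked: per-order cap
        ctrl.authorize(Order("trader-A", "IDX-FUT-1", -9_000_000)),   # ok: offsets, gross 8M
        ctrl.authorize(Order("trader-B", "IDX-FUT-1", 1_000)),        # blocked: no mandate
    ]
    return results, ctrl


if __name__ == "__main__":
    res, c = demo()
    print(res)
    for alert in c.alerts:
        print("ALERT:", alert)
```

The design choice worth noting is that the control lives in front of order entry and evaluates the whole book, not the P&L of one desk; a risk report that only runs overnight, or only on one department's data, would pass the third and fourth orders above without comment.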
2. Safeguard The Database
In seeking to secure the bank after the incident with Kerviel, SocGen initiated a number of new security measures. At the top of the list: biometric verification, meaning an employee would have to provide a fingerprint to get into the bank's system.
The more serious threat, however, is not unauthorized access but the damage that can be done to the company's database once the intruder has breached the system. "Ensuring database security is what's really critical," says Slavik Markovich, CTO of Sentrigo, an Israeli database security company with U.S. offices in Boston. "That's the exact point where there will be the greatest risk. If someone tries to manipulate data on the database that should trigger an alert."
There are a variety of database security offerings on the market, including database encryption tools; tools that provide real-time and historical measurements compared against preconfigured metrics; and tools that afford full visibility into all database activity and allow enterprises to enforce security policy and comply with regulatory requirements while providing virtual patching.
That kind of risk prevention is not as visible as, say, biometrics, but it's equally, if not more, important, Markovich claims. "The database is where the company keeps its crown jewels."
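Markovich's point is that the alert has to fire at the database itself, when data is manipulated, not at the login screen. The example below is added here and is not code from Sentrigo or from any product mentioned; it shows the shape of that control in a few lines using SQLite's standard library bindings. It assumes a hypothetical `trades` table, a single-row `session_context` table that the trading application fills in with its own identity before writing (a simplification standing in for a real session variable or database user), and audit triggers that record every UPDATE and DELETE together with the actor. A checker then raises alerts for changes made without an application context, for deletions, and for large notional changes. All table names, rows and thresholds are constructed for illustration.

```python
"""Database-level change auditing and alerting (illustrative, constructed).

Triggers write an append-only audit log for every modification of the
trades table. The trading application identifies itself through the
session_context table; a change made by any other path is logged with
actor 'UNKNOWN' and raises an alert.
"""
import sqlite3

SCHEMA = """
CREATE TABLE trades (id INTEGER PRIMARY KEY, trader TEXT, notional REAL, status TEXT);
CREATE TABLE session_context (actor TEXT);  -- stand-in for a per-session variable
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    trade_id INTEGER, action TEXT, old_notional REAL, new_notional REAL, actor TEXT);
CREATE TRIGGER trades_update_audit AFTER UPDATE ON trades
BEGIN
  INSERT INTO audit_log(trade_id, action, old_notional, new_notional, actor)
  VALUES (OLD.id, 'UPDATE', OLD.notional, NEW.notional,
          COALESCE((SELECT actor FROM session_context LIMIT 1), 'UNKNOWN'));
END;
CREATE TRIGGER trades_delete_audit AFTER DELETE ON trades
BEGIN
  INSERT INTO audit_log(trade_id, action, old_notional, new_notional, actor)
  VALUES (OLD.id, 'DELETE', OLD.notional, NULL,
          COALESCE((SELECT actor FROM session_context LIMIT 1), 'UNKNOWN'));
END;
"""


def open_audited_db():
    """In-memory database with the audited schema (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO trades VALUES (?, ?, ?, ?)", [
        (1, "trader-A", 5_000_000.0, "open"),
        (2, "trader-A", 2_000_000.0, "settled"),
    ])
    conn.commit()
    return conn


def app_update(conn, actor, trade_id, notional):
    """The sanctioned path: the application declares who it is before writing."""
    conn.execute("DELETE FROM session_context")
    conn.execute("INSERT INTO session_context VALUES (?)", (actor,))
    conn.execute("UPDATE trades SET notional = ? WHERE id = ?", (notional, trade_id))
    conn.execute("DELETE FROM session_context")
    conn.commit()


def find_suspicious(conn, max_change_ratio=0.5):
    """Scan the audit log; return entries that should page the risk/security desk."""
    alerts = []
    rows = conn.execute(
        "SELECT seq, trade_id, action, old_notional, new_notional, actor FROM audit_log").fetchall()
    for seq, trade_id, action, old, new, actor in rows:
        reasons = []
        if actor == "UNKNOWN":
            reasons.append("change made outside the application")
        if action == "DELETE":
            reasons.append("trade record deleted")
        elif old and abs(new - old) / abs(old) > max_change_ratio:
            reasons.append(f"notional changed by {abs(new - old) / abs(old):.0%}")
        if reasons:
            alerts.append({"seq": seq, "trade_id": trade_id, "actor": actor, "reasons": reasons})
    return alerts


def demo():
    """Constructed scenario: one legitimate update, then two direct manipulations."""
    conn = open_audited_db()
    app_update(conn, "booking-svc", 1, 5_500_000.0)           # routine 10% amendment
    conn.execute("UPDATE trades SET notional = 100 WHERE id = 2")  # direct edit, no context
    conn.execute("DELETE FROM trades WHERE id = 1")               # direct delete, no context
    conn.commit()
    return conn, find_suspicious(conn)


if __name__ == "__main__":
    _, found = demo()
    for a in found:
        print("ALERT:", a)
```

The trigger fires regardless of which client issued the statement, which is what makes this a database-layer control rather than an application one; in a production system the audit table would live where the application account cannot alter it, and the actor would come from the database session rather than a table the client can write.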