5 Measures To Minimize Risk

3. Connect The Dots


Actimize's Orad also argues strongly that all warnings, aberrations and red-flag alerts throughout the enterprise should be routed immediately to a central monitoring station. "I don't care where it is just as long as it's in one place where someone is looking at the big picture," says Orad. Given the enterprise risk management systems that have come on the market over the past few years, it's now not only possible to look at the big picture but also a necessity if an organization hopes to eliminate the kind of siloed infrastructure that developed at SocGen.


4. Get Boardroom Backing


In terms of IT spending, operational and enterprise risk management have recently become top-of-mind initiatives, according to AMR Research. In late March, AMR announced the results of a survey of more than 420 line-of-business and IT executives. According to the results, companies will spend more than $32 billion on governance, risk management and compliance (GRC) this year, a jump of 7.4% over 2007. In contrast, spending on Sarbanes-Oxley (SOX) compliance is expected to grow only 2% to $6.2 billion. This is the first time since AMR Research began conducting this study in 2003 that executives have shifted their GRC budget focus to operational and risk management from SOX.



At the same time, a number of Wall Street firms have moved to shore up their risk management systems and procedures and give risk managers more clout.


Having experienced about $11 billion in writeoffs, Morgan Stanley completely revamped its risk management procedures and appointed a senior executive, Kenneth deRegt, to oversee risk. DeRegt had served on the board of specialty finance company KKR Financial Holdings LLC and had worked for Morgan Stanley in the past but left in 2001. In what is a new position, he will report directly to the firm's chairman and CEO John Mack.


And, at Merrill Lynch, CEO and Chairman John A. Thain recently created two high-level risk control positions that report directly to him. In early March he also hired former Credit Suisse CIO Thomas J. Sanzone, giving him responsibility for everything from information security to technology applications development. With a new title of executive vice president and chief administrative officer, Sanzone will report directly to Thain when he joins the firm in the second half of 2008 at an annual salary of $600,000 plus a bonus for fiscal year 2008 of $9.4 million, payable in cash and stock-based compensation, according to documents Merrill Lynch filed with the SEC. Sanzone, who led enterprisewide risk management initiatives at Credit Suisse, will likely oversee the firm's IT-related risk decisions and, as one of Merrill's senior officers, will participate in the weekly risk meeting Thain initiated in January.


This top-down commitment to risk management is critical to success, experts believe. SAP's Sippy tells of a recent roundtable discussion at a SAP Governance, Risk and Compliance (GRC) conference for customers in Orlando, Fla. Present were a dozen or so executives, including a CIO who was involved in risk initiatives. "They were sharing opinions on what they could do to improve risk management," Sippy says, "and just about everyone agreed on two things. For risk management to work effectively senior management and the corporate board have to be involved, and risk analysis can't be seen as a once a year exercise."


In the past, Sippy says, senior management often gave risk management short shrift, meeting once or twice a year with risk officers to ensure proper procedures and solutions were in place. The problem is the risk landscape is continually in flux, especially in the financial sector where new, highly complex financial instruments such as CDOs (collateralized debt obligations, which are securities comprised of mortgage loans, bonds and other debt of varying investment grades) and turbo warrants (essentially souped-up stock options) are being rolled out all the time. SocGen dealt extensively with both CDOs and turbo warrants and, in fact, introduced the first turbo warrants on the Nordic Growth Market Nordic Derivatives Exchange in 2005. On one hand SocGen was leading edge in terms of the products it dealt in, while, on the other, it clearly had trouble monitoring risk.



"Risk management today is not static, but is dynamic and should be continuously and constantly reviewed as an integral part of the business," says SAS's Rogers. In short, effective risk management needs to be somewhere high up on the senior management priority list on an ongoing basis.


5. CIOs Need To Be More Involved.


Traditionally, chief information officers and chief risk officers (CROs) have worked together in a limited way in dealing with operational and market risk. "It's a shared function," says Richard J. Brennan, who leads management recruiter Spencer Stuart's Information Officer Practice. "The CRO has the responsibility to perform the analytics, but they can't do that in a vacuum. They need technical support. The CIO is the partner who can build the appropriate data marts so the CRO can effectively analyze the data. The CIO just can't be expected to have the detailed understanding of risk to handle the function himself, but he does have the ability to give the CRO the data to do the job."


Today, though, as risk management becomes a higher priority, and CIOs become more business and strategically oriented, both the CIO and the CRO are moving into management's senior ranks, says SAS's Rogers. At the same time, the CIO is often becoming involved in risk management beyond simply providing the numbers and the IT infrastructure to minimize risk exposure, Rogers says.


Li-May Chew, a chartered financial analyst (CFA) and a senior research manager at market research company IDC's Financial Insights Asia/Pacific, envisions the emergence of what she calls a Risk Intelligent Enterprise in which enterprise risk management activities and a holistic view of risk enable senior management to strike a balance between enhancing profits and managing risk — a requisite for a successful corporation in today's complex business environment.


And what is the role of the CIO in the Risk Intelligent Enterprise?


"The CIO, in discussions with the CRO, needs to prioritize the key risks and vulnerabilities that need to be addressed," Chew says. "BFSIs [banking, financial services and insurance] are constrained by resource availability and cannot devote all of their attention (and dollars) to managing and mitigating all relevant risk. As such, vulnerability to specific risks should be weighed alongside the probability of their occurrence. Responses would vary from merely tracking a risk and keeping it on the radar screen without taking any mitigating action to identifying the mission-critical risks that would have the highest adverse impact on the organization's value and strategic objectives and creating early warning signals to recognize these risks.


"After which, to enable active cooperation from business and IT teams at the lower organizational levels, it is imperative that the CIO allocates sufficient resources to implement risk projects and that the organization has implemented appropriate changes to risk policies and controls. He can illustrate commitment by actively assisting in developing risk assessment strategies, approving the action plans, and making senior risk recruitments."


Some experts like Actimize's Orad, however, believe CIOs with their combined knowledge of business and technology are ideally suited to head up enterprise risk management. Indeed, Ernst & Young's Damianides says one of his corporate clients — a multi-divisional, multinational organization — is weighing having its CIO supervise risk management across the entire company.


"Risk management needs to be part of everyday business," adds Sippy. "The CIO may be the missing link needed to accomplish this."






Copyright © 2007-2010 CIOZones. All Rights Reserved. CIOZone is a property of PSN, Inc.