
Better information, better decisions
The risk and compliance challenge
for financial institutions
A report from the Economist Intelligence Unit



Preface
Better information, better decisions: The risk and compliance challenge for financial institutions is based
partially on The age of compliance: Preparing for a riskier and more regulated world, an Economist
Intelligence Unit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole
responsibility for this research. Our findings drew on desk research and in-depth interviews with
executives familiar with risk and compliance within their organisations. The findings and views expressed
in this report do not necessarily reflect those of the sponsor. Neil Baker was the author of this report and
Dan Armstrong was the editor.
December 2010


© The Economist Intelligence Unit Limited 2010


Better information, better decisions: The risk and compliance challenge for financial institutions


When mortgage defaults among US sub-prime borrowers suddenly shot up late in the tenure of
Citibank’s then-CEO Chuck Prince, he was surprised to learn that the bank held mortgage-related
assets worth about US$43bn. Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince that
everything was fine. But within weeks Citi was nursing losses on the assets running into billions of dollars.
The bank’s risk management was shown to have severe deficiencies: accepting ratings agency opinions
in lieu of independent reviews; relying on brittle financial models; and, according to subsequent
congressional testimony, violating internal credit policies. Within two months, Mr Prince was out of a job.
The Citi example shows how hard it is for a large, complex bank to deal with two related problems: how
to manage risk across business operations, and how to ensure that top executives have access to accurate risk
information on the business issues that matter most.

Barclays Bank PLC, a major global financial services provider, successfully dealt with both problems. Its
approach to risk management is one reason the bank survived the financial crisis without a government
bailout, says Mark Carawan, the group’s chief internal auditor. “Having really good information about the
business combined with the ability to get that information quickly to regulators and, more importantly, to
senior management helped an awful lot,” he says.

The information challenge

* “Final Report of the IIF Committee on Market Best Practices: Principles of Conduct and Best Practice
Recommendations. Financial Services Industry Response to the Market Turmoil of 2007-2008.” Published by
the Institute of International Finance. />php?id=Osk8Cwl08yw=

It is ironic that some of the banks whose poor risk management practices were exposed by the crisis
actually thought they were leading the pack on this issue. With hindsight, it is clear that many executives
in the financial sector were operating in the dark. They had only a partial—or just plain wrong—view of the
risks accompanying key decisions.
“This is an area where banks collectively have under-invested over the years,” says Bruce Munro, group
chief risk officer of National Australia Bank. “Some are good at it, but most lack what you might call really
quick and accurate risk information.”
Risk management is the core area where banks have to do better, according to a report on lessons
learned from the crisis published by the Institute of International Finance (IIF)*. Leading up to the crisis,
they “severely underestimated” their exposure across virtually every category of risk, had weak controls in
place, shared risk information badly, and struggled to aggregate risks across business lines and functions,
the report says. According to the report, the solution is root and branch reform: a complete rethink of the
way banks deal with risk information, from engagement at a board level to operating tools and processes.



“Risk management should be our core expertise and what determines, to a large extent, our individual
success as firms,” says Rick Waugh, president and chief executive of Scotiabank and co-chair of the IIF
committee that produced the analysis. “Our industry has made mistakes, and for some this has been very
costly.”

Impetus for change


Facing the charge of being asleep on the job, regulators around the world are taking a renewed and
refocused interest in the information capabilities of the financial institutions that they regulate. Whereas
once they might have asked about the systems and procedures in place to manage risk, now they are
putting more emphasis on the quality of information that flows around those systems.
This is not simply about regulating individual firms. One of the big issues that regulators missed in the
run-up to the crisis was systemic risk—the threat that the banking system itself could implode. To monitor
this better in the future, they are demanding that firms provide much more data about their risk exposures
that, aggregated, will give regulators a big-picture view. “The whole environment over the past 18
months has facilitated much broader thinking about risk management,” says Mark Krakowiak, chief risk
officer of GE, which is divided between industrial and financial services groups.
Increased scrutiny has already led to a barrage of new regulatory requirements that push firms to
provide data at a remarkably detailed level. The Financial Services Authority (FSA) now requires UK firms
to report on 10,000 data points. And there is more regulation on the way. In the US, the Dodd-Frank Wall
Street Reform and Consumer Protection Act created a new oversight council to evaluate systemic risk. The
European Commission has established its own European Systemic Risk Board. Assuring regulators that an
organisation can provide huge volumes of detailed, relevant and accurate data is now an integral part of
running a financial services firm.

[Chart] The exponential growth of US financial services regulation (number of pages of legislation)
  1913  Federal Reserve Act                   31 pages
  1933  Glass-Steagall                        37 pages
  1966  Interstate Banking Efficiency Act     51 pages
  1999  Gramm-Leach-Bliley                   145 pages
  2002  Sarbanes-Oxley                        66 pages
  2010  Dodd-Frank Wall Street Reform Act  2,319 pages
Source: Economist Intelligence Unit, 2010.

Better decisions
Companies without this capability are making it a priority. Even without regulatory pressure, there is a
clear business case for investments that deliver higher quality risk and compliance data. The proposition
is straightforward: if executives have better access to more reliable information, in a format they can work
with easily, they are more likely to make better business decisions.
Financial firms find this difficult for two reasons. The first is the lack of a consistent methodology for
collecting and classifying data. The second is the fragmentation of risk and compliance activities.


Consistency of data collection and classification
First, the priority for regulators—and, because regulators require it, for companies as well—is to get the
data they need in order to manage systemic risk. But there is no industry-wide taxonomy for categorising,
reporting or tracking such data. Wal-Mart knows what its stock levels are through the supply chain
because each item has a unique bar code; FedEx can track its parcels because they are RFID-tagged. Banks
do not have a comparable system of generating and monitoring data.
“It is really important to ensure that at a board meeting, or any internal management meeting, we are
using the same data sources and have confidence that the data is reliable,” says Barclays’ Mr Carawan.
“Then we can focus on fixing the problem that the data has exposed, rather than debating whose data are
right.”
Initiatives are underway to produce industry-wide data standards to make this easier. The FSA is
working on common processes and roles for companies to adopt. The Data Management Council
(http://www.edmcouncil.org/), a US-based, industry-funded organisation, is working on its own taxonomy of
data codes. The beta version of the council’s Semantic Repository, which starts with codes for financial
instruments and drills down into sub-codes for contracts, formulas, processes and other components, has
been posted for review. But a common solution could be a long way off.
The key, in the meantime, is to define clearly and in detail what data need to be collected and how to
assure their quality before they even enter a business information system, argues Mr Carawan. “It’s about
being granular and well-disciplined about what you capture and then having really good conformance
testing to make sure you maintain those standards,” he says. “We try to design the systems and their
input and output controls in such a way that you have a high level of assurance that you will catch garbage
going in, so you don’t have garbage going out.”
As another line of defence, Barclays’ internal audit function puts a lot of effort into assuring the quality
of business information, says Mr Carawan. “We regularly schedule information assurance into our audit
work, so there is additional comfort that what is being read internally and what is being sent to regulators
is good,” he says. “It’s very important.”



The fragmentation of risk and compliance activities

Structural issues are another reason financial institutions find it difficult to build in better access
to information. Risk and compliance activities inside financial firms are typically fragmented. The
professionals charged with ensuring compliance with the coming Basel III rules, for example, will use
a different framework and standards from those managing operational risk controls. Each risk and
compliance activity is often built up separately, frequently in response to a major event, new compliance
obligation or acquisition.
“Many financial services companies have a number of different divisions—often with different financial
and operational risk profiles” and histories, says Matt Palmer, group information security officer at a
UK lender. “As a result, in many organisations information is held in a wide range of often incompatible
systems.” In some cases, it is not easy to identify the location or existence of required information. “The
degree of assurance that can be obtained over different data sets also varies, making it difficult to ensure
that information brought together from multiple systems is accurate,” he says.
This fragmentation is costly because there is duplication of effort. It leads to complexity because there
is no common approach. And when compliance activities are splintered, business risks inevitably grow.
For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security
breaches or data losses. Fragmented financial compliance can open the door to fraud or restatements.
Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound,
since an ad hoc approach to compliance leads to higher levels of risk.

Tone at the top
An effort to improve risk management and gain better information about risk has to start in the
boardroom. It requires a clear message from the top of the business that the organisation’s risk culture,
compliance and control are integral to success, and that business information on these issues must be
available and communicated.
Although much is said about the need to build an enterprise-wide risk culture, it is up to boards and
executive management to define what it is. “Boards need to define what their risk culture is and from
there they need to define what the organisation’s risk appetite is,” says Richard Apostolik, the CEO of the
Global Association of Risk Professionals. “Then they have to ensure that the rest of the organisation works
within the definitions that they have come up with.”
In general, an organisation’s risk appetite—its risk tolerance and limits across the full range of its
businesses—should be clearly articulated and approved by the board. Once this has been set at the
enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk
owners.
“We set a risk appetite at the enterprise level, then each of the business units takes that and applies it
and forms their own risk appetite based on those overall settings for their line of business,” explains Mr
Munro of National Australia Bank. “So you start to get commonality, a common approach and a common
language. Properly done, the risk appetite statement becomes a cornerstone and becomes part of the
language of enterprise risk.”



“We assess any control weakness that we find both by their root causes, so we know how to fix them,
and by their impact, so we know how they adversely affect the risk profile of the group,” says Barclays’ Mr
Carawan. “That means we have a wealth of data and information about risk, which the regulators like.”

Standardised processes
Building an enterprise-wide layer of risk and compliance on top of existing processes can seem like
a daunting task. When individual sources of assurance and compliance activities are run separately
and rarely interface—either personally or by means of risk systems and IT infrastructure—successful
integration can demand considerable time and resources.
Much depends on the extent to which existing risk processes have already been standardised, says
GE’s Mr Krakowiak. The company created a single framework for risk management across its entire
enterprise, spanning both the financial and industrial businesses. GE’s longstanding commitment to the
standardisation of business processes made this a more straightforward task than it might otherwise have
been.
“We already had a very process-oriented approach to the operational side of our business,” he explains.
“For example, we have a standard review process for our compliance, and we use standard processes for
budget planning and strategy planning. So we already had a pretty good framework that we could take up
a level in terms of looking at enterprise risk.”
A successful enterprise-wide view of risk and compliance depends on managing the opposing
requirements for centralisation and decentralisation. On the one hand, there needs to be a central
function that can aggregate risk and compliance information from the business. Without it, senior
executives cannot effectively make business decisions regarding how to manage risk and take advantage
of potential business opportunities.
Yet at the same time, risk needs to be owned by the business, within an established framework.
“It’s really important to have risk people close to the business so that they can help managers with a
specific set of risks that need to be managed,” notes Mr Munro. “You need to walk that fine line between
collaboration and independence.”

Open dialogue
Frequent dialogue between risk functions and the lines of business is essential. The relationship should
be symbiotic: managers should be confident that the risk management process adds value to their role,
while risk professionals should be able to use their dialogue with business leaders to gain a better picture
of overall enterprise risk.
In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as
a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an
“enabler” that can offer valuable advice. To gain the confidence of business managers, risk professionals
should demonstrate commercial understanding and a willingness to provide constructive input to help
managers meet their objectives.


A key metric for the success of this dialogue is the extent to which heads of business units and business
managers proactively seek out the risk function to engage them in discussion about their plans.
Business managers will be more willing to listen to a risk or compliance function that is willing to roll
up its sleeves and work with them to mitigate risks, rather than just waving red flags.

[Illustration] Untangling GRC. In many organizations, GRC practices multiply throughout the firm and
become disorganized, fragmented and overly complex. Beneath the Board of Directors and the CEO sits a
tangle of problems: manual inputs, poor data quality, unnecessary complexity, poor security, multiple data
formats, little institutional memory, duplication, inconsistent terminology, missed handoffs and inflexibility.

Getting away from silos
Companies are increasingly focusing not only on risk management within their organisation, but on
interdependencies with other companies within their network as well as the broader economy. “Companies
are finally realising that there is a need to determine how an organisation can look at its risks from a
holistic perspective and figure out how those can be managed and monitored,” says Mr Apostolik.
By aggregating risks at an enterprise level, a company has a much better understanding of
potential threats that could cause serious financial, liquidity or reputational damage. GE’s new
enterprise-wide risk approach is a good illustration. “We wanted to make sure that when we looked across
the entire portfolio, we understood clearly the key things that could potentially put the franchise at
risk,” reports Mr Krakowiak. “To get high returns, you have to take a certain level of risk, and we just
wanted to make sure that we understood completely the risk we were taking, what some of the external
factors were that could impact us, and what could prevent us from achieving our strategic objectives.”
Aggregation of risk and compliance at the enterprise level also provides senior executives with
the oversight they need to assess interdependencies and correlations across the business, and make
adjustments accordingly. “You might find that you want to put in different limits or constraints, or adjust
your capital allocation because what looks okay in one silo doesn’t necessarily look the same once you
aggregate it at the enterprise level,” argues Mr Munro.

People and technology
Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of
key risk indicators. When implemented properly, it can help companies assess the impact of a risk against
a particular objective, and increase visibility into the effectiveness of compliance efforts.

Problems with gaining access to accurate, high-quality data hamper the quantification and analysis
process. “The question of appropriate data and the analysis of that data is probably the biggest issue that
companies face,” says Mr Apostolik. “Putting the systems in place to collect the data that you can analyse
and report from is a huge undertaking.”
And roles are just as important in the process. It is important to think through any solution and ensure
that it is carefully tailored to roles rather than individuals, since individuals move from job to job, while
roles are more consistent. By carefully defining the informational requirements of different roles, to
enable the people in the roles to make better decisions, financial institutions can become more efficient.
“You get to the point where you recognise that things like risk appetite statements, scenario planning
and responses to regulatory changes require an enterprise view,” says Mr Munro. “It’s difficult to ask
people in their particular areas of risk expertise to do that, so you’ve got to invest in people that can do it
on a full-time basis.”

Solvency II: Transparency and insight for European insurers
Insurance companies didn’t emerge from the financial crisis with glowing risk management credentials.
However, European regulators in this sector had already spotted the need to improve risk management
industry-wide. The new Solvency II rules, set to take effect in November 2012, require firms to demonstrate
that they have an “adequate system of governance”, which includes effective systems to identify and
manage risks.
The rules require all European insurers—as well as North American carriers with operations in Europe—to
have four separate functions to cover risk management, compliance, internal audit and actuarial issues.
Detailed rules set out what each of these functions should do. There are also rules aimed at ensuring that
each unit has the resources it needs to do its job.
Establishing data quality is at the heart of Solvency II compliance. Insurance companies will be expected
to set a board-level policy on data use and quality. They will also have to show to regulators that the data
they use in governance, and for management decision-making, is “fit for purpose”.
Importantly, regulators will not be content to receive masses of data generated from internal systems.
They will want access to timely risk information that gives insights into the drivers and key risk indicators
that executives use when making decisions about the tradeoff between risk and capital. That puts huge
pressure on any insurer with duplicate or stale information and inconsistent data quality. They will have to
raise their game, and quickly.
The objective, according to the Professional Risk Managers International Association, a global, non-profit
body of risk professionals with local groups in 200 countries, should be an enterprise risk management
program that covers both defensive and proactive risk management—in other words, an approach that
doesn’t just seek to reduce the risks that the business takes, but one that leverages judicious risk-taking
for better returns. Regulators will also expect insurers to benchmark the quality of their risk management
policies, methodologies and infrastructure.
The bottom line is that risk management must deliver transparency and insight. Insurers will need to
understand their risk profile across their business operations and product lines, and across their different
risk categories—feeding any significant changes to the right level of management, fast. An integrated,
comprehensive and strategic approach to risk information is the only way of achieving that.


Conclusion

An integrated approach to risk and compliance is a Holy Grail that many financial firms have searched
for yet have failed to find. They know that with better, more reliable and more accessible information
about how their business is performing, they can make far better decisions. The financial crisis—its causes
and the regulatory response—should encourage them to renew their quest. The obstacles they will face
along the way are as challenging as ever. But the benefits are difficult to dispute.
Nothing will happen without a champion at the top. Whether it is a board member, the CEO or the CFO,
someone at the highest level needs to connect the strategy of the enterprise with the risk and compliance
activities of each line of business, right down to the operational level. Additional suggestions to emerge
from the interviewees include:

• Take a proactive approach to identifying, assessing, measuring and communicating risk. Establish
priorities, and decide how you’ll use your limited resources to get the biggest improvements.
• Make sure executives see spending on compliance and risk management as investments that add value
and support business objectives.
• Automate data management activities to the extent feasible, but do not rely on data to tell the whole
story. Periodically evaluate and adjust how you identify, verify, measure and report on risk. Test your
findings and make continuous improvements.
• Create a single architecture for compliance and risk management stakeholders across the
organization.


Design: Cover: shutterstock.com Illustration: Linda Olliver

Whilst every effort has been made to verify the accuracy of this information, neither the Economist
Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance
by any person on this report or any other information, opinions or conclusions set out herein.


LONDON
26 Red Lion Square
London
WC1R 4HQ
United Kingdom
Tel: (44.20) 7576 8000
Fax: (44.20) 7576 8476
E-mail:

NEW YORK
750 Third Avenue
5th Floor
New York, NY 10017
United States
Tel: (1.212) 554 0600
Fax: (1.212) 586 0248
E-mail:

HONG KONG
6001, Central Plaza
18 Harbour Road
Wanchai
Hong Kong
Tel: (852) 2585 3888
Fax: (852) 2802 7638
E-mail:

GENEVA
Boulevard des Tranchées 16
1206 Geneva
Switzerland
Tel: (41) 22 566 2470
Fax: (41) 22 346 93 47
E-mail: