By Sandeep Vishnu, BearingPoint
Technology continues to play an increasing role in risk management, as illustrated by the recent entry on the SOX technology burden by Brian Mitchell of JPMorgan. ERM poses a challenge from an expense allocation perspective in that every investment could be directed towards an underlying risk, and it becomes hard to separate out incremental risk-related investments. Some investments are, of course, straightforward. For example, implementing two-factor authentication to reduce unauthorized access is clearly a risk-related investment and should be counted as such.
However, a platform upgrade to increase capacity to reduce the number of dropped transactions is a business decision that addresses the underlying risk of transaction failure. Should this be viewed as an expense for ERM, the business, a central infrastructure group, or some combination of these or others?
Risk management and compliance requirements are continuing to increase and overlap, and are creating a growing expense for firms. Regulatory guidance is not always prescriptive and firms have to interpret regulations to translate them into a set of tasks and activities. This becomes harder to do when regulations are planned, but not implemented. The subjectivity of certain regulations (e.g., Basel Pillar II) also makes it harder to define minimum compliance requirements and creates a challenge for prioritization of activities. Nonetheless, the translation of regulatory requirements into tasks and activities creates a portfolio of projects that may, at times, complement, compete or conflict with each other. This is the point at which spending can increase substantially, or it can also be the point at which rationalization begins. Several of these projects have technology components where overlaps and scaling can be addressed. A detailed evaluation of the portfolio of projects at the activity block level can yield areas of commonality and allow for the development of a portfolio implementation plan, rather than a project implementation plan. This plan would allow for the sequencing and prioritization of activities, giving preference to those with core business contribution and deferring those, if possible, with pure compliance features. An absence of such prioritization or sequencing will create a perception of "out-of-control" spend and a lack of appreciation of the business value being driven by ERM.
This prioritization and sequencing is also needed to allow for current risk personnel to manage the increased scope of activity, while getting some time to acquire appropriate resources (internal or external). In summary, budgetary pressures, continuing regulatory uncertainty and subjective interpretations of regulatory requirements increase the need for rationalizing the portfolio of risk projects and for further streamlining corporate resources engaged in risk and compliance activities. The lack of such prioritization will increase the burden on enterprise risk management programs to justify their budgets and contribution.
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.