Structural risk issues within financial institutions are no different now than they were when Barings collapsed in 1995, Basel I was negotiated, Long Term Capital failed in 1998, the dot-com bubble burst in 2001 and the credit markets crashed in 2008. Yet after billions of dollars of technology, structural and deployment investment, Wall Street firms still lack uniform RSA, or "risk situational awareness" -- that is, knowing the risk exposure within operations now -- and, as a result, still lack an understanding of "horizon risk," the risk associated with potential upcoming events and surprises.
One can argue that enterprise risk is almost as opaque today as it was 20 years ago. We are better at knowing the problem and the symptoms, but we have made little progress in solving it. The approach to resolving this fundamental requirement remains flawed. It is still driven by reactive regulatory change, addressed by vertically orientated software providers or individual business unit endeavors -- that provide focused excellence but are limited in scope and breadth and do not easily illuminate enterprisewide intelligence or exposure -- and seen as a set of mathematical challenges rather than what it truly is: a business integration issue.
It's been said before: Risk management is restricted by silos of technical and organizational expertise dependent on hugely expensive and inflexible data projects. If the models are becoming standard, and if risk discipline is recognized as vital to a firm's effectiveness, then isn't effective risk management (even finding the next wave of alpha) an issue of realizing uniformity in data access, management and measurement? Instead, however, we have ended up with fragmented, distributed risk approaches that continue to miss the proactive risk management that we all seek. The components of the solution are there, but we've not succeeded in applying the solution uniformly in a simple, intuitive and efficient manner.
Defining GRC Objectives
If we start with a clean piece of paper, what objectives would we want for governance, risk and compliance?
• Give business teams the real-time agility to report, test, challenge and stress any and all GRC reporting (capital, market, counterparty, credit, Patriot, KYC, trading, fraud, HR, pricing, Dodd-Frank, capital efficiency, performance metrics and all derivations in between) to enable a proactive, competitive understanding of firm activities, but without imposing onerous costs and projects on their IT colleagues.
• Have confidence in uniform transparency across the enterprise, both near term and on the horizon, even if it remains distributed across data sources, applications, technology and infrastructure.
• Quickly and cost-effectively maneuver as regulations and business requirements change, are added or are created.
• Realize the above without the need for large capital expenditures/investments in cumbersome database or system integration projects, without the need for imposing alien and abstract data models, and without the need to repeat these projects when a new regulation, new business request or new GRC vendor release is required.
• Manage all of this at a cost that stimulates innovation rather than creating the perception of preventing it, giving the business agility in reporting, creativity in decision making and proactivity in interdiction.