The Benefits of an Integrated Risk Management Framework within Banks

During the financial crisis, banks struggled to pull together data and information that was critical to understanding the extent of the exposures that threatened their existence.

Today, risk management is the focus of intense regulatory scrutiny and has become central to senior management decision-making and strategy setting. Risk management within banks is evolving and the integration of risk management processes is at the heart of this evolution.

This article reviews the regulatory pressures driving change and some of the challenges that banks face in their quest to improve processes and meet ongoing demands. It also looks at the benefits that more integrated data and risk management processes can bring. To arrive at the conclusions in this article, Moody’s Analytics has consulted with a number of global financial institutions who have shared how they are working through these challenges today.

In the aftermath of the financial crisis, banking regulation grew substantially, and today is extremely demanding and constantly changing. National governments and international standard setting bodies relentlessly tightened the framework in which banks are operating, including: Dodd-Frank, CCAR, DFAST, Basel III, Basel 3.5, CRD IV, BCBS 239, AQR, EBA stress tests, and PRA FDSF. Fundamentally, each regulatory exercise asks the same things of banks – do more to demonstrate that they are resilient enough to absorb stress and ultimately withstand the next financial crisis.

For example, regulatory stress tests are being imposed on banks as a means to test their capital adequacy. The stress test processes required by the Comprehensive Capital Analysis and Review (CCAR) in the US, the Prudential Regulation Authority (PRA) in the UK, or the European Banking Authority (EBA) in the European Union are all very similar. They all look for banks to provide granular data via prescribed templates, define a frequency by which they would like to receive data submissions, challenge the banks’ modeling approaches, and prescribe scenarios on which banks are to stress their model outputs. Regulators are also beginning to challenge infrastructure and process governance. Moreover, in each case, banks face corrective measures if they are not deemed to be robust enough following the stress testing exercise.

Looking more closely, however, each regulator asks for the exercise to be completed in a slightly different way. This is enormously complex for banks, who have to run multiple programs in parallel to respond to each of these requests in a timely manner.

Specifically, regulators and supervisory authorities are expressing a need for the reporting of granular data. Under the PRA, it is the Firm Data Submission Framework (FDSF). Under the Federal Reserve, it is CCAR and DFAST reporting. This reporting regime requires banks to access, validate, and reconcile data across their enterprise – requiring the connection of data points across all risk types, typically stored in multiple systems across multiple locations, and with varying degrees of accuracy, granularity, and completeness. Not only is it a challenge for banks to collect and streamline data flows, the process, in its very nature, has created a “granular entanglement” between data points across risk and finance silos that banks are now being asked to disclose.

In January 2013, the Basel Committee on Banking Supervision (BCBS) issued a document, Principles for effective risk data aggregation and risk reporting, with the objective of addressing the inadequacy of many banks’ information technology and data architectures as a means of supporting the broad management of financial risks.¹

This document outlines the importance that the supervisor places on the need for banks to enhance data and IT infrastructures and increase the automation of processes. The principals ask for improved governance, accuracy and completeness of data, timeliness, adaptability, and completeness and clarity of reporting.

Once again, effective adherence to the demands of this regulation requires the interconnection of a bank’s data, infrastructure, process, and people.

This long list of demands creates enormous challenges for banks, not only because they are obliged to keep up with the volume and frequency of recurring requests, but also because the regulators are asking banks to operate across silos, which until now have been able to act independently. However, today's regimes – such as stress testing, regulatory reporting, and BCBS 239 – all urge banks to move away from operating exclusively in silos.

Banks now have to manage the multiple regulatory demands at the level of frequency desired by regulators. At the same time, they have to make processes more affordable, efficient, sustainable, and repeatable. The only way to achieve this is through the integration of multiple data flows, architectures, and teams.

The transformation to an integrated risk framework should not be underestimated. It is incredibly complex and is met with challengers and skeptics. Banks are used to operating in silos, such as risk and finance, which have different cultures and speak different “languages.” There is a lack of trust and familiarity of one another’s systems and processes. There are skeptics who believe that such change is an unrealistic ideal that cannot be achieved. As a result, these banks manage to “get through” regulatory fire drills with patched together systems and manual processes that are labor-intensive and often carry a high risk of error.

Operational transformation within a bank requires strong leadership and backing from the most senior levels of management. In many cases, banks have appointed a senior leader to manage the coordination across business and IT teams. This role tends to be closely aligned with senior management at a bank. This central and transversal leadership role has the ability to assess systems and processes and coordinate the regulatory demands, business needs, and architectural feasibility of a transformation program.

In spite of the challenges, integration of risk management systems and processes can present a number of benefits. Centralization and integration create clear ownership, increase standardization of processes, and improve efficiency – reducing the time spent on generating results. In addition, by streamlining risk and regulatory compliance functions across silos, banks can scale down from multiple, disparate teams to fewer, more central teams and competence centers. This integration will also enable banks to reconcile data and results across teams and regions, and can lead to a reduction in internal IT expenditures and support costs associated with running multiple teams. Banks can also reduce external IT costs. For example, by choosing a vendor that provides a comprehensive offering covering all aspects of regulatory requirements – from data management, regulatory compliance for capital, liquidity and ALM, stress testing, and reporting – significant cost savings can be achieved.

In addition, firms that have more transparent risk management processes can increase performance, improve governance, and boost revenue as a result of risk-aware decision-making and strategic planning.

In our research for this article, we asked banks if an integrated risk management approach was something they were realistically trying to work toward in response to the regulatory demands.

We found that the majority have recognized the need to change and confirmed that the integration of data, systems, and people across risk and finance silos was deemed an absolute necessity. We also observed that the frequency and intensity of constantly evolving regulatory demands leave little time for banks to pause for reflection, confront the issues, and plan effectively for change – thus often leaving banks with no choice but to look for tactical solutions rather than strategic change. Banks that place a priority on streamlining processes have the sponsorship and investment to carry out tactical projects to meet both immediate regulatory needs and plan strategically to meet longer term goals.

Making better and more informed business decisions should, of course, be the strategy for any business. For many years, banks have perceived of integrated risk management as a possibility, but not a must. Something that banks could do, but have not done. Today, regulation is driving the issue. Banks have no choice but to keep up with the ad hoc nature of the regulatory demands and the frequency of reporting dates.

When banks can get to the point where they can see beyond the myriad of regulation, however, they will begin to look at their business and appreciate the internal benefits of that transformation. Banks will be stronger and more efficient. Senior management will have better access to information that will help inform their strategic decisions, enabling them to plan more effectively. Ultimately, this integrated view is a best practice that because of, and in spite of, regulation, the world’s banks should be striving toward.