The ERM Current™

Information Technology (IT) continues to play an ever larger role in the overall risk profile for major corporations across the globe.  A recent article in The Economist discusses the role IT played in the recent financial crisis.  While the financial services industry invests massive amounts in IT, the industry still does not invest enough in risk management tools that will help avert future crises.  Here is what the article noted.

No industry spends more on information technology than financial services: about $500 billion globally, more than a fifth of the total (see chart below). Many of the world’s computers, networking and storage systems live in the huge data centres run by banks. “Banks are essentially technology firms,” says Hugo Banziger, chief risk officer at Deutsche Bank. Yet most in the industry agree that its woeful IT systems have, in Mr Banziger’s words, “exacerbated the crisis”. The industry spent billions on being able to trade faster and make more money, but not nearly enough on creating the necessary transparency. “Banks had lots of tools to create leverage, but not many to manage risk,” says Roger Portnoy of Daylight Venture Partners, a venture-capital firm that invests in risk-management start-ups.

Wheelhouse Advisors provides solutions to financial services companies looking to strengthen their risk management practices with better information technology tools.  Together with our strategic partners, Wheelhouse Advisors can deliver cost-effective solutions that can be easily implemented within a complex environment.  Visit www.WheelhouseAdvisors.com, to learn more about our services and our strategic partners.

This week, Gartner Research is hosting its 2008 Annual Symposium in Orlando, Florida to discuss what is on the horizon for Information Technology professionals in the coming years.   Several Gartner analysts unveiled what they see as the nine most contentious issues for IT professionals over the next two years.  Risk management made the list as the third most contentious issue – specifically, determining the accountability for security and risk management as it relates to business applications.  Here’s what they had to say.

Issue 3 – Business Accountability for Security and Risk Management.  Security and risk management is not just an IT issue. It is essential that the IT risk manager, using effective communications skills, persuade the appropriate IT owners and line-of-business managers to accept explicit, written responsibility for residual risk impacting their systems and processes, on either a direct or a dotted-line basis. Risk managers should develop mechanisms for assignment and acceptance of residual risk and risk decisions — for example, signature forms, processes, and policies that address the requirement and execution of risk acceptance. The risk manager should also develop mechanisms to convey residual risk levels that remove reference to technology but still support good risk-based decisions at a business level that may result in the implementation of technical controls.

Understanding the risks well enough to establish the appropriate accountability structure in advance of a risk event is a key element for strong risk management.  Otherwise, energy that should be focused on proactively managing risks becomes focused on determining who should be blamed for the risk that resulted in a catastrophe. Do you agree? Please share your thoughts below.

Many people are asking about the huge technology investments made by financial institutions to provide risk management capabilities designed to prevent major market catastrophes (like the one we are currently experiencing). Well, based on a recent article in Information Week entitled “Risk Management Failings Spur Big Financial IT Investments“, huge investments were made and continue to increase.  However, simply investing more in technology is not the full answer.  Many institutions had the risk information readily available, but chose to ignore it because of greed.  According to Gregg Berman, risk management practice head at RiskMetrics, this was certainly the case.  He states,

“Given the levels of technology that we have today, this crisis we’re going through is something that was very avoidable.  This was not a natural disaster. The writing was on the wall for quite some time and people ignored it.”

So, once again, superior risk management practices hinge on the abilities of the right people creating the right culture supported by the right infrastructure.  Without all three legs of the stool (people, culture, infrastructure), well, you know what happens – someone will take the fall.