Face up to non-financial risk
A rising tide of regulation has forced banks to invest in measuring all kinds of non-financial risk, but efforts to manage those risks have often been piecemeal and inefficient. Now Protiviti has launched a new model that gives banks an efficient, repeatable process for managing non-financial future risk, says European MD Giacomo Galli.
The past decade has seen the forces
of regulation drastically reshape
the banking industry and, in the
aftermath of the financial markets crisis,
that trend is set to continue for many
years to come. Banks have had to react to
new legislation including Sarbanes-Oxley
(SOX), Basel II and the Markets in Financial
Instruments Directive (MiFID) to name but
a few, and the big effort they have had to
make has understandably led to compliance
initiatives becoming disjointed.
Separate responses to each new piece
of regulation have often left compliance
processes clumsy and cumbersome but
there has been little time between new
pieces of legislation to devise a clear path
to a coordinated response. For some, that
has to change if the industry is to deal
effectively and efficiently with the changing
demands of regulators. Nowhere is this
attitude more relevant than in the area of
non-financial risk (NFR).
‘Banks are reactive on compliance
issues amid the pressure from new
regulations and the changing requirements
of central banks,’ says Protiviti’s European
MD Giacomo Galli. ‘They have managed
compliance efforts project by project.
The regulatory environment now requires
specific evaluation of non-financial risks
but their approach is inefficient.
‘Non-financial risk means everything
except market and credit risk. It includes
operational risk, reputational risk, liquidity
and much more. Pillar 3 of Basel II requires
that all these risks be evaluated and
managed, and that is likely to be the same
kind of standard for future regulations.’
Global business consulting and internal
audit company Protiviti specialises in
risk, advisory and transaction services. Its
clients include more than a quarter of
Fortune 500 companies, and its close ties
with the banking industry have led it to
focus closely on NFR management.
The result of its efforts, known by the
Italian acronym MIG, is an integrated
model for NFR management, born from
its efforts to help an Italian banking client
achieve coordinated and cost-efficient
compliance processes. Through working
with this client Protiviti soon perceived
that efforts to deal with new regulation
were divided, disparate and often
duplicated.
‘We quickly saw that there were six or
seven divisions involved in managing non-financial
risk and that lots of IT systems
were managing the same data,’ says Galli.
‘This stratification of projects is where
the inefficiency arose. In many cases when
you ask banks who is in charge of NFR
management they will find it hard to
respond. We saw that we needed to
create a single platform to address this.’
The making of a model
When Galli talks of creating a platform,
he is not implying that an IT solution on
its own is the answer. He believes that
banks cannot simply throw software
at the problem of NFR. Protiviti’s new
model is all about getting inside a bank
and its processes to sort out problems at
a deeper level. In doing so, it can help its
clients to not only develop a coordinated
response to existing regulation but also to
design a clear process for dealing with new
legislation in the future.
‘Our intuition was that our competitors
have developed software solutions to
manage NFR but, to us, standalone software
was not the answer. You need some
software but you can’t solve the problem
with it. You need a real process, like others
within a bank, so as well as software you
need someone to own that process; you
need one integrated methodology and set
policies on how to evaluate and manage
NFR,’ believes Galli.
The MIG platform has many strands but
the early stages are all about identifying
controls that are already in place,
spotting duplication and then unifying the
methodologies for self-assessment of risk
into a single process with one language and
agreed definitions. These are the first steps
in moving to a broader, integrated model
that will be unique to each bank depending
on its starting point and structure.
Consolidating controls has a big impact
on costs but another crucial stream of
the MIG model is identifying the process
owner for NFR management, from
which point a focused effort across the
organisation can begin.
‘Usually there is not one person who
is in charge of NFR but rather a magma of different pieces managed by different
divisions,’ notes Galli. ‘This proves that
there is duplication of effort. We have
understood the cost of compliance
and control, and found ways to reduce
duplication and avoid cost. Our model
clarifies the reporting process as well as
giving a bank the tools to manage NFR,
which improves efficiency and lowers cost.
‘The responsibility of the NFR
manager should be to minimise or
manage those risks efficiently but it is
also important to remember that a single
person cannot take full responsibility if the
controls fail.’
When all the strands of the MIG model
are brought together, including the right
software tools, the result is an integrated
output on NFR to the board of directors.
NFR meets ERM
The MIG model brings together the many
parts of a bank that have previously had
input into NFR management, building
on their knowledge and experience to
formalise best practice.
‘We know that with SOX there are
often a huge number of controls put in
place within the same bank. Some of those
controls could help with the management
of other kinds of risk, such as money
laundering or fraud, if they were properly
coordinated,’ notes Galli.
‘We look into a bank to see how it
works, then we deliver a real, repeatable
banking process. Future risks will then
pass through the platform. The bank
is no longer reactive but proactive. It
has integrated reporting to the board
to support its decisions about how to
manage NFR by accepting a certain level
of risk or mitigating it with a specific
process and amount of investment. Those
decisions are very hard if you are getting
six or seven pieces of information on
different things.’
Some may fear that the transition to
this integrated environment for NFR
management might be too disruptive but
the modular structure of the MIG platform
means a bank can take the long journey in
small steps.
‘As long as a bank has a global picture
of where it wants to get to then it can
implement this model step by step,’ explains
Galli. ‘Some board members in banks are
sitting in very uncomfortable chairs at the
moment because they need to understand
what is going on in their organisation and
ask about different kinds of risk. At the same
time they don’t have a lot of money to
invest. The outcome of our model is a new,
more efficient way of managing NFR that
builds on the investments they have made in
the past to measure different kinds of risk.
‘Many European banks have decided
to proceed with this kind of model. An
enterprise risk management approach needs
to be integrated to manage all risks and is
required by many regulations, especially Basel
II. Many banks at the very least want a full
catalogue of controls for review, which can
be time consuming but is a good basis for
shaping a framework of internal controls.’
Protiviti works with a number of medium-sized
banks in Europe, which have adopted
the model not only with a view to improving
risk management but also their ability to
compete effectively further down the line.
Their experience is proving the case for MIG.
‘There is always some resistance to
change but banks know they need a different
approach. Realistically, they must review their
controls as central banks push for greater
efficiency. The savings are hard to quantify as
they depend on the size and complexity of
the bank, but they are certainly in the region
of 10% to 30%. That is what we often see
with pilot programmes,’ notes Galli.
‘They should also realise that some of our
clients see our model not only as a way to
be more in line with regulations and safer
from a risk management perspective but
also more competitive on product pricing
because of the efficiency gains.’