Enterprise Risk Management – ERM, as it’s come to be known – is today a concept that’s roughly where 'CRM' was a decade ago: a developing discipline that's subject to a lot of hyperbole and a term that can mean something different to everyone that uses it.

CRM – customer relationship management – turned out to be one of the biggest busts of the 90s. The problem wasn’t a failure of concept or lack of need, but unrealistic and unrealisable expectations. The fact remains that taking good care of your customers – and understanding them well – is a critical business discipline.

The same must be said of operational risk management – OpRisk for short – no matter how much hype it might be getting. For today’s financial services institutions – especially the global custodian – the growing complexity of their business is driving exponential growth in operational risk.

The most successful global custodians will not only manage OpRisk smartly – but use new tools, processes and skills to develop new revenue streams.

What is OpRisk?

A better question might actually be – what isn’t it? When you view the complex, integrated worldwide transactions of the global custodian, it is evident that virtually every activity includes some probability for going off into the ditch.

One case in point: a working committee of Basel II charged with cataloging operational risks recently produced a list of approximately 1400. And it’s still counting.

OpRisk is generally defined as the risk of loss or regulatory action due to clerical errors, organisational deficiency, delays, fraud, system failure, misperformance, nonperformance by third-party service providers and similar incidents (ISSA Report on Global Custody Risks).

OpRisk is real. Our firm assisted a large Midwestern US bank whose regulators stalled its acquisition and growth strategy for months while it resolved an $80 million tracking gap. While $80 million is no small sum, it was a relatively small amount for an institution that was processing billions of dollars every day. The opportunity cost and reputation cost of the action vastly outweighed any fines or penalties the regulators assessed. When viewed in this light, the hundreds of millions of dollars in penalties being assessed by regulators appear to be only the tip of the iceberg of true OpRisk costs.

Why more money isn't helping

For many FSIs, ERM so far has been a matter of throwing money at the problem with little success to show for it (not unlike CRM).

TowerGroup estimated in an August 2004 report that nearly one-third of the $34 billion global IT spend on compliance – about $10 billion – is simply wasted on redundant technology such as databases, storage, analytics and reporting tools. That waste balloons to $40 billion when counting the associated business process inefficiencies – manual operations that involve exception processing, work-arounds, reconcilements and adjustments.

The picture that comes to mind is one of islands of automation surrounded by a sea of manual processes. As TowerGroup’s Virginia Garcia notes: "ERM is not a technology; it is a culture, a strategy and a combination of processes consequently requiring a combination of technologies that grease the wheels of the integrated framework."

The role of technology in OpRisk management

While ERM is not technology in and of itself, there is no argument that effective approaches require smart deployment of appropriate technology. For the global custodian, there are simply too many moving parts, too many transactions and too much complexity to ever think otherwise.

The waste identified by TowerGroup is a result of independent business units making independent investments to solve discrete problems. The result is ever more complexity and risk – as these new “moving parts” are integrated into the machine.

Given the risks inherent in OpRisk management – what results must the successful OpRisk strategy deliver? With apologies to Toltec wisdom-writer Don Miguel Ruiz, I call these:

The four agreements of OpRisk management

First. Do no harm: The first rule of medicine is the first agreement (or principle) of OpRisk management. Any solution that creates new integration issues, creates new data or creates closed, proprietary systems also creates new potentials for risk. Obviously, counter-productive.

The first agreement will drive decisions toward solutions that are open, flexible, scalable and seamlessly applicable across the enterprise. Such solutions must be capable of providing a comprehensive data structure that can extract, validate, cleanse and transform data in any format from any system. They must scale both up and down – enabling line of business analysts to get at and operate on data easily and send results anywhere in the world in any format. Better yet, let people from across the enterprise get at the data and perform these operations without having to write a single line of code.

Second, Move from reactivity to proactivity: At the heart of ERM technologies is the capability to identify anomalies or “exceptions” in the data and events that trigger some action. For example, having systems that recognize in real-time that a trade for 1000 shares actually posted as 100.

Sufficiently early action means such exceptions can be corrected before the transaction fails. And to use the previous example, the most advanced OpRisk solutions will not only recognise that the incorrect shares were posted; it will be capable of sending a correcting transaction back to the system of record. Now you’re not only managing risk, you’re controlling it. You’re not just staying out of trouble with regulators and customers; you’re increasing productivity, smoothing operations and eliminating costlier interventions or corrections.

Third. Catalyse increasingly powerful business results: Your OpRisk technology must not only identify and fix errors. It must enable your line managers and executive team to understand, evaluate and improve the business itself.

For instance, you may have as a benchmark that 90 percent of A-Pac transactions are settled by end-of-business (local time) daily. Your OpRisk technology should provide visibility into operations such that you can continually improve the surrounding business processes and move that benchmark to 95, 98, even 100 percent.

In similar fashion, your solution must allow line managers and executives to monitor the organisation’s exposure to departmental or enterprise risks. For example, say that due to highly volatile foreign currency markets, asset managers pile into Japanese securities. In a matter of hours, your global operations are responsible for settling billions of dollars of transactions that are highly dependent on the dollar-to-Yen exchange rate. Your operations may also need to execute billions of dollars of foreign exchange transactions to support these underlying trades. Currency risk must be assessed, appropriate managers notified of risk management actions to take, and insights into the data must be provided so that they may make timely and effective decisions. Besides addressing the immediate risks, your solution must provide the analytics and reporting necessary to mitigate similar scenarios in the future.

Fourth. Move from proactivity to new profitability: As odd as it might first appear, future-looking ERM tools and solutions will actually spur new profit centers in your organisation.

Global custodians are already beginning to craft outsourcing relationships with their asset management partners. This simply plays to each party’s strengths – asset managers are great at choosing and allocating investment assets while custodians are great at processing and tracking them.

ERM solutions that meet the first three agreements will allow you to craft more aggressive performance contracts and capture bonus or performance payments by setting and hitting higher and higher benchmarks. Likewise, they will increase the confidence of both provider and client in more comprehensive outsourcing relationships. As highly scalable and flexible ERM technologies are implemented in the global custodial organisation, tremendous creative energies will be unleashed to create new products and services built on the platform.

As Datamonitor mentioned in 2004, with strong competencies, OpRisk departments stand to create growing value to their organisations – working with teammates to "discover ways to reduce capital charge, improve efficiency and maximize earnings potential".

Delivering on these promises will mean that ERM does not become the CRM of the 2000s.