Strategy Clinic: What post-crisis regulation for the financial services sector?

I am a CIO in financial services. We all know that a new wave of post-crisis regulation is heading our way. What is it likely to look like? And what should we be looking for from our suppliers?

Risk measurement will have to be reviewed

In these unprecedented times, there is no room for a business-as-usual approach or "we are too large to fail" attitude. Companies are taking acute actions to protect their businesses, customers and shareholders given the financial market turmoil, and CIOs should be looking ahead to ensure they can comply with the anticipated wave of post-crisis regulations.

Historic or statistical measures of risk and exposures are proving increasingly inadequate and regulators are likely to apply a new set of rules across business activities affecting executive compensation, depositor protection, risk management and control, capital adequacy and liquidity, valuations, accounting policies and disclosures to name but a few.

The regulatory landscape is a blend of principles, guidance and rules-based approaches. Post-crisis regulations may require rapid implementation, be targeted and prescriptive. This means greater emphasis on IT governance, the existence of good practices and robust controls to ensure the integrity of information systems, data quality and privacy, and effective resilience, capacity and disaster recovery capabilities.

Although reducing costs is a key factor in the current climate, CIOs will need to achieve regulatory compliance while achieving the right balance of IT risk, cost and control.

This is a time to increase the value provided by suppliers, strengthening and harmonising IT control environment issues that address local, international and EU regulatory requirements. Management should tighten up preventative and detective measures to tackle information security and data privacy concerns and improve management of outsourced functions through independent third party reporting.

Fundamental change will be required by many financial service organisations to comply with new regulatory requirements. Organisations that manage to balance the effectiveness of their internal controls to meet regulatory requirements alongside cost reductions could gain competitive advantage in these economically challenging times.

Erol Mustafa, financial services partner in technology and security risk services, Ernst & Young

Find the best way to manage information transparency

All commentators agree more regulation is on its way and the majority of taxpayers are very much in favour of this happening. The cost of the rescue of large banks is, as everyone knows, many billions of pounds. Some strong views have been expressed about who is to blame for this situation including regulators, the government, banking executives and consumers. The general consensus seems to be that many organisations and individuals have not been able to understand and manage risk.

The question for CIOs, given this scenario, is what is the opportunity to be proactive in designing potential solutions. It can be argued that where problems have been caused by information transparency, the CIO has a key role to play. There are some key challenges in this area. Many financial services organisations make money as a result of exploiting information asymmetry, where one party has more or better information than others.

It appears some financial services companies opted for information ignorance, choosing not to understand the risk of certain securitised instruments prior to selling them on. One would like to believe that regulators will be addressing these types of issues but equally that financial organisations will be opting for good practices in information management and business intelligence.

Perhaps the bottom line is to discuss with the board and your suppliers the best way to manage information transparency and risk in a financial services company. This will of course depend on whether you are viewed as a key player in managing information in addition to technology. If you do succeed, hopefully the regulators will adopt a similar approach, positioning you ahead of the game.

Sharm Manwani, Henley Business School

Anticipate changes initiated by your suppliers

Physician heal thyself! What did you think has gone unregulated that ought to have been avoided or at least ameliorated the financial crisis? To a layman (me!) it strikes me as completely daft that mortgage lenders were quite happy to lend 120% mortgages, or six times applicants' combined salaries, offers which most ordinary people would say would have a very high risk of failing. So to me, some regulation in this arena would seem likely. You, in financial services, in discussion with your user colleagues will, I am sure, be able to produce a "most likely" list. Discuss with your user colleagues what might be needed so you can plan reasonable timetables to ensure compliance: you cannot get into a position where changes that may be very significant are thrown at you with impossible deadlines to meet.

What can you expect from your suppliers? Increased charges are almost a certainty as they invoke variation clauses for the work done, to ensure you meet changing compliance requirements. Not unreasonable if what they currently provide meets the specification you gave them originally. An underwriting that they will always be able to change their provision to you to meet changing compliance requirements? Not so likely: no one is going to commit to an unknown future, so you could just find yourself with applications or services that cannot be changed and significant work becomes necessary to develop applications that will comply. The earliest possible awareness of this is needed as this may dictate the speed with which you can conform. So regular, constructive meetings with your suppliers to discuss intelligence about what might be looming. There are benefits to collaboration with those in the same market as you, having to meet similar changing compliance requirements, as was done by many during the millennium change requirements. There is no point in everyone doing the same work over and over again.

Robin Laidlaw, president, CW500 Club
