Poor data risk management threatens to reignite risk in finance, says EIU

An EIU report shows that inadequate data management continues to undermine effective risk management in financial services firms worldwide.

Inadequate data management continues to undermine effective risk management in financial services firms worldwide, according to a recent Economist Intelligence Unit (EIU) report, sponsored by SAS. The report, Too good to fail? New challenges for risk management in financial services, suggests financial services firms are showing renewed laxity around risk. In February and March this year, the EIU surveyed 315 executives globally. Respondents were primarily focused on risk management in banks, capital markets firms and insurers.

Thirty-four percent of respondents said insufficient data was a barrier to effective risk management, up from 32% in 2010. Only 9% had invested significantly more in data quality and integrity in the past 12 months. And only 27% had introduced or planned to introduce a data governance council.

The study quotes Tim Brooke, managing director of Protiviti, a risk advisory firm: “Most organisations, particularly large ones, have very dispersed technology that is spread across multiple platforms. The whole management of that infrastructure is a major headache for bank CIOs [chief information officers] and CROs [chief risk officers].”

Too good to fail’s authors commented that this “patchwork ... is compounded by ongoing problems with data. Just 40% of respondents say that their firm is effective at collecting, standardising and storing data. Insufficient data is also seen as one of the key barriers to effective risk management after regulatory uncertainty and poor communication between departments.”

And they cite Neil Buckley, CEO of Fintrans: “Until financial institutions get to the stage where there’s real clarity around the data they’re using for their risk modelling and their analytics, completeness and consistency will always be a problem.”

However, James Martin, former Lehman Brothers director and IT chief operating officer at several banks, said data management norms around risk reporting are sound. “Risk reporting is so important that the data, in my experience, was managed very carefully. Regulated firms can lose licences or be fined if they don't do this properly, so I've always felt risk data was in reasonably good shape.

“Data that was less well managed was around single-customer views across multiple business units and connecting different data together to make best use of it, or ensuring there was only one source of data. Mistakes could happen, but the focus on holding good risk data was always there.”

Alessandro Moretti, a member of the board of directors of the information security certification organisation known as (ISC)2 and a senior risk and security executive at a large financial services company, underlined the importance of getting the data right in risk reporting in a recent interview.

“Poor data management will imply an organisation has immature security processes, is potentially in breach of regulatory and data protection requirements, and has impending financial problems due to loss of intellectual property,” he said. “The extent of these risks will not be measurable, and risk reporting will be worst-case, costing the organisation penalties, especially in the financial sector. For risk data management, in organisations like health, government and finance, risk reporting becoming ineffective could have more serious implications to both the public and economy.”

According to the EIU report, some financial institutions are creating chief data officer (CDO) roles to deal strategically with data management. In 2006, Citigroup became one of the first to appoint a CDO. However, few institutions have followed suit. Just 17% of respondents to the EIU survey said that their institution had appointed one.

Of this role, Martin said: “There have been one or several ‘chief data roles’ in all the banks I've worked at. It is not normally called CDO, but there is usually a global reference data manager or someone appointed per business unit, product, country and so on. It can be part of an existing role, for example, the CFO [chief financial officer] normally has a team making sure financial data is managed properly. Equities trading will usually have a team looking after product and customer data.

“A ‘chief’ role is less common, but more often than not, it is associated with either the head of human resources or compliance function. More commonly associated is the role of CIO [chief information officer] or CISO [chief information security officer], but these may not be the business owners of the data. There is increasing representation of a data officer, information owner aligned to the department or function who is empowered with day-to-day management of data, but an overall title of chief data officer is less common.”

Should organisations, then, look to their information security functions in order to make data management for financial risk reporting as fit for purpose as feasible?

Moretti said that security professionals are “still behind the curve” when it comes to understanding the full range of data risk, especially in the context of emerging threats around cloud and mobile. More promisingly, however, financial services firms have, in 2011, been applying the levels of the assurance model being promulgated by the US National Institute of Standards and Technology, he said.

But the overall context, according to Too good to fail, is set by a “nascent economic recovery and the relatively strong performance of the financial sector,” which is emboldening firms to take on greater risk.

Martin, though, is sceptical. “Financial firms' main business is buying and selling risk, so all they do is adjust the level depending on economic conditions,” he said. “The crash in 2008 was a mixture of risk combined with massive leverage. I would say leverage was the killer, not the risk itself.

“I would say the big banks are now totally risk averse, and that won't change for years despite what they might like to say in their marketing. European bank exposure to Greek bond default risk alone could take more countries down, not just their banks. I bet some banks wish right now they could just shut the doors for 10 years and see how the global economy looks then! So, no, I don't think any of them have any appetite for risk whatsoever.”
