Taking Risk Beyond Regulation


As corporate risk systems become more sophisticated, businesses are moving beyond simple compliance
and proving that better management of risk can drive greater efficiency.

Over the past few years there has been a tidal wave of new regulations and legal changes that corporates are scrambling to deal with. Spanning from accounting changes—such as the move to International Financial Reporting Standards (IFRS)—to Basel II on the banking side, to financial regulations and anti-money-laundering policies, the list is seemingly endless. For corporates, all these regulatory and legal changes have spurred an increasing need to re-evaluate and better manage risk across the entire organization.

Many corporates have invested in new systems to help with increasing compliance and reporting needs—and simply to have a clearer view of risk. But corporate risk management solutions are in their infancy in some respects, and how and when to choose a system, and how to take advantage of those systems to drive efficiency, are important questions.

Much of the focus recently for corporate risk management has been on operational risk management and meeting requirements under the Sarbanes-Oxley Act of 2002 in the United States and similar regulations in Europe and Japan. “By and large most systems vendors will have some value to add with operational control,” says Scott Coffing, vice president of SunGard AvantGard. “As long as you have something in place that increases your control, that is a good basic first step toward managing operational risk. However, with any system it really depends on the culture of the corporation how deep you drive into things to look at risk.”

Managing market risk saw a big push from companies in the 1990s when value-at-risk models first came out. “This is very valuable for corporates that have fungible assets that trade on markets—for example, commodities-driven companies,” says Coffing.


Coffing: If a company’s reputation is damaged as a result of poor controls, it can have a serious impact

Reputational risk is also coming under growing scrutiny, Coffing says. “If a company’s reputation is damaged as a result of poor internal controls, it can have a serious impact; you can lose clients that way,” he points out. In addition, corporates are focused as much as ever on financial risk management and credit risk.

As a result, there is a growing awareness that risk can come in a wide range of forms. “There is more risk across corporate enterprises,” explains Folia Grace, vice president of applications marketing at Oracle. “By opening up to the Internet and going global, there is greater systemic risk.”

In the past two years managing risk effectively and having clear risk policies in place have taken on an additional urgency. In late 2005 Standard & Poor’s announced that it would incorporate the strengths and weaknesses of a company’s risk management strategies into the rating process. “That is a big development,” says Cliff van Tonder, operating officer at systems supplier Lombard Risk Management. “They are now asking a lot of policy questions on risk tolerance, key measures of risk, what the top risks are in their particular business, concentration of risk, and so on. In addition, they are looking at whether the appropriate people and organizational structures are in place. They are also asking how risk management technology is involved and how they calculate exposures.”

Adding Value
With regulations driving investment, for many companies it is no longer the CFO or treasurer who is pushing for new risk systems. “Risk was traditionally managed in finance, but that is changing,” says Grace at Oracle. “More and more demand for risk management systems and solutions is coming from boards and audit committees.”


Van Tonder: Ratings agencies are becoming much more interested in companies’ risk management efforts

According to Cubillas Ding, a senior analyst at research firm Celent, many companies are now only at the point of putting infrastructure in place for dealing with regulations and accounting. “In addition, many have put systems in place to meet the basic regulatory requirements without really looking at the linkages between these developments,” he says.

In the longer term, firms should not look at just the need to meet regulatory requirements but also how they can accrue more value from these investments from a business perspective, Ding says. “This is more easily said than achieved, however,” he adds. “In the corporate space, Sarbanes-Oxley, for example, entails good risk management within the financial reporting space. It is really about applying good risk management practices and control and ensuring data and processes are in good order.”

A lot of those principles can be applied to other areas of the organization, but the lengths to which companies will go to achieve that depends on the value they see in doing so compared with the time and effort involved. “With exacting deadlines, cumbersome legacy systems and high investment costs, it can be pretty hard separating the forest from the trees and pulling out the value-add,” says Ding. With high compliance costs, few companies are willing or able to use additional resources for such a goal, at least in the short term. But down the road, as risk management solutions continue to develop and simply reaching compliance becomes that much easier, this could indeed be a target worth reaching.

Choosing a System
The systems that any corporate chooses will naturally depend on the industry and region within which the company operates. UK group Orbian, for example, is a forfaiting company that handles reverse factoring for companies. The treasury risk management for Orbian centers on funding and investment requirements, interest rate and foreign exchange risk and the management of the company’s bank relationships. “Orbian is a privately owned company and has a strong risk-averse focus,” says Andrew Notman, treasurer at Orbian. “Financial risk is managed by the centralized treasury department, and when evaluating any risk, treasury first identifies any individual company risks and then evaluates the global position.”

Where possible, internal hedging occurs, with any residual net position being placed with Orbian’s banks, Notman says. “This approach allows Orbian’s treasury to efficiently control and maintain pricing,” he explains. The company uses a highly specialized treasury management system (TMS) to manage financial risks. Choosing the right TMS to manage risk was an important decision for Orbian, as it needed to interface directly with its other systems. In addition, it needed to be fully flexible so that the TMS functionality could be developed to keep pace with the growth and needs of the company.

The costs—in terms of price, time and internal resources—of building such a system in-house would have been quite exorbitant. This is a route that few but the very largest companies can now afford to consider. “After completing an RFP [request for proposal] process, the decision was taken in mid-2006 to install an outside-vendor treasury management system rather than further develop our internal TMS system,” Notman says. “Installation was completed within a six-week time frame with fully functional interfaces with Orbian’s proprietary system, the SAP accounting system, as well as our house bank.” The group chose SimCorp’s IT/2 system.

Two-layer Approach
Coffing says that many companies tend to take a two-layer approach when it comes to risk management solutions. “They go for best-of-breed systems for areas that are of particular focus and then have an umbrella system that would aim to consolidate information from the best-of-breed and other systems,” he says.


Aziz: A company whose business risk is driven by market factors often will look for an all-in system

How a system is chosen will depend on the type and structure of the corporation, as well. “If it is a company whose business risk is driven by market factors—for example, energy companies—then often they are looking for an all-in system,” explains Andrew Aziz, executive vice president of risk solutions at Algorithmics. “They can see consistency across businesses as well as financing activities.” Adds Coffing: “The ideal would be to find one overarching system that does everything really well, but that is a pretty tall order. Most vendors are good at a few things but also have areas where they are not so good.”

While many companies have invested in new systems to meet compliance and reporting needs, many more still manage treasury and risk exposures very simply, often in Excel. “The importance of having a good risk management TMS solution, with automation of processes and STP capability, is that it gives treasury the ability to receive access to information and reports in a timely manner, which is vital in today’s changing regulatory environment,” says Notman.

“If treasury is proactive in its role rather than reactive, it greatly reduces the financial risks that an organization faces—thereby making the treasury role easier,” Notman adds. “As a consequence of not having the right information, flows can be quite costly to an organization’s bottom line.”

Enterprise risk management (ERM) is increasingly the goal of corporates around the globe. The purpose of ERM is to look at risk from a firm-wide, global perspective and to create comprehensive risk measurements that can be used to aid in executive decision-making and budgeting. As corporate treasury traditionally has taken responsibility for managing financial risk, many companies are looking to treasury to enhance existing risk management strategy by bringing a quantitative approach to broad-based enterprise-wide risk management.

While the process of engineering an ERM strategy can be complex, it can bring other benefits. With the need to bring in new systems to meet increasingly complex regulatory regimes, it provides an opportunity to drive change throughout an organization and develop a global risk-assessment solution. In order to do this, companies must go beyond simply initiating risk-transfer via insurance and meeting compliance requirements. The next step is to be able to recognize and quantify specific risks within the organization and measure and aggregate risks effectively. Then it is possible to begin to add value by defining the risk appetite—and growth appetite—of the company and maximize value by linking decision-making to risk-adjusted resource distribution.

Denise Bedell