Regulatory risk management – the new watchword

To ensure the accuracy of information provided to internal risk and compliance managers and external regulators, an unerring focus on data quality is critical in today’s business scenario.

Regulatory risk management, always a critical challenge for financial services firms, has assumed heightened importance in the aftermath of the recent banking crisis.

While credit and market risk have always featured on senior management’s agenda, external regulatory developments focused on greater capital adequacy, liquidity, transparency and consumer protection are placing greater emphasis on effective risk-management frameworks.

The banking crisis exposed glaring deficiencies in bank strategies and risk management. A consequence is the changing focus of the basic business model, which is driven less by product profitability and more by customer needs. Financial stability is the new watchword, and gaps identified in regulatory oversight and management are being plugged through enhanced frameworks and guidelines.

Financial services firms are under mounting pressure to manage regulatory compliance and associated risk more effectively. Much greater attention needs to be given to risk appetite and mitigation both at enterprise and service-line levels, the fundamental data underlying record-keeping and the risk associated with their retention.

Experience shows that the quality and integrity of data can by no means be taken for granted, and getting it wrong could prove costly. The cost of poor compliance is usually both financial and reputational as evinced by the recent record fines and strictures imposed on major banking institutions primarily by US regulators.

With the new Basel III capital adequacy and liquidity framework on course for implementation in the next few years, as well as evolving restrictions being laid down by western national politicians and regulators (for example, the Financial Industry Regulatory Authority and Dodd-Frank Wall Street Reform and Consumer Protection Act in the US), the process of correctly capturing as well as utilising the “right data” for controlling risks has become a critical one.

Information technology and data analytics have a big part to play in highlighting risk concentrations and exposures for management and regulatory action.

Although banks in the UAE were largely unaffected by the global banking crisis, the property market downturn of 2009 exposed the need for local banks to have better data on industry-related concentrations, so that an institution’s capacity to absorb shocks and the adequacy of its financial buffers can be assessed more accurately under various scenarios.

To comply with regulatory requirements today, firms need to increase their governance in ways which conform to the new compliance requirements, improve the quality of data and optimise accumulation of new risk data.

Assessments of risk depend fundamentally on data, including data on counterparties, markets and internal operations. Thus far, data quality issues have been low on senior management’s priorities. The new emphasis on regulatory risk management means that the governance of reference data utilised for holistic risk calculations has become a critical issue.

The challenge today is ever more acute. The volume of relevant data is soaring exponentially and much of this is unstructured and unmanaged. At the same time, retention requirements associated with regulation and litigation are compounding the problem. The potential business benefit from better data governance and management is clear. Firms can achieve improved risk management and reduced data storage costs, as well as a substantial increase in regulatory compliance, with more effective data retention and quality assurance strategies.

A successful data life cycle governance programme can help organisations contain costs, retain the right data and address regulatory compliance requirements. Equally important, it can increase the business value of data by providing a sounder platform for decision-making.

When aggregated across hundreds or thousands of systems, applications and databases, individually small benefits can create significant benefits overall. The main areas of potential benefit include:

• Eliminating redundancy: very commonly, multiple copies of reference data are held at different points in the organisation and copies of transaction data are duplicated in different environments. Unrestricted end-user rights result in both duplication and inconsistency. Rationalisation of data and applications within an overall data strategy can yield substantial savings. KPMG analysis suggests typical benefits of US$500 to $1,000 per application server, and up to $10,000 per database.

• Minimising over-retention: typically, organisations hold on to data for too long as a result of retention limits not being enforced, overprotective interpretation of legal requirements and over-engineered business assurance systems. Streamlined dispositions frameworks, workflow processes and assurance strategies can cut the cost of over-retention dramatically. Analysis by KPMG suggests potential savings in the range of 30 to 50 per cent of storage costs. Collateral business benefits include reduced expenditure in the context of legal action, document discovery and assurance.

Examining the existing legal, regulatory and business requirements for data alongside the people, process and technology controls in place will allow gaps to be identified in the performance of different functions within the organisation. There is a competitive advantage to be enjoyed by those institutions that have this agenda embedded as a business priority. Alas, in the UAE, this has so far not been a high priority for senior management or regulatory oversight.

In conclusion, it can be said that regulatory risk management depends critically on the value of the data underlying produced records, its analysis and evaluation. Where data quality is inadequate, risk and compliance management lacks a strong foundation. Responsible oversight by senior management and boards requires that these issues are given appropriate attention.

Ian Gomes is partner, head of advisory and markets, KPMG Lower Gulf

