Ashley Lobo, chief risk architect at IQ Financial Systems, explains why most global risk systems, including those that meet regulatory requirements, may soon become obsolete.

Ever since 1988, when the Basel Capital Accord required banks to develop enterprise-wide risk management systems, banks have been scrambling to implement systems to measure market risk and credit risk.

The cramped timeframes and nightmarish data integration challenges forced many banks and software vendors to develop one-dimensional systems to meet minimum regulatory requirements. These systems produce value-at-risk and stress-test statistics based on summary information from disparate systems.

But the quick-and-dirty techniques used to consolidate data from diverse systems inevitably mean that significant information gets lost, limiting the effectiveness and accuracy of the results. Consequently, many global risk systems fail to meet day-to-day risk management needs.

These days, regulators and senior managers are demanding more timely and detailed data to improve the accuracy and timeliness of risk analysis results. Now that the dust has settled from the first round of enterprise-wide risk management system implementations, it is time for CEOs, risk managers and chief information officers on both the buy-side and sell-side to reexamine their systems to meet the new risk standards just around the corner.

Global data

The most difficult challenge of enterprise risk management is consolidating data in a consistent format. Banks have had some success developing consistent trading applications in their major trading centers in North America, Europe and the Far East. But they continue to experience problems integrating data from their smaller branches, where older back-office and accounting systems are the norm, and where low volumes make it financially impossible to install state-of-the-art systems.

To be effective, enterprise-wide risk systems must integrate all of a bank's local positions into a global risk portfolio—and must do so by the close of the business day. If they can do this, the systems will provide timely feedback on positions and risks across the enterprise, which can then be used to make informed adjustments to positions and hedges. In many institutions, however, it takes days or even weeks to extract and aggregate the data for all branches and activities.

The core problem is the architecture of the risk management database. Most risk systems require banks to import trade data from legacy databases in fixed data structures. But creating and maintaining fixed data structures for an institution's myriad instruments is a gargantuan task. Consequently, it is extremely difficult and expensive to integrate risk data for all portions of a bank's portfolio.

Many institutions compute risk statistics locally and aggregate the results into firm-wide risk numbers. This process strips out critical transaction and cash-flow granularity and limits the system's effectiveness as a management tool.

As a shortcut, many institutions compute risk statistics locally using spreadsheets and other desktop tools, and then aggregate the results into firm-wide risk numbers. This process is manual, time-consuming and subject to human error. Worst of all, it strips out critical transaction and cash-flow granularity and limits the system's effectiveness as a management tool.

The result: risk statistics that are too old and too vague to be useful. In fact, most enterprise-wide risk management systems are used to generate statistics necessary for regulatory reporting—and not as tools that support interday risk management decisions.

The multibillion-dollar losses at Daiwa Bank and Barings Bank might not have occurred if managers had been able to consolidate daily transactional data in a consistent and timely manner. Without this data, it is difficult or impossible for risk managers to spot disastrous cash-flow-related exposures and raise red flags to senior management. It's also likely that strong risk management control systems could have discouraged traders from aberrant behavior in the first place.

Drilling down

Data is the key to effective risk management. Risk systems architecture should capture transaction data with enough granularity to allow the user to track a risk statistic back to its exact cause at the individual portfolio, trader and transaction levels. Working back to the cash-flow level allows managers to develop business strategies that can enhance returns on capital with reduced risk.

But risk systems based on summary sensitivities make it difficult to track the cause of a significant change in a risk statistic back to its source. To determine which portfolios and transactions are causing significant changes in the institution's risk on an interday basis, managers are often forced to query their disparate source systems individually—a lengthy and onerous task.

Summary-based systems typiclaly extrapolate the risk associated with wild market scenarios using sensitivities computed in relatively smooth non-volatile environments. The results are usually unreliable and misleading.

Moreover, summary-based risk systems don't capture enough data to perform accurate scenario analysis. Risk managers need to simulate market events for large market movements, such as the crash of 1987, the Gulf War, or the emerging-market crisis of 1998. Summary-based systems typically extrapolate the risk associated with these wild market scenarios using sensitivities computed in relatively smooth non-volatile environments. The results are usually unreliable and misleading, particularly for derivatives portfolios, since they typically contain large exposures to gamma and volatility risk.

These systems are also incapable of generating independent mark-to-market statistics on global portfolios. To check the accuracy of their data, managers need to compare mark-to-market, risk and other calculations from disparate source systems at the global and local levels. They also need access to detailed cash-flow data from source systems to make comparisons across instrument types and geographical locations using consistent rates and scenarios.

Two-way view

Many systems are simply unable to look at risk from both a local and global currency perspective. A global risk manager at a Tokyo-based financial institution, for example, might discover that the bank's New York operations have significant exposure to a change in U.S. dollar rates. He will see risk statistics expressed in yen, which includes currency risk for U.S. dollar-denominated positions, but no currency risk for the yen-denominated positions.

This exposure is meaningless to the bank's New York-based risk manager. She will see risk statistics expressed in U.S. dollars, which includes currency risk for yen-denominated positions but no currency risk for U.S. dollar-denominated positions.

A well-designed enterprise system would allow both risk managers to perform analyses appropriate for their individual perspectives. This is particularly important for regulatory purposes, since local bank entities must report to regulators in their local currency, and the parent needs to report to a different regulatory body in the institution's reference currency. Global and local VAR and risk statistics therefore need to be computed twice.

Many enterprise risk systems, however, only look at currency risk from the global perspective. Local managers can't see risk numbers from the perspective of their own currency, and, as a result, often dismiss the risk reports as irrelevant. These systems also take a dangerous shortcut when they assess global risk by converting local VAR and risk statistics into the home reference currency using the foreign currency spot rate. This shortcut fails to acknowledge the correlation effects of different currencies in a global portfolio.

Local needs

Since most risk systems are not able to support local and global valuation models simultaneously, system developers and senior management often mandate the use of a specific set of global models to achieve a consistent set of risk numbers. But local trading desks inevitably prefer to work with their own models. For this reason as well, local desks frequently ignore the global risk statistics coming from headquarters.

The architecture of an enterprise risk system should be flexible enough to allow local managers to select the models they prefer while still allowing the consistent valuation necessary for global risk management. Local models should be able to be used globally. The system should be flexible enough to allow for the rapid addition, replacement or modification of valuation models as state-of-the-art methodologies change.

Risk systems should be able to correct results as discrepancies in transaction and market data are discovered. These discrepancies occur frequently, but summary-based risk systems can't easily drill down to the flawed transaction and correct the raw input data. Risk managers are thus forced to make manual adjustments to the VAR statistics—without audit controls. These inaccuracies can be significant, and can lead to capital allocation decisions that have a disastrous impact on a firm's capital adequacy. These shortcuts and their resulting inaccuracies often remain hidden from senior management.

Enterprise risk systems should be able to store historical data on-line for at least one year to meet regulatory mandated back-testing requirements and to provide risk managers with an efficient mechanism for finding anomalies in results, correcting bad data, recomputing previous risk statistics and re-performing all subsequent back-tests in an auditable manner.

Summary-based risk systems can't easily drill down to flawed transactions and correct the raw input data. Risk managers are thus forced to make manual adjustments to the VAR statistics—without audit controls.

Although accurate VAR numbers are critical to measuring a bank's risk exposure, VAR numbers can't help senior management allocate capital to individual business units to optimize the risk-adjusted return on capital for the overall enterprise. Most summary-based systems don't store VAR, market value and profit-and-loss statistics through time for all business units within the organization, and thus can't perform full RAROC analysis at any level within the organization.

Risk management, at any rate, is more than VAR numbers and sensitivity metrics. To get a comprehensive view of the institution's overall risk across multiple dimensions, an enterprise system should be able to measure and manage settlement amounts, cash-flow gap analysis and asset/liability management. Ultimately, the consolidated transaction and cash-flow data should also be used to measure credit and liquidity risk and to integrate market with credit risk in a single unified model. And this must all be done within a time frame that is short enough to permit adjustments to the positions and risk.

Current risk systems may be able to meet regulatory requirements. But regulators are well aware of the limits of current systems and will soon be requiring more accurate, timely and sophisticated standards. Summary-based risk management systems do not capture the data necessary to meet these new standards, and will soon prove to be hopelessly obsolete. Financial institutions must begin rebuilding their data architectures now—or will soon be forced to start again from scratch.

Ashley Lobo can be reached at ashley.lobo@iqfinancial.com.