Banks' confidence in their ability to manage risk, especially technology and operations risk, is shaky at best, a global survey released Monday by Deloitte Touche Tohmatsu Limited (DTTL) confirms. According to the survey, fewer than half of the firms surveyed rated themselves as extremely or very effective at operational and technology risk. Eighty-six financial institutions around the world were queried.
"Challenges on the operational risk and technology side, like cyber threat activity, the acceleration of speed in the capital markets and overall risk management issues, are causing organizations to look at their systems and infrastructure capability," says Edward Hida, global leader of Deloitte's risk and capital management services practice. "Those that were complacent now feel the need to step up."
Technology or operations risk software (technology risk is often lumped under the label "operational risk") provides a single window into the work of the many point solutions banks use to handle security and tech risk issues — application security, network monitoring, intrusion detection, anti-virus, anti-malware, patch management, access control, and database monitoring, to name just some. It's a program to mastermind the others, so that you can see which security defenses are working and which aren't, where an organization is vulnerable and where it needs to invest in better technology. RSA (with its Archer Risk Management product) and Brinqa are among the vendors in the space.
This type of software "gives you an understanding of your conditions, like patch management and app security; it helps you get an up-to-date, current view of the controls that would protect you from ethical hackers or from actual hackers," says Joe Bernik, a senior bank risk executive who did not want his company mentioned. For instance, log monitoring would send up a red flag when there are a high number of failed login attempts, which could indicate rogue software at work.
Bernik has used Brinqa's risk analytics in the past to monitor the state of security across a large bank. The software's agentless connectors that gather data from all the security software programs in place.
Such software helps the IT team press the business side for the budget needed for new security fixes.
"Unless you can motivate the business and make it their priority, give them context from a business perspective, the CIO can't do anything," Bernik says.
But if software shows, for instance, that the foreign exchange platform is woefully insecure compared to other systems on the bank's network, with missing patches or antivirus updates, or a lack of access monitoring, that business leader can be pressured to pay for a solution. "He can't say it's not his problem," Bernik says.
Amad Fida, CEO of Brinqa, says the software is sometimes used for predictive analysis to help with decisionmaking - for instance, to assess the risks of outsourcing an IT function such as mainframe database administration to China or Brazil, he says. Others use it to prioritize risk problems that need to be fixed, say from a list presented by a regulator. But often, as Bernik suggested, it's used by heads of technology or operations risk to wrestle funds from heads of finance, credit or market risk.
The Deloitte survey also found increased attention to other areas of risk. About 40% of institutions are concerned about their ability to manage risk data.
"A big trend is the recognition that the underlying data organizations use in risk management systems needs to be improved," Hida says. "This came out during and after the credit crisis - the underlying data is not strong or timely enough." Banks are remediating and establishing enterprise data, reference data, and customer data programs, he says. Data principles put forward by a Basel paper and national regulators are starting to be enforced. "Although this applies to a handful of organizations in the U.S., it will cascade down to domestic systemically important banks," he says.
The use of institution-wide enterprise risk management programs is continuing to grow, the study found. Today, 62% of financial institutions have such a program in place, up from 52% in 2010, while a further 21% are building one.
Spending for risk management software is way up, according to the survey — about two-thirds of financial institutions (65%) reported an increase in spending on risk management and compliance, up from 55% in 2010. The majority (58%) plan to increase their risk management budgets over the next three years, with 17% anticipating annual increases of 25% or more. For large financial institutions, a risk management budget of several million dollars is not uncommon, Hida says.
One more sign of the importance of risk management: 94% of company boards now devote more time to risk management oversight than five years ago and 80% of chief risk officers report directly to either the board or the CEO.