Last of three parts.

The economic crisis and subsequent financial regulations threw a wrench in many banks' technology plans — but risk management continued to attract interest throughout the downturn and remains a main driver of tech spending today.

New capital requirements, restrictions on certain credit card lending practices and other regulations have put pressure on banks to get a better grasp on their overall risk profile.

"In the area of risk management, we are seeing a big pickup in activity since the beginning of the crisis," David Wallace, the global financial services marketing manager at SAS Institute Inc. of Cary, N.C., said in an interview at the BAI Retail Delivery conference in Las Vegas in October.

"There are so many regulations that are affecting banks' bottom line or will affect the bottom line over time," Wallace said. "We certainly see institutions assessing what they think the impact of all that's going to be."

But in re-evaluating their approach to tracking and gauging risk, banks encounter a basic challenge: whether to build tools from scratch or buy new packaged products.

"It's always one of the fundamental questions," said Mike Stevens, the enterprise risk management, analytics and business intelligence manager at BB&T Corp. "My personal view is that … sometimes building is a good thing because you know what you've got and there's a learning experience built into building something yourself."

The Winston-Salem, N.C., banking company is a longtime SAS customer that has used the vendor's technology to value loans based on expected payments and economic conditions, and model loan portfolios for future returns and losses. With SAS' Enterprise Miner product, BB&T analyzes loan information and scores loans to help make future lending decisions.

The build-or-buy decision often hinges on the amount of customization a bank anticipates doing to a packaged solution, Stevens said. Banks that decide to buy sometimes fall into the trap of tweaking new software programs to adhere to their own processes, inadvertently spending as much money as they might have developing in-house.

"If you decide to customize, often times that customization process can become like remodeling," Stevens said. "It can be much more expensive per square foot than building from scratch."

He said that extensive customization can "create an application that the vendor no longer supports."

BB&T has gone down the build and buy paths in the past and is currently evaluating its options for new SAS tools it is considering using.

One tool would require BB&T to transfer data from an existing database to a new one.

"We've challenged SAS to show us how we can benefit from all the other components of this [product] without having to move our data," Stevens said.

It is also considering buying SAS Forecast Server, a product Stevens said could help it devise more accurate predictions and would not require it to scrap previous work.

BB&T uses a more manual process for establishing its forecast models currently. The Forecast Server product would automate the creation of models.

With multiple loan categories, it is more difficult to produce new forecasts in a timely manner, he said. An automated system would also help it produce several models for each loan category, which could help it more accurately predict outcomes.

The federally required bank stress tests have underscored the benefits of using an automated forecasting system, Stevens said.

"We realized that relying on a single model to make critical forecasts exposes you to a lot of model risk, that is, what if the model that you handcrafted is wrong," he said.

Ken Proctor, a managing director who focuses on risk management for the Scottsdale, Ariz., bank consulting firm Cornerstone Advisors Inc., said banks he works with are willing to spend money on "individual solutions to individual problems."

Stress-testing tools are at the top of the list.

"It's a little like Whack-a-Mole," Proctor said. "Whichever mole has popped up its head we take the rubber mallet and go whack."

Anticipating how much customization may be needed to install a new software product in a particular bank is one of the main exercises needed to determine whether to build or buy new, Stevens said.

"The issue is: Are you willing to live with constraints of the solution and conform your practices to what the vendor envisions the process looking like or are you going to take that vendor solution and customize it so it conforms to how you want to do things?" Stevens said. "If you're tending toward the latter, then I question why you're buying the solution in the first place."

SAS in June released SAS Enterprise GRC, a government, risk and compliance program that helps companies build digital libraries to track business objectives, policies and procedures, and other internal information.

"From a technology standpoint, the underpinnings of this is you get everything through [a] common" view, said Clark Abrahams, the chief financial architect for SAS.

The program builds on an existing operational risk measurement tool that SAS has offered for several years, Wallace said.

The idea of risk management often was relegated to specific pockets of employees inside banks. The recent economic crisis largely changed that, waking all levels of management up to the need to be involved in responding to different risk measurements but also devising models for calculating it.

Getting a consistent view, though, can be difficult because of the number of other software systems banks are using.

"Getting … a simple picture of how an institution is doing overall is going to become much more important over time," Wallace said.

Bankers and technology consultants have for years talked about how aging core processing systems are preventing many banks from easily accessing data across product lines.

Wallace said SAS works around that issue by extracting information from core systems.

"Once it's in SAS then you can report on it, you can analyze it, score it and model it, basically whatever you want to do with it," Wallace said.