In the Complex World of Enterprise Risk, It's All about the Data

At the time of this March interview, Ismail Pishori was with Hewlett-Packard serving as the worldwide director of risk management and compliance for the financial services industry. He's since left the company. HP spokespersons say his comments--presented below--still reflect the organization's position about how to best enhance a risk management practice. HP offers a data warehouse and application suite that simplifies much of the set-up work associated with developing data models.

Complex risks have always been with the banking industry, but automation is increasingly required. Why?

There's more information to track. I would argue that each category of risk is more complex. When combined, they interplay to create enterprise risk. While banks have always been in the business of arbitraging market and credit risk and running efficient operations, they do need to work differently now--to detail risks down to specific aspects of operations. They also need to see how factors would interplay to affect the overall risk profile. Leaders in the field--Citi, JPMorganChase, Deutsche, and their ilk--are advancing their abilities to create detailed measures and putting a lot of pressure on those who follow to improve.

Where are banks in their risk management learning curve?

Despite the progress we've made in the U.S., I'd say you still have a scenario where a few "standouts" are working inventively with people, process, and technology to develop a feasible risk management business process and tool set. Many others are struggling with the data and to populate a data warehouse, or struggling to create data models that can give them a view of the enterprise. I'd give banks an A for effort, but a C minus on implementation right now. The truth is, everyone is just getting started.

What do banks need to do to improve their risk management practices?

Banks will need to be increasingly proactive over time. To do this well, banks will need to improve analysis and data gathering and normalization processes, especially when it comes to handling credit risk and figuring out portfolio concentrations and the like. With operational risk, it isn't so much that there are more outliers--by definition there aren't--despite more awareness of the possibility of terrorism here. However, a given firm needs to know how its automation may be vulnerable because IT is so intertwined in all business processes. Meanwhile, those outliers get more press coverage.

What other pressures are out there?

Basel II is still a factor--even though U. …