New threats, old foibles prompt banks to switch GRC vendors
Op Risk Benchmarking: more than half of participants are reviewing or switching systems
Switching from one software vendor to another can be painful. It can also be unavoidable.
More than half of the participants in a new Risk.net (a sibling publication of WatersTechnology) survey are now either considering that wrench – or living through it – for their governance, risk and compliance (GRC) systems.
The reasons vary. In one case, a bank chose to upgrade from an in-house system because of the changing nature of the information security (infosec) threats it faces.
“Due to geopolitical tensions, more and more, you need to evolve to meet the threat with more metrics and more risk documentation – you need to have better GRC to work,” says a senior risk and cyber manager at one European bank. “I don’t think it’s that people are immature: I think the world is evolving, and we need to keep up.”
In another case, one bank reports pushing the business to shoulder more risk management responsibility, so is switching to a system that is easier for front-line staff to use. There are also complaints of being let down by an incumbent provider.
The findings are part of the second round of Risk.net’s Op Risk Benchmarking service, which will be published over the next couple of weeks. After data on op risk management at the largest global banks was published in July’s first round, the new batch of data comes from 12 somewhat smaller banks – mostly regional and domestic players (jump to box: Mini-methodology).
The list of participants is diverse, crossing five continents and taking in sizeable global markets banks alongside High Street lenders, regional commercial banking champions and one development bank. One trait they have in common is a surprising willingness to review and change the GRC vendors they are using – although policies and actions vary by risk type.
For information security, half of the banks review vendor provision at least annually, potentially reflecting the rapidly mutating nature of these threats – it may be easier for a vendor to fall behind the curve here (see figure below). Two banks are planning to increase spending, one on its incumbent vendor – IBM OpenPages – in order to use it more widely across other risk types.
Another firm benefiting from the winds of change is MetricStream, which was chosen as the replacement vendor by two banks that are cutting ties with their current providers. One of these banks will apply the new system to infosec; the other, to both infosec and execution and process errors.
For execution and process risk, incumbent vendors can rest a little easier. Only three banks review provision annually, and all appear happy with their existing systems – one bank is planning to increase spend with its current vendor – although another bank admits its solution still “requires development” (see figure below).
The two banks in the process of switching to MetricStream are very different animals in terms of business mix and risk profiles. For one of them, the decision to switch was driven by its attempts to push more responsibility for risk ownership down to first-line business units, including a drive to capture more risk data. The user-friendliness of its outgoing system was a barrier to progress.
“We received a lot of feedback from the business units that the current system is not that user-friendly,” says a senior op risk manager at the firm. “Also, there were lots of promises on the reporting side – but we never got to where we really expected. We want the business units to use the system more, and to take the lead on preparing the risk and control matrix – but when they say the system is not user-friendly, then it’s hard to impose that.”
There are pros and cons to any change, though. This bank admits some risk aggregation functionality, which rests on legacy data and algorithmic processes, could be lost in the switch. “If we lose that data, then it could hamper some of that capability. So the data migration is important,” they add.
The other bank switching to MetricStream also notes that stripping out an incumbent vendor is hard – from both the technological and human points of view.
“We customised the previous tool so much to our framework – things that people are already used to for several years – and now they have to get used to the new tool. Having those two changes at once is a challenge,” says an op risk manager at the firm.
Given the complexity banks face when moving from one system to another, some risk managers are surprised their peers review providers so regularly: “If you look at the efforts we have to put in to switch, [reviewing] annually is quite funny.”
Other factors may be at play when banks review their vendors. The head of op risk at one G-Sib who took part in the first round of benchmarking work noted that he frequently invites pitches from vendors that the bank has no intention of engaging, largely to glean information on which providers his peers are buying, and how they are integrating them.
Mini-methodology
Risk.net’s Top 10 Op Risks helps track – and set – the risk agenda at many institutions.
For the first time this year, we broke the responses into four cohorts – G-Sibs, banks, financial market infrastructures and asset managers & insurers – creating a separate top five list for each. We then engaged in detailed follow-up surveys for each cohort about how they manage the five risks selected by their peer group, from staffing to technology, from modelling to reporting.
The Op Risk Benchmarking service is built on the findings of those surveys. We hope the information will be helpful to a discipline that has grown up rapidly in the past decade, but often lacks clear standards and best practices.
The full dataset is only available to participants in the exercise. Subscribers have access to selected highlights and commentary.
More details on our Op Risk Benchmarking can be found here. Please send any questions or comments, and if you want to participate in the next round, let us know: ORMBenchmarking@risk.net
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@waterstechnology.com
More on Trading Tech
For MarketAxess, portfolio trading buoys flat revenue in Q3
The vendor is betting on new platforms like X-Pro and Adaptive Auto-X, which helped forge a record quarter for platform usage.
Quants look to language models to predict market impact
Oxford-Man Institute says LLM-type engine that ‘reads’ order-book messages could help improve execution
JP Morgan pulls plug on deep learning model for FX algos
The bank has turned to less complex models that are easier to explain to clients.
Nasdaq says SaaS business now makes up 37% of revenues
The exchange operator’s Q3 earnings bring the Adenza and Verafin acquisitions center stage.
Harnessing generative AI to address security settlement challenges
A new paper from IBM researchers explores settlement challenges and looks at how generative AI can, among other things, identify the underlying cause of an issue and rectify the errors.
The causal AI wave could be the next to hit
As LLMs and generative AI grab headlines, another AI subset is gaining ground—and it might solve what generative AI can’t.
Waters Wrap: Operational efficiency and managed services—a stronger connection
As cloud, AI, open-source, APIs and other technologies evolve, Anthony says the choice to buy or build is rapidly evolving for chief operating officers, too.
BlackRock forecasts return to fixed income amid efforts to electronify market
The world's largest asset manager expects bond markets to make headway once rates settle.