New threats, old foibles prompt banks to switch GRC vendors

Op Risk Benchmarking: more than half of participants are reviewing or switching systems

Tablet

Switching from one software vendor to another can be painful. It can also be unavoidable.

More than half of the participants in a new Risk.net survey are now either considering that wrench – or living through it – for their governance, risk and compliance (GRC) systems.

The reasons vary. In one case, a bank chose to upgrade from an in-house system because of the changing nature of the information security (infosec) threats it faces.

“Due to geopolitical tensions, more and more, you need to evolve to meet the threat with more metrics and more risk documentation – you need to have better GRC to work,” says a senior risk and cyber manager at one European bank. “I don’t think it’s that people are immature: I think the world is evolving, and we need to keep up.”

In another case, one bank reports pushing the business to shoulder more risk management responsibility, so is switching to a system that is easier for front-line staff to use. There are also complaints of being let down by an incumbent provider.

The findings are part of the second round of Risk.net’s Op Risk Benchmarking service, which will be published over the next couple of weeks. After data on op risk management at the largest global banks was published in July’s first round, the new batch of data comes from 12 somewhat smaller banks – mostly regional and domestic players (jump to box: Mini-methodology).

The list of participants is diverse, crossing five continents and taking in sizeable global markets banks alongside High Street lenders, regional commercial banking champions and one development bank. One trait they have in common is a surprising willingness to review and change the GRC vendors they are using – although policies and actions vary by risk type.

For information security, half of the banks review vendor provision at least annually, potentially reflecting the rapidly mutating nature of these threats – it may be easier for a vendor to fall behind the curve here (see figure below). Two banks are planning to increase spending, one on its incumbent vendor – IBM OpenPages – in order to use it more widely across other risk types.

 

Another firm benefiting from the winds of change is MetricStream, which was chosen as the replacement vendor by two banks that are cutting ties with their current providers. One of these banks will apply the new system to infosec; the other, to both infosec and execution and process errors.

For execution and process risk, incumbent vendors can rest a little easier. Only three banks review provision annually, and all appear happy with their existing systems – one bank is planning to increase spend with its current vendor – although another bank admits its solution still “requires development” (see figure below).

 

The two banks in the process of switching to MetricStream are very different animals in terms of business mix and risk profiles. For one of them, the decision to switch was driven by its attempts to push more responsibility for risk ownership down to first-line business units, including a drive to capture more risk data. The user-friendliness of its outgoing system was a barrier to progress.

“We received a lot of feedback from the business units that the current system is not that user-friendly,” says a senior op risk manager at the firm. “Also, there were lots of promises on the reporting side – but we never got to where we really expected. We want the business units to use the system more, and to take the lead on preparing the risk and control matrix – but when they say the system is not user-friendly, then it's hard to impose that.”

 

There are pros and cons to any change, though. This bank admits some risk aggregation functionality, which rests on legacy data and algorithmic processes, could be lost in the switch. “If we lose that data, then it could hamper some of that capability. So the data migration is important,” they add.

The other bank switching to MetricStream also notes that stripping out an incumbent vendor is hard – from both the technological and human points of view.

“We customised the previous tool so much to our framework – things that people are already used to for several years – and now they have to get used to the new tool. Having those two changes at once is a challenge,” says an op risk manager at the firm.

 

Given the complexity banks face when moving from one system to another, some risk managers are surprised their peers review providers so regularly: “If you look at the efforts we have to put in to switch, [reviewing] annually is quite funny.”

Other factors may be at play when banks review their vendors. The head of op risk at one G-Sib who took part in the first round of benchmarking work noted that he frequently invites pitches from vendors that the bank has no intention of engaging, largely to glean information on which providers his peers are buying, and how they are integrating them.

 

Mini-methodology

Risk.net’s Top 10 Op Risks help track – and set – the risk agenda at many institutions.

For the first time this year, we broke the responses into four cohorts – G-Sibs, banks, financial market infrastructures and asset managers & insurers – creating a separate top five list for each. We then engaged in detailed follow-up surveys for each cohort about how they manage the five risks selected by their peer group, from staffing to technology, from modelling to reporting.

The Op Risk Benchmarking service is built on the findings of those surveys. We hope the information will be helpful to a discipline that has grown up rapidly in the past decade, but often lacks clear standards and best practices.

The full dataset is only available to participants in the exercise. Subscribers have access to selected highlights and commentary.

More details on our Op Risk Benchmarking can be found here. Please send any questions or comments, and if you want to participate in the next round, let us know: ORMBenchmarking@risk.net

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Most read articles loading...

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here