Thoughts

A Capco point of view

Enterprise friction
The mandate for risk management
2
Enterprise friction
The mandate for risk management
By Sandeep Vishnu, Capco Partner
In this report, we explore the new — and heightened — role that risk management now plays in
operating a successful business in today’s economy and provide specific steps for defining and
implementing effective risk management programs.
Supporting enterprise friction in a
risk management strategy
In today’s battered economy, few are willing to put
in place anything that might meddle with earnings
potential. Even fewer are willing to spend money on
something that may offer only a theoretical return
on investment. Behind the polite but forced smiles
and handshakes from executives, there is a silent
accusation: Risk management dampens revenue and
puts brakes on innovation. This is a challenge faced
by risk managers as they try to put in place structures
to guard against losses.
But risk management isn’t about playing it safe;
it’s about playing it smart. It’s about minimizing,
monitoring and controlling the likelihood and/or
fallout of unfavorable events caused by unpredictable
financial markets, legal liabilities, project failures,
accidents, security snafus — even terrorist attacks
and natural disasters. There’s always risk in business,
and risk management should be designed to help
companies navigate the terrain.
Sure, risk management may at times call on
companies to pull back on the reins, and it certainly
isn’t free. However, risk management provides a
counterpoint to enterprise opportunity — friction, if
you will — that not only avoids unnecessary losses,
but enhances the ability of organizations to respond
effectively to the threats and vulnerabilities to which
they are exposed in the course of business.
Friction is a much-maligned term. The connotations
are more often negative than positive: a retarding
effect, in-fighting, etc. Even in physics, it is
characterized as a necessary evil. The fact that friction
allows us to walk properly is often overlooked. One
can understand the importance of friction simply by
3
trying to walk on ice, where the absence of friction
causes one to slip and slide. By contrast, high friction
makes walking on wet sand inordinately difficult.
Imagine Michael Jordan without his Nikes. One
might argue that a stockinged Jordan might be less
encumbered with the extra weight and trappings of
footwear. But few could argue that he would have
been as effective on the polished court that was his
field of operations.
Achieving a proper balance of risk in strategic
planning and operations for the enterprise is critical —
especially in today’s environment, when resilience and
agility in the face of uncertainty are as important as
the effective use of identified variables.
Now, even more than before, the goal of enterprise
risk management is to define and deliver the right level
of friction, because getting this calibration exactly
right can help improve enterprise agility. Too little
friction, and a company could slip into dangerous
scenarios; too much friction, and a company could
just get stuck. Getting this right can not only drive
corrective measures, but can also serve as an
effective counterbalance.
To create that necessary, well-balanced friction,
companies need to take some fundamental steps.
In this report, we’ll examine the three cornerstones
of robust risk management — cornerstones that will
help win over the naysayers and more importantly,
ensure that companies have the most-efficient risk
management programs in place. But for this to work,
we at Capco believe that:
• Companies will need to change their view of risk
management as a necessary evil, and elevate
the role of this critical function within their
 organizations. Risk should have a strong voice at
the management table, and risk mitigation should
be given as much importance as risk taking.
• Executives will need to design a new blueprint
for strategic management that integrates risk
management into every critical element of the
enterprise and thereby drives a risk-sensitive culture.
• Organizations will have to buttress the risk
management infrastructures they already have in
place, including, data, analytics and reporting
History lessons: extending the time
horizon of risk management
One of the toughest issues associated with
implementing an effective risk management program
revolves around effectively funding the efforts. The
challenge often boils down to cost versus benefit.
In the months and years that led to the housing
market and mortgage meltdown, credit crisis and
subsequent recession, companies paid less attention
to risk management mainly because times were so
good for so long. Typically, managing risks was not an
embedded element in critical business processes; it
was a bolt-on activity.
Consider a 2007 global risk information management
survey conducted by OpRisk & Compliance
magazine1. Although a majority of respondents said
they were at least somewhat effective in providing the
right information to the right people at the right time
to meet the organization’s business requirements, the
survey indicated that many felt the information they
had was not being used effectively to create a risk
4
management culture within their organizations. That
same survey also illuminated the ever-present ROI
hurdle. Only 9 percent of respondents said their firms
were able to trace the ROI of information management
initiatives designed to capture and manage vital
corporate data.
The biggest problem with risk management is in
the establishment of its ROI. Risk management is
primarily about loss avoidance, and it is difficult
to measure what’s been avoided and thus hasn’t
occurred. Efficiency and effectiveness metrics are
often dwarfed by the magnitude of loss avoidance;
however, while the former can be measured, the latter
are estimated.
Executives are often heard saying, “We haven’t faced
a serious problem; why are we spending this much
money?” It’s a classic Catch-22.
The ROI problem is compounded by the fact that
risk management can sometimes act as a retardant
to growth. Anything — especially the cost to fund an
initiative with fuzzy ROI metrics or threaten a company’s
profit margin — is definitely going to be suspect.
We suggest that firms refrain from looking at risk
management costs within quarterly financial reports time
frames. Analysis of risk management’s return needs to
be considered over much longer time horizons.
Sometimes retardants are necessary for growth. With
20/20 hindsight, many contend that Wall Street should
have invested more strategically in risk management
practices and infrastructure. If risk profiles had been
based on a 30-year historical record rather than
the standard 100year window, a fair number of the
subprime and adjustable rate mortgage (ARM) loans
processed during the housing bubble and in the years
leading up to the recession would have been seen
While longer-term views are desirable for assessments, ROI calculations, etc.,
sometimes they are hard to achieve. Consequently, enterprises should try
to embed risk management in all “risk-taking” activities and ultimately drive a
risk-sensitive culture.
more clearly for what they became — toxic assets
that damaged the health of the financial industry and
ultimately the entire U.S. economy.
In all likelihood, many on Wall Street probably knew
intuitively the risks they were taking; they just chose
to make a management decision that the risk was
acceptable because the top line return was so
attractive. We wouldn’t call it willful negligence, but
we do believe it was a measured decision recognizing
that the benefit of the upside potentially outweighed
the likelihood of the downside. Of course, we doubt
anybody suspected that the downside would turn
out to be as severe as it has been. This phenomenon
is exacerbated when dealing with new products and
structures (e.g., collateralized debt obligations (CDO),
mortgage backed securities (MBS), which do not have
the same experiential basis as traditional products
such as fixed-rate mortgages.
While longer-term views are desirable for
assessments, ROI calculations, etc., sometimes
they are hard to achieve. Consequently, enterprises
should try to embed risk management in all “risk-
taking” activities and ultimately drive a risk-sensitive
culture. This can be facilitated by the increased use
of risk-sensitive measures such as risk-adjusted
return on capital (RAROC), economic value added
(EVA), shareholder value added (SVA), etc. For
example, within investment banks this would mean
that the desk heads are not just responsible for P&L,
but also for the amount of capital used to generate
that P&L. Extending this sentiment further, incentive
compensation can also be based on RAROC or
similar metrics. These metrics allow for a degree
of normalization across the enterprise and allow
the board and senior management to determine
investment strategy and consistently evaluate returns.
If such metrics and management approaches gain
5
broad support, then markets would begin assessing
enterprise performance through risk-adjusted
measures in addition to traditional top-line and
bottom-line metrics. Regulatory standardization and
public availability of such information has greater
potential to drive a shift toward sustainable growth
versus short-term results.
Fast forward to today, and risk management is still
receiving short shrift because so many companies are
scrambling to make ends meet. Few feel they have
the financial resources or time to finance and bolster
existing risk management practices. It is once again a
Catch-22 situation:
•W
 hen times are good, people don’t want to pay
attention to risk management because they’re too
busy counting their money.
• When
 times are bad, people don’t want to pay too
much attention to risk management because they’re
already incurring losses, and they don’t want to
spend more money.
In the end, risk management gets only lip service. That
needs to change.
Striking a balance
Enlightened enterprises promote creative tension
between strategy and risk management, and put in
place a set of checks and balances to guard against
the exploitation of short-term opportunities at the
expense of long-term viability. Failure to strike this
balance can have devastating consequences, as
evidenced by Countrywide’s demise in 2009. In 2005,
The interplay between formal structures and informal networks is important
because this allows risk managers to compensate for shortcomings in one by
using the other.
it was the largest mortgage originator; however, 19
percent of its loans were option ARMs, and of those,
91 percent had low documentation.
More specifically, strategic considerations and risk
assessments need to be made in tandem. There
must be a dynamic — even symbiotic — interaction
between these two perspectives. They should be seen
as two sides of the same coin — like the classic yin
yang balance principle.
To effectively integrate risk considerations into the critical
strategic decision-making processes, organizations
should incorporate the following principles into every
aspect of their management philosophy.
Promote a culture of resilience
Executives may well consider revisiting many of the
major pillars of their organization and refine critical
processes by integrating risk considerations into their
enterprise architecture. Resilience and agility should
be primary goals of such efforts and should address
foundational elements such as data, as well as
derived capabilities, including analytics, and feedback
loops driven through reporting.
Often organizations conduct risk assessments as
a bolt-on activity. But organizations that integrate
resilience (and risk management in general) into their
culture in a granular manner stand a better chance of
not only mitigating risks more effectively — but also
more cost efficiently.
The agile software development process adopted
by high-tech organizations has demonstrated that
6
integrating quality assurance into the development
process results in both higher-quality and less-
expensive final products. Checking for mistakes “after
the fact” is almost always more expensive.
Robust enterprise risk management (ERM) needs to
leverage formal structures — data, processes and
technology used for creating, storing, sharing and
analyzing information — as well as informal networks
represented by the communication and relationships
both within and outside the risk management
organization. Informal networks have repeatedly shown
their usefulness in identifying and mitigating fraud, and
often provide early warnings of potential tail events.
The interplay between formal structures and informal
networks is important because this allows risk
managers to compensate for shortcomings in one by
using the other. But this requires the right culture to
be in place: one that encourages staff to ask tough
questions without fear of being seen as inhibitors to
growth — risk identification should not have punitive
consequences. A culture of appropriately calibrated
enterprise friction should be fostered. Doing this would
allow critical elements of the organization to accelerate
their pursuit of opportunities while knowing that they
have the perspective — and operational ability — to
slow down, accelerate or change course because of an
appropriate sensitivity to key risk parameters.
Compensation is — and always has been — a key
lever in determining the nature of a corporate culture.
Culture depends heavily on incentives, which today are
often skewed toward rewarding upside benefits and not
necessarily avoiding downside losses. Compensation
practices need to become more risk-sensitive, so that
they reward long-term value creation and not just short-
term gains. Risk mitigation should be as important as
risk-taking to drive the appropriate culture.
Figure 1. Enterprise Risk & Performance Strategy Figure 2. Informal Networks fill gaps left by
should function like the Yin-Yang balance principle. formal structures

governance

reporting

analytics

data

resilience

Figure 3. Risk management components

for enterprise resilience

7
Data as a foundation for
risk management
There is a growing consensus among risk managers
across industries — from government, to financial
services, to manufacturing and health care — that
the data upon which key organizational decisions are
made represent the foundational layer for enterprise
risk management (ERM).
Bad data can have an immediate and negative impact
at any point of the organization, but the downstream
impacts of bad data can snowball out of control.
Some data challenges, such as completeness
and timeliness, are harder to overcome than
others. However, incorporating a risk management
perspective on the design of a robust data model
can help reduce inconsistency and inaccuracy, and
drive overall efficiency. This can help address the
challenges that result from the fact that data often
exists in silos, making it difficult to get an accurate
view of a related set of information across these silos.
Wachovia’s write-down of the Golden West financial
portfolio, which stemmed largely from overreliance
on poor data, offers an example of disproportionate
emphasis being placed on valuations rather than on
borrower income and assets.
Another challenge relates to inconsistent labels, which
make it hard to match customers to key metrics over a
common information life cycle. Different technological
platforms (which help create the silos in the first place)
make aggregation and synthesis challenging. Most
organizations lack a clear enterprisewide owner in
charge of addressing such data quality issues, which
complicates their identification and remediation.
8
Analytical risks
Analytical frameworks help translate data into actionable
information. However, analytics should not just be
simple characterizations of data. They should be timely
and insightful so that analysis can enable appropriate
actions. In the financial services industry, the credit
crisis demonstrated how neglected — or inappropriate
— analytical frameworks prevented organizations
form identifying knowable risks (e.g., flawed model
assumptions) and illustrated why key decision makers
were unable to break through the opacity of others (e.g.,
lack of transparency into the risk of underlying assets
being traded in secondary markets, especially when it
related to second-order derivatives).
All too often, analytical frameworks emerge as
simplistic characterizations of the “real world” that
may not be able to convey a complete risk profile.
This is evidenced by the overreliance on value-at-risk
as a key risk metric in the recent financial crisis. The
dissolution of Lehman Brothers and the near collapse
of AIG offer good examples of the shortcomings of
traditional analytics, which were unable to adequately
account for dramatic increases in leverage,
counterparty risk and capital impacts as markets and
ratings deteriorated.
A strong risk-information architecture is crucial to delivering the right
information to the right audience in a timely manner. It should present salient
information as a snapshot, as well as provide the ability to drill down into
the detail.
Reporting deficiencies
Reporting is a multidimensional concept that does
not necessarily capture the dynamic nature of
information presentation. Typically, reporting has
at least four major stakeholders — two external
(regulators and investors) and two internal (senior
management, including the board of directors, and
line management).
A strong risk-information architecture is crucial to
delivering the right information to the right audience in
a timely manner. It should present salient information
as a snapshot, as well as provide the ability to drill
down into the detail. Well-defined business usage
will help drive overall requirements, while integrated
technology platforms can help deliver the processing
efficiency needed to manage the volumes and
timeliness of information presentation.
Reporting has often been segmented into regulatory
reporting and management reporting, directed
toward specific compliance requirements for the
former and financial statements for the latter. The
financial crisis highlighted the need for organizations
in many industries to develop both ad hoc and
dynamic reporting, which not only meet compliance
requirements, but also — and more importantly
— improve the decision-making process. Many
organizations are coming to the conclusion that
current architectures and infrastructures might not
necessarily facilitate easy achievement of these
requirements. For example, a March 2007 statement
to investors by Bear Stearns represented that only
6 percent of one of its hedge funds was invested
in subprime mortgages. However, subsequent
examination revealed that it was closer to 60 percent.
9
Governance imperatives
Governance has many definitions and flavors, which
span the strategic as well as the tactical. It is probably
simplest to think of governance as the way that
an enterprise steers itself. This involves using key
conceptual principles to define objectives as well as
monitoring the performance of processes to ensure
that objectives are being met.
Reporting, or information presentation, is the
mechanism that enables governance. Governance
relies on this function to provide timely and insightful
information that allows executives to take preventative
and corrective action so that they can avoid imbalance
and tail events. For example, executives from Bear
Stearns and the SEC, which was providing regulatory
oversight, failed to recognize that risk managers at
Bear Stearns had little experience with mortgage-
backed securities, where the greatest risk was
concentrated. Reporting mechanisms were oriented
toward capturing and characterizing transactions
and did not appropriately address competencies and
capabilities, thereby creating a knowledge gap.
Defining and facilitating the integrated management of
different risk types should become a primary activity
for enterprise governance.
Conclusion: where to go from here
Risk management isn’t new; most companies already
have infrastructure in place to help execute their
risk management strategy. The good news is that
companies do not need to scrap what they’ve got.
Instead, firms need to enhance and buttress current
risk management infrastructures to drive the right level
of enterprise friction.
The first order of business an organization needs
to put in place to begin reversing negative attitudes
about risk management is to elevate its role. The
CEO needs to be involved, along with boards of
directors and senior executives across the lines of
business. Senior management needs to define and
then promulgate a shared set of risk management
values across the company. One positive outcome
of the recession is that risk management has greater
executive mindshare, and risk managers need to
capitalize on that.
Specific goals for creating a risk management culture
include:
• Institutionalize risk management. Develop and
articulate an explicit risk management strategy.
Establish roles that reflect the organization’s risk
management model.
• Determine and define who has ownership over risk
management issues and actions, and who will take on
the roles established in the risk management model.
• Nurture a culture of risk awareness and action.
Include risk-based metrics in performance
scorecards and operate a reward system that
balances risk taking with risk mitigation.
10
• Be
 pragmatic. Focus on business needs, such as
compliance and shareholder value. Then, attack
those needs in bite-size portions to demonstrate
success early and often.
In the end, creative tension between strategy and
risk management should be seen as a positive
development in organizations. This helps to ensure
that short-term opportunities are not exploited at
the expense of long-term viability. However, these
strategic considerations and risk assessments should
be made at the same time, ensuring a symbiotic
interaction between these two perspectives.
In summary, three components are critical to
delivering enterprise friction:
•E
 nterprise risk management should have a strong
voice at the management table and should work in
tandem with enterprise strategy across all enterprise
activities.
•F
 ormal risk management structures must be
buttressed across data, analytics, reporting and
governance to help the enterprise achieve the
appropriate level of resilience.
• Informal networks should be encouraged. These
networks can evolve to fill the white space left
uncovered by formal structures.
Footnote
1. www.opriskandcompliance.com
 Sandeep Vishnu is a Partner
in Capco’s Finance, Risk, and
Compliance (FRC) practice with
over 20 years of experience
serving in principal and
management roles in strategy
and technology consulting. His
focus is extensively on enterprise
risk management, financial
analysis, data, risk analytics/
modeling, business intelligence/reporting, compliance,
capital, and operational/control issues. Sandeep has
a broad background in risk management and business
planning/evaluation that includes multi-disciplinary
engagements involving strategy and technology services.
sandeep.vishnu@capco.com

11
 About Capco
Capco, a global business and technology consultancy dedicated solely to the financial services
industry. We work in this sector only. We recognize and understand the opportunities and the
challenges our clients face. We apply focus, insight and determination to consulting, technology
and transformation. We overcome complexity. We remove obstacles. We help our clients realize
their potential for increasing success. The value we create, the insights we contribute and
the skills of our people mean we are more than consultants. We are a true participant
in the industry. Together with our clients we are forming the future of finance. We serve
our clients from offices in leading financial centers across North America and Europe.

Worldwide offices
Amsterdam • Antwerp • Bangalore • Chicago • Frankfurt • Geneva • London
New York • Paris • San Francisco • Toronto • Washington DC • Zürich

To learn more, contact us at +1 877 328 6868 or visit our website at capco.com.

Capco © 2010. All rights reserved. T1003-1210-02-NA