Despite having access to IT tools such as analytic applications to flag incident exceptions, the financial industry and its regulators were challenged by various technical and other issues during the crisis, experts told ZDNet Asia.
Irving Low, head of internal audit, risk and compliance services at KPMG in Singapore, said in an e-mail interview that "disintegrated IT systems" were the reason technology faltered in the face of the economic downturn.
Financial organizations that did not properly integrate their IT systems across their various businesses, and had risk management applications running on different systems, received information that was incomplete for effective risk monitoring and decision-making, Low explained.
Neil Katkov, senior vice president of Celent, a research firm specializing in the financial sector, said such systems failed to look at multiple scenarios--in particular, the crash of the credit default swap (CDS) market that occurred around the subprime mortgage crisis in the United States.
"Each system tended to look at one area. They did not tend to look at a pileup of multiple issues," said Tokyo-based Katkov in a phone interview.
It is essential to implement multiple products and lines of business into the systems, and have these systems collect relevant information across the organization, he said. "Firms that don't have that yet should get that done," he urged.
Intervention of humans
Another reason for the current financial crunch, Katkov said, involved the "human decision" factor.
"Simply put, you can have all the technology and models in place, but if the company [still] decides that [a risky undertaking] is a business it wants to be in, it will determine that this is acceptable and continue to do that business," he said.
Low described this as a lack of balance between risk appetite and risk control.
"The thresholds set for the red flags may not necessarily reflect the actual risk appetite, and as such, decision-making or escalation of a 'red flag' incident is often delayed," he explained. "High-risk behavior may then be allowed to proceed unhindered."
Katkov noted that before the crisis erupted, there was a boom in the financial markets, during which "people do not tend to put on the brakes, [choosing instead to] go along with the good times".
According to Low, when financial institutions implement their IT strategy for risk management, they should also consider a more holistic and integrated approach. For example, they could leverage existing IT functionalities to integrate fragmented governance, risk and compliance programs.
"In the process, they would be strengthening their internal control structures," he said.
He suggested that financial organizations also embed controls into their day-to-day financial, operational and regulatory processes, using available governance, risk and compliance systems.
"This enables the continuous monitoring of risk using alerts generated from pre-determined business rules," Low said.
With IT playing a greater part in risk management, IT professionals should also demonstrate an understanding of the peculiarities and unique needs of their companies and the industry. This way, they can better advise business users how to optimize existing IT risk management capabilities, Low said.
"They should show an appreciation for the underlying business policies, rules and risk management and business frameworks, such as how Basel II can be supported by IT."
But while Katkov agreed a conceptual understanding of what is needed in risk management would go a long way for IT to support financial risk management, he noted that risk modeling is a very "deep and technical field".
"So it would be unreasonable to expect IT professionals to know the ins-and-outs of everything," he said.
Instead, he noted that since the IT department will be responsible for implementing an enterprise-wide system, a business analyst can work with IT to provide insights into the business requirements for the IT systems.
"It needs to start with a risk management division that realigns its risk management approach, including which products to monitor and what type of risk models to adopt," Katkov said. "That will then have implications for the types of systems or data integration that needs to be in place."