Risky Business

The dust may have settled on Scotland’s independence battle, but its destabilising nature offers a key lesson to Australia’s financial system. Robin Christie reports.

Speaking at this year’s AB+F Chief Risk Officer Panel Discussion in Sydney, sponsored by SAS and hosted by SAS director, financial services, Paul Franks, Macquarie Group chief risk officer Stephen Allen pointed to the Scottish referendum as a timely reminder that financial institutions don’t have to stick around when the going gets tough. “Lloyds, RBS and Clydesdale have all come out and said that if the Scots leave they’re going to move their head offices,” he said at the pre-referendum event. “Financial institutions can move, we all know that. We want to do things to make Australia a strong place to run a global business.” The message was loud and clear: Australia is a growing financial services hub, but it must foster a competitive environment to ensure financial institutions don’t move elsewhere. To that end, he urged the financial system inquiry to focus on ensuring Australia competes on the global stage. But a competitive environment that becomes too intense can have risky effects on human behaviour, explained Bank of Queensland chief risk officer Peter Deans.

In the retail space, for example, which Deans believes is as competitive as it’s been for 10 years, he noted that the “trench warfare” that’s taking place over every loan is something to keep an eye on. “I think you start to get some of the behaviours – and I won’t single out whether it’s mobile bankers, or mortgage brokers, or perhaps even corporate employees – they start to think about crossing lines from the reputation perspective and responsible lending perspective,” he said. Picking up on this theme, CUA chief risk officer Scott North added that a strong organisational risk culture is key. “How can we ensure we’ve got the right behaviours, the right culture all the way through the organisation?” he asked. Human beings make mistakes, and for North it’s really important to use these incidents to reinforce the more desirable behaviours. Educating front-line employees about their own risk management duties is also vital.

Data sovereignty

With cloud computing becoming a part of daily life for consumers and financial institutions alike, data sovereignty was another point of discussion. For Deans, simply keeping up with the changing risks that new technologies create is a major challenge. “If you go back 10 years ago everyone just had core banking systems all hosted in one spot,” he said. “But now, whether it’s operating in different countries or even within one country, there are just so many different variations on what you can do.” In terms of managing data sovereignty, he suggested that best practice involves making sure that data is stored onshore. He recommended conducting a cloud audit to find out which sectors of the business use cloud solutions, what software they’re using, and where the data is stored. “The cloud is on the ground somewhere, you just need to go and find where that is,” he said. Based on his experience with CUA’s recent core system change, North added that adopting new technologies isn’t just about managing technological risks, it’s also about managing people. And embedding risk management into the change process is crucial. “We actually got someone dedicated to ‘risk in change’,” he said, noting that part of their role was to identify risks that were “going to end up on the laps of people the day it went live”.

For Allen, who’s playing a role in the early stages of Macquarie’s core banking replacement, satisfying each stakeholder is a big challenge. “You’ve got people in your organisation who you’ve got to get on the same page,” he said. “But then you’ve got to go to regulators around the world.” With physical and cloud-based operations coming under various different jurisdictions, there are numerous regulations the project needs to align with. And that’s before privacy laws come into play. “In the US, you have regulations that are 10 years old, but the IT world’s moved faster than that, so then even to interpret what they mean is a challenge,” he said.

Combatting cyber crime

The fast pace of IT developments doesn’t just create compliance headaches, it also feeds a more sinister threat: cyber crime. But Australian Securities Exchange (ASX) chief risk officer Alan Bardwell explained that some simple strategies can be put in place on this front. His team uses the Australian Department of Defence Intelligence and Security’s top 35 cyber intrusion mitigation strategies as something of a security bible, with a particular focus on the top four tips, which the Department says can prevent at least 85 per cent of targeted cyber intrusions:

  • Use application “white-listing” to help prevent malicious software and unapproved programs from running.
  • Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.
  • Patch operating system vulnerabilities.
  • Restrict administrative privileges to operating systems and applications based on user duties.

As well as following government guidelines, Bardwell explained that having a team of cyber crime specialists on board is vital. Governance practices, too, are involved. For Bardwell, there can’t be transparency and a clear understanding of how to manage the threat, as well as approval of an adequate cyber crime budget, unless senior management, executives and board members are engaged and informed. “So we’ve got a very senior security steering committee,” he said, adding that reporting and transparency all the way through to the audit risk committee are also vital. This is because they need to know exactly what the organisation’s cyber crime vulnerabilities are, understand what the cyber security team are doing and, importantly, “give us the dollars to invest to continually be upgrading”. North picked up on the continuing upgrade theme, noting that hackers don’t work on the same six to 12 month IT change cycles that banks do. “The way that cyber crime is evolving is so rapid,” he said. “They can make changes in a matter of moments”. With this information being shared globally, he noted that it’s vital for the finance industry to continue the cyber crime dialogue, and for each institution to invest both in technology and education. “A lot of the frauds we do see in financial services actually start with some compromise, either at a branch, a call centre or some sort of relationship or engagement with a customer,” he said. “That customer may actually fall into the trap of some phishing campaign, and that’s because they’re not made aware of what they’re doing and the consequences of it.” Part of this education push should involve making sure that all staff members are aware of the correct processes for weeding out fraudulent behaviour, explained Deans.

He used a couple of examples from his own institution as cases in point, where fraudsters hacked into customers’ email accounts to enact overseas transfers. Thankfully neither instance involved huge sums of money, but they highlighted the importance of setting effective anti-fraud policies – and making sure that staff follow them. “The bad guys had just got into a Yahoo or Hotmail account, the same one that the customer’s been using for five years. Same normal passage of instructions, just a different bank account,” he said. “Both instances were overseas, and our staff haven’t followed the right procedures.” He was encouraged to hear cyber crime advisers at the US Federal Reserve and Bank of England explain at a recent event that “if you can just get the hygiene sorted out you’ve probably got a fighting chance”. “It’s all around penetration testing, and what I think are basics that a lot of organisations don’t do,” he added. “We’ve gone through a clean-up in the last 12 months with things like cleaning out applications.” These applications and technological advancements have made internet and mobile banking more accessible to customers in recent years, but they’ve also opened up new avenues for hackers to exploit, which is why it’s as important as ever for the industry to work collaboratively to combat cyber crime. Bardwell explained that the World Federation of Exchanges has a subcommittee on cyber crime, for example, and, as his cyber security specialist puts it, “one thing we don’t compete on is security”. “There should be an open discussion around security, because you’ve all got a vested interest,” he said.

Managing portfolio risk

No chief risk officer discussion is complete without some reference to portfolio risk and the global financial crisis. Finance professionals are all too familiar with the story of toxic collateralised debt obligations contributing to the GFC, and the panel were asked how to avoid going down a similar path. Allen cut through the talk of risky financial instruments and aggregation models to identify the GFC’s root cause. “Too many people lent too much money to too many people who couldn’t repay it,” he said, adding that the people behind each transaction must follow “banking 101” rules, such as identifying and monitoring good deals, and putting adequate covenants in place. But this doesn’t mean that Macquarie doesn’t run thousands of stress tests on its portfolios each day, and Allen also highlighted “worst case contingent law” as a core principle. Before every deal it’s vital to ask “how bad could it be,” he explained. If the answer to that question isn’t satisfactory, then walk away. Deans added that while it’s obviously vital to invest in portfolio management and stress testing, it’s also important to take a more bespoke approach when it comes to larger exposures. This includes looking carefully at who you’re exposed to, and being aware of clusters within the portfolio, such as private equity infrastructure, for example.

Noting that portfolio modelling may not be able to pick up on these nuances, he said that “you have to have an investment in technology and people, but at the same time good portfolio management is actually taking a bit of a higher level view”. Stress testing makes sure that your institution has enough capital to weather severe longer term downturns, he explained. But when it comes to optimising performance, or avoiding profit or impairment hits, a mixture of analytics, technology, people and traditional credit techniques are required. And don’t forget to focus on the fundamentals and produce a sound risk appetite statement, said North. “At the end of the day that’s owned by the board and then executed by management,” he said. “A well-articulated and managed risk appetite statement that is used and embedded in what you do in your strategic decision making is critical and fundamental to portfolio management.” Bardwell provided an interesting view from a securities exchange perspective. He explained that despite the ASX already being quite a diversified business, “from a pure portfolio top level enterprise view, trying to be diversified and continuing down that path is important”.

Ultimately, however, what his team is really worried about is making sure that they have enough capital and liquidity to survive if the “big guy goes bust”, or even if the top two ASX companies collapse simultaneously. These are very high standards, he explained, but that’s what you’d expect of a securities exchange. Meanwhile, exchanges are moving towards sophisticated risk management methods, such as real time risk management and optimal portfolio risk management. “We’re catching up with the banking world in terms of the competitive regime that’s been in banking for many years,” he said.
Robin Christie
Article Posted:
October 01, 2014
