Wednesday, April 13, 2011

You Get What You Pay For: Building Business Cases for Risk Management Investments

In 1993, I visited a factory in the (recently) former Soviet Union.

On the books, the place had a staff of 5,000 making 10,000 lenses a month. In reality, only about 1,000 turned up on any given day. That was fine with management. See, a few years back, Moscow had some extra budget and they let the factory buy some incredibly cheap used lens polishing machines. This meant that the army of 1,000 human polishers was no longer needed, but since nobody "up the chain" cared, the management just kept these folks on the payroll. It made the operation look bigger on paper, and therefore they got a bigger budget from Moscow.

Sadly, they could never get the machines to work quite right, so they kept a few hundred human polishers to "touch up" the lenses before they were shipped. They apparently assumed the machines were good, since they had previously been owned by a well-known Japanese lens manufacturer. In fact, they were heavily used, out-of-date models producing lenses so low in quality the Japanese couldn't sell them at any price point. After installing these machines at the Russian factory, quality went down overall, but was at least consistent, which made managers happy. Nobody at the factory asked if this would help them sell cameras, since their only customer was the Central Government in Moscow. What this intermediary did with the cameras afterward was not their problem.

Until the Soviet Union collapsed.

Their first question to my group was: Who will buy these lenses which are twice the price and half the quality of the competition?
Answer: Nobody.

Second question was: OK, we learned our lesson. Never again. We want to become state-of-the-art. How? Who will give us the money?
Answer: Fuggedaboutit. By the time you catch up, the competition will have improved again. Nobody bets on a losing horse.

Third question was: If we were to give you the factory and a 3-year supply of aluminum for free, would you at least keep paying our staff of 5,000?

It was a desperate situation, a totally reactive management, and a totally losing business case. After some analysis, my delegation told them to make car antennas with the aluminum and we walked away. Instead, the factory closed, the staff stopped getting paychecks, and the managers became "full-time pension administrators" since pension liabilities were all that was left of the once-bustling company.

Wait, what does this have to do with risk management in financial services?

If we in the Financial Services industry don't want to become "full-time pension administrators" presiding over gutted, non-productive zombie firms, we shouldn't act like Soviet factory managers.

Unfortunately, in certain ways, we do. Look at your organization's decision-making process through the lens of my anecdote. How similar is it? Does the annual budgeting process rule? How are those budgets determined? Then look at your process through a different lens. Imagine your department as a standalone business. Would you turn a profit? Would you be competitive? Would it change the way you spend? Would your customers be satisfied, or would they go elsewhere?

If you don't know the answers, read on...

I don't know the answers either, but here's how I think about the problem when I talk to my clients. Viewed very simplistically, FIs make risk management decisions in response to events and losses, either at their own institution or at a competitor. In other words: they're reactive. They don't want to waste money to manage a risk which is never going to happen. When it comes to incorporating risk management into their business cases, they rarely go much further than the camera factory managers did: "won't happen" or "can't happen here" meaning that their firm is somehow special or smart enough to avoid that risk.

Few organizations bother to invest enough time for a comprehensive cost-benefit analysis (CBA) of internal investment projects. Many managers don't even want a CBA because that would require them to familiarize themselves with each individual investment proposal. They prefer to operate at an overall budgetary level. As long as they have unspent budget and you can win the political fight for money, they'll let you have it.

Just like Moscow did for the camera factory managers. They had to change, and so will FIs.

Structurally (i.e., permanently) smaller margins are already forcing FIs to be more discerning in their investments. Value for money can no longer be taken for granted. CBA is already taking over.

That may leave your head spinning with questions. How can I do a CBA in risk management? What is the "price" of a risk? How would I quantify the benefit of preventing something from happening? All good questions.

Start with what you already know. You can't assess what you can't measure, so make sure your operational metrics are up to the task. Enhance your processes as necessary to have comprehensive and high-confidence numbers on the all-in average cost per type of work item. Make sure this is broken down into roles. Investigators' time is important, but don't forget about their team leaders and managers, the QA review team, the auditors, the analytical team, etc. Make sure your per-item metrics add up to 100% of your total labor costs for the function or department.

Layer on technology costs, not by vendor or by solution, but by investigative work item. How much does it cost, all-in, to get an AML alert? Or a card fraud alert? Again, this has to add up to 100% of your spend on technology. Often, shared technology costs are tough to measure, so work with your technology partners to really understand your use of those shared pieces as a percentage of the whole.

If, due to your company's budget allocation methodology, your department gets some or all technology services for "free," don't think you're off the hook.

Those services are paid for by someone, somewhere. Find out who. Get them on board. They also need to think in terms of business cases. If you can reach across organizational boundaries and collaborate with other departments to reduce overall IT costs, you're likely to appear on the promotion radar at high levels of the organization. Senior managers view this type of behavior as alchemy and tend to reward it well.
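The cost side described above can be sketched as a small allocation model. This is an added example, not part of the original post: every figure, role name, system name and function name is constructed for illustration, and the shared case-management system stands in for a service the department gets for "free." The model refuses to produce per-item costs unless labor and technology spend are 100% allocated.

```python
from fractions import Fraction

# Constructed figures. Each pool: (annual cost, % of the pool used per work item type).
LABOR = {
    "investigators": (1_200_000, {"aml_alert": 60, "card_fraud_alert": 40}),
    "team_leads":    (300_000,   {"aml_alert": 50, "card_fraud_alert": 50}),
    "qa_review":     (200_000,   {"aml_alert": 70, "card_fraud_alert": 30}),
}
TECH = {
    "aml_monitoring":   (400_000, {"aml_alert": 100}),
    "fraud_scoring":    (500_000, {"card_fraud_alert": 100}),
    # "Free" to this department, but paid from another budget; still allocated.
    "shared_case_mgmt": (250_000, {"aml_alert": 40, "card_fraud_alert": 60}),
}
VOLUME = {"aml_alert": 20_000, "card_fraud_alert": 200_000}  # items handled per year


def allocate(pools):
    """Spread every cost pool across work item types by percentage share."""
    totals = {}
    for name, (cost, shares) in pools.items():
        covered = sum(shares.values())
        if covered != 100:
            raise ValueError(f"{name}: shares cover {covered}% of cost, not 100%")
        for item, pct in shares.items():
            totals[item] = totals.get(item, 0) + Fraction(cost * pct, 100)
    return totals


def unit_costs(labor, tech, volume):
    """Return all-in cost per work item, reconciled against total spend."""
    lab, tec = allocate(labor), allocate(tech)
    spend = sum(cost for cost, _ in list(labor.values()) + list(tech.values()))
    report, allocated = {}, 0
    for item, count in volume.items():
        total = lab.get(item, 0) + tec.get(item, 0)
        allocated += total
        report[item] = {"labor": int(lab.get(item, 0)), "tech": int(tec.get(item, 0)),
                        "all_in_per_item": round(float(total / count), 2)}
    if allocated != spend:  # cost landed on an item type with no volume figure
        raise ValueError(f"allocated {allocated} of {spend}; metrics do not reconcile")
    return report


if __name__ == "__main__":
    for item, row in unit_costs(LABOR, TECH, VOLUME).items():
        print(item, row)
```

With these constructed inputs, the shared system adds 100,000 to the AML alert cost base even though it never appears on the department's own budget.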

Now look at your impact on the institution's profitability. What business do you stop/prevent? What business do you monitor? What business is outside your scope? For each of those categories, what are the historical losses and recoveries?

Similarly, look at customer impact. What is the current attrition/retention rate of business? Talk to customers to find out why. Collaborate with your lines of business to assess customer satisfaction, especially among those who are "touched" by your group. On the fraud side, find out how many defrauded customers leave the institution within 6 months. How happy are they with your handling of their fraud event? On the AML side, the "customer" might be a regulator. Find out what their risk assessments say. What are they concerned about? What kinds of fines or orders are they hitting competitors with?

Get your statistical gurus to slice and dice the results and find differences. The end of this effort should be a "marginal contribution to profitability" percentage.

In other words, how many basis points do your activities add to (or remove from) overall profitability of each line of business?

Benchmark these stats against industry (or at least peer) numbers. Analyst reports and consulting firms are good at helping with this cross-industry view.

By following a framework like the one described here, the "benefit" side of the CBA can be fully understood. The initial effort might be high, but this work is reusable for every subsequent CBA. Individual metrics might change, but the overall benefit-assessment framework will not.