COMMENTARY: Three steps to more resilient risk-management systems – DTCC risk chief

July 23, 2015

By Andrew Gray, Deposit Trust & Clearing Corporation

NEW YORK, July 23, 2015 (Thomson Reuters Regulatory Intelligence) – Of all the changes to global financial markets in recent years, the risk management function has undergone one of the most dramatic transformations in the industry. The discipline is broader, more sophisticated, and more diverse than ever before, encompassing new responsibilities that add operational, systemic, technology, vendor, and physical risk, as well as business continuity management, to the more traditional financial risk categories.

To meet and defend against these new challenges, firms must take certain fundamental steps to gain a more holistic view of the risks they face. 

Driving this change are several factors, including the fallout from the 2008 financial crisis and the accompanying regulatory response, the explosion of technology, the evolution of new trading strategies and financial products, and the growing interconnectedness of global markets. These factors have made the nature of risk increasingly complex and unpredictable. As a result, we now operate in an environment where systemic shocks seem to occur with greater frequency than ever before.

This sentiment was reflected in a recent survey conducted by the Depository Trust & Clearing Corporation (DTCC), where 37 percent of respondents said the probability of a high-impact event in the global financial system has increased during the past six months – up 16 percentage points in just one year. While three quarters of those surveyed said their firms have increased the amount of resources dedicated to identifying, monitoring, and mitigating systemic risks over the past year, 67 percent characterized their company’s ability to identify, assess, and manage these emerging risks as “developing”.

There is no one-size-fits-all approach to evolving the risk management function to meet these new risk challenges, but there are certain fundamental steps that firms can take to gain a more holistic view of the risks they face and strengthen their ability to defend against them.

A ‘systems view’ of risk

First, firms need to reorient how they view the financial system. The continuing globalization of financial markets and the increased interconnections between them mean that firms can no longer be viewed as a set of stand-alone entities. Rather, the modern financial ecosystem has become an adaptive structure with a diverse set of interconnected components through which risk is distributed to the system – and not always in a transparent fashion.

This systems view has many implications for how firms should think about managing risk. For example, participants must have a deeper understanding of the enterprise that extends beyond their own four walls, including other financial institutions and market participants, their clients and vendors, and even vendors of vendors. A case in point is the 2013 cyber breach at Target Corp., where hackers appear to have accessed the retailer’s systems by launching a malware-laced email phishing attack on an HVAC vendor that contracted with them.

At DTCC, incidents like these and many others have helped shape our thinking on ways to enhance our own risk management practices. We have materially enhanced our own capabilities by using interconnected analyses to better understand the risks posed by the key entities we are connected to or reliant upon for critical services, such as settlement banks, clearing banks, and other financial entities.

Building resilience

The second action firms can take to strengthen their risk management is to begin moving beyond analyzing and managing risk to building resilience. Given the openness and complexity of the financial ecosystem, breakdowns are inevitable. While it is critically important to measure, analyze, and mitigate risk, firms must also detect and recover from problems as quickly as possible. They also need to learn from these events so they are better equipped to withstand potential systemic shocks in the future.

There are a number of building blocks to strengthening resilience, but the cornerstones are establishing a strong risk culture and expanding ownership of risk management to all employees of a firm. This is not an easy assignment, because culture-change often requires a significant investment of time and energy by a firm’s most senior executives. However, the benefits of embedding risk-management into all parts of an organization can be transformational. Related to this, firms should also nurture a learning mindset to sharpen awareness among employees of potential risks, encourage them to question assumptions, and help them learn from the past.

At DTCC, we have operationalized the concept of “lessons learned” with the formation of an internal Post Incident Review Team, which brings together senior employees from across the organization to examine incidents, including near misses, from many different perspectives. Our objective is to gain a deeper understanding of what might have happened if certain controls were not in place and how an incident in one area could affect other parts of the enterprise. Session takeaways provide critical insights into other potential situations we may face in the future. We also use these findings to inform scenario analyses we conduct to understand how events could potentially play out, how existing processes would perform, and what actions could be taken to prevent or respond to incidents.

The data challenge

The third action that firms can take is to grow their ability to manage and leverage the data they collect. The ecosystem of complex interconnections and multiple interdependencies among companies require the collection, aggregation, and analysis of massive amounts of data to paint a comprehensive view of systemic risk. As an industry, we have become very proficient at data collection. A more meaningful question is, do we really know how to manage and interpret all this data? The industry as a whole needs more sophisticated analytical tools and data scientists to help mine the information for actionable intelligence in order to identify risk trends, including potentially extreme but plausible events. The ability to connect the dots is crucial for mitigating systemic risk.

Furthermore, we need to reevaluate and supplement the tools we have traditionally used in risk management, which have been based on assumptions of normal distributions and linear behavior. The Office of Financial Research seems to recognize this, suggesting that firms use tools from process systems engineering to tackle the difficulties in identifying, modeling, and analyzing data in the financial markets by taking into account feedback loops between components of the financial system.

With the nature and types of risks continually evolving, firms need to innovate how they view and manage risk in order to build resilience and strengthen their ability to withstand systemic shocks and other events. While the industry has made tremendous progress in recent years, there is still much work to do to ensure we are prepared to protect against the many new risks the industry faces.

The views expressed are the author’s own. They do not necessarily represent the views of Thomson Reuters.

Andrew Gray is managing director and group chief risk officer at the Depository Trust & Clearing Corporation (DTCC), the primary post-trade market infrastructure for the global financial services industry. Gray has global responsibility for DTCC’s enterprise risk management, including credit, market, and liquidity risk, as well as operational and systemic risk management. His responsibilities also cover information security, technology risk management, business continuity management, and global security management. In 2014, DTCC’s subsidiaries processed securities transactions valued at approximately $1.6 quadrillion.

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see