The screening process of the suppliers can be long drawn-out, but it has to be methodical and it has to be done well. This mix of weighted-criteria process is sometimes called a beauty contest. It can be done in secrecy with sealed bids to only invited suppliers. Or it can have all interested suppliers bidding. The selection process is certainly more objective with the ‘lowest bid wins’, but it can leave out the user’s needs considerably. Therefore, the argument for user functionality has to be spelt out for all. You can include the system criteria, or priorities, you deem important.
The supporting detail of the grid, used for further analysis and line management purposes, is contained in a risk functional cross-matrix.
Red warning lights show us the most critical systems to redesign or overhaul. Where departments are already operating well, and currently get the green risk light, then there is no immediate need to replace that subsystem. Nevertheless, systems engineers will often replace that subsystem too and install a completely new one that is guaranteed to be compatible with the rest of the new integrated system.
A lot of the system satisfaction revolves around the functionality, that is, fulfilling the needs of the users. The needs analysis comes out in the defining document that is usually called the “user system requirements” (URS). Such a vital document, in summary, is circulated to interested system vendors in a communication flow, initiated by the “request for information” (RFI). This is a preliminary document that defines the summary of needs, and the firm’s plans for upgrading systems. It gives enough data to inform systems builders if they can meet the client’s needs, or not.
The final URS is analysed in full and sent to short-listed system vendors in a contractual document, usually called the “request for proposal” (RFP). It contains some data such as the user’s functional needs.
User’s functional priorities
When you are designing a risk management system, you are searching for best:
price
functionality
time taken to implement
confidentiality/security
reliability
after-sales support.
How you prioritise and assign weightings to these criteria is a subjective matter, and it defines your company’s exact situation. Even getting the best price–quality ratio and product involves the client in a calculus that offers more room for abstract judgement, rather than costs and figures alone.
You will have to check interfacing and efficiency of sharing data with the new programs. Otherwise, system integration difficulties can bring your risk management system that “speaks” English into a German bank with a French accounts system. The company’s central IT department may specify an Esperanto of XML as a mediator language for translating between the bank’s myriad systems. XML serves as a universal format for translation that also ports well to the Internet. Shared data can be sent over all the bank’s operational centres world-wide in this way. The complex design issues and the need for linking many disparate systems grow ever more insurmountable with a global corporation.
A world-wide financial company is likely to have several risk management systems, including all the “legacy” systems. This indicates a need for sophisticated integration, with the bank’s risk management system at the epicentre. The system can sit in the middle, linked by an EAI intermediary layer or module.
The interfacing and data conversion difficulties between the different business programs and suppliers may tend to work against easy linking of an enterprise-wide risk management system.
For this reason, the company may take a strategic policy for IT standards, e.g. something on the lines of:
For all global offices. To standardise our IT systems, we stipulate that:
All mainframes will be supplied by IBM, all servers by Sun Microsystems or Compaq, all PCs from Compaq or Dell, all operating systems either IBM-AIX or the latest Windows. Bloomberg will be our preferred dealing systems supplier and integrator, with MKI for back office and Sungard for risk management. Deviation from these standards will have to be approved by IT department beforehand.
After selecting the desired staff, we have to install the technical elements of risk management. It has to be emphasised that IT supports the business and not the other way around. The business department should not go out alone to shop for the “best” risk management system; neither
should the IT department.
Financial risk management has to rely on specialised software. There are relatively small firms that usually work with a limited number of clients. An extra customer won can make a difference between boom and bust. Sales overcommitment can take over the aims of delivering the most suitable product for the client at the best price. This sales scramble can lead to excessive promises.
Value-added systems rely upon the supplier’s understanding of the business in that situation, the implementation of adequate security procedures and good quality staff. The business functionality inherent within the risk management system may prove unsuitable for the specific bank or fund. You can buy technology and marketing hype instead of system utility. We can take a subjective view of technology for the sake of demonstration.
Finding the “best” risk management system
Searching for the “best” risk management system and service delivery constitutes a major project in itself. This is known as the ITT (invitation to tender) process where we follow a rigid methodology to get the best for us. It is likely that a more suitable product and service can be obtained at a better price once we have gone through all ITT steps.
The invitation to tender (ITT) process
If you consider creating critical risk management functions within your company, you have two general choices:
Build in-house, or
Buy from an outside party.
Build
This dictates that your company has the adequate internal resources and scale to undertake such a major task. With Basel II, this is further complicated by the small pool of talent able to handle compliance and technical issues for market, credit and operational risk. Given the extreme novelty of the Basel II “Three Pillars”, we will probably face a medium-term shortage of able personnel to understand and implement the new regulations.
Specialised risk management has a dearth of skills available. Thus, the company is committed to having the business skills in-house for understanding the risk management issues, and outsourcing the technical skills for implementing the new system. This entails getting the cocktail of talent right, i.e. combining financial skills, risk management, change management, project control, mathematical and IT systems experience.
Buy
It is more probable that you do not have all or enough of all the resources to carry out this large project. “Buying in” is the preferred option when companies do not want to “reinvent the wheel”. Some external personnel will handle part of the risk management, some the IT side. This can range from specific technical tasks that require specialist advice, to wholesale design and implementation of the entire system.
There are security issues at stake here because few banks and funds wish an external party to know their finances and risk management status. Confidentiality clauses are written into contracts, and “Chinese walls” emerge to promise non-disclosure of sensitive data to another client. The trust works both ways and it behoves a client to provide accurate data to the system supplier. It is likely that the project size and risk management complexity will force a combination of build and buy-in, with most companies preferring the buy-in route. Once inviting risk management firms to design and install the business solution, some methodology must be used to select the most suitable suitor. It is crucial to select the best long-term business solution provider, not just for Basel II, but quite possibly for Basel III and all the follow-on work. We have often gone into banks and fund managers and seen the client allied to the wrong business solutions provider. The ITT is a bidding process that is worth conducting carefully.