Facing the risks of loss

Established 21 years ago, BIMCOR (Bell Investment Management Corporation) manages more than $11 billion in investments that represent the pension funds and other investments of the employees of its parent company BCE Inc. and other subsidiaries.

The BIMCOR systems, processes and 55 employees at the Montreal and Toronto locations all work at avoiding any downtime – and for good reason.

“If our systems are non-operational for a few hours, we might have lost $100,000,” says Sylvain Leboeuf, BIMCOR’s vice-president of Information Technology. “We definitely need to have our systems available so that our phone managers, our traders and our executives have access to the information they require when they require it,” he stresses. “We have put a lot of money and a lot of effort into that. We will buy two of everything if we have to, to be sure that our systems are available.”

And they have been available. “Our track record over the past two years has been tremendous,” Leboeuf admits. “The solutions that we have implemented have really helped us.”

BIMCOR implemented Computer Associates’ eTrust intrusion detection one year ago, the anti-virus software six months ago and the anti-spam product before Christmas. A centralized console manages the eTrust suite of products which run on the Windows 2000 platform of the company’s several servers.

Mark Diodati, CA’s technology strategist, has found that financial services firms typically have four drivers fuelling their security efforts: privacy in terms of how the information is acquired, used and shared; corporate governance regarding OSC Bill 198 and Sarbanes-Oxley; cost reduction with emerging technology; and the blurring of borders between types of financial services leading to organizations forming trusted partnerships.

Leboeuf reports that two of those drivers in particular are behind BIMCOR’s security efforts, in addition to the aforementioned concern for total availability of systems. He notes that they were concerned about keeping a lid on existing costs and not increasing their IT staff. “We wanted the people who were there to work more efficiently. That was a big plus.

“Like anybody else in the type of business we are in, it is extremely important to ensure the privacy of our clients’ information and our proprietary information,” he adds.

Canadian Trading and Quotation System Inc. (CNQ) has a similar reliance on always-on availability. Described as a new stock market for trading the equity securities of emerging companies, the CNQ Marketplace is a collaborative share-trading and disclosure engine, said to be the first of its kind approved by the OSC. It claims to match enhanced disclosure and streamlined issuer regulation with technology and regulatory oversight to meet the needs of emerging companies, their investors and investment dealers.

“The reality in providing a service-based technology is that people only remember the times things don’t work and not how great they are when they do [work],” says Michael Malone, CNQ chief operating officer. “In our business, downtime or less than 100 per cent availability is not acceptable. So, we had to have the highest level of availability for the provision of our service.”

Rather than build or manage their own facility to house technology to that level of availability, CNQ relies on Q9 Networks’ managed hosting services. “We didn’t have to incur any up front capital cost or hire any staff,” Malone explains. “The costs were competitive and the level of service was what we needed. We haven’t been down since launch, operating even through the blackout.”

CNQ makes its trading system and information service available via a highly interactive Web site which results in quite a complicated networking communications system. Housed at Q9, all levels of the system have built-in redundancy – all with the view of minimizing the risk of service interruption or non-operation.

“We offer a unique proposition to issuers because we’ve been able to use technology in ways that provide efficiencies for them and reduce the cost to them,” Malone stresses. “Our future growth is based on ensuring that issuers and companies providing services to issuers have confidence in our system to be able to do what we’re saying we’ll be able to do for them. That means making sure it works all the time.”


But what if it doesn’t work all the time? What would be the cost of that downtime? With the upcoming Basel II Accord initiatives, financial services firms have become more focused on operational risk and its impact on capital calculations. Regulatory pressures on financial institutions require them to precisely determine and evaluate the risks taken in terms of financial exposure and return-on-capital.

“The key thing that has happened over the last 10 years is that the prime focus of financial institution regulation is not so much on product and balance sheet regulation but now it is a focus on business process and control environments – in other words, what people do in order to manage these institutions to be better and more transparent and more efficient on a risk-adjusted basis,” explains Ed Shea, vice-president of financial markets at Providus Software Solutions, Inc.

However, as SAS points out, organizations face the daunting challenge of collecting, organizing, analyzing and reporting on financial information that is often scattered across dozens of operational systems and general ledgers in various business units around the world.

Among the several software vendors with products aimed at operational risk management issues, some are addressing head-on the problem of the lack of historical data.

Gary Love, program manager, SAS Canada, claims that SAS is the only company that offers loss data, monitoring capabilities and value at risk (VaR) calculations in one environment. He sees financial services firms as wanting to “reduce the number of vendors who they depend on. It is cheaper to be able to negotiate with one than one each for market risk, credit risk and operational risk.”

Further, he notes that “different vendors may not integrate all the silos.” He says a key capability is looking across the databases. “You are severely limited if you don’t have integrated systems and have to guess.”

SAS also offers scenario planning – ‘how much would it bring capital charge down if…’ Love says they offer an optimization tool as well.

Merrill Lynch has selected SAS Corporate Compliance software for managing its operational risk and compliance with the Sarbanes-Oxley Act, Basel II and other regulations. The software is said to provide publicly traded organizations a repository of financial documents, processes and controls from across their global operations that can be monitored, tracked and analyzed. This gives firms like Merrill Lynch an integrated, consistent interface and framework for risk and control self-assessment for the greatest possible return from data collection activities while minimizing business disruptions, according to SAS.


Headquartered in Toronto, with 15 offices around the world, Algorithmics Inc. serves more than 150 global clients in 26 countries. Founded in 1989, it continues to focus its efforts on creating and implementing enterprise risk management software. Though sales numbers are still small, the company did triple its sales of its OpRisk software this past year over the previous year.

Andrew Aziz, Algorithmics’ vice-president of products, describes operational risk as at the other end of a pendulum from market risk where there is ready data on interest rates and foreign exchange rates and all market risk factors. He says from a software perspective, their clients are looking for two things. One is the capability to log in a consistent manner all the losses that accrue from operational risk events as well as leading indicators. “Part of our solution we call OpData is really a framework for logging, auditing and all the work flow around being able to put in all the input data to do subsequent analysis. That is a key part of the issue – being able to log any losses associated with operational event types and also the risk factors and leading indicators themselves.”

Another part of the solution, he says, is the analytic tools on top of that to do risk assessment, to turn qualitative into quantitative data and then ultimately determine how much to allocate for capital purposes. “In op risk, because it is a newer field, we actually see people just buy the data input component first and that’s driven our growth in op risk over the last year or two around the world,” Aziz continues.

Algorithmics also markets OpCapital, the analytic component that analyzes the qualitative data, does statistical risk assessment and then turns it into a capital number.

“Our strength was on the data side as well as the capital side,” he admits. “The in-between tool that takes the qualitative data and turns it into quantitative data as input for the capital side is where SAS has had the competitive advantage although we believe we have overcome that recently.”


Providus in Nashua, N.H., has introduced new versions of its two RiskResolve risk management applications for Sarbanes-Oxley and Basel II regulatory compliance. The products provide financial institutions with a top-down view of potential risks across lines of businesses, according to Providus. The RiskResolve 3.0 applications are built on Microsoft’s .Net Framework for Web services and provide users with workflow and permission capabilities for entering, viewing, tracking and reporting on risks and risk-related data.

Providus claims that only its RiskResolve solution can support multiple, parallel compliance objectives – even if they overlap.

“Because of the convergence between Sarbanes-Oxley and Basel II, people want to have one repository for their entire control environment but be able to look at their compliance initiatives from a control standpoint on an individual basis. In other words, be able to roll it out for a given regulator,” explains Shea. “For Basel II, you can roll out those controls around operational risk and look at your risk exposure from operational purposes in one fell swoop.”

Scotiabank has purchased risk management software from another vendor, Portiva Corporation in Amarillo, Tex. Portiva announced last fall that Scotiabank will use its Enterprise Suite of risk management software, including J-PORT, SurveyAssist and LossDataAssist. Scotiabank will gather risk data from over 50 countries and apply Portiva applications to conduct risk self-assessments, track controls and collect loss event data.

Portiva and Scotiabank jointly developed the loss event database module called LossDataAssist as a fully integrated prior loss database module that complements Portiva’s core application, J-PORT. LossDataAssist will allow clients to take full advantage of the Basel II Advanced Measurement Approaches. This data repository is tightly linked with the risk self-assessment process to allow the user to correlate all loss history to the appropriate process, activity and specific risk to which they are allocated. The first release of LossDataAssist was scheduled for November 2003.


In January, OpVantage, a division of Fitch Risk Management, released its new integrated self-assessment tool, OpVar Risk and Control Self Assessment (RCSA). This Java-based Web application is said to facilitate the collection and management of qualitative operational risk information throughout an organization. The company says RCSA users may create custom templates to capture numerous data types including risks, associated controls, key risk indicators (KRIs), action plans and other user-defined requirements.

OpVantage claims to be the first company to bring operational risk software solutions to market and the most advanced provider of highly sophisticated operational risk quantification tools and methodologies. The FIRST (Financial Institutions Risk Scenario Trend) Database was acquired in 2003. OpVantage says this database with enterprise-wide applications provides case studies on almost 4,500 operational risk loss events to help institutions manage operational risks.

The Risk Management Association (RMA) in November announced it had entered an agreement with OpVantage to have access to the vendor’s FIRST Database.

The RMA, founded in 1914 to advance the use of sound risk principles in the financial services industry, has about 3,000 institutional members that include banks of all sizes as well as non-bank institutions. Although headquartered in Philadelphia, Penn., the global organization is chaired by Toronto-based Suzanne Labarge for the year starting Sept. 1, 2003.

Labarge is also vice-chairman and chief risk officer of RBC Financial Group. In a speech to the RMA last year, she stressed that “risk in itself is not bad. What is bad is risk that is mismanaged, misunderstood, mispriced or simply unintended.”

Labarge is a keynote speaker at OpRisk USA, Risk Waters Group’s sixth annual operational risk conference this March 30-31, 2004, in New York City. Tony Peccia, vice-president, Bank of Montreal, is also a scheduled speaker. Details at www.opriskusa.com. RMA is on the Web at www.rmahq.org.
