
A Comprehensive Approach to Enterprise Risk Information Management

Dr. Robert M. Mark, Dilip Krishna

This whitepaper shows how the quality of data is critical to an effective ERM process and introduces a comprehensive approach to managing data.


Executive Summary

In the wake of mismanagement that brought down some of the largest corporations, Enterprise Risk Management (ERM) has emerged as an essential discipline for any corporation. Yet successful ERM can be deceptively elusive without access to timely, accurate, and comprehensive risk information from throughout the enterprise. Creating and sustaining such an information rich risk environment requires a discipline known as Enterprise Risk Information Management (ERIM).

This paper traces and describes the evolution of ERM and introduces a comprehensive approach to ERIM.

Why ERM?

ERM has gained considerable currency among the large global corporations because of the increased interdependence within businesses, regulatory demands, and a growing awareness of its importance in preventing systemic failure. Consequently, agreements, such as the Basel II Accord for the banking industry and the Solvency II initiative for insurance, stress that companies must use the risk information to manage their businesses. In other words, companies must demonstrate that they actually use the risk information as a key component of their business processes as opposed to simply generating regulatory reports.

The quality of an ERM program that embraces both defensive and offensive risk management (maturing from simply reducing risk to leveraging judicious risk-taking for above average returns) can be benchmarked in terms of the quality of its policies, methodologies, and infrastructure. Superior ERM approaches provide true transparency and insight into the amount at risk across business silos and risk types.

Timely, Accurate, and Comprehensive Introduction

Timely, accurate, and comprehensive information for all key stakeholders is essential for achieving the above goals. (This paper distinguishes between information and raw data, by defining information as data in a form that is meaningful to business users.) The information used for ERM must have the following characteristics:

  • It draws on integrated data from across the enterprise.
  • Information must have integrity.
  • A complete view of risk must be available.
  • Flexible and rapid user access.
  • Information can be analyzed in a variety of ways to generate deep insights.
  • Information must be available in a timely manner.
  • Information must be traceable and verifiable all the way back to the source.

What is Enterprise Risk Information Management?

To ensure that company data has the characteristics described above, companies have begun to focus on ERIM, which the paper defines as processes, technologies, and tools that transform data into information that can enhance risk management. One of the significant advantages of an ERIM program is the way it fosters the reuse of data. Data are a corporate asset, the value of which is not restricted to what it offers to specific business units. The large data repositories that ERIM demands – and the reuse of data within those repositories – force improvements in overall data integrity, as well as changes and additions that benefit all users. This extends ERIM beyond risk management to providing new and important insights to business units via the wider perspective of Enterprise Information Management (EIM).

At the core of EIM is the essential idea that data must be consistently modeled across the organization in a comprehensive, flexible blueprint – a logical data model (LDM) – that reflects the way an industry uses its data. Further, to tailor the information in the LDM to a specific business unit, EIM then requires Semantic Models, which represent information as the business users of a particular business function use it. Semantic Models must have a direct and documented link to the LDM.

EIM also requires the highest quality data, which reflects expertise in four distinct components of data management:

  • Metadata
  • Data Quality
  • Reference Data (also known as master data)
  • Data Privacy and Security

Governance

Data governance is the organizational construct that supports an effective EIM program. It involves the following components:

  • Organizational Structure: A steering committee to set policies and guidelines.
  • Funding and Allocation: Setting policies around data infrastructure investments.
  • Policymaking Framework: Creating standards for data management.
  • Communications: Defining effective methods for communicating data-related policies throughout the organization.

Metrics

An organization should be able to measure the effectiveness of its EIM program. Simple metrics, such as measuring the percentage of departments that have begun to adhere to EIM policies, can mature into comprehensive business value. Business value metrics might include such things as the savings in time and opportunity costs, as well as data quality metrics that reflect the business impact of data integrity.

Infrastructure

Companies must have technology in place that supports the EIM program. There are many different tools available to do such things as manage metadata or reference data, but it's critical that before purchasing such tools companies think about interoperability among the various tools, the database, and enterprise security technology.

ERIM Benefits, Enterprise Value

ERIM helps companies develop superior risk management policies, methodologies, and infrastructure. ERIM takes a comprehensive approach to data management that fosters a robust data environment, which in turn, provides the input necessary to set policies and measure risk. Perhaps equally important, by aligning the goals of ERM with the other strategic goals of the enterprise and individual business lines, ERIM delivers tangible business benefits that ripple throughout an organization.

Introduction

Over the past two decades, a series of corporate scandals has yielded a far-reaching regulatory response that includes the demand that corporations implement ERM programs. In contrast to the traditional silo approach to managing risk, ERM gauges the way various risk factors affect each other and, in turn, the risk profile of the entire business. As such, ERM has the potential to improve how companies manage risk from within a unit, as well as across units within a business, and on an integrated enterprise-wide approach throughout the entire business. Equally important, superior ERM has consistently been shown to improve the way the entire enterprise functions.

ERM is highly dependent upon timely, accurate, and comprehensive information from throughout the enterprise. ERM is really just a theory without high-quality, integrated data that are readily accessible to all key users in a timely way – and easily traceable to verify their genesis and accuracy when necessary. Creating and sustaining an ERM-enabling data environment demands that companies have a system solution for gathering, organizing, and providing data access. EIM is the discipline that must inform the solution.

After tracing the evolution of risk management practices, this paper introduces a comprehensive EIM approach that can not only support the delivery of superior risk management practices, but also tangible business benefits, including the alignment of risk management with the strategic business goals of an organization.

Why Risk Management?

The past two decades have seen an intense and growing interest in risk management. The '90s experienced the devastating effects of losses, such as Barings and Long Term Capital Management (LTCM). Many of these risk events resulted in the abrupt death of long-standing corporate entities. The new millennium experienced its own share of spectacular business failures, such as Enron and WorldCom. Each of these catastrophes can be traced back to a lack of sophisticated risk management, as well as a failure in organizational discipline in one or more areas. These types of visible collapses have led to a determined thrust by the worldwide regulatory authorities to upgrade their Governance, Risk and Compliance (GRC) practices.

A corporation should not engage in risk management without clearly deciding on its objectives in terms of risk and return. Without clear goals determined and accepted by the board of directors, management is likely to engage in inconsistent and costly activities to control or actively hedge an arbitrary set of risks. Some of these goals introduce important accounting versus economic issues. For example, is the firm concerned with managing the volatility of economic profit measures, such as the return on economic capital, or the volatility of accounting profit measures, such as ROE?

Measures of accounting versus economic profit do not necessarily coincide, and at times their risk exposure is vastly different. For example, if a corporation buys a futures contract on a commodity, then the accounting exposure may be hedged, but the company will most likely be exposed to economic risk. In this case, no strategy can always protect the company against both the accounting and the economic risk simultaneously. Another important factor is the time horizon for any of the risk management objectives. Should hedging be planned to the end of the quarter or the end of the accounting year? Further, hedging a future expected transaction with a long-term option or futures contract has liquidity, accounting, and tax implications.

Engaging in risk management activities allows management to have better control of their risk adjusted performance. Each firm may legitimately communicate to their stakeholders a different "risk appetite," confirmed by the board. Management can better achieve the board's objectives by employing superior risk management tools. The corporate risk management system should be evaluated periodically. The evaluation should assess the extent to which the overall goals were achieved – not whether specific transactions made a profit or loss.

Reducing earnings volatility may or may not be a criterion. There is nothing wrong with a firm changing its objectives as long as the changes are based on a thorough analysis and are consistent with the aims of the firm. Local regulatory requirements for the disclosure of risks may mean that policy changes in risk management should be made public if the changes are material.

Defining Enterprise Risk Management

ERM is a discipline that goes well beyond the traditional silo approach to managing risk across the enterprise. ERM has gained considerable currency across a wide range of industries, including banking, securities firms, insurance, asset management, energy, and others. ERM has gained impetus from regulations, such as Basel II, Sarbanes-Oxley Act (SOX), and Solvency II. It also has gained momentum from adverse market events, such as those market events that negatively impacted LTCM. Further, an increasingly knowledgeable community has benefited from increasingly sophisticated tools to manage risk.

Many financial organizations have been making great strides in risk management over the past few years. Banks and securities firms have historically focused on addressing transactional risk and have refined these processes to a high degree of sophistication. Insurance companies in particular are very good at using actuarial analysis to develop predictive models for underwriting risks.

The major developments over the past few decades have included holistically applying risk management to the context of the enterprise. These developments have leveraged a substantial body of knowledge in the field of portfolio risk management, starting with the developments of Markowitz in the '50s. If the organization moves closer to a true ERM framework, then these risk types can be interrelated in a number of ways to gain a practical competitive advantage for the enterprise.

First, it becomes important to consider an enterprise view for a single risk type, such as market risk, through properly calculating correlations that drive portfolio effects. In addition, the relationships between various kinds of risk must be considered, such as market and credit risk. For example, market risk traditionally was managed independently from credit risk. A more advanced approach ties together the impact that market risk and credit risk have on the price of the corporate bond, as well as incorporates the integrated effects that these risks have on the correlation between each of the bonds in the portfolio. Finally, some risks actually depend on the existence of other risks (e.g. an operational risk, such as the theft of customer names, can lead to significant reputation risk).

Offensive versus Defensive Risk Management

Risk management has two distinct flavors. Defensive risk management focuses primarily on protecting against downside risk, such as through setting risk limits without taking active positions in the marketplace. Offensive risk management, on the other hand, primarily refers to the idea that risk management actively executes transactions, such as purchasing a credit derivative on a loan on behalf of the enterprise. Firms are typically willing to pay a premium to actively reduce risk. For example, they regularly take out traditional insurance policies to protect property and other assets at a price that is higher than the expected value of the potential damage that may occur if the risk materializes.

In recent years, firms have upgraded their GRC activities to gain a significant competitive advantage. These firms have faced a deluge of new GRC related regulations aimed at improving the transparency of their risks. These regulations include Basel 98 (market risk), Basel II (credit and operational risks, plus Asset-Liability Management or ALM related market risks), Sarbanes-Oxley (operational risks), Anti-Money Laundering (AML)/Bank Secrecy Act legislation (operational risks), and the Gramm-Leach-Bliley Act (operational risks around data privacy). In addition, financial institutions (FIs) have had to increasingly contend with the linkage between traditional operational functions, such as fraud-detection and national security legislation, due to the increasing use of such techniques by terrorist networks. In Europe, there have been other efforts, such as Solvency II for insurance and MiFID1 in the securities business. As these gather momentum, it is eminently feasible that these regulations will be increasingly adopted by authorities in other jurisdictions.

In response, FIs have invested huge sums of money on projects aimed at compliance with such legislation. The estimates for worldwide compliance spending range in the tens of billions of dollars. These efforts have historically been justified with a combination of soft return metrics and the fact they're necessary steps for FIs to stay in business. Nevertheless, there is increasing interest in understanding how these efforts can be leveraged for direct, measurable business benefit.

Firms have also invested a significant amount of money in building risk tools to perform active risk management, such as hedging a firm's key risk. For example, by hedging, a firm can stabilize its costs and hence also its pricing policy. This stabilization of prices may offer a competitive advantage. Further, companies may work to reduce the cost of capital and enhance their ability to finance growth. If a firm does not actively hedge the volatility of a firm's cash flows, then it might lead to a rejection of investment opportunities. If the firm is forced to ignore profitable opportunities that are related to its special comparative advantages (or to private information that it possesses), then this is likely to be particularly expensive for the firm. The debt capacity and costs of the firm may be also adversely affected by high cash flow volatility.

Who Is Interested in the Quality of ERM?

Regulators try to ensure that FIs are well capitalized to avoid a systemic "domino effect," whereby the failure of an individual FI, or a run on an FI caused by the fear of such a failure, propagates to the rest of the financial system. Such domino effects can cause other financial companies to fail, disrupting the world economy and incurring heavy social costs. The Basel Committee on Banking Supervision (Basel Committee) has emerged as the nearest entity that the international banking industry has for an international regulator, although it's really more of a coordinator of national regulators than an authority in its own right. On the committee sit senior officials of the central banks and supervisory authorities from the G-10, as well as officials from Switzerland and Luxembourg.

The overarching initial goal for the Basel II framework has been to ensure that banks are adequately capitalized, as well as to encourage best-practice risk management to strengthen the overall stability of the banking system. Securities firms have also "opted-in" to Basel II. Regulators have adopted a menu approach. The menu approach has been designed so that an FI can select a suitable level of sophistication. The idea is that the more sophisticated firms that get approval from their regulator for having successfully implemented the advanced Basel II approach will have a lower minimum required regulatory capital (than they would be charged under the less advanced approaches) due to the quality of their superior risk management.

The Basel II Accord was preceded by various industry initiatives. For example, in 1993, the Group of 30 (G-30) published a report that described best-practice price risk management recommendations for dealers and end users of derivatives, as well as for legislators, regulators, and supervisors. The report was based in part on a detailed survey of industry practice among dealers and end users around the world.

Scandals have also led to a wave of legislation in the United States and elsewhere that is designed to mend perceived failures in corporate governance practices. A striking feature of these reforms is that they penalize inattention and incompetence just as much as deliberate malfeasance. In the short term, U.S. corporations need to ensure that they are complying with these key reforms, which include SOX and associated changes in stock exchange rules. Together with the Basel II regulatory capital reform, these initiatives are shaping the overall corporate governance and risk management environment. For example, SOX strengthens the process of financial reporting, and therefore, sets the stage for better risk reporting and disclosure.

Implementing ERM – The PMI Framework

The wide scope of ERM across functional units of an organization, as well as industries, makes it challenging to define. One way to understand ERM is to use a framework that decomposes it into Policies (P), Methodologies (M), and Infrastructure (I). This is helpful in understanding the motivations of risk managers and also for understanding the dependencies between components of a robust risk management solution.

Rating agencies, such as Standard & Poor's (S&P), have implemented a program to better understand the effectiveness of a firm's risk management practices based on a framework that analyzes a company's policies, infrastructure, and methodologies. This approach focuses on these three key aspects of a firm's risk management practices. The relative importance of each of these aspects in forming S&P's opinion of the quality of a company's risk management practices will depend on the complexity, size, and range of risk for each individual company.

Policies refer to what the organization wants to accomplish, such as the company's philosophy about risk and its goals and objectives for risk management. Another critical component is to establish a clear policy on the proper taxonomy of risk within the organization, which is likely to be somewhat different between organizations. Policy also establishes the risk appetite of a company.

Methodologies refer mainly to the techniques used to quantify risk within an organization. For example, the value-at-risk (VaR) methodology has become a popular measure for certain kinds of risk. Methodologies help implement policies by quantifying risk and allowing line executives to measure the actual risk against the risk that senior management has accepted at a policy level. Sophisticated methodologies have helped to make risk more transparent. For example, the ability to measure credit risk has rapidly evolved with the introduction of models, such as the Merton model.

The infrastructure component provides the means to implement these policies. Infrastructure refers to much more than just the technology, hardware, software, or applications, but also includes the organizational and operational processes that tend to the day-to-day task of implementing risk management within an organization. For example, the underwriter's job in an insurance company would be classified within infrastructure, since he/she performs the risk analysis for an insurance contract at its outset. Infrastructure includes the organizational structure for risk management.

Infrastructure also makes use of methodologies since the software component of the infrastructure may be based on proprietary mathematics embedded in a vendor supplied software application.

As an example, consider credit risk limits on derivative exposures. Limits are usually set by senior management with regard to how much exposure a particular line of business may take in derivative contracts. Monte Carlo simulation software engines are often used to compute potential future exposure (PFE) of a derivative contract. The PFE software is an example of a methodology expressed as an application. Infrastructural mechanisms of varying levels of sophistication use the PFE measurement to control risk; these may be automated or not. The firm's location on the continuum of sophistication will determine the agility and rigor of risk control in the organization.

Good Information – The Key to Enterprise Risk Management

Effective risk management depends on the ability to accurately assess risks in a timely manner, and then communicate risk mitigation strategies to all parties who are involved in executing them. If risk management is to become a strong partner of the business, then risk information must be measured effectively and be actionable. If the risk information is to be actionable, then it must be delivered on a timely basis to the business. Accurate information in a well-run firm is available to both senior management and line executives in a consistent manner.

This cannot be done without a robust ERIM environment where information flows without friction between the front lines of the business and horizontal functional units, such as risk management and finance. Up-to-date transactional information is essential to gaining a true picture of risk. Likewise, risk control and mitigation depend on timely information and controls flowing back from risk management to transactional business units.

ERIM environments in superior risk management firms have exhibited the characteristics described here:

Data Integration

Data are integrated across the enterprise. For example, there is an ability to analyze all exposures related to a given customer together.

Data Quality

Data has integrity and gives users of reports confidence in the information they are reviewing.

Data Completeness

Information verifiably encompasses all data from the organization.

Data Access

Users can access detailed data in flexible ways, including large amounts of historical data, to perform rapid analyses.

Flexibility and Extensibility

Users can analyze data across any dimension they choose. For example, analyses of risk across product lines may indicate the need for further calculations of risk for one product across the time dimension.

Timeliness/Time to Produce

Data are available to users in a timely manner, soon after the occurrence of the business event that caused the data.

Traceability/Auditability

Data are easily traceable from reports all the way back to their source so that a culture of transparency develops in the organization.

Enabling such a data environment for risk management users is a daunting, but not impossible, task requiring commitment from the senior-most executive levels.

A Framework for Enterprise Risk Information Management

Information and data management is a complex topic within all organizations. This is even more so for financial firms whose life blood is information.

Before delving into the topic further, we need to differentiate the terms data and information. Data are the raw output of the numerous interlocking business processes within the organization. Data emanates from all corners of the organization – the front-office and transactional systems, middle-office and risk management groups, back-office settlement and payments groups, financial controller's groups, and so on. Data will largely be used by the group that produces them. Information is data that are meaningful in a business context. While data will, on occasion, be used in business processes in their raw form, there is often a need to transform them to enhance their usefulness. The overarching goal of ERIM is to convert all this data into actionable information on all risks facing the corporation.

EIM is the set of disciplines that works together to ensure not only that data are properly integrated, but also that information is available in the desired manner by business users. ERIM can be considered a risk-oriented view of EIM. A framework for EIM is shown in Figure 1.

[Figure 1: A framework for EIM]

At the core of EIM are the data. Data are optimized to the business processes where they are generated due to proximity between sourcing and usage. This means that data, in the narrow context of a particular business group, will usually be internally consistent and reasonably accurate. They can be relatively easily transformed into information relevant to that line of business. The integrity of data begins to break down as one moves further away from the source.

Data must be consistently modeled across the enterprise to ensure that data semantics are consistent and well-understood across all business units and horizontal functions. The structured form of documenting this common understanding is called the LDM. The LDM is a comprehensive, flexible blueprint of how data are organized within the enterprise.

To make information useful to any one function, it's necessary to crystallize the information in the LDM to a documented form that is tailored to a given business unit. This form is called the Semantic Model, which represents information as viewed by business users in any particular function, such as risk management, marketing, or trading. The Semantic Model is represented in parochial terms that users in each unit are comfortable with. It's important that the Semantic Model have a direct and documented link to the underlying LDM. This link then becomes the mechanism by which users in risk management and each business unit relate to one another. The overall structure is shown in Figure 2.

[Figure 2: Overall structure of the LDM and the Semantic Models]

As an example, a corporate banking customer may have relationships in several loan facilities, each of which may have multiple draws. Customers can be related to each other via a legal entity hierarchy. In addition, customers may also act as guarantors for loans. Loan officers may want to see the historical details of a particular obligor's performance over the past three years when considering renewal. Credit risk officers, on the other hand, may want to aggregate various kinds of loans together for purposes of credit analysis, such as examining industry or country risk. The aggregation will include translating derivative exposures into loan equivalent exposures.

The LDM will contain details of both the loan facilities themselves, as well as any derived data, such as a loan equivalent. This model will be common to both the business unit disbursing loans, as well as to the credit risk management function. The semantic layer will distinguish the differing data requirements of the two units. The loan officer will see specific details of loans, while the portfolio risk management semantic layer will be devoid of these details.

Amalgamating data into the Logical and Semantic data models is only the first step to ensuring a robust data environment. For widespread business use, data needs to have integrity. While users tend to view all data integrity problems as quality issues, problems are typically attributed to four distinct causes. These are – Metadata, Data Quality, Reference Data Management, and Data Privacy and Security. Each of these disciplines is supported by both technology and business processes. In some cases, a mix of technologies may be needed to address a particular discipline.

Metadata is the mechanism to precisely define terminology used in the business. For example, use of the term "facility" in the above example could be construed differently in the trading room as opposed to the loan book. Metadata also refers to the data definitions and specific physical characteristics of data. For example, metadata will define the number of decimal places required for accuracy and other data-specific attributes.

Data Quality ensures that data are accurate and complete. Quality may be measured along a variety of dimensions. Data quality issues can result both from business process breaks, such as imperfect input data validation processes, as well as from technology problems. Quality monitoring does not require much organizational and business interaction. Quality improvement, on the other hand, involves processes that ensure appropriate escalation of issues to system and business process owners.

Reference or Master Data is the cornerstone of all analysis. Reference data are all the data that are relatively static, such as customer information, product masters, and organizational hierarchies. Aggregations are typically done using reference data, so poor reference data can cause large inaccuracies in aggregated results.

Data Privacy and Security are important topics both from a business perspective, as well as for regulatory reasons – they are the source of very significant risk (regulatory, reputation, and operational) in their own right. There are an increasing number of regulatory requirements to protect the privacy of individuals, such as the Gramm-Leach-Bliley Act. Paradoxically, one of the few downsides to creating an easy-to-access data repository is that it presents an attractive target for large-scale data theft.

The glue for all four EIM disciplines is Data Stewardship and Data Governance processes. Data stewardship represents the tactical processes involved in creating a robust EIM environment. Data governance represents the senior management oversight and funding processes necessary to ensure adequate support for EIM.

Implementing Enterprise Information Management

The rigor with which the data underlying business processes are captured reflects the importance that the organization ascribes to it as a tool to improve revenue and profitability. The quality of data is determined by factors, such as organizational culture, the relative power equation between sources and users of data, and the level of automation in the business process, leading to uneven quality of data. For example, retail units of banks are typically better automated for cost reasons than their commercial and corporate lending counterparts. The quality of data in the retail area can therefore be expected to be higher.

As discussed earlier, creating a superior EIM environment for robust risk management requires complex interactions among several disciplines. In fact, the structure that is required involves a mix of policies, methodologies and infrastructure reflecting the mix of disciplines needed for risk management itself.

Enterprise Information Management Policies

A data-aware culture is essential. This is accomplished via an evolutionary process of continuous education and improvement. Data governance sets the framework for effecting such change and involves the following:

Organizational Structure

Establishing a data steering committee and setting guidelines for the data stewardship organization.

Funding and Allocation

Deciding on the process for an effective allocation of costs and investments for data management.

Policy-making Framework

Setting high-level policies regarding data, including lending its authority to standards about reference data or metadata.

Communications

Establishing effective procedures that communicate data-related policies throughout the organization.

Enterprise Information Management Methodologies

The effectiveness of data governance policies should be measured. This can be accomplished either by Simple Metrics, such as the percentage of departments that have begun to adhere to specific standards, or by Business Value Metrics, which calculate return on investment in EIM. Cost-takeout from EIM is relatively simple to calculate. Business value can also be calculated prospectively by considering the opportunity cost of projects not being undertaken due to lack of data.

Data quality metrics are also important. Business users view all data issues as quality problems, while technology groups charged with solving quality issues tend to take a more discerning approach. Precise measures of data quality are therefore necessary. Data quality measures can include simple ratios, such as the ratio of good to bad outcomes (e.g. the number of records in a feed for which trade date is undefined). Value-weighted ratios are useful when some kinds of data errors are more critical than others (e.g. errors may be weighted by trade size). Other metrics can be derived by combining basic measures via min-max operations or by value-weighting average techniques.

Probabilistic techniques can also be used to detect quality problems, especially where manual investigation is required. For example, definitively determining whether a 3-σ deviation from the mean trade size is an unusually large trade or a data entry error will take human intervention.
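The simple ratio, the value-weighted ratio, and the 3-sigma review queue described in the two paragraphs above, as an added Python example that is not part of the original whitepaper. The record layout, field names, sample feed, and baseline figures are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed feed; record layout and field names are assumptions for this example.
FEED = [
    {"id": "T1", "trade_date": "2007-03-01", "size": 1_000_000},
    {"id": "T2", "trade_date": None, "size": 600_000},
    {"id": "T3", "trade_date": "2007-03-01", "size": 1_200_000},
    {"id": "T4", "trade_date": "2007-03-02", "size": 1_100_000},
    {"id": "T5", "trade_date": None, "size": 12_000_000},
    {"id": "T6", "trade_date": "2007-03-02", "size": 500_000},
]
# Constructed history of validated trade sizes: the baseline for the 3-sigma test.
BASELINE = [900_000, 1_100_000, 1_000_000, 1_300_000,
            700_000, 1_000_000, 1_200_000, 800_000]

def missing_trade_date(rec):
    return not rec.get("trade_date")

def simple_defect_ratio(records, is_bad):
    """Bad records / all records: every record counts the same."""
    return sum(map(is_bad, records)) / len(records) if records else 0.0

def value_weighted_defect_ratio(records, is_bad, weight=lambda r: r["size"]):
    """Bad weight / total weight: a defect on a large trade counts for more."""
    total = sum(weight(r) for r in records)
    bad = sum(weight(r) for r in records if is_bad(r))
    return bad / total if total else 0.0

def three_sigma_candidates(records, baseline, k=3.0):
    """Ids of trades more than k standard deviations from the baseline mean.

    The statistics come from history, not from the feed under test, so a
    single huge value cannot inflate sigma and hide itself. The result is a
    review queue: the test cannot tell a large trade from a keying error.
    """
    mu, sigma = mean(baseline), pstdev(baseline)
    return [r["id"] for r in records if abs(r["size"] - mu) > k * sigma]

def quality_report(records, baseline):
    simple = simple_defect_ratio(records, missing_trade_date)
    weighted = value_weighted_defect_ratio(records, missing_trade_date)
    return {"simple": simple, "value_weighted": weighted,
            "worst_case": max(simple, weighted),  # max-combination of the two
            "steward_review": three_sigma_candidates(records, baseline)}

if __name__ == "__main__":
    print(quality_report(FEED, BASELINE))
```

On this constructed feed a third of the records lack a trade date, but they carry about 77% of the traded value, which is the gap the value-weighted ratio exists to expose.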

Enterprise Information Management Infrastructure

Infrastructure for EIM comprises data stewardship processes coupled with applications and infrastructure. Data stewards are usually knowledgeable in the details of a particular type of data. They address data quality problems, metadata inconsistencies, and may be involved in data security aspects as well. The stewardship process requires well-defined issue escalation and control processes. For example, the data steward is alerted when a data quality problem is detected. The data steward will investigate the problem and devise a solution. A control layer acts as a check against errors introduced by data stewards.

Technology plays an important part. There are several tools that address data management disciplines. Metadata tools consolidate metadata from a number of technical and business sources, and allow users across the enterprise to view them from the web.

Reference data management tools offer a range of functionality to manage and use reference data. Several business intelligence (BI)5 and extract/transform/load (ETL)6 tool vendors have developed or acquired data quality capability. Data security is usually addressed via technology within databases and also by role-based security in data access tools.

Before purchasing and implementing EIM technologies, it is important to ensure that the tools being considered interoperate well with each other. For example, it's important that the metadata tool can easily extract metadata from the database, BI, and ETL technology. Likewise, database technology must be able to seamlessly integrate with the enterprise security software.

Data Reuse

Risk management has traditionally been a collector and aggregator of data. Risk managers have long been troubled by data issues because business units do not see data needs beyond their narrow areas of focus. One of the great challenges for risk management is to make business units willing participants in collecting and managing data.

The increasing sophistication of risk measurement techniques, together with the growing convergence between finance and risk functions, positions risk management well to become the source of important data for running the business.

A potent argument for better control of data comes from the possibilities for data reuse. Increasing use of data serves to enhance its value. More eyes on data means improved data validation and correction. Projects can also incrementally add data to an existing repository and enhance the data for the benefit of all users.

A simple example serves as a useful illustration. All large banks have developed one or more repositories of data to comply with Basel II requirements and calculate regulatory capital. If the repository is designed correctly, the addition of a small number of new data elements is sufficient to leverage the same repository for use in calculating economic capital. This not only saves cost but also results in new uses, such as detailed comparisons of imbalances between regulatory and economic capital.

Risk management data can also be leveraged by business units, affording insights they didn't have previously. The Basel II repository, which contains regulatory and economic capital information that has been attributed at a detailed level, can serve as important input to implement accurate risk-based pricing and risk-adjusted performance measurement. Aside from the functional benefits, this tends to further strengthen the primacy of the data environment and raise the value of risk management.

Conclusion

This whitepaper shows how the quality of data is critical to an effective ERM process and introduces a comprehensive approach to managing data. A robust data environment can produce tremendous benefits in delivering superior risk management policies and methodologies. An enterprise approach to data management involves cultural change that is driven by the implementation of data-specific policies and methodologies in addition to technology infrastructure. While this is a long and sometimes difficult journey, showing that a direct business benefit is realized from sophisticated use of data is a critical enabler of a successful journey.

The end result of developing such a robust data environment for ERM not only serves the risk management function but also provides significant and tangible business benefit, aligning the goals of risk management and business lines.

About the Authors

Dr. Robert M. Mark is the Chief Executive Officer of Black Diamond, which provides corporate governance, risk management consulting, and transaction services. He serves on several Boards. In 1998, he was awarded the Financial Risk Manager of the Year by the Global Association of Risk Professionals (GARP). He is on the board and is the Vice Chairman of The Professional Risk Managers' International Association (PRMIA). Prior to his current position, he was the Senior Executive Vice-President and Chief Risk Officer (CRO), as well as Corporate Treasurer, at the Canadian Imperial Bank of Commerce (CIBC). Prior to CIBC, he was the partner in charge of the Financial Risk Management Consulting practice at Coopers & Lybrand. He earned his Ph.D., with a dissertation in options pricing, from New York University's Graduate School of Engineering and Science, graduating first in his class. Subsequently, he received an Advanced Professional Certificate (APC) in accounting from NYU's Stern Graduate School of Business, and is a graduate of the Harvard Business School Advanced Management Program. Dr. Mark is also the co-author of two popular and well-regarded books about Risk Management.7 & 8

Dilip Krishna is head of Teradata's Enterprise Risk Management practice in North America. He and his team have consulted on enterprise risk management and Basel II initiatives with several U.S. financial corporations. He has had 15 years of experience in technology and business consulting in the financial industry and brings significant experience in the successful management of large-scale projects. He has authored numerous articles about risk data architecture and implementations and has also spoken about the topic in diverse settings. He has a strong academic background with CFA and FRM designations, as well as engineering degrees from the Ohio State University and the Indian Institute of Technology.

Footnotes

1. The Markets in Financial Instruments Directive (MiFID) aims to build a single, seamless financial services market in the European Union. It focuses on creating transparent and efficient financial markets in the EU. It is due to come into effect in November 2007.

2. Universal Meta Data by David Marco and Michael Jennings, John Wiley & Sons, 2004.

3. Data Quality: The Field Guide by Thomas Redman, Digital Press, 2001.

4. "Information Strategy: The Master Data Management Challenge" by Jane Griffin, May 2005, DM Review Magazine.

5. Business Intelligence from Wikipedia, at http://en.wikipedia.org/wiki/Business_Intelligence.

6. Extract, Transform, Load from Wikipedia, at http://en.wikipedia.org/wiki/Extract,_transform,_load.

7. Risk Management by Michel Crouhy, Dan Galai, and Robert Mark, McGraw-Hill, 2000.

8. The Essentials of Risk Management by Michel Crouhy, Dan Galai, and Robert Mark, McGraw-Hill, 2005.