The risk management data conundrum
Utility companies that see the wisdom of embracing the concepts of consolidating and sharing data to enhance the management of their risk profiles face challenges beyond the typical hoarding that takes place within business silos. For most, the challenge is to build consensus to move away from the spreadsheet environment that is so deeply entrenched to a solution that is built either within the organization or externally by a solution provider. That process is often a difficult hurdle to overcome.
In our last column we examined how, as utilities consolidate data, they come to see they are sitting on the proverbial untapped gold mine within their existing system resources. They want to be able to use the data to create advanced risk analytics and guide senior management’s calculation of specific risk statistics. For instance, companies will be able to create what-if scenarios to guide decision making, with the end-goal being a move away from historical or theoretical assessments and toward real-time data integration and manipulation.
The Decision Tree
Utilities implementing a new risk system should evaluate their needs from a business perspective–including physical and financial–and the technology perspective–data, analytics and reporting.
The front-office trading group lends itself to the use of best-of-breed software solutions, due to the intricacies of each market. For instance, power varies greatly from crude oil and natural gas, and exchange-traded products differ from over-the-counter products (standardized versus non-standardized). Over the years, many software vendors have come into existence based solely on their mastery of a single market or commodity, which has had the unfortunate effect of creating a silo-approach to managing risk. As deal-capture software matured, vendors merged and products standardized so that companies could better consolidate their data to measure risk across a broader spectrum of commodity exposures. Data warehousing projects followed, providing data to the middle office for risk analysis. Those projects have enjoyed varying degrees of success–and failure.
But the middle office is precisely where the rubber hits the road. The middle-office risk managers must logically combine the various front-office data into a cohesive, unified corporate risk management environment–or else! It is indeed a daunting task and for the most part, success has eluded utilities due to the fragmented technology deployed. Risk systems typically provided analytics; data infrastructure and reporting had to be integrated, so the best-of-breed approach was tried.
Today’s environment, with its emphasis on best practices risk manage-ment, requires more. Depending on the size of a utility, there are, roughly, four categories of systems from which to choose: in-house built (includes outsourced), configurable risk frameworks, black-boxes and a fourth category we will call a “gray-box.”
In-house systems start as a project with the (unrealistic) scope of meeting all user requirements, the panacea of technology projects. From initial requirements to project planning, through coding and delivery, the project provides only a fraction of desired functionality and is often over budget and overdue. Another drawback of in-house built systems is the eventual and inevitable lack of documentation, a high priority at the onset but one that never seems to be completed. Vendor-supplied software has matured to a point where the in-house option, if chosen, is more of a political decision than a business one.
A configurable risk framework is just that: a starting point that provides the plumbing (data integration layer), analytical tools (programming environment) and reporting (portal, web) to configure a risk solution that can meet a high percentage of user requirements. The focus is on the methodology rather than reinventing the analytical wheel. Flexibility is paramount and since large integrated utilities have very complex business processes around measuring risk, this option can provide significant benefits. Strong project management skills are necessary as well as a committed project team. Risk frameworks cannot be implemented “part-time.”
Black-boxes are systems and software that are purchased from a third-party vendor. They are well-known in the industry but, because they are built by someone else, they lack transparency, something that is becoming more of an issue with the advent of Sarbanes-Oxley. Black-box solutions are “easier” to implement, providing a data model, canned analytics and reports, but since each business is as unique as a human fingerprint, it is hard to design a system that can meet varied user needs. A vendor will customize the solution to the point where the code stream essentially becomes an in-house build (effectively outsourcing) and ongoing vendor support is difficult to rely on. Additionally, the “canned” abilities of black-boxes make them laggards in terms of supporting all the new products and contracts
Gray boxes are similar to black-boxes but have the additional feature of being configurable, or a transparent open code architecture solution. They are a combination of black-box solutions with a configurable risk framework to provide the benefits of each (rapid implementation, flexibility) while avoiding the pitfalls (build from scratch, lack of transparency). Gray boxes take a risk framework and add a methodology to calculate risk and in some instances may provide a graphical user interface.
These categories are not mutually exclusive. We have seen many firms choose a best-of-breed approach, combining any or all of the above. But the devil is in the details. In this case, the details lie in the integration of the “breeds,” which can consume enormous amounts of scarce resources and bring a project and/or system to its knees if not properly maintained.
To state the obvious, a risk strategy needs to incorporate both business and technology dimensions. The latter has a critical piece that is often overlooked: data integration. The focus of many risk projects is on how the analysis is generated and/or presented. In the end though, an analysis/presentation focus is not valuable unless the basic data is integrated and verified, in order to ensure accuracy. Additionally, any technology project that the firm undertakes must provide appropriate change management and business process re-engineering in order to ensure success.
Louis Caron provides internal consulting services assisting the software sales and marketing function globally; Leigh Parkinson is an energy consultant with RiskAdvisory, assisting the software sales and marketing function in the Americas; and Peter Sofarelli is sales manager at RiskAdvisory, focusing on the planning, coordination and execution of go-to-market strategy. Contact Mr. Sofarelli at Peter.Sofarelli@sas.com. RiskAdvisory is a division of SAS.