The Client: A multi-billion dollar financial services provider with operations across the world with millions of customers.
Being a complex organization with multiple business units and operations spread across geographies, the company found it increasingly difficult to measure and monitor risks. Although risk assessments were performed regularly in every business unit, complexities arose when it came to consolidating the results. Each business unit used different risk terminologies and languages, which made it challenging to get a holistic picture of risk at the enterprise level.
After analyzing the situation, the company chose to implement a federated approach to Operational Risk Management (ORM), supported and enabled by a workflow-based ORM solution. The approach was designed so that each business unit would be able to conduct its own independent operational risk assessments, while the results would be automatically aggregated and rolled up so that the board and top management would gain a single, comprehensive view of risk across the enterprise.
The company's federated ORM project was kick-started in early 2012. Stakeholders from different groups such as Compliance, Audit, Vendor Governance, and Risk Management came together to discuss what to do, how best to go about it, and what technology solution to implement. Eventually, the company developed a comprehensive ORM strategy, and implemented a solution that focused on strengthening existing ORM processes, standardizing the risk language, and gaining an integrated risk view.
Below are the key elements of the company's enhanced ORM program:
At a broad level, the company's operational risk assessment process begins with the risk administrator preparing an RCSA plan and schedule, based on which the operational risk managers assess their business unit's risks and controls. Each business unit has the flexibility to implement its own approach to RCSAs so that it is relevant to the risks it faces. This kind of flexibility is important because a risk such as credit risk that is critical to one business unit may not be relevant to another.
But whatever the approach to RCSAs, all business units use the same risk language and nomenclature to describe operational risk drivers, correlation bundles, controls, control objectives, and reliance maturity. All these risk terms are clearly defined and stored in a centralized risk data dictionary that can be accessed by operational risk managers across the globe while preparing their risk reports.
Given that risk events can be unpredictable as well as subject to constant change, the company enables continuous and recurring risk assessments. It also conducts process RCSAs, which focus on ad hoc but granular evaluations of a specific risk or function.
Several internal and external factors such as a change in policy, or a restructuring of the management team have a direct impact on risk management at various levels of the organization. Every time such a change occurs, a BEA event workflow is triggered. This allows risk administrators to route the BEA to concerned risk managers in their team who, in turn, can either accept or reject the BEA depending on how it impacts their organization or their risk management processes.
Each operational risk manager has access to powerful graphical dashboards which provide real-time insights into all risks, issues, losses, KRIs, BEAs, and other critical information in the business unit. Users can view risks by category and organizational tier, and identify if there needs to be a re-assessment of a risk driver, a loss scenario, inherent risk, controls, or any other elements. This top-level risk view helps risk managers focus their attention on the most critical risk areas. Advanced drill-down capabilities help the risk managers view the data at any level of granularity, and proactively identify and analyze risk triggers (e.g. new issues, losses, BEA change events, breach of KRI thresholds).
At regular intervals, an informal risk snapshot is taken of all RCSAs in a business unit. The result is a "freeze-frame" picture of risks which enables operational risk managers to identify and analyze risk trends effectively. A more formal risk snapshot is taken every quarter.
Similar to the ORM dashboard is a landing page in the ORM solution which provides operational risk managers with a complete overview of their business unit's risk profile. Any risk manager who logs into the system can quickly and easily understand the risk profile without having to click on several different links and tabs.
At a broad level, the landing page contains top-level risk categories, events, number of controls, number of issues, number of KRIs, number of loss events, and other such critical data that can be quickly navigated through. If there is a change made to the data (e.g. a new issue registered in the system), it is automatically mapped to the relevant risk categories (e.g. credit risk issue, market risk issue).
Since risk managers are located in different geographies, and may therefore speak different languages, the landing page provides multi-lingual support, in addition to being intuitive and easy to use.
Most organizations measure their inherent risk in terms of impact and likelihood, expressed as a 2x2 framework. But since the company deals specifically with finance, it opted to express risk impact in terms of other dimensions such as currency (i.e. USD, Euro, etc.).
A specific group in the organization uploads the risk data based on changing currency rates. So when the risk report is shown to the Board, they can view the currency conversion rate. The currency is also defined based on the user profile. For instance, a user in Europe will see the risk impact expressed in terms of Euros while his or her counterpart in the U.S. will see it in USD.
Risk can also be measured in terms of probability, i.e. the likelihood that a risk scenario, paired with the defined inherent risk, will occur within a year. Users even have the ability to determine the inverse actuarial risk probability.
Another unique way of measuring risk is in terms of velocity. Risk velocity adds a third dimension to the traditional model of risk impact and likelihood, and refers to the speed at which a particular risk occurs and impacts the organization. In other words, it introduces the "time" factor to risk management. So, by measuring risk velocity, the company can determine how quickly a risk might occur, how fast it will be impacted by it, and how much time it will have to prepare and react.
In its risk data dictionary, the company maintains a comprehensive list of control objectives, i.e. descriptions of the types of controls required for a specific risk. There are also control objective ratings which tell the organization whether or not all the required controls are in place, and how important they are to the overall risk category. A strong control objective rating indicates that the needed controls are in place, while a weak control objective rating indicates that some controls are missing for a particular risk category. Control ratings, on the other hand, indicate the effectiveness of an individual control. By combining these control ratings with overall control objective ratings, the organization gets a complete picture of the adequacy of the control environment for a particular risk category.
All RCSA, loss management, and BEA processes eventually link to issue management in a closed-loop approach. In fact, there are many other processes and functions such as Compliance and Audits which also integrate with issue management. If each function uses different terminologies for these issues and the associated risks, then reporting becomes complicated. To avoid this challenge, all functions refer to the same risk data dictionary for enterprise-wide issue reporting. And if any of the issues pose an operational risk, the ORM group gets notified immediately.
The company implemented MetricStream ORM Solution to support and enable their risk management strategy. The solution provides the following core capabilities: