January 21st, 2010
Many organizations today have some form of method and system in place for the effective management of day-to-day risks, such as control assurance frameworks and effective risk and control assessment processes. These processes are employed to manage current risk effectively and go some way towards identifying future risk within the organization. The application of other practices such as mitigation techniques and incident management further enhances this process. But what about those risks that are coming down the track in the long term?
Many organizations are currently considering how they can improve their capabilities for identifying their next big emerging risk. Many emerging risks or ‘global’ risks are systemic in nature and may often be beyond the capability of one single organization to contain. The World Economic Forum’s Global Risks Network, with organizations such as SwissRe and Zurich at the helm, recently published its 2010 Global Risk Report. The report identifies fiscal crises and unemployment, underinvestment in infrastructure and chronic disease as the pivotal areas of risk over the coming years. It also explores the interconnectedness of risks and considers how strategies for the mitigation of emerging risks might be structured.
The Global Risks Network recommends that organizations take a long-term approach to emerging risk identification, analysis, tracking and mitigation. The management of global or emerging risks can be supported using different functions within our Sword Operational Risk system. These functions can be combined or used independently to manage emerging risks, depending on the organization’s own internal approach. One approach is to assess the risk’s significance within the organization, how it is linked to other risks and its implications for the business through risk assessment in Sword’s Risk and Control Assessment module. Such a process should be kept separate from the current assessment framework.
Another more powerful method is the use of scenario analysis through the Sword Scenarios module. Scenario analysis can serve as an effective means for organizations to estimate their potential risk exposures and levels of preparedness should catastrophic risk events emerge. This method is currently being employed by relatively few organizations but provides an excellent format for exploring what the future might look like and the likely challenges to the business.
A third method is to routinely monitor emerging risks through effective use of leading indicators within Sword’s Indicator module. Monitoring emerging risk indicators helps to develop the organizational agility to address unknowable risks when they arise. Lessons learned should be captured in the Issue and Action module for analysis in relation to leading indicators, to further improve risk resilience.
The three approaches can also be combined to identify, manage and mitigate emerging risks more effectively in the long term.
Dan Wallace
Tags: emerging risks, indicators, risk assessment, scenarios
Posted in Asset Management, Banking, ERM/ GRC, Insurance, Operational Risk
December 15th, 2009
As part of a recent announcement on the importance of Stress Testing, Paul Sharma, FSA director of prudential policy, said:
“Stress and scenario testing should be an important element in firms’ planning and risk management processes. These changes send a clear signal to firms’ senior management that they need to engage in building a robust stress testing infrastructure as an important part of effective risk management, and use that to assess capital needs in a stress.”
This will force financial institutions to use scenarios to model risk and then to stress those scenarios. It also implies that they will need to take a quantitative approach to measuring the risk in scenarios. As if this isn’t enough, the announcement goes on to say that it expects firms to carry out “simultaneous system-wide stress testing”. That means having a common set of scenarios that are assessed across the enterprise and then compared and aggregated.
Right now, the majority of financial institutions who are doing scenario analysis are using spreadsheets and this is clearly going to have to change. In partnership with some of our clients in insurance who are preparing for Solvency II and the Swiss Solvency Test, we have built a Scenario Analysis module in Sword that supports exactly what the FSA is asking for. Users create a set of scenario templates, determining what information is captured and what measures are required for each scenario. These can then be assigned to each of the relevant parts of the organisation for assessment and their status monitored. Once assessments are complete, the results can be used to analyse and stress the scenarios. Importantly, scenarios can draw on the data in the underlying risk framework, linking risk assessment, mitigation and losses to scenarios automatically, to inform and improve their assessment.
Scenario analysis and stress testing are an important step towards reducing risk in financial institutions and I believe that, if the FSA supervise this initiative robustly, it will have a very positive effect.
Mike MacDonagh
Tags: FSA
Posted in Banking, ERM/ GRC, Insurance, compliance
December 10th, 2009
What is different about ISO31000 is more or less encapsulated in its definition of risk as “the effect of uncertainty on objectives”. Firstly, risk: ISO31000 is unashamedly risk-based rather than control-based (as are, for example, COSO or COBIT) and this, in turn, makes it an approach rather than a prescription, unlike control-based standards. Secondly, there is ISO31000’s insistence that risk is measured in terms of its effect on objectives. Why is this important? Because, without the need for pages of additional text, it reinforces ISO31000 as a corporate governance standard. If the definition of objectives is correct and complete and the risks to them are understood, effective governance becomes possible. Finally, effect is a neutral term that includes the upside of uncertainty as well as the downside. It isn’t simply about stopping bad things from happening but implies quantitative measurement of positives and negatives and, hence, risk-based decision making.
The progenitors of ISO31000 have clearly thought hard about the definition of risk and this is one of the reasons why I am happy to join the crowd who are lauding it.
Mike MacDonagh
Tags: ISO31000
Posted in ERM/ GRC
October 22nd, 2009
The Senior Supervisors Group, a group of regulators from the US, Canada, France, Germany, Japan and the UK, has just published a report on Risk Management Lessons from the Global Banking Crisis of 2008. Based on self-assessments of risk management practices in 20 global financial institutions, the report highlights failings in risk management and internal controls that have still not been addressed. The group reported that the self-assessments were “….. in aggregate, too positive and that firms still had substantial work to do before they could achieve complete alignment with the recommendations and observations of the (previous) studies.”
I will leave what this tells us about the overall state of the financial services industry to better qualified commentators, but the specific recommendations with regard to risk management practices are of interest, highlighting as they do a lack of willingness thus far on the part of these institutions to invest in risk management. Again quoting from the report: “….. supervisors believe that a full and ongoing commitment to risk control by management, as well as the dedication of considerable resources toward developing the necessary information technology infrastructure, will be required to ensure that the gaps between actual and recommended practice are closed in a manner that is robust and, especially important, sustainable.”
Wolters Kluwer both advocate and provide Governance, Risk and Compliance solutions to the financial services industry and, as suggested by the report, these solutions can help to address a number of the weaknesses highlighted by the regulators, including:
- Poor integration of fragmented risk management systems into a single technical infrastructure capable of providing a consolidated view of risk to senior management.
- The lack of clearly defined firm-wide risk appetite statements that are linked to the underlying risk framework for monitoring and reporting purposes.
- Little or no ability (or infrastructure) to conduct firm-wide analysis and stress testing of forward-looking scenarios, especially reverse stress testing.
The report seems to show that, despite the seriousness of the crisis, some of the largest financial institutions are hesitating before implementing measures to reduce the risk of a recurrence. If that is the case with them, what hope is there that the rest will follow unless there is significant intervention on the part of the regulators?
Posted in Banking, ERM/ GRC
August 17th, 2009
I have written recently on the value of scenario analysis in terms of reducing the risk of, or mitigating the impact of, extreme events (http://www.cchsword.com/blog/?p=20). As a vendor of risk management solutions we are constantly faced with the need to convince our customers and prospective customers of their value. In the case of scenario analysis, where the solution is seen simply as an aid for assessing a dozen or so scenarios to calculate regulatory capital, this can be a challenge. Of course there is an existing answer to that, based around Pillar 2 and the Use Test. Where the scenario modelling and analysis functionality is built into the same system that supports the risk management framework, as it is in Sword, it will be much easier to satisfy the regulators.
From the insurance community, however, a different use of scenarios is emerging that has a more immediate business value. Scenarios used for assessing regulatory capital concentrate on the tail events in loss distributions, attempting to estimate the frequency and size of extreme events, but scenarios can also be used to model the high volume, low value events that fall in the ‘expected losses’ portion of the loss curve. Insurers are used to this type of analysis when looking at insurance risk but are starting to look at their own risks in the same way. Take an expected loss scenario for which several million euros or more is reserved each year: if the organisation can build scenarios around the actual risks, controls and losses involved, it can examine the impact of further mitigation measures and put indicators in place to monitor the risk and allow early intervention. Unlike extreme event scenarios, this involves assessing fifty or more different scenarios at many different points across the enterprise, with the total number of scenarios reaching or exceeding one thousand. This level of scenario analysis must be automated, but it does raise the possibility of being able to go to senior management and ask for a budget to reduce expected losses immediately. I wouldn’t dare suggest that senior management in our financial institutions might take a short-term view, but human nature is such that this may be an argument that is much easier to win.
Mike MacDonagh
Tags: capital adequacy, scenario analysis
Posted in ERM/ GRC, Insurance, Operational Risk, compliance
July 27th, 2009
In his excellent report “Enterprise Risk and Governance—Trends, Vendors, and Market Outlook”, I think Cubillas Ding has nailed a modern definition of Operational Risk Management. Describing inadequate operational risk management as a key cause of the financial crisis, he notes: “Operational risk management defined not as a distinct discipline, but as a pervasive activity that is embedded in day-to-day processes and business decision-making.” By focusing on a definition of OpRisk as a verb rather than a noun, Cubillas captures the key concept of OpRisk as an active process that requires involvement throughout the enterprise. In the same paragraph, he discusses how OpRisk Management needs to cover a broad spectrum of risks and how it needs to be “…… intertwined with transactional, control and other risk management mechanisms to be effective.”
What is being described here is a mature OpRisk Management environment and, as a simple test, checking how your own OpRisk Management processes stack up against this definition will go a long way to telling you how effective they are likely to be.
The report can be purchased from Celent and an outline is available at http://www.celent.com/124_1939.htm.
Mike MacDonagh
Tags: ERM/ GRC, Operational Risk
Posted in ERM/ GRC
June 1st, 2009
Let me start by saying that I believe the importance that regulators are placing on scenario analysis in the light of recent events is a good thing. By identifying key risk scenarios, understanding the underlying risks, stress testing the scenarios and then acting on the results, we will make those scenarios less likely.
My concern is that, by focusing on stress testing of scenarios rather than on scenario analysis itself, regulators are at risk of losing a large part of the potential benefit. Worse still, there is evidence that this is leading to the development of lists of standard scenarios, with companies offering scenario libraries to financial services organisations. Surely the whole point of scenario analysis is that it is intended to help to discover (and then understand) alternative future contexts? Rather like Douglas Adams’ philosopher, who demanded “rigidly defined areas of doubt and uncertainty”, the idea of the financial services industry beavering away stress testing standard scenarios while the world changes around us would be laughable if it wasn’t so scary.
In Donald Rumsfeld’s language, stress testing standard scenarios focuses on the known unknowns, and this certainly has value, but in the past (including the recent past) it is the unknown unknowns that have risen up to bite us time and again. Financial services organisations need to focus on the process of identifying and defining scenarios that are consequential, challenging and coherent and then understanding how they may arise, so they can devise an early warning system of indicators to help them prevent or prepare for them if they do happen.
Mike MacDonagh
Tags: scenario analysis, stress testing
Posted in ERM/ GRC, compliance
March 29th, 2009
I have been spending a lot of time recently talking to industry analysts about GRC. It has been a genuinely enjoyable and informative process. So what have we learned from these discussions?
The overwhelming impression is that GRC is an immature concept and that it is still very much a concept.
The areas of agreement between the analysts are probably greater than between the vendors (allegedly up to 600 of them and counting) but there is certainly no universally accepted definition of GRC. As for implementation of GRC by companies, the view is that there aren’t many GRC Platform projects and that the number is actually dropping as a consequence of the economic downturn. Almost everyone agrees that the prevalent approach to GRC right now is for companies to implement solutions that address specific pain points but to look for those that fit into an overall GRC strategy.
Mike MacDonagh
Tags: GRC & ERM Blogs
Posted in ERM/ GRC
January 27th, 2009
For both Enterprise Risk Management and GRC, we have been encouraged to think of individual silos of risk management or compliance functions as a bad thing and their removal as a sign of increasing ERM or GRC maturity. This doesn’t have to be true and, indeed, there is a growing belief that it is important to retain the right kind of silos.
Take audit: there has been a rush among GRC vendors to add an audit function to their offering and to integrate it tightly with the risk management and compliance functions. As the leading vendor of audit systems, CCH TeamMate are starting to hear of dissatisfaction with this approach. Independence is vital to the auditors’ role and it needs to be guarded jealously. Most importantly, auditors want to be free to choose the best audit tool for their requirements, usually from a specialist supplier.
In this case, Audit Management is a “best of breed” solution that needs to be joined up with other governance, risk and assurance solutions but that integration needs to reflect the needs of auditors and to continue to be developed exclusively with those needs in mind. The same is true of many areas of compliance and risk management. These areas are staffed by skilled experts and those experts need to be given the tools to do their jobs properly.
The trick is to be able to bring these “best of breed” solutions together in the right way to provide management not just with a ‘joined-up’ view of risk, compliance and audit but also with tools that enable them to do something about it.
In our view, the ‘central’ GRC platform needs to have:
- A data warehouse that contains a common view of:
  - the organisational structure
  - the process structure
  - risk and control categories
- Issue and Action Management
- Key Risk and Performance Indicators
- Risk Analytics
- Dashboards and Reporting
This is supported by ‘best of breed’ solutions for:
- Loss Recording
- Risk & Control Self Assessment
- Audit Management
- Compliance Monitoring (e.g. AML, SOx, etc.)
- Continuous Control Monitoring
- Controlled Document Management (inc. Policy & Procedure Management)
- Other risk management solutions (e.g. Credit Risk, Market Risk, etc.)
Mike MacDonagh
Tags: audit, compliance, ERM/ GRC, GRC & ERM Blogs, Mike MacDonagh
Posted in ERM/ GRC, compliance
November 18th, 2008
Common sense might tempt us to believe that the larger financial services organisations are the ones who are most likely to be leading the way towards Enterprise Risk Management. After all, they have a more sophisticated view of risk management overall and have many years of experience in different areas of risk management. They also have the most to gain from the benefits of common risk management processes and a consolidated view of risk across the organisation. Some recent market research I have carried out in smaller financial organisations in the US and Europe points to an unexpected challenge to this assumption.
In the smaller banks, insurance companies and asset managers, the growth of regulation means that compliance is one of the most significant challenges that they face and, as a result, compliance management is a comparatively well developed (and well resourced) discipline. Compliance is also a very wide-ranging subject, encompassing most areas of and processes within the organisation and overlapping with many risk areas. What is happening is that regulators on both sides of the Atlantic are asking financial services organisations to take a more risk-based approach to compliance and, at the same time, encouraging them to have an enterprise-wide view of risk.
So why would the smaller firms be in a better position to adopt an Enterprise Risk Management approach? The answer seems to lie in where they are coming from. The larger organisations already have well developed risk management silos for different categories of risk, so there are both technical and organisational barriers to an Enterprise Risk Management approach. Each area has its own specific requirements and has bought or developed sophisticated solutions, and bringing them together is both expensive and risky. In the smaller organisations these silos are less well developed, so it appears far more likely that a system implemented to manage compliance risk will also be adopted by other risk management areas that were hitherto using manual methods or spreadsheets. In these firms, cost constraints and small size may mean that, instead of there being organisational barriers to an enterprise-wide approach, there are actually organisational incentives.
Mike MacDonagh
Posted in ERM/ GRC, compliance