August 24th, 2010
The three lines of defence model is widely used by businesses of all types, across the globe. One of the key requirements of the three lines is the separation and independence of the audit function - the third line of defence. Despite this, there seems to be a trend towards vendors offering GRC solutions that include embedded internal audit management functions. In ARC Logics, we have taken a best of breed approach whereby our audit solution, TeamMate, is separate from our risk and compliance solutions, Sword and Axentis, but is integrated with them. Our customers tell us:
- We want a physically separate database for audit, so we can be certain our audit data is secure.
- We want to be sure that audit functions in the third line of defence are separate from business and assurance functions. While the fully integrated systems support separation of roles and permissions, they don’t guarantee it and would need to be monitored continuously to be certain that this is maintained.
- While we want our audit solution to reflect the risk framework being managed in the first two lines of defence, we want audit to be free to create their own views and extensions and to add risks that are not in the existing risk framework.
These are strong arguments but the killer as far as we are concerned is that our customers tell us they want an audit solution that has been designed and built specifically for auditors, not one that has been bolted on to an existing risk and compliance platform and is, by definition, a compromise.
To answer my own question: all-in-one GRC systems may not specifically compromise good governance, but they do make it harder to guarantee the separation of the third line of defence and require additional effort and monitoring to ensure they do not allow good governance practices to be compromised.
Mike MacDonagh
Tags: audit, compliance, GRC & ERM Blogs, risk
Posted in Uncategorized
May 5th, 2010
They aren’t ready yet, but there’s still some time to go. Having said that, many of the insurers we are working with are well advanced in their Solvency II preparations. Insurers appear (sensibly) to be taking a stepwise approach to Solvency II:
- Step 1: Appoint a programme manager and plan the project.
- Step 2: Focus on Pillar 1 and the data and processes for calculating capital requirement.
- Step 3: Focus on Pillar 2 and the ERM and ORSA requirements.
- Step 4: Focus on the reporting requirements of Pillar 3.
Each step requires different skill sets, and we can track the progress insurers are making by looking at who they are recruiting. Step 1 needs programme managers, Step 2 actuaries, and Steps 3 and 4 require risk management skills. What we are seeing right now is that, as insurers complete Step 2 (or at least have it under control), they are starting to look at Step 3 and are looking for risk management expertise. In particular, this expertise is needed to decide how to approach the ERM requirements of Solvency II.
In our experience, the larger insurers see Step 3 as an opportunity to embed risk management throughout the organisation and are using products like Sword as a foundation for this. Smaller insurers don’t necessarily have the resources in house for this but vendors such as ourselves are starting to make it easier by introducing solutions that include a pre-configured ERM framework for Solvency II, and pre-populated risk and control libraries.
Mike MacDonagh
Tags: ERM/ GRC, Solvency II
Posted in ERM/ GRC, Insurance
March 24th, 2010
Nobody doubts the importance of Solvency II to the insurance industry in Europe but will it achieve what it is setting out to with regard to good governance? The question is a bit broad so, more specifically, will Solvency II really result in insurers linking their capital calculations to their risk appetite and, through the ORSA, to their risk management frameworks? Also, will they really consolidate the different risk silos into an enterprise risk management framework that will increase the risk awareness of executive management and enable risk-based decision making?
It would seem like a no-brainer, but the problem lies in the ROI, or rather, the lack of it. The returns from investing in good risk management tend to manifest themselves in the form of bad stuff not happening but, set against investments that generate positive revenue streams, the comparison can be invidious and the argument for investment a tough one to win.
So what happens next? Faced with the choice between treating Solvency II as an opportunity to invest in an enterprise-wide ERM framework to underpin its capital calculations and help ensure good decision making, or treating it as a series of isolated compliance problems, how many insurers will opt for the latter? After all, this is more or less what happened with the response to Sarbanes-Oxley. If it costs less in terms of cash and organisational investment, will executives simply pass it to compliance and ask them to “keep the regulators happy”?
I guess time will tell. We are already working to implement ERM frameworks for some large insurers who are definitely taking the ‘high road’ in response to Solvency II; let’s hope they aren’t alone.
Mike MacDonagh
Tags: compliance, ERM/ GRC, Solvency II, SOX
Posted in Asset Management, Banking, ERM/ GRC, Insurance, compliance
January 21st, 2010
Many organizations today have some form of method and system in place for the effective management of day-to-day risks, such as control assurance frameworks and effective risk and control assessment processes. These processes are employed to manage their current risk effectively and go some way towards identifying future risk within the organization. The application of other practices such as mitigation techniques and incident management further enhances this process. But what about those risks that are coming down the track in the long term?
Many organizations are currently considering how they can improve their capabilities for identifying their next big emerging risk. Many emerging risks or ‘global’ risks are systemic in nature and may often be beyond the capability of one single organization to contain. The World Economic Forum’s Global Risks Network, with organizations such as SwissRe and Zurich at the helm, recently published its 2010 Global Risk Report. Fiscal crises and unemployment, underinvestment in infrastructure and chronic disease are identified as the pivotal areas of risk over the next years in the report. The report also explores the interconnectedness of risks, and considers how the strategies for the mitigation of emerging risks might be structured.
The Global Risks Network recommends that organizations take a long-term approach to emerging risk identification, analysis, tracking and mitigation. The management of global or emerging risks can be supported using different functions within our Sword Operational Risk system. These functions can be combined or used independently to manage emerging risks, depending on the organization's own internal approach. One approach is to assess the risk’s significance within the organization, how it is linked to other risks and its implications for the business, through risk assessment in Sword's Risk and Control Assessment module. Such a process should be kept separate from the current assessment framework.
Another more powerful method is the use of scenario analysis through the Sword Scenarios module. Scenario analysis can serve as an effective means for organizations to estimate their potential risk exposures and levels of preparedness should catastrophic risk events emerge. This method is currently being employed by relatively few organizations but provides an excellent format for exploring what the future might look like and the likely challenges to the business.
A third method is to routinely monitor emerging risks through effective use of leading indicators within Sword's indicator module. Monitoring emerging risk indicators helps to develop the organizational agility to address unknowable risks when they arise. Lessons learned should be captured in the issue and action module for analysis in relation to leading indicators, to further improve risk resilience.
The three approaches can also be combined together to identify, manage and mitigate emerging risks more effectively in the long term.
Dan Wallace
Tags: emerging risks, indicators, risk assessment, scenarios
Posted in Asset Management, Banking, ERM/ GRC, Insurance, Operational Risk
December 15th, 2009
As part of a recent announcement on the importance of Stress Testing, Paul Sharma, FSA director of prudential policy, said:
“Stress and scenario testing should be an important element in firms’ planning and risk management processes. These changes send a clear signal to firms’ senior management that they need to engage in building a robust stress testing infrastructure as an important part of effective risk management, and use that to assess capital needs in a stress.”
This will force financial institutions to use scenarios to model risk and then to stress those scenarios. It also implies that they will need to take a quantitative approach to measuring the risk in scenarios. As if this isn’t enough, the announcement goes on to say that it expects firms to carry out “simultaneous system-wide stress testing”. That means having a common set of scenarios that are assessed across the enterprise and then compared and aggregated.
Right now, the majority of financial institutions who are doing scenario analysis are using spreadsheets, and this is clearly going to have to change. In partnership with some of our clients in insurance who are preparing for Solvency II and the Swiss Solvency Test, we have built a Scenario Analysis module in Sword that supports exactly what the FSA is asking for. Users create a set of scenario templates, determining what information is captured and what measures are required for each scenario. These can then be assigned to each of the relevant parts of the organisation for assessment and their status monitored. Once assessments are complete, the results can be used to analyse and stress the scenarios. Importantly, scenarios can draw on the data in the underlying risk framework, linking risk assessments, mitigation and losses to scenarios automatically, to inform and improve their assessment.
Scenario analysis and stress testing are an important step towards reducing risk in financial institutions, and I believe that, if the FSA supervises this initiative robustly, it will have a very positive effect.
Mike MacDonagh
Tags: FSA
Posted in Banking, ERM/ GRC, Insurance, compliance
December 10th, 2009
What is different about ISO31000 is more or less encapsulated in its definition of risk as “the effect of uncertainty on objectives”. Firstly, risk: ISO31000 is unashamedly risk-based rather than control-based (as COSO or COBIT are, for example), and this, in turn, makes it an approach rather than a prescription, unlike control-based standards. Secondly, there is ISO31000’s insistence that risk is measured in terms of its effect on objectives. Why is this important? Because, without the need for pages of additional text, it reinforces ISO31000 as a corporate governance standard. If the definition of objectives is correct and complete and the risks to them are understood, effective governance becomes possible. Finally, effect is a neutral term that includes the upside of uncertainty as well as the downside. It isn’t simply about stopping bad things from happening but implies quantitative measurement of positives and negatives and, hence, risk-based decision making.
The progenitors of ISO31000 have clearly thought hard about the definition of risk and this is one of the reasons why I am happy to join the crowd who are lauding it.
Mike MacDonagh
Tags: ISO31000
Posted in ERM/ GRC
October 22nd, 2009
The Senior Supervisors Group, a cooperation of regulators from the US, Canada, France, Germany, Japan and the UK, has just published a report on Risk Management Lessons from the Global Banking Crisis of 2008. Based on self-assessment of risk management practices in 20 global financial institutions, the report highlights failings in risk management and internal controls that have still not been addressed. They reported that the self-assessments were “… in aggregate, too positive and that firms still had substantial work to do before they could achieve complete alignment with the recommendations and observations of the (previous) studies.”
I will leave what this tells us about the overall state of the financial services industry to better qualified commentators, but the specific recommendations with regard to risk management practices are of interest, highlighting as they do a lack of willingness thus far of these institutions to invest in risk management. Again quoting from the report: “… supervisors believe that a full and ongoing commitment to risk control by management, as well as the dedication of considerable resources toward developing the necessary information technology infrastructure, will be required to ensure that the gaps between actual and recommended practice are closed in a manner that is robust and, especially important, sustainable.”
Wolters Kluwer both advocate and provide Governance, Risk and Compliance solutions to the financial services industry and, as suggested by the report, these solutions can help to address a number of the weaknesses highlighted by the regulators, including:
- Poor integration of fragmented risk management systems into a single technical infrastructure capable of providing a consolidated view of risk to senior management.
- The lack of clearly defined firm-wide risk appetite statements that are linked to the underlying risk framework for monitoring and reporting purposes.
- Little or no ability (or infrastructure) to conduct firm-wide analysis and stress testing of forward-looking scenarios, especially reverse stress testing.
The report seems to show that, despite the seriousness of the crisis, some of the largest financial institutions are hesitating before implementing measures to reduce the risk of a recurrence. If that is the case with them, what hope is there that the rest will follow unless there is significant intervention on the part of the regulators?
Posted in Banking, ERM/ GRC
August 17th, 2009
I have written recently on the value of scenario analysis in terms of reducing the risk of, or mitigating the impact of, extreme events (http://www.cchsword.com/blog/?p=20). As a vendor of risk management solutions, we are constantly faced with the need to convince our customers and prospective customers of their value. In the case of Scenario Analysis, where the solution is seen simply as an aid for assessing a dozen or so scenarios to calculate regulatory capital, this can be a challenge. Of course there is an existing answer to that, based around Pillar 2 and the Use Test. Where the scenario modelling and analysis functionality is built into the same system that supports the risk management framework, as it is in Sword, it will be much easier to satisfy the regulators.
From the insurance community, however, a different use of scenarios is emerging that has a more immediate business value. Scenarios used for assessing regulatory capital concentrate on the tail events in loss distributions, attempting to estimate the frequency and size of extreme events, but scenarios can also be used to model the high-volume, low-value events that fall in the ‘expected losses’ portion of the loss curve. Insurers are used to this type of analysis when looking at insurance risk but are starting to look at their own risks in the same way. Taking an expected loss scenario for which several million euros or more is reserved each year: if the organisation can build scenarios around the actual risks, controls and losses involved, it can examine the impact of further mitigation measures and put indicators in place to monitor the risk and allow early intervention. Unlike with extreme event scenarios, this involves assessing fifty or more different scenarios at many different points across the enterprise, with the total number of scenarios reaching or exceeding one thousand. This level of scenario analysis must be automated, but it does raise the possibility of being able to go to senior management and ask for a budget to reduce expected losses immediately. I wouldn’t dare suggest that senior management in our financial institutions might take a short-term view, but human nature is such that this may be an argument that is much easier to win.
Mike MacDonagh
Tags: capital adequacy, scenario analysis
Posted in ERM/ GRC, Insurance, Operational Risk, compliance
July 27th, 2009
In his excellent report, “Enterprise Risk and Governance—Trends, Vendors, and Market Outlook”, I think Cubillas Ding has nailed a modern definition of Operational Risk Management. Describing inadequate operational risk management as a key cause of the financial crisis, he notes: “Operational risk management defined not as a distinct discipline, but as a pervasive activity that is embedded in day-to-day processes and business decision-making.” By focusing on a definition of OpRisk as a verb rather than a noun, Cubillas captures the key concept of OpRisk as an active process that requires involvement throughout the enterprise. In the same paragraph, he discusses how OpRisk Management needs to cover a broad spectrum of risks and how it needs to be “… intertwined with transactional, control and other risk management mechanisms to be effective.”
What is being described here is a mature OpRisk Management environment and, as a simple test, checking how your own OpRisk Management processes stack up against this definition will go a long way to telling you how effective they are likely to be.
The report can be purchased from Celent and an outline is available at http://www.celent.com/124_1939.htm.
Mike MacDonagh
Tags: ERM/ GRC, Operational Risk
Posted in ERM/ GRC
June 1st, 2009
Let me start by saying that I believe the importance that regulators are placing on scenario analysis in the light of recent events is a good thing. By identifying key risk scenarios, understanding the underlying risks, stress testing the scenarios and then acting on the results, we will make those scenarios less likely.
My concern is that, by focusing on stress testing of scenarios rather than on scenario analysis itself, regulators are at risk of losing a large part of the potential benefit. Worse still, there is evidence that this is leading to the development of lists of standard scenarios, with companies offering scenario libraries to financial services organisations. Surely the whole point of scenario analysis is that it is intended to help to discover (and then understand) alternative future contexts? Rather like Douglas Adams’ philosopher, who demanded “rigidly defined areas of doubt and uncertainty”, the idea of the financial services industry beavering away stress testing standard scenarios while the world changes around us would be laughable if it wasn’t so scary.
In Donald Rumsfeld’s language, stress testing standard scenarios focuses on the known unknowns, and this certainly has value, but in the past (including the recent past) it is the unknown unknowns that have risen up to bite us time and again. Financial services organisations need to focus on the process of identifying and defining scenarios that are consequential, challenging and coherent, and then understanding how they may arise, so they can devise an early warning system of indicators to help them prevent or prepare for them if they do happen.
Mike MacDonagh
Tags: scenario analysis, stress testing
Posted in ERM/ GRC, compliance