ARCLogics Sword Blog

In most analysis, Enterprise Risk Management has focused on creating risk frameworks based on an organisation’s business strategy and then managing the risks within the business, reporting the results back up the hierarchy to senior management. The value that ERM provides to a business is assumed but has proven hard to measure or demonstrate directly.

Governance on the other hand is predicated on the ability of senior management not just to set and monitor business strategy but to contunuously update it in response to internal and external events.

Enterprise Risk Governance takes the steering concept of Governance and applies it to Enterprise Risk Management. Management at relevant levels of the organisation can update risk appetites in line with changing business and regulatory pressures, driving and monitoring changes in risk management and mitigation further down the hierarchy. In the case of Enterprise Risk Governance, the value is more immediately apparent to senior management, directly improving their ability to manage change and dramatically increasing business agility, even in large organisations.

Mike MacDonagh

I was at a a conference last week where Swiss Re made an excellent presentation on their implementation of a risk framework for Operational Risk. They use Ci3’s SWORD to implement it but that isn’t my point today. The speakers were able to show how they managed to create an integrated risk management framework by involving business users in activities such as risk and control assessment, loss capture and the tasks and actions involved in mitigating risks and investigating control failures. In return, business users receive consolidated risk and loss information that they can use to improve their business.

Presented in this way, the only question is; “Why wouldn’t everyone do it this way?” but all too often risk departments are unwilling to involve business users because ” ………. it’s too complex for them” or ” ….. it is too hard to train them”. Most often though, I suspect it is because they struggle to justify additional software licence costs against a value proposition that has not been fully examined.

The FSA’s ‘Use Test’ requires that not only should risk measurement systems also provide for risk management but they should also provide a discernible benefit to the organisation. Extending the use of risk management systems to business users must be one of the best (and most cost-effective) ways of achieving this.

Mike MacDonagh

One of the reasons often quoted for ERM being not having been achieved in real-life Financial Services Organisations is the emphasis on a purely top-down approach to appetite setting and reporting. In large organisations, with deep hierarchies, this is impractical. This rationale misses the point that while the view from the top is vital if ERM is to be effective, that view could be nothing more than a consolidation of the views at the level beneath and any ERM processes and activities actually going on at the top level itself.

This can be repeated at each level down the hierarchy and, if implemented in this way, means that not only does ERM become a practical proposition but that it provides valuable information to management at each level of the hierarchy. Solutions that support this approach, such as Ci3’s SWORD ERG are starting to be used by FSOs and are helping to deliver the results that ERM has promised.

Mike MacDonagh