Posts Tagged ‘GRC & ERM Blogs’

GRC, Platform or Strategy?

Sunday, March 29th, 2009

I have been spending a lot of time recently talking to industry analysts about GRC. It has been a genuinely enjoyable and informative process. So what have we learned from these discussions?

The overwhelming impression is that GRC is an immature concept and that it is still very much a concept.

The areas of agreement between the analysts are probably greater than between the vendors (allegedly up to 600 of them and counting) but there is certainly no universally accepted definition of GRC. As for implementation of GRC by companies, the view is that there aren’t many GRC Platform projects and that the number is actually dropping as a consequence of the economic downturn. Almost everyone agrees that the prevalent approach to GRC right now is for companies to implement solutions that address specific pain points but to look for those that fit into an overall GRC strategy.

Mike MacDonagh

Risk Appetite and Objectives

Tuesday, September 16th, 2008

I have spent a lot of time recently talking with Financial Services firms about risk and compliance and there’s no doubting that the visibility and maturity of these disciplines is increasing rapidly. Recent events, including the credit crisis certainly provide an incentive for this but the key driver is surely the desire of shareholders, rating agencies, regulators and the businesses themselves for better governance.

Risk appetite is a concept that sits at the heart of good governance but it is a concept that lacks a universally agreed definition and has a hugely varied implementation in Financial Services. It is a term that is often confused with other measures, so it is worth looking at some definitions of these, culled from a variety of web sources:

  • Risk Capacity: the maximum risk that an organisation can bear (defining ‘bear’ is another discussion point but is most often taken to mean ‘before insolvency’). Risk capacity is usually a straightforward financial measure.
  • Risk Appetite: includes the additional element of possible gain, tends to align with specific areas of the organisation and is linked to broad objectives, often in a rather qualitative or informal way.
  • Risk Tolerance: a more quantitative measure of the amount of risk that an organisation is prepared to accept in pursuit of specific objectives. Risk tolerance is usually measured as a combination of impact and likelihood.

If we look at statements on risk appetite taken from the annual reports of two of Britain’s largest banks, the difference in approaches is apparent:
For Royal Bank of Scotland: “Risk appetite is an expression of the maximum level of residual risk that the bank is prepared to accept in order to deliver its business objectives.”
Barclays has a more specific view that risk appetite is: “… expressed as the group’s appetite for earnings volatility … credit, market and operational risk … against our broad financial targets …”.

In these cases, it appears that Risk Appetite and Risk Tolerance are perhaps closer than the definitions imply. In each case the key is that they are linked to objectives, and this is what I am finding that firms are picking up on. Objectives provide them with the link between risks and a meaningful measure of the impact of that risk on what is important to the organisation. This works both on an enterprise-wide and a local scale and so provides a framework for risk measurement across the organisation. Importantly, it also provides a mechanism for using different frameworks for risk appetite for different objectives, some quantitative and some qualitative. I’ll explore this in a future blog.

Mike MacDonagh

The business case for extending risk management to business users

Monday, March 10th, 2008

I was at a conference last week where Swiss Re made an excellent presentation on their implementation of a risk framework for Operational Risk. They use Ci3’s SWORD to implement it but that isn’t my point today. The speakers were able to show how they managed to create an integrated risk management framework by involving business users in activities such as risk and control assessment, loss capture and the tasks and actions involved in mitigating risks and investigating control failures. In return, business users receive consolidated risk and loss information that they can use to improve their business.

Presented in this way, the only question is: “Why wouldn’t everyone do it this way?” But all too often risk departments are unwilling to involve business users because “… it’s too complex for them” or “… it is too hard to train them”. Most often though, I suspect it is because they struggle to justify additional software licence costs against a value proposition that has not been fully examined.

The FSA’s ‘Use Test’ requires not only that risk measurement systems should provide for risk management but also that they should provide a discernible benefit to the organisation. Extending the use of risk management systems to business users must be one of the best (and most cost-effective) ways of achieving this.

Mike MacDonagh