The financial institution’s previous approach to ORM was largely manual and – in terms of risk maturity – 'basic'. That means that while some consistent ORM processes were in place, there was significant room for improvement. Keen to digitize and strengthen their ORM processes, the financial institution outlined several goals, including:
To achieve these goals, they needed a robust ORM solution. They evaluated 60 solution vendors out of which MetricStream ORM emerged as the clear choice. Why? For starters, MetricStream met most of the institution’s requirements out-of-the-box. The solution was also intuitive and easy for the frontline to adopt. Its flexibility meant that different departments with different levels of ORM maturity could start with any solution component they preferred. And since the solution was agile, it would evolve seamlessly with the institution’s risk management requirements over time.
After two years of using MetricStream ORM, the institution has moved up the risk maturity curve to the advanced level. This means there is now a common risk framework across business functions and lines of defense; risks are mapped to business objectives and measured against KRIs and KPIs; and loss events are recorded and monitored there by implementing a positive risk culture across the organization.
The institution now has developed a centralized risk governance framework that links business objectives, processes, policies, and risk appetites to risk management processes, risk events, controls, mitigation programs, and risk metrics.
With all these elements tightly mapped in a single framework, the institution has a more comprehensive understanding of their risk universe and how it ties back to their business.
The institution has also developed a common, standardized risk taxonomy. Level 1 of the taxonomy defines about 11 risks, ranging from cyber and third-party risks, to system failure, damage, physical assets, fraud and compliance risks. Levels 2 and 3 break down each of these risks into more granular categories. Since all the risks are well-categorized, risk assessments and communication have become simpler and streamlined.
With MetricStream, the financial institution is now able to clearly map risk management roles and responsibilities. So, there’s greater accountability, especially in the first line. This promotes a proactive risk culture across the organization.
MetricStream has helped the financial institution streamline ORM processes, ranging from risk identification, analysis, and treatment, to risk communication, monitoring, and reporting. Teams can now plan, manage, and perform risk-control self-assessments (RCSAs) more efficiently. They can also capture losses, track KRIs, set risk thresholds to identify potential threats, and manage action plans to mitigate risks – all through one system.
By digitizing ORM processes, the financial institution has strengthened agility. Teams are responding to risks quicker, and thus averting failures more effectively.
With MetricStream, the financial institution can now capture and consolidate all risk-related data to create a single source of truth. So, teams have a clear view of the organization’s risk profile, including legal risks, third-party risks, cyber risks, compliance risk and related losses.
This comprehensive risk visibility helps the institution understand their risks better and develop targeted mitigation plans. Teams can even drill down into the data to understand the root cause of a risk, associated KRIs, and loss incidents.
Faster response to operational risks with streamlined, automated processes
Improved risk accountability with roles and responsibilities clearly mapped
Better risk visibility with a single source of truth
Improved risk communication with a standardized taxonomy
Real-time insights on existing and emerging risks with powerful reports, heat maps, and analytics
Elevated risk maturity, thanks to a robust ORM framework and program
MetricStream's advanced reports and dashboards give risk functions and executive management a 360-degree, real-time view of operational risks. Risk heat maps with green-yellow-red zones make it easier to prioritize risk responses and strategies. Predictive analytics go a step further by highlighting emerging risks on the horizon. Status reports provide a clear picture of pending tasks and status of various risk management activities. Issue and loss reports highlight discrepancies and deficiencies that need improvements.
Together, all these insights enable management teams to make better-informed strategic decisions that help reduce operational losses and improve business resilience.
The institution is committed to continuously improving its ORM framework and methodologies in line with industry best practices.
Important themes for risk management in the future include third-party risk management, ESG (environmental, social, and governance)-driven risk management, and operational resilience.
In the next two years, the institution hopes to achieve the highest risk maturity level of 'optimized and fully integrated'. To that end, they’re working towards building a more dynamic and responsive risk culture, while also embedding more proactive and forward-looking approaches to ORM across organization-wide processes.