A prominent European financial institution established a new department for risk prevention and compliance. Key objectives behind this change were to build an integrated risk management program, strengthen responses to emerging technology risks, and improve risk management efficiency.
With MetricStream Operational Risk Management (ORM), part of the BusinessGRC product line, the financial institution is successfully meeting these objectives. Teams can now identify, assess, monitor, and mitigate operational risks faster and more efficiently. All risk related data is integrated in a single platform for platform risk visibility. What’s more, a standardized risk taxonomy and framework have been established across the lines of defense. This is helping the institution foster a stronger risk culture and better resilience.
Moving Up the Risk Maturity Curve
The financial institution’s previous approach to ORM was largely manual and – in terms of risk maturity – 'basic'. That means that while some consistent ORM processes were in place, there was significant room for improvement. Keen to digitize and strengthen their ORM processes, the financial institution outlined several goals, including:
- Embedding ORM in all processes through a unified and centralized risk approach
- Incorporating best practices in risk management
- Fostering efficiency through automation
- Driving a risk aware enterprise and strong corporate culture
- Keeping pace with digital transformation and innovation
- Using predictive and behavioral analytics to strengthen risk visibility
To achieve these goals, they needed a robust ORM solution. They evaluated 60 solution vendors out of which MetricStream ORM emerged as the clear choice. Why? For starters, MetricStream met most of the institution’s requirements out-of-the-box. The solution was also intuitive and easy for the frontline to adopt. Its flexibility meant that different departments with different levels of ORM maturity could start with any solution component they preferred. And since the solution was agile, it would evolve seamlessly with the institution’s risk management requirements over time.
After two years of using MetricStream ORM, the institution has moved up the risk maturity curve to the advanced level. This means there is now a common risk framework across business functions and lines of defense; risks are mapped to business objectives and measured against KRIs and KPIs; and loss events are recorded and monitored there by implementing a positive risk culture across the organization.
A Robust, Integrated ORM Framework With Clear Lines Of Accountability
The institution now has developed a centralized risk governance framework that links business objectives, processes, policies, and risk appetites to risk management processes, risk events, controls, mitigation programs, and risk metrics.
With all these elements tightly mapped in a single framework, the institution has a more comprehensive understanding of their risk universe and how it ties back to their business.
The institution has also developed a common, standardized risk taxonomy. Level 1 of the taxonomy defines about 11 risks, ranging from cyber and third-party risks, to system failure, damage, physical assets, fraud and compliance risks. Levels 2 and 3 break down each of these risks into more granular categories. Since all the risks are well-categorized, risk assessments and communication have become simpler and streamlined.
With MetricStream, the financial institution is now able to clearly map risk management roles and responsibilities. So, there’s greater accountability, especially in the first line. This promotes a proactive risk culture across the organization.
Improved Agility and Efficiency
MetricStream has helped the financial institution streamline ORM processes, ranging from risk identification, analysis, and treatment, to risk communication, monitoring, and reporting. Teams can now plan, manage, and perform risk-control self-assessments (RCSAs) more efficiently. They can also capture losses, track KRIs, set risk thresholds to identify potential threats, and manage action plans to mitigate risks – all through one system.
By digitizing ORM processes, the financial institution has strengthened agility. Teams are responding to risks quicker, and thus averting failures more effectively.
A Unified View of Risks
With MetricStream, the financial institution can now capture and consolidate all risk-related data to create a single source of truth. So, teams have a clear view of the organization’s risk profile, including legal risks, third-party risks, cyber risks, compliance risk and related losses.
This comprehensive risk visibility helps the institution understand their risks better and develop targeted mitigation plans. Teams can even drill down into the data to understand the root cause of a risk, associated KRIs, and loss incidents.
Stronger, Faster Decision-making
MetricStream's advanced reports and dashboards give risk functions and executive management a 360-degree, real-time view of operational risks. Risk heat maps with green-yellow-red zones make it easier to prioritize risk responses and strategies. Predictive analytics go a step further by highlighting emerging risks on the horizon. Status reports provide a clear picture of pending tasks and status of various risk management activities. Issue and loss reports highlight discrepancies and deficiencies that need improvements.
Together, all these insights enable management teams to make better-informed strategic decisions that help reduce operational losses and improve business resilience.
Looking Ahead
The institution is committed to continuously improving its ORM framework and methodologies in line with industry best practices.
Important themes for risk management in the future include third-party risk management, ESG (environmental, social, and governance)-driven risk management, and operational resilience.
In the next two years, the institution hopes to achieve the highest risk maturity level of 'optimized and fully integrated'. To that end, they’re working towards building a more dynamic and responsive risk culture, while also embedding more proactive and forward-looking approaches to ORM across organization-wide processes.
