Faced with a range of risks—including cyber threats, competitor shifts, and technological disruptions—the bank was committed to conducting regular risk assessments and implementing appropriate mitigation measures that would protect customers and stakeholders. At the same time, they were keen to take more risks, such as adopting the latest innovative techniques to improve operations and efficiency. To achieve an optimal balance between the two (that is, between leveraging upside risks and minimizing downside risks), the bank needed to strengthen the agility and efficiency of their operational risk management processes. They also needed to ensure that stakeholders had access to timely risk intelligence that would enable them to make quicker, more risk-informed business decisions.
For years, the bank had managed its operational risk management processes in a manual, fragmented manner that was neither efficient, nor able to keep pace with business growth and transformational initiatives. Each group in the bank developed their own isolated risk management processes with different taxonomies and methodologies. This siloed approach resulted in the duplication of data and effort, as well as occasional errors and inaccurate risk results. It also put more pressure on the first line of defense. As for the management team, they often didn’t have sufficient visibility into the full range of operational risks and their potential impact which, in turn, hindered the group’s decision-making and risk response abilities.
To deal with these challenges, the bank decided to adopt an automated and integrated risk management system that would connect assurance functions, while improving the efficiency of risk management processes and decision-making. The bank wanted a system that would not only help them drive a risk-aware culture across the three lines of defense, but would also act as an enabler in business growth initiatives. After exploring various operational risk management solutions, the bank chose MetricStream to help them achieve their goal of nurturing a holistic approach to risk management supported by a unified and timely view of risks.
Today, the MetricStream Operational Risk Management Solution has enabled the bank to integrate and align all operational risks – including IT, cyber, fraud, third-party, model, and legal risks. The solution cuts across organizational silos, facilitating the use of a consistent risk taxonomy, as well as standardized processes for control testing, risk monitoring, mitigation, and reporting. The result is a more cohesive risk culture with improved transparency, accountability, and responsibility for risk among the three lines of defense.
The solution has helped the bank develop and use a common risk and control language. Every assurance group—be it risk management, IT, or audit—now refers to the same risk definitions, and leverages consistent risk management standards and methodologies. Each group has also developed a better understanding of the risks related to their function, based on which they can prepare an effective risk response strategy.
• Manual, splintered approach to operational risk management
• Time-consuming risk and audit processes
• Inadequate visibility into operational risks, controls, and issues
• Operational risk management
• Internal audit management
• Cohesive view of risks, controls, and incidents
• Improved responsibility and accountability for risks across the three lines of defense
• Agility in risk-based decision-making with a single view of the top organizational risks
• Holistic, agile approach to risk data governance
While, on one hand, the solution strengthens consistency in risk management, on the other, it gives each group the flexibility to manage their individual process requirements and data in a secure manner. For instance, although operational risk management and internal audit groups use the same MetricStream solution and risk assessment approach, internal audit members do not have direct access to operational risk management data and vice versa. The data is shared between the teams only on an as-needed basis.
Using the solution, the bank has built a centralized data model of all their risks, losses, controls, and related data. After incidents are captured in the system, mitigation activities are planned and assigned to the relevant teams or owners. For example, an incident related to fraud, misconduct, or anti-money laundering is typically assigned to a compliance officer, whereas an incident related to financial risks or losses is assigned to a financial officer. This systematic approach has improved risk mitigation planning and tracking, while also reducing the number of open risk and compliance issues.
By integrating and rolling up risk data from across the enterprise, the solution provides an accurate and comprehensive picture of operational risks. With these insights, the executive team and board can make confident decisions that drive performance and growth. Powerful reports, advanced analytics, smart visualization, and risk intelligence tools transform raw risk data into actionable business intelligence to guide strategy.
The solution has helped the bank embed a culture of risk management deep into organizational processes by bringing everyone together on the same platform with clearly defined risk management policies, standards, methodologies, roles, and responsibilities. More than 400 employees use the solution to embody the bank’s risk management vision in their day-to-day decisions and actions, while fulfilling their responsibilities as true risk owners.
Through the solution, the bank has enabled a systematic and structured approach to internal audit processes, including risk-based audit planning and scheduling, field work, workpaper management, issue management, and reporting. Auditors can prioritize their tasks and resources based on the areas of highest risk. They also gain real-time insights into audit findings and critical issues at the click of a button.