Implementing a Federated Approach to Operational Risk Management
Enabling flexible risk-control self-assessments at the business unit level, while simultaneously rolling up risk data from across business units to provide an integrated risk view at the enterprise level.
The Client: A multi-billion dollar financial services provider with operations across the world and millions of customers.
Being a complex organization with multiple business units and operations spread across geographies, the company found it increasingly difficult to measure and monitor risks. Although risk assessments were being performed regularly in every business unit, complexities arose when it came to consolidating the results. Each business unit used different risk terminologies and languages, which made it challenging to get a holistic picture of risk at the enterprise level.
After analyzing the situation, the company chose to implement a federated approach to Operational Risk Management (ORM), supported and enabled by a workflow-based ORM solution. The approach was designed such that each business unit would be able to conduct its own independent operational risk assessments, while at the same time the results would be automatically aggregated and rolled up so that the board and top management would gain a single, comprehensive view of risk across the enterprise.
Towards a New ORM Strategy
The company's federated ORM project was kick-started in early 2012. Stakeholders from different groups such as Compliance, Audit, Vendor Governance, and Risk Management came together to discuss what to do, how best to go about it, and what technology solution to implement. Eventually, the company developed a comprehensive ORM strategy, and implemented a solution that focused on strengthening existing ORM processes, standardizing the risk language, and gaining an integrated risk view.
Below are the key elements of the company's enhanced ORM program:
Risk-Control Self-Assessments (RCSAs)
At a broad level, the company's operational risk assessment process begins with the risk administrator preparing an RCSA plan and schedule, based on which the operational risk managers assess their business unit's risks and controls. Each business unit has the flexibility to implement its own approach to RCSAs so that it is relevant to the risks it faces. This kind of flexibility is important because a risk such as credit risk, which is critical to one business unit, may not be relevant to another.
But whatever the approach to RCSAs, all business units use the same risk language and nomenclature to describe operational risk drivers, correlation bundles, controls, control objectives, and reliance maturity. All these risk terms are clearly defined and stored in a centralized risk data dictionary that can be accessed by operational risk managers across the globe while preparing their risk reports.
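The federated roll-up described above, as an added illustration that is not the company's or MetricStream's code: each business unit submits records in its own local vocabulary, a central risk data dictionary maps every local term to one canonical category before aggregation, and any term the dictionary does not know is reported as a gap rather than silently dropped from the enterprise view. The dictionary entries, business unit names, impact figures and likelihoods are all constructed sample data.

```python
"""Federated RCSA roll-up normalised through a central risk data dictionary.

Added illustration, not MetricStream code. The canonical ids, aliases and the
per-business-unit records below are constructed sample data.
"""
from collections import defaultdict

# Constructed risk data dictionary: canonical category id -> label and the
# local aliases each business unit is known to use for it.
RISK_DICTIONARY = {
    "OR-FRAUD": {"label": "Internal/External Fraud",
                 "aliases": {"fraud", "fraud risk", "misappropriation"}},
    "OR-SYSTEMS": {"label": "Business Disruption and System Failures",
                   "aliases": {"it outage", "system failure", "tech risk"}},
    "OR-EXEC": {"label": "Execution, Delivery and Process Management",
                "aliases": {"processing error", "ops error", "execution"}},
}

# Reverse index (alias -> canonical id), built once; ids and labels also resolve.
_ALIAS_INDEX = {
    alias: cid
    for cid, entry in RISK_DICTIONARY.items()
    for alias in entry["aliases"] | {cid.lower(), entry["label"].lower()}
}


def canonical_category(local_term):
    """Map a business unit's local term to a canonical id, or None if unknown."""
    return _ALIAS_INDEX.get(local_term.strip().lower())


def roll_up(bu_assessments):
    """Aggregate per-business-unit RCSA records into one enterprise view.

    bu_assessments: {bu_name: [{"risk": local term,
                                "inherent_impact": amount in base currency,
                                "likelihood": annual probability 0..1}, ...]}
    Returns (view, unmapped): view is {canonical_id: {"expected_loss", "records",
    "units"}}; unmapped lists (bu, term) pairs the dictionary could not resolve,
    so a gap in the shared risk language is visible to the risk administrator.
    """
    view = defaultdict(lambda: {"expected_loss": 0.0, "records": 0, "units": set()})
    unmapped = []
    for bu, records in bu_assessments.items():
        for rec in records:
            cid = canonical_category(rec["risk"])
            if cid is None:
                unmapped.append((bu, rec["risk"]))
                continue
            agg = view[cid]
            agg["expected_loss"] += rec["inherent_impact"] * rec["likelihood"]
            agg["records"] += 1
            agg["units"].add(bu)
    return dict(view), unmapped


# Constructed sample: three business units, each with its own vocabulary.
SAMPLE_ASSESSMENTS = {
    "Retail Banking EU": [
        {"risk": "Fraud risk", "inherent_impact": 2_000_000, "likelihood": 0.10},
        {"risk": "IT outage", "inherent_impact": 5_000_000, "likelihood": 0.05},
    ],
    "Wealth US": [
        {"risk": "misappropriation", "inherent_impact": 800_000, "likelihood": 0.20},
        {"risk": "ops error", "inherent_impact": 300_000, "likelihood": 0.50},
    ],
    "Cards APAC": [
        {"risk": "tech risk", "inherent_impact": 1_000_000, "likelihood": 0.10},
        {"risk": "vendor concentration", "inherent_impact": 400_000, "likelihood": 0.30},
    ],
}

if __name__ == "__main__":
    enterprise, gaps = roll_up(SAMPLE_ASSESSMENTS)
    for cid, agg in sorted(enterprise.items(), key=lambda kv: -kv[1]["expected_loss"]):
        print(f"{cid:<11} {RISK_DICTIONARY[cid]['label']:<45} "
              f"EL={agg['expected_loss']:>10,.0f} n={agg['records']} BUs={len(agg['units'])}")
    for bu, term in gaps:
        print(f"UNMAPPED: {bu!r} uses {term!r}; add an alias to the dictionary")
```

The unmapped list is the part worth keeping in a real implementation: a roll-up that quietly discards terms it cannot translate produces a board view that looks complete while a business unit's risk is missing from it.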
Risk Control Self Assessment - High Level Flow
Given that risk events can be unpredictable as well as subject to constant change, the company enables continuous and recurring risk assessments. They also conduct process RCSAs, which focus on ad hoc but granular evaluations of a specific risk or function.
Business Environment Analysis (BEA)
Several internal and external factors such as a change in policy, or a restructuring of the management team have a direct impact on risk management at various levels of the organization. Every time such a change occurs, a BEA event workflow is triggered. This allows risk administrators to route the BEA to concerned risk managers in their team who, in turn, can either accept or reject the BEA depending on how it impacts their organization or their risk management processes.
Risk profile tracking
Each operational risk manager has access to powerful graphical dashboards which provide real-time insights into all risks, issues, losses, KRIs, BEAs, and other critical information in the business unit. Users can view risks by category and organizational tier, and identify if there needs to be a re-assessment of a risk driver, a loss scenario, inherent risk, controls, or any other elements. This top-level risk view helps risk managers focus their attention on the most critical risk areas. Advanced drill-down capabilities help the risk managers view the data at any level of granularity, and proactively identify and analyze risk triggers (e.g. new issues, losses, BEA change events, breach of KRI thresholds).
At regular intervals, an informal risk snapshot is taken of all RCSAs in a business unit. The result is a "freeze-frame" picture of risks which enables operational risk managers to identify and analyze risk trends effectively. A more formal risk snapshot is taken every quarter.
Risk landing page
Similar to the ORM dashboard is a landing page in the ORM solution which provides operational risk managers with a complete overview of their business unit's risk profile. Any risk manager who logs into the system can quickly and easily understand the risk profile without having to click on several different links and tabs.
At a broad level, the landing page contains top-level risk categories, events, number of controls, number of issues, number of KRIs, number of loss events, and other such critical data that can be quickly navigated through. If there is a change made to the data (e.g. a new issue registered in the system), it is automatically mapped to the relevant risk categories (e.g. credit risk issue, market risk issue).
Since risk managers are located in different geographies, and may therefore speak different languages, the landing page provides multi-lingual support, in addition to being intuitive and easy-to-use.
Most organizations measure their inherent risk in terms of impact and likelihood, expressed as a 2x2 framework. But since the company deals specifically with finance, they opted to express risk impact in additional dimensions such as currency (USD, EUR, and so on).
A specific group in the organization uploads the risk data based on changing currency rates. So when the risk report is shown to the Board, they can view the currency conversion rate. The currency is also defined based on the user profile. For instance, a user in Europe will see the risk impact expressed in terms of Euros while his or her counterpart in the U.S. will see it in USD.
Risk can also be measured in terms of probability i.e. the likelihood that a risk scenario paired with the defined inherent risk, will occur within a year. Users even have the ability to determine the inverse actuarial risk probability.
Another unique way of measuring risk is in terms of velocity. Risk velocity adds a third dimension to the traditional model of risk impact and likelihood, and refers to the speed at which a particular risk impacts the organization. In other words, it introduces the "time" factor to risk management. So, by measuring risk velocity, the company can determine how quickly a risk might occur, how fast they will be impacted by it, and how much time they will have to prepare and react.
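The three measurement dimensions described above (impact in currency, annual likelihood, velocity), as an added example that is not the company's or MetricStream's code: impact is stored once in a base currency and converted on display according to the user's profile, the annual likelihood gives an expected loss, and velocity is used to order the report so that fast-moving risks with little time to react surface first. The base currency (USD), the FX rate table, the 30-day urgency threshold and the sample risks are all assumptions constructed for the example; the rates are not market data.

```python
"""Impact, likelihood and velocity scoring with per-user currency display.

Added illustration, not the company's or MetricStream's code. Base currency,
FX rates, urgency threshold and sample risks are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed FX table uploaded by the rates group: units of target currency
# per one unit of the base currency (USD assumed).
FX_RATES_PER_USD = {"USD": 1.0, "EUR": 0.90, "GBP": 0.78}


@dataclass(frozen=True)
class InherentRisk:
    name: str
    impact_usd: float      # loss if the scenario occurs, in base currency
    likelihood: float      # probability of occurrence within one year (0..1)
    velocity_days: float   # time from trigger until the organisation feels the impact

    def expected_annual_loss(self):
        return self.impact_usd * self.likelihood


def convert(amount_usd, currency):
    """Convert a base-currency amount to the user's display currency."""
    try:
        return amount_usd * FX_RATES_PER_USD[currency]
    except KeyError:
        raise ValueError(f"no rate loaded for {currency}") from None


def priority_key(risk, urgent_within_days=30):
    """Sort key: risks that strike within the urgency window come first,
    then higher expected loss first within each group."""
    return (risk.velocity_days > urgent_within_days, -risk.expected_annual_loss())


def risk_report(risks, user_currency):
    """Report rows in the user's currency, ordered for attention."""
    rows = []
    for r in sorted(risks, key=priority_key):
        rows.append({
            "name": r.name,
            "impact": round(convert(r.impact_usd, user_currency), 2),
            "expected_loss": round(convert(r.expected_annual_loss(), user_currency), 2),
            "likelihood": r.likelihood,
            "velocity_days": r.velocity_days,
            "currency": user_currency,
        })
    return rows


# Constructed sample risks (figures are illustrative only).
SAMPLE_RISKS = [
    InherentRisk("Payment switch outage", 5_000_000, 0.05, velocity_days=1),
    InherentRisk("Model risk in pricing", 3_000_000, 0.20, velocity_days=180),
    InherentRisk("Card fraud ring", 1_000_000, 0.40, velocity_days=7),
]

if __name__ == "__main__":
    for profile_currency in ("EUR", "USD"):
        print(f"--- view for a user whose profile currency is {profile_currency} ---")
        for row in risk_report(SAMPLE_RISKS, profile_currency):
            print(f"{row['name']:<24} impact={row['impact']:>14,.2f} "
                  f"EL={row['expected_loss']:>12,.2f} p={row['likelihood']:.2f} "
                  f"velocity={row['velocity_days']:>4}d {row['currency']}")
```

Note that the model-risk item has the largest expected loss but sorts last: with 180 days to react it is the one the organisation has time to prepare for, which is exactly the information velocity adds to the impact-likelihood view.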
Control objectives and ratings
In its risk data dictionary, the company maintains a comprehensive list of control objectives i.e. a description of the types of controls for a specific risk. There are also control objective ratings which tell the organization whether or not all the required controls are in place, and how important they are to the overall risk category. A strong control objective rating indicates that the needed controls are in place, while a bad control objective rating indicates that some controls are missing for a particular risk category. Control ratings, on the other hand, indicate the effectiveness of an individual control. By combining these control ratings with overall control objective ratings, the organization gets a complete picture of the adequacy of the control environment for a particular risk category.
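The relationship between control ratings and control objective ratings described above, as an added example that is not the company's or MetricStream's code: the dictionary lists which controls satisfy each control objective for a risk category, each implemented control carries an effectiveness rating, an objective is rated strong only when every required control exists and is effective, and the per-objective results combine into one adequacy verdict for the category. The objective names, control ids, the 1 to 4 rating scale and its threshold are all constructed assumptions.

```python
"""Control objective ratings derived from individual control ratings.

Added illustration, not the company's or MetricStream's code. Objective names,
control ids, the rating scale and the effectiveness threshold are assumptions.
"""

# Constructed dictionary excerpt: for one risk category, the control objectives
# required and the controls that satisfy each of them.
CONTROL_OBJECTIVES = {
    "OR-FRAUD": {
        "CO-1 Segregation of duties": ["CTL-101", "CTL-102"],
        "CO-2 Transaction monitoring": ["CTL-201"],
        "CO-3 Access recertification": ["CTL-301"],
    }
}

# Assumed control rating scale: 1 = ineffective ... 4 = effective.
EFFECTIVE_THRESHOLD = 3


def rate_objective(required_controls, control_ratings):
    """Return (status, detail): 'missing' with the absent controls if any
    required control is not implemented, 'partial' with the weak controls if
    all exist but some rate below the threshold, else 'strong' with []."""
    missing = [c for c in required_controls if c not in control_ratings]
    if missing:
        return "missing", missing
    weak = [c for c in required_controls if control_ratings[c] < EFFECTIVE_THRESHOLD]
    return ("partial" if weak else "strong"), weak


def control_environment(category, control_ratings):
    """Per-objective ratings plus an overall adequacy verdict for the category.

    A single missing control makes the environment inadequate regardless of
    how well the other objectives are covered, because the objective it
    belongs to has no control behind it at all.
    """
    report = {name: rate_objective(ctls, control_ratings)
              for name, ctls in CONTROL_OBJECTIVES[category].items()}
    statuses = {status for status, _ in report.values()}
    if "missing" in statuses:
        overall = "inadequate"
    elif "partial" in statuses:
        overall = "needs improvement"
    else:
        overall = "adequate"
    return {"category": category, "objectives": report, "overall": overall}


# Constructed assessment: CTL-301 was never implemented, CTL-102 is rated weak.
SAMPLE_RATINGS = {"CTL-101": 4, "CTL-102": 2, "CTL-201": 3}

if __name__ == "__main__":
    result = control_environment("OR-FRAUD", SAMPLE_RATINGS)
    for name, (status, detail) in result["objectives"].items():
        print(f"{name:<30} {status:<8} {detail}")
    print("overall:", result["overall"])
```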
All RCSA, loss management, and BEA processes eventually link to issue management in a closed-loop approach. In fact, there are many other processes and functions such as Compliance and Audits which also integrate with issue management. If each function uses different terminologies for these issues and the associated risks, then reporting becomes complicated. To avoid this challenge, all functions refer to the same risk data dictionary for enterprise-wide issue reporting. And if any of the issues pose an operational risk, the ORM group gets notified immediately.
The Enabling Role of Technology
The company implemented MetricStream ORM Solution to support and enable their risk management strategy. The solution provides the following core capabilities:
A single, centralized system for managing and assessing risks across the enterprise
Integration with multiple enterprise systems to automatically gather and aggregate a variety of risk data, including KRIs, KPIs, issues, BEAs, and internal and external losses
Powerful dashboards and reports to help risk managers gain better risk visibility and thereby better risk control.
A centralized data dictionary/ risk library with common definitions of risk categories, risk drivers, correlation bundles, controls, control objectives, and other risk terms
Multi-lingual support so that operational risk managers have the freedom to select their choice of language for various field values in a form, rating guides, and reporting
Flexibility to seamlessly adapt to organizational changes such as the introduction of new risk policies or regulations
Look at ORM as an opportunity to strengthen the business, not just as a function that has to be fulfilled
Track your risk profile consistently to ensure that all risks stay within the defined risk appetite
When standardizing your risk language, make sure that it is reflected and integrated in all risk systems
Have an honest dialogue about what your ORM technology can and cannot do – push the limits but be clear about them
If you are using an ORM platform, upgrade it regularly to enhance its capabilities, and ensure holistic bug fixes
Single view of enterprise risk
Tools such as executive risk dashboards and a centralized risk landing page offer a quick, high-level overview of risk and control data which can then be drilled down to analyze details. This comprehensive picture of risk enables operational risk managers to proactively identify and address opportunities, as well as areas of concern.
Standardization of risk language
The risk data dictionary has helped the company implement a common risk language across business units. Thus when the management team at the company headquarters looks at the consolidated RCSA results, they get a clear and comprehensive understanding of the enterprise risk profile. This, in turn, helps them make better risk-informed strategic decisions.
Greater understanding of risk
The company can measure and analyze their risk not only in terms of impact and likelihood, but also parameters such as currency and velocity. This helps them understand and prioritize their risks better, and determine which ones need to be mitigated immediately, and which ones can be transformed into opportunities.
More systematic and closed-loop risk processes
The company has been able to streamline end-to-end risk processes, right from risk assessment, to risk tracking, risk reporting, control assessments, loss management, KRI monitoring, and issue management. This structured approach helps minimize redundancies and duplicate effort, and improves the cost-efficiency of risk management.