Towards a New ORM Strategy
The company's federated ORM project was kick-started in early 2012. Stakeholders from different groups such as Compliance, Audit, Vendor Governance, and Risk Management came together to discuss what to do, how best to go about it, and what technology solution to implement. Eventually, the company developed a comprehensive ORM strategy, and implemented a solution that focused on strengthening existing ORM processes, standardizing the risk language, and gaining an integrated risk view.
Below are the key elements of the company's enhanced ORM program:
Risk-Control Self-Assessments (RCSAs)
At a broad level, the company's operational risk assessment process begins with the risk administrator preparing an RCSA plan and schedule, based on which the operational risk managers assess their business unit's risks and controls. Each business unit has the flexibility to implement its own approach to RCSAs so that it is relevant to the risks it faces. This kind of flexibility is important because a risk such as credit risk, which is critical to one business unit, may not be relevant to another.
But whatever the approach to RCSAs, all business units use the same risk language and nomenclature to describe operational risk drivers, correlation bundles, controls, control objectives, and reliance maturity. All these risk terms are clearly defined and stored in a centralized risk data dictionary that can be accessed by operational risk managers across the globe while preparing their risk reports.
Figure: Risk Control Self Assessment - High Level Flow
Given that risk events can be unpredictable as well as subject to constant change, the company enables continuous and recurring risk assessments. They also conduct process RCSAs, which focus on ad hoc but granular evaluations of a specific risk function.
Business Environment Analysis (BEA)
Several internal and external factors such as a change in policy, or a restructuring of the management team have a direct impact on risk management at various levels of the organization. Every time such a change occurs, a BEA event workflow is triggered. This allows risk administrators to route the BEA to concerned risk managers in their team who, in turn, can either accept or reject the BEA depending on how it impacts their organization or their risk management processes.
Risk profile tracking
Each operational risk manager has access to powerful graphical dashboards which provide real-time insights into all risks, issues, losses, KRIs, BEAs, and other critical information in the business unit. Users can view risks by category and organizational tier, and identify if there needs to be a re-assessment of a risk driver, a loss scenario, inherent risk, controls, or any other elements. This top-level risk view helps risk managers focus their attention on the most critical risk areas. Advanced drill-down capabilities help the risk managers view the data at any level of granularity, and proactively identify and analyze risk triggers (e.g. new issues, losses, BEA change events, breach of KRI thresholds).
At regular intervals, an informal risk snapshot is taken of all RCSAs in a business unit. The result is a "freeze-frame" picture of risks which enables operational risk managers to identify and analyze risk trends effectively. A more formal risk snapshot is taken every quarter.
Risk landing page
Similar to the ORM dashboard is a landing page in the ORM solution which provides operational risk managers with a complete overview of their business unit's risk profile. Any risk manager who logs into the system can quickly and easily understand the risk profile without having to click on several different links and tabs.
At a broad level, the landing page contains top-level risk categories, events, number of controls, number of issues, number of KRIs, number of loss events, and other such critical data that can be quickly navigated through. If there is a change made to the data (e.g. a new issue registered in the system), it is automatically mapped to the relevant risk categories (e.g. credit risk issue, market risk issue).
Since risk managers are located in different geographies, and may therefore speak different languages, the landing page provides multi-lingual support, in addition to being intuitive and easy-to-use.
Most organizations measure their inherent risk in terms of impact and likelihood, expressed as a 2x2 framework. But since the company deals specifically with finance, they opted to express risk impact in terms of other dimensions such as currency (USD, Euro, etc.).
A specific group in the organization uploads the risk data based on changing currency rates. So when the risk report is shown to the Board, they can view the currency conversion rate. The currency is also defined based on the user profile. For instance, a user in Europe will see the risk impact expressed in terms of Euros while his or her counterpart in the U.S. will see it in USD.
Risk can also be measured in terms of probability, i.e. the likelihood that a risk scenario, paired with the defined inherent risk, will occur within a year. Users even have the ability to determine the inverse actuarial risk probability.
Another unique way of measuring risk is in terms of velocity. Risk velocity adds a third dimension to the traditional model of risk impact and likelihood, and refers to the speed of occurrence of a particular risk impacting the organization. In other words, it introduces the "time" factor to risk management. So, by measuring risk velocity, the company can determine how quickly a risk might occur, how fast they will be impacted by it, and how much time they will have to prepare and react.
Control objectives and ratings
In its risk data dictionary, the company maintains a comprehensive list of control objectives, i.e. descriptions of the types of controls needed for a specific risk. There are also control objective ratings which tell the organization whether or not all the required controls are in place, and how important they are to the overall risk category. A strong control objective rating indicates that the needed controls are in place, while a weak control objective rating indicates that some controls are missing for a particular risk category. Control ratings, on the other hand, indicate the effectiveness of an individual control. By combining these control ratings with overall control objective ratings, the organization gets a complete picture of the adequacy of the control environment for a particular risk category.
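To make the risk measurement dimensions (currency-based impact per user profile, annual likelihood, velocity) and the control objective / control rating distinction concrete, here is an added Python example; it is not the company's or MetricStream's code, and the conversion rates, scoring rules, sample risk and controls are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed conversion rates, standing in for the table the rates group uploads (not live quotes)
RATES_FROM_USD = {"USD": 1.0, "EUR": 0.9, "GBP": 0.8}

@dataclass
class Control:
    name: str
    rating: float  # control rating: effectiveness of this single control, 0.0..1.0

@dataclass
class ControlObjective:
    name: str
    required: tuple  # control names that must be in place for this objective
    controls: list = field(default_factory=list)

    def rating(self):
        # Control objective rating: strong only if every required control exists
        return "strong" if set(self.required) <= {c.name for c in self.controls} else "weak"

    def adequacy(self):
        # Combine the objective rating with individual control ratings; a missing control scores 0
        by_name = {c.name: c.rating for c in self.controls}
        return sum(by_name.get(n, 0.0) for n in self.required) / len(self.required)

@dataclass
class Risk:
    name: str
    impact_usd: float   # inherent impact, stored in the base currency
    likelihood: float   # annual probability that the scenario occurs
    velocity_days: int  # time from onset until the organisation feels the impact
    objectives: list

    def impact_in(self, currency):
        # Impact as shown to a user whose profile selects this currency
        return round(self.impact_usd * RATES_FROM_USD[currency], 2)
    def expected_annual_loss(self, currency="USD"):
        return round(self.impact_in(currency) * self.likelihood, 2)

    def control_adequacy(self):
        # Adequacy of the control environment across all objectives for this risk
        return round(sum(o.adequacy() for o in self.objectives) / len(self.objectives), 3)

def prioritize(risks, currency="USD"):
    # Rank by expected annual loss; velocity breaks ties so the fastest-moving risk surfaces first
    return sorted(risks, key=lambda r: (-r.expected_annual_loss(currency), r.velocity_days))

# Constructed sample: one RCSA entry whose first objective is missing a required control
WIRE_FRAUD = Risk("Unauthorised wire transfer", 2_000_000.0, 0.05, 2, [
    ControlObjective("Payment authorisation", ("dual approval", "callback verification"), [Control("dual approval", 0.9)]),
    ControlObjective("Transaction monitoring", ("anomaly alerts",), [Control("anomaly alerts", 0.8)])])
```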
All RCSA, loss management, and BEA processes eventually link to issue management in a closed-loop approach. In fact, there are many other processes and functions such as Compliance and Audits which also integrate with issue management. If each function uses different terminologies for these issues and the associated risks, then reporting becomes complicated. To avoid this challenge, all functions refer to the same risk data dictionary for enterprise-wide issue reporting. And if any of the issues pose an operational risk, the ORM group gets notified immediately.
The Enabling Role of Technology
The company implemented MetricStream ORM Solution to support and enable their risk management strategy. The solution provides the following core capabilities:
- A single, centralized system for managing and assessing risks across the enterprise
- Integration with multiple enterprise systems to automatically gather and aggregate a variety of risk data, including KRIs, KPIs, issues, BEAs, and internal and external losses
- Powerful dashboards and reports to help risk managers gain better risk visibility and thereby better risk control
- A centralized data dictionary/ risk library with common definitions of risk categories, risk drivers, correlation bundles, controls, control objectives, and other risk terms
- Multi-lingual support so that operational risk managers have the freedom to select their choice of language for various field values in a form, rating guides, and reporting
- Flexibility to seamlessly adapt to organizational changes such as the introduction of new risk policies or regulations