The Client: A Major Financial Organization
In today’s volatile and deeply complex markets, the role of financial organizations has become critical to fostering financial stability and mitigating risks. Every single day, many such organizations ensure that post-trade obligations are met, transactions are settled, and market risks are flushed out of the settlement system.
Any malfunction within their systems could jeopardize the seamless functioning of the markets, and consequently, the whole economy. Therefore, the pressure on these organizations to successfully manage risks at every step is tremendous.
The company and its subsidiaries are renowned for managing customer risks efficiently, vigorously and effectively. Through decades of high profile bankruptcies, the company has played a critical role in protecting the markets and economy from loss by employing a wide range of tools, including centralized trade netting and capital adequacy standards.
However, the increasing globalization of capital markets, complexity of market instruments and the company’s own vast and deeply elaborate organizational structure, prompted it to consider upgrading its Operational Risk Management (ORM) system.
The company wanted to establish an integrated framework to integrate ORM initiatives, and align them with corporate strategy, instead of handling them in separate silos. Its aim was to enhance collaboration across business units, establish a closed-loop ORM process, and facilitate greater transparency into risk metrics.
After understanding the limitations of its existing risk management systems, the company opted for an upgrade. It prepared an extensive list of technological requirements, studied the market carefully, and analyzedthe various risk management products available. Eventually, the company selected MetricStream based on its successful track record in leading financial institutions, as well as the rich capabilities, flexibility and extendibility of MetricStream’s solution.
MetricStream provided the company a complete Operational Risk Management Solution built on an integrated GRC platform that integrates, streamlines and automates multiple ORM initiatives across the company’s subsidiaries.
Risk Control Self-Assessment
The MetricStream solution provides a centralized ORM framework to profile the company’s operational risks in great detail. Process owners are able to comprehensively document and evaluate their risk frameworks, including processes, risks, events and Key Risk Indicators (KRI).
The solution enables Risk Control Self-Assessments (RCSAs) to be conducted in either a scheduled or ad hoc manner. It also supports risk rating based on predefined rating methodologies, and helps process owners prioritize risk-response outcomes.
Once the key risks are identified and prioritized, the MetricStream solution provides a flexible framework to define controls according to various parameters such as manual, automated, detective, preventive, frequency and cost. Each control can be associated with others on a one-to-one or many-to-many basis.
The solution also enables control assessments both at the top-level and process-level, as well as targeted and deep dive assessments. Its intuitive capabilities to score, tabulate and report results enable process owners to quickly evaluate control effectiveness.
Across complex organizational hierarchies, the solution links multiple risks, controls, policies and processes together, thereby simplifying RCSAs. It also supports residual risk rating which determines if risks need to be mitigated or accepted.
At each stage, supporting documents such as policy and procedure files and work-papers can be attached to the assessments. All documents and assessment results are stored in a centralized repository with easy search capabilities. Thereby, process owners and managers can quickly check if a control was tested according to specifications, and if an action plan is required. If so, the solution automatically routes the identified issue for investigation and remediation.
Continual monitoring of RCSAs is streamlined and automated. Therefore, even when the area’s risk and control environment changes, the solution seamlessly incorporates the changes, and simplifies process monitoring.
Key Risk Indicators
After risks and their root causes are identified, the MetricStream solution helps define and select KRIs along with their risk thresholds. These KRIs can be entered into the system either manually or through automated data feeds.
The solution provides a systematic, on-going process to track KRI metrics, and prevent large operational losses. It also provides trending analytics to identify increasing/decreasing risk trends. Automated alerts indicate when thresholds are about to be breached, while a centralized KRI library enables risk metrics to be easily monitored and referenced.
The MetricStream solution enables tracking of loss incidents and near misses, as well as identification of their root causes and ownership. Through manual or automated feeds, it captures multiple incidents - including financial and non-financial incidents - and integrates them in a centralized database.
Embedded statistical and trend analysis capabilities help identify key risks, examine inconsistencies, analyze recurring patterns and weaknesses, and recommend actions to mitigate losses.
The solution closely tracks action plans, near misses, losses and incidents. It also identifies when thresholds are about to be breached, and sends out automatic emails and notifications to the respective process owners.
Scenario analyses enable the company to assess future risk, including its outcomes, severity and probability. This is critical in enhancing the effectiveness and efficiency of risk management processes, as well as calculating economic capital.
The MetricStream solution provides process owners comprehensive information on incidents, RCSAs, KRIs, audit issues and other relevant business metrics for establishing scenarios. It also provides a holistic view of scenarios across all entities and assets, and supports Monte Carlo simulations.
The MetricStream solution enables the company to seamlessly investigate and resolve issues arising from RCSAs, loss incidents or scenario analyses. The solution captures and integrates relevant issue information, such as the description of each issue, date of identification, root cause, severity and owner.
It then triggers a systematic mechanism to route the issue to authorized users for an in-depth investigation and remediation process. Each issue is assigned a unique ID, making it easy for owners to track the issue as it moves from one stage to the next.
The solution automatically monitors the progress of the issue, and provides automatic alerts if deadlines are missed. An embedded audit trail enables managers to track issue changes, activity, status and dates, while dashboards and flexible reports provide key statistics and data on the issue.
Once a corrective action or remediation is initiated, the case remains open till the action plan is carried out, and results are verified for effectiveness.
The MetricStream solution consolidates RCSAs, risk profiles, issues and loss data in graphical charts, reports and dashboards. Thereby, managers gain a real-time, birds-eye view of ORM processes across the enterprise.
Each dashboard comes with drill-down capabilities that display data at finer levels of detail. Managers can analyze and compare the data by various categories such as risk type, time horizon, process or business unit. Ad hoc or scheduled reports can be generated in PDF and PowerPoint, or exported to other systems.
The solution provides quarterly and monthly trending analyses which can be drilled down to view the underlying details. This helps top management stay in constant touch with the ground reality and progress on ORM programs. Automated alerts for events such as exceptions and failures eliminate surprises, and make the process predictable.
Lack of collaboration: The company is made up of several subsidiaries that function as stand-alone entities. Each has its own operational risks which were managed in separate systems, processes and initiatives. There was very little, if any collaboration and information sharing among the entities. This siloed approach inevitably resulted in duplicate risk-control assessments which, in turn, wasted valuable time and resources.
Limited transparency: Managers needed a clear view of risks in order to proactively identify and resolve vulnerabilities. But due to the company’s siloed and disparate approaches to ORM, the managers had to rely on isolated and manually prepared insights from each business entity. It was extremely difficult to gain a consolidated view of ORM at the enterprise level.
Lack of preparedness for future risks: Without real-time insights into key risk metrics, the company’s approach to risk management was more retrospective than forward-looking. It did not have the tools to proactively identify and mitigate emerging or unanticipated risks.
High costs of ORM: Process owners used manual processes and paper-based spreadsheets to record risk and control data. As a result, tremendous amounts of time, effort and resources had to be spent on documenting findings, consolidating the data and preparing reports. Data analysis and comparison were also difficult because the spreadsheets were cumbersome, unwieldy and prone to manual errors.
Technology innovation: The MetricStream solution provide a host of innovative capabilities such as powerful dashboards, heat maps, configurable forms, real-time exception tracking, reports, risk-control libraries, KRIs, email alerts and notifications, business intelligence, analytics and secure access control – all built and deployed on the robust MetricStream GRC platform.
Simplified user interface:Highly intuitive user interfaces and well-defined navigation standards minimize the learning curve, and ensure quick adoption of the MetricStream solution. Users are able to easily monitor risks and controls, quickly access contextual information, and intuitively visualize the relationships between processes, risks, controls, regulations and policies.
High degree of flexibility: The MetricStream solution provides out-of-the-box functionalities based on industry standards and best practices. It also provides tools to configure and model the solution to each organization’s specific business requirements. Reports, forms, fields and workflows can be rapidly created and modified to suit business needs and rules without any programming or coding. The solution also provides the flexibility to be integrated with various existing internal / external systems and programs.
High degree of extensibility:The MetricStream platform is scalable, and can be quickly extended beyond risk management to other areas of GRC, including audit management, compliance management and policy management.
Market leadership: Leading analysts and industry experts regard MetricStream as one of the market leaders in the GRC space. MetricStream solutions are widely deployed in leading global financial institutions.
Thought leadership:MetricStream’s knowledge portal ComplianceOnline.com is visited by hundreds of thousands of compliance professionals annually to search for content, and access the latest thinking, innovative ideas and best practices. The portal is fully integrated into MetricStream’s application suite.