In the disruptive, often uncertain, and tightly regulated world of financial services, business performance and success are closely linked to risk awareness and foresight, i.e., the ability to identify and respond to potential risk events proactively, rather than being caught off-guard by them. Executive teams and boards that are up-to-date on the top risks impacting their enterprise are empowered and informed to make the right decisions for their business.
However, when an organization is as large, complex, and geographically dispersed as the subject of this case study—a global bank—it can be extremely challenging for the management team to keep track of the status of various risks across the enterprise, be it mis-selling, non-compliance, cybersecurity, business disruption, or fraud risks.
There needs to be an automated, integrated mechanism to ensure that risk data is efficiently gathered, consolidated into common taxonomies, ranked, analyzed, formatted into reports, and then rolled up to the management team to support decision-making—all as swiftly and systematically as possible.
The Legacy Problem:
In the past, the bank relied on multiple different systems to monitor and report key disruptive risks across their businesses and geographies. They didn't have a streamlined process to capture emerging risks, and to determine how these risks mapped to the overall risk profile of the organization. The result of this approach was a tangle of risk information silos that became increasingly challenging to reconcile or harmonize for the top management’s and board’s consumption.
As the organization scaled up its operations, each team ended up using its own risk and control taxonomies, which made it that much harder for the management team to arrive at a cohesive understanding of the organization’s risk profile. Identifying and managing emerging risks was also a challenge. Since risk data often had to be manually aggregated, sorted, and entered into reports, the final insights that flowed up to decision-makers were often delayed, thus hampering the speed of risk response. Moreover, existing risk systems captured only 60% of risk findings, thereby limiting visibility into potential issues.
Realizing that this approach was neither efficient nor sustainable, the bank began looking for a better alternative. They wanted to implement a single, integrated risk management system that could be used across the enterprise to collate, monitor, manage, and report all risks consistently and swiftly. With the ever-increasing threat of financial and reputational loss posed by both existing and emerging risks, the bank also needed to establish a process that would allow them to continually update their risk universe.
To support and enable these efforts, the bank chose MetricStream’s risk management solution.
Improved View of Emerging Risks:
The MetricStream solution has helped the bank build a single source of truth on risks across the enterprise. The solution captures data on external and internal loss events, as well as a wide range of risks, scenarios, treatment plans, and key indicators. This data is populated on graphical dashboards with a clear view of risk thresholds, enabling stakeholders to swiftly identify emerging risks.
Through the solution, the top risks are classified into 17 broad categories, ranging from money laundering and terrorist financing risks, to IT and cybersecurity risks, as well as regulatory non-compliance and vendor risks. Essentially, the bank now has a single, integrated risk data model with standardized risk taxonomies which simplify risk communication and reporting.
Since risk rankings are constantly subject to change, the solution allows stakeholders to periodically re-assess the top risks based on seven criteria, including financial loss, reputational damage, client impact, and regulatory impact. Therefore, senior management always has an up-to-date, timely picture of critical risks. Risk rankings are automatically calculated based on residual risk findings.
The solution enables the bank to report top risk instances, thus informing the management and board about the organization’s exposure to critical risks, while reconciling high level statements with granular control outcomes in each process and country.
Faster Reporting of Top Risks:
The solution rolls up risk data from across business units and geographies to the executive team and board to provide an overall perspective of the top risks. These findings can be compared with industry/target standards and practices to identify and close any gaps.
Meanwhile, the executive team and board can add their own risks based on their observations and interactions with the market. The solution triggers a streamlined process of creating, reviewing, approving, and publishing a new top risk. It also allows for existing top risks to be modified or retired.
Better Business Resilience:
Through the solution’s systematic and automated workflows for risk monitoring, as well as its cohesive view of the top risks across the enterprise, the bank is better able to understand the dependencies between risk exposure, execution of strategy, and achievement of business objectives. Senior management can proactively uncover potential risks to the business, and take informed steps to protect customers and stakeholders before a problem actually strikes. This improved risk awareness and response capacity has strengthened the bank’s overall resilience and agility, enabling it to thrive in the midst of a complex and changing risk landscape.
The solution covers 90% of the countries that the bank operates in, has over 10,000 business users, and is one of the largest implementations in the organization.
The bank also implemented MetricStream’s solutions for regulatory change management, regulatory engagement management, and policy management.