Discover how a leading financial services company overcame the challenges of risk silos, legacy systems, and inconsistent taxonomies to improve risk management maturity and visibility across the three lines of defense.
To maintain their reputation as a leading source for mortgage financing, the company is committed to innovation, i.e., implementing new approaches and systems that make mortgage processes as quick and effective as possible for both borrowers and lenders. At the same time, the company has to understand and mitigate the risks associated with these new processes and technologies. It needs a well-defined risk appetite so that everyone across the organization takes measured risks, and a strong risk culture across business lines to ensure that corporate goals are accomplished with integrity.
The first step towards achieving these objectives is to identify the risks associated with each process, and then set up the right risk measurement standards and indicators. All three lines of defense need to work together to identify risks, understand their impact, determine interdependencies, and finally collate the data to provide a unified view of risks across the organization.
The Limitations of Silos and Manual Tools: For years, the company used several systems and manual processes for risk management, compliance, and audits. Each risk group used its own tools and process libraries, which were not integrated across the enterprise. The lack of a common taxonomy and risk framework meant that multiple risk management resources with different skill sets and knowledge had to be appointed to maintain and communicate risk data. This siloed approach resulted in unnecessarily high maintenance costs. Moreover, it complicated the process of collecting and analyzing data for board-level reporting – so much so that there was often a 2-3 month delay in the data reported.
As a result, management and other stakeholders didn’t receive the timely risk insights they needed to understand critical risk areas and their impact on business objectives. Without this data, stakeholders found it difficult to make risk-reward optimized decisions. That’s when the company turned to MetricStream to enable an integrated approach to governance, risk, and compliance (GRC) which, in turn, would provide a more unified and timely view of risks.
Better Consistency through a Common Risk and Control Taxonomy: MetricStream implemented a holistic GRC solution for the organization’s three lines of defense with capabilities for policy management, case management, audit management, and compliance management. The solution has since enabled teams to develop and use a common risk and control taxonomy linked to regulations, policies, audit programs, and other related metrics. Through this taxonomy, teams can easily identify, collate, and organize risk data, while understanding inherent risk relationships. They have also been able to rationalize controls, reduce testing processes, and enhance data quality.
Improved Risk Visibility across the Three Lines of Defense: With the solution’s unified risk assessment capability, the organization has been able to streamline and align risk and control assessments across audit and compliance functions. Users can leverage common risk and control assessment frameworks, methodologies, and classifications not only to improve risk visibility at the enterprise level, but also to provide an individual process-level perspective of risk across the lines of defense.
Unified risk assessments provide a single view of inherent and residual risk exposure at various levels of the organization.
Better Assurance through Centralized Issue Monitoring and Reporting: Instead of managing risk issues and incidents in silos, the company can now integrate them on a unified platform. Stakeholders have also been able to define a common methodology for issue management across business functions, groups, and locations. The result? Fewer redundancies and inconsistencies as well as effective mitigation planning.
The three lines of defense now work together to define and approve the issue management process – including process standards, issue definition, classification, severity levels, and reporting processes. This collaborative approach enables consolidated reporting to the management team, who can then respond to critical issues proactively and effectively.
Greater Efficiency in Compliance: The solution enables the organization to streamline the creation, communication, review, and approval of policies across functions. It stores policies and procedures centrally, while mapping them to regulations, risks, controls, and processes. This integrated framework makes it easy for the company to identify the impact of regulatory changes on policies, while highlighting potential risks and gaps.
The solution also enables the company to manage a wide range of compliance requirements in an integrated manner. Users can efficiently perform control assessments, and identify high-risk areas as well as non-compliance incidents for remediation.
More Effective, Risk-Based Audit Processes: Through the solution, the company has enabled a systematic, structured approach to audit processes and activities, including risk-based audit planning and scheduling, field work, work paper management, issue management, and reporting. Auditors can prioritize their tasks and resources based on the areas of highest risk. They can also gain real-time insights into audit findings.
Powerful dashboards and reports enable the teams to conduct a “so-what” analysis for deep risk insights that can then be sliced and diced from different perspectives, and reported to the risk committee.
Increased Risk Consciousness in the First Line: The integrated solution gives first-line users high-quality risk data and reporting mechanisms to perform their day-to-day activities effectively. It has empowered them to easily manage and report an issue, incident, or risk, while taking timely and appropriate mitigating action that can then be reviewed by the second line. Essentially, the solution and its workflows connect all the lines of defense, thereby simplifying and accelerating the flow of risk information for quick analysis and decision-making.