Over the last few years, operational risk has evolved into a key business risk. This trend has been driven by growing economic uncertainties, stiffer regulatory fines, and the emergence of new risks such as conduct risk, model risk, vendor risk, and cybersecurity risk.
Stakeholders (boards, shareholders, and customers) are demanding swifter risk mitigation, real-time risk intelligence, and greater risk accountability from both management and business lines. In fact, operational risk management is increasingly being tied to individual and business unit performance.
As financial services institutions expand their businesses, there is a greater need for them to ensure process accountability and transparency, determine their true risk appetite, mitigate risks proactively, and build customer and shareholder confidence.Download Fact Sheet
MetricStream Operational Risk Management App
The MetricStream M7 Operational Risk Management (ORM) App provides a comprehensive set of capabilities to establish risk management discipline. The app embodies a pervasive approach to operational risk management, and strengthens collaboration across the enterprise – right from executives, to risk managers and business process owners. By streamlining operational risk management, the app helps organizations make risk-intelligent business decisions, improve business performance, and reduce losses. It also helps protect critical investments, and safeguard corporate brand equity.
The app facilitates operational risk assessments based on different qualitative and quantitative factors. It provides the flexibility to evaluate, rate, and score inherent and residual risks based on a configurable scoring logic and risk matrix. The app provides advanced capabilities for loss management, risk scenario definitions, multiple risk simulations, and KRI and KPI tracking. In addition, an integrated issue management functionality helps identify and manage issues at any stage of the risk assessment process. Powerful analytics and reporting tools, paired with detailed dynamic dashboards and charts, offer comprehensive, real-time visibility into ORM processes.
The app is certified for conformance with global accessibility standards and best practices as defined by WCAG 2.1 Level AA and Section 508.
Why MetricStream ORM App
The MetricStream ORM App provides the following benefits:
Enables a Unified Approach to ORM
Offers an integrated system to manage RCSAs, KRIs, KPIs, and losses, along with comprehensive risk libraries and content to support compliance with regulations
Provides a Consolidated Risk View
Aggregates and consolidates risk scores and ratings across processes into reports, and provides a single view of the top risks faced by the organization across the first and second lines of defense
Drives Agility and Risk-Based Decision-Making
Facilitates real-time monitoring of risks, controls, and losses; provides predictive risk metrics and indicators, enabling quick and informed decision making
Builds Confidence with Regulators and Stakeholders
Establishes a strong risk data governance and issue reporting framework with clear lines of accountability to reduce losses and adverse events
Integrates with Other GRC Processes
Integrates the risk management program with other assurance processes such as compliance management, policy management, and audit management, thereby enabling a cohesive approach to GRC
Engaging and Personalized User Experience
Makes risk processes context-sensitive and personalized for each user; facilitates an intuitive and engaging user experience
Supports app configurations and extensions in an upgrade-safe and scalable manner through the MetricStream AppStudio configuration framework; helps the organization adapt to change quickly
Mobility and Layering
Provides a responsive interface that allows risk processes to be managed across devices; leverages a REST API integration framework to layer compliance processes over heterogeneous IT systems and business-critical infrastructure
Reporting and Analytics
Delivers powerful visualization tools and analytics to manage and monitor ORM trends, data relationships, and actions in real time across the extended enterprise
Lean and Robust Architecture
Is built on a lean, modern, scalable, and extensible architecture that enables the global digital enterprises of today to function seamlessly
The MetricStream ORM App provides the following functionalities:
Process and Risk Repository
Structure a logical organizational risk hierarchy, including objectives, processes, associated risks, and controls. Establish relationships between these data entities, link risk appetites to strategic business objectives, and attach associated policies and procedure documents for reference. Standardize risk data across business units through the central risk library which can be accessed securely from anywhere in the organization. Record and manage operational risks and associated details such as risk description, category, hierarchy, ownership, and validity in a common risk register. Map this data to business units, processes, and mitigating controls. Gain the flexibility to categorize risks, map single risks to multiple categories, and define parent-child risk relationships. Create a risk and control matrix that can be assigned to processes, sub-processes, and locations, using best-practice forms, templates, and workflows.
Risk Control Self-Assessment
Plan, schedule, and perform both top-down and bottom-up risk assessments. Once they are complete, route the results for review and approval. Enable simple assessments by rating a risk, and advanced assessments using multiple factors and risk-scoring to meet variations in risk assessment methodologies across business units, regions, and products.
Add Risks and Controls on the Fly
Add new risks and associated controls (from the library or in an ad-hoc manner) during the assessment or approval stage. Define the level at which these ad hoc risks can be added. Once assessed, view the details of the added risks in the risk register report and heat map, as well as the overall roll-up score and rating. Also, delete risks or controls (either ad hoc or scoped as part of the plan) while performing an assessment.
Risk Scoring and Aggregation
Define your own factors for assessments along with the logic used, and specify how the overall control environment rating should be calculated. Define the logic for computing inherent and residual risk scores, and analyze them through heat maps. Also, determine the factors (standard or non-standard) and sub-factors (max, average, sum, min) for risk-scoring algorithms.
Through the app’s risk matrix configuration (RMC) feature, solve the variations in risk assessment methodologies. Aggregate risk scores across the risk hierarchy of the organization, product, process, asset, objective, and geography. Then, roll up the risk scores based on averages, worst-case scenarios (maximum) or best-case scenarios (minimum) depending on the organizational need. Route them to the corporate level where they can be monitored against the corporate risk appetite.
Gain the option of defining or assigning weights to organizational levels (in terms of percentages or numerical values), and calculating risk scores based on these weights. Also, rate and rank risks based on the scores.
Control Design and Assessments
Once the key risks are identified and prioritized, define a set of key controls to mitigate those risks (leveraging industry frameworks such as COSO). Assess the controls and overall environment based on multiple factors and a scoring methodology, both of which are configurable. Also, define control test plans or assessments (based on predefined criteria) in the form of surveys and questionnaires to determine the operational effectiveness of internal controls. Assign these tests or self-assessments to a chosen team or an individual member (as tester or assessor) along with details such as testing milestones, due dates, and task details. Enable multiple control level tests, including independent evaluations of control testing, as well as control scoring and reporting. Base the assessments and ratings on configurable attributes, including control strength. Override the overall effectiveness rating if desired. Capture and record non-compliance issues or control deficiencies, and incorporate them in the issue remediation process.
In compliance with the Basel accords, capture and categorize internal risk events and losses across multiple impacted organizations. Record event details such as description, region, functions impacted, regulatory classification, factors and potential loss. Capture loss details for each of the impacted organizations, and route the data for approval based on specific requirements. Define the event approval rule, where depending on the loss amount, different levels of approval can be configured. Aggregate loss events, analyze loss trends, conduct a causal analysis, and initiate corrective actions across the organization. Define loss thresholds, consolidate data from external loss data exchanges, and conduct a loss data analysis.
Key Metrics (KPI, KRI, and KCI) Monitoring
Define, measure, and track key indicators for risks (KRIs), controls (KCIs), and performance (KPIs). Set thresholds to identify potential threats, and mitigate them in advance. Enable correlative analyses between various key metrics. Send alerts and notifications on any breach to relevant personnel, and define multiple follow-up actions. Through dashboards, gauge the performance of key metrics, and analyze risk trends over a period of time to assess breach patterns. Use the risk metrics for future risk assessments. Extend the KPIs to track the risk appetite, both at the business unit level, and the organization level.
Issue and Action Management
Record findings/ issues stemming from risk assessments and control tests. Once issues are identified, documented, and prioritized, trigger a systematic mechanism of investigation, action planning, and remediation through the app’s underlying workflow and collaboration engine. Prioritize issues based on rating, impact, likelihood, or type. Also, recommend action plans for the treatment of issues (such as defining new controls, or modifying existing controls). Monitor the status of issues at every stage, along with the progress of the remediation process. Keep the process on track through automatic alerts which help the appropriate personnel address the issue on time. Ensure that all exception issues remain open till the action plans have been carried out, and the results have been verified for effectiveness.
Reporting and Monitoring
Leverage powerful dashboards, reports, and heat maps to gain quick and real-time access to information on risk management across the enterprise. Through graphical charts, capture and track details on risk profiles, risk-control assessments, loss event status, status of remediation, successes, failures, and trends. Report risks based on various dimensions such as the number of open issues for the risk, KRI trends, metric breaches, mitigating controls, and the number of risks falling within each risk level. Drill down to access the risk and control data at finer levels of detail. In addition, choose from various statistical and trend analysis tools to closely monitor remedial action plans. Pull out a word document report, export the details, or print them for reporting, analysis, and presentations during stakeholder meetings.
Create multiple heat maps, and access all required details even on a mobile device by simply clicking on a cell in the heat map. Easily select or filter details to display on the heat map, including information on inherent risks, residual risks, individual risks, or just the number of risks. View the movement of risks from inherent to residual based on the effectiveness of controls. Also, provide annotations (capturing the justification behind the risk profile and mitigation plan), and share the heat map with other stakeholders. Through every stage, ensure that risk managers are able to consistently keep a tab on the progress of risk management programs, learn lessons, detect changes, and identify emerging risks.