There’s a scene in Star Wars “Episode III: Revenge of the Sith” when Yoda and Obi-Wan-Kenobi learn about Anakin’s treachery and the horrific massacre at the Jedi temple. Yoda says, “In a dark place we find ourselves…a little more knowledge might light our way.” It’s a line that, in many ways, sums up what the iconic film is about: darkness vs. light, good vs. evil, order vs. chaos, and ultimately, the notion of knowledge as power.
For companies trying to navigate a difficult risk landscape, knowledge is everything – particularly when it’s in the form of timely risk intelligence and insights that can offer stakeholders a clear view of the road ahead, and enable them to make better-informed business decisions. There is a caveat though. Risk intelligence is only as good as the data from which it was drawn. In other words, if companies don’t have accurate, comprehensive, or sufficient risk data, they may not be able to make risk-intelligent decisions. And therein lies the challenge.
For years, companies have looked at Enterprise Risk Management (ERM) from a “process engineering” perspective – putting in place procedures and controls across the enterprise, and ensuring that they are followed. However, with the rapid increase in both the sources and quantum of risk data, ERM has metamorphosed into a data science problem. It requires that companies be able to swiftly aggregate, consolidate, filter, and sift through risk information from various sources to arrive at a true picture of their risk profile.
This approach is particularly important in a world where corporate risk profiles are only growing more extensive and complex. Companies need better risk clarity, visibility, and simplicity through better data aggregation and reporting frameworks. Echoing this notion are a growing number of regulations such as BCBS 239 which requires that banks be able to integrate risk information in a manner that supports accurate and timely risk reporting.
The challenge, however, is the unprecedented volumes of risk data flowing in from both inside and outside the enterprise. There is data everywhere—be it in business lines and processes, or areas of compliance and audit findings, or key risk indicators and risk scenarios. How does one make sense of this data, bring it all together, and gain a complete and clear understanding of the organization’s risk profile?
To comply with these five principles—to aggregate risk data in a way that supports and strengthens risk reporting—companies need to be able to bring together all the various components of the risk universe into a “single source of truth” or a centralized data model. This risk universe then needs to be mapped to the other universes in the organization, including the business universe, compliance universe, and audit universe (Figure 1). By integrating all this data in a single, structured framework, stakeholders will have a clear view of the risks that affect the organization, as well as their impact on each other and on business objectives, audits, compliance processes, and other data elements.
This kind of comprehensive, in-depth risk view is important because, as we discussed in our previous insight, the scope and scale of ERM has increased. No longer is it enough to simply align a risk to a process. Companies need to understand how various risks interact with each other, and how that, in turn, amplifies risk impact. They also need to think about metrics like risk velocity and what that could mean for various processes. All these insights are much easier to glean with a centralized, tightly mapped risk data model.
The flexibility of the data model also matters. Risks, controls, and regulations are constantly changing, and if the data model is too rigid to incorporate these changes, it will break or cease to provide any value.
Step 1 of building the risk data model is to map the risk universe. It starts with identifying and establishing relationships between traditional quantitative risks like market risks, credit risks, and liquidity risks. These risks then need to be mapped to IT risks, compliance risks, third-party risks, and more. Eventually, the data model can be extended out to include longer range and more intangible risks such as strategic risks or reputational risks (Figure 2). Documenting all these risks in a central library with a common, federated taxonomy is important for risk visibility.
Once the risk universe has been mapped, it needs to be linked to the larger risk-control data model. That involves mapping risk assessments, be it vendor risk assessments or operational risk assessments, to the associated controls and control tests, as well as scenario analyses and risk metrics. The framework can then be extended out to include loss events, incidents, and issues recorded by auditors or any group performing risk assessments (e.g. IT security group). All this information should be aligned with the risk taxonomy and library at the top (Figure 3).
After the risk universe has been integrated together in one structured hierarchy, it has to be linked to the larger business universe, including business structures, assets, processes, products, and strategic objectives (Figure 4). This kind of mapping makes it easy to determine how a particular risk impacts the business at various levels – be it a process level, or a legal entity level, or a product level. It also allows the data to be sliced and diced from various angles to allow different types of risk analyses, perspectives, and stories to emerge based on who is looking at the data (e.g. CIO, CEO).
The ERM data model is now slowly beginning to take shape. It has a well-defined risk taxonomy and risk-control data model, as well as risk metrics and issue data aligned to the business universe. All that’s needed to complete the picture are the compliance and audit pieces. For that, the ERM framework needs to be mapped to compliance regulations, requirements, and standards (Figure 5), as well as audit entities, evidence, findings, and other data from the third line of defense (Figure 6). The result is a tightly-knit ball of information—complex at first glance—but rich with risk insights and intelligence.
Now That We Have a High quality Data Model, What Next?
Once the risk universe has been linked to other organizational universes in the ERM framework, it needs to incorporate information from external sources (Figure 7). There could be structured data coming in from professional content providers like the Unified Compliance Framework (UCF) to help the business harmonize controls across regulations. Or there might be Dow Jones alerts about third parties, OFAC, and PEP screenings. There could also be RSS feeds, emails, and regulatory notifications. All this intelligence needs to be integrated into the ERM framework, and then re-directed to stakeholders and decision-makers in the first and second lines of defense. This use of external information is important because risk assessments cannot be one-dimensional activities limited to the four walls of the organization. Business units and risk management teams need to look at the broader trends and developments in their industry and geography, and incorporate this information into their assessments to gain a truly holistic picture of their risk exposure.
After data from external sources has been incorporated, the ERM data model is more or less complete. It has structured and mapped together risk information from multiple sources within and outside the organization, making it easier for stakeholders to define risk tolerances, monitor risk exposure, and extract useful and accurate insights for risk reporting. The data model also enables the three lines of defense to collaborate and communicate more effectively. Internal auditors, for instance, can leverage risk assessment results from ERM teams to plan risk-based audits. Or, operational risk management teams can map loss events to IT security issues to identify and close gaps.
Here’s a detailed look at how an integrated risk data model can support and enable collaboration between risk management teams and other business functions.
Building a comprehensive and well-structured risk data model is pivotal to acquiring, what Yoda referred to as “a little more knowledge that might light our way.” However, it doesn’t end there. Once you have a data model, what do you do with it? How do you best leverage it to uncover risk trends, and to provide meaningful, actionable insights to boards and risk committees? Stay tuned for our final insight in this series.