There’s a scene in Star Wars “Episode III: Revenge of the Sith” when Yoda and Obi-Wan Kenobi learn about Anakin’s treachery and the horrific massacre at the Jedi temple. Yoda says, “In a dark place we find ourselves…a little more knowledge might light our way.” It’s a line that, in many ways, sums up what the iconic film is about: darkness vs. light, good vs. evil, order vs. chaos, and ultimately, the notion of knowledge as power.
For companies trying to navigate a difficult risk landscape, knowledge is everything – particularly when it’s in the form of timely risk intelligence and insights that can offer stakeholders a clear view of the road ahead, and enable them to make better-informed business decisions. There is a caveat though. Risk intelligence is only as good as the data from which it was drawn. In other words, if companies don’t have accurate, comprehensive, or sufficient risk data, they may not be able to make risk-intelligent decisions. And therein lies the challenge.
For years, companies have looked at Enterprise Risk Management (ERM) from a “process engineering” perspective – putting in place procedures and controls across the enterprise, and ensuring that they are followed. However, with the rapid increase in both the sources and quantum of risk data, ERM has metamorphosed into a data science problem. It requires that companies be able to swiftly aggregate, consolidate, filter, and sift through risk information from various sources to arrive at a true picture of their risk profile.
This approach is particularly important in a world where corporate risk profiles are only growing more extensive and complex. Companies need better risk clarity, visibility, and simplicity through better data aggregation and reporting frameworks. Echoing this notion are a growing number of regulations such as BCBS 239 which requires that banks be able to integrate risk information in a manner that supports accurate and timely risk reporting.
The challenge, however, is the unprecedented volumes of risk data flowing in from both inside and outside the enterprise. There is data everywhere—be it in business lines and processes, or areas of compliance and audit findings, or key risk indicators and risk scenarios. How does one make sense of this data, bring it all together, and gain a complete and clear understanding of the organization’s risk profile?
Building a Risk Data Model
To comply with these five principles—to aggregate risk data in a way that supports and strengthens risk reporting—companies need to be able to bring together all the various components of the risk universe into a “single source of truth” or a centralized data model. This risk universe then needs to be mapped to the other universes in the organization, including the business universe, compliance universe, and audit universe (Figure 1). By integrating all this data in a single, structured framework, stakeholders will have a clear view of the risks that affect the organization, as well as their impact on each other and on business objectives, audits, compliance processes, and other data elements.
This kind of comprehensive, in-depth risk view is important because, as we discussed in our previous insight, the scope and scale of ERM has increased. No longer is it enough to simply align a risk to a process. Companies need to understand how various risks interact with each other, and how that, in turn, amplifies risk impact. They also need to think about metrics like risk velocity and what that could mean for various processes. All these insights are much easier to glean with a centralized, tightly mapped risk data model.
The flexibility of the data model also matters. Risks, controls, and regulations are constantly changing, and if the data model is too rigid to incorporate these changes, it will break or cease to provide any value.
Mapping the Risk Universe
Step 1 of building the risk data model is to map the risk universe. It starts with identifying and establishing relationships between traditional quantitative risks like market risks, credit risks, and liquidity risks. These risks then need to be mapped to IT risks, compliance risks, third-party risks, and more. Eventually, the data model can be extended out to include longer range and more intangible risks such as strategic risks or reputational risks (Figure 2). Documenting all these risks in a central library with a common, federated taxonomy is important for risk visibility.
Building a Risk-Control Data Model
Once the risk universe has been mapped, it needs to be linked to the larger risk-control data model. That involves mapping risk assessments, be it vendor risk assessments or operational risk assessments, to the associated controls and control tests, as well as scenario analyses and risk metrics. The framework can then be extended out to include loss events, incidents, and issues recorded by auditors or any group performing risk assessments (e.g. IT security group). All this information should be aligned with the risk taxonomy and library at the top (Figure 3).
Alignment with the Business Universe
After the risk universe has been integrated together in one structured hierarchy, it has to be linked to the larger business universe, including business structures, assets, processes, products, and strategic objectives (Figure 4). This kind of mapping makes it easy to determine how a particular risk impacts the business at various levels – be it a process level, or a legal entity level, or a product level. It also allows the data to be sliced and diced from various angles to allow different types of risk analyses, perspectives, and stories to emerge based on who is looking at the data (e.g. CIO, CEO).
Setting the Regulatory and Audit Context
The ERM data model is now slowly beginning to take shape. It has a well-defined risk taxonomy and risk-control data model, as well as risk metrics and issue data aligned to the business universe. All that’s needed to complete the picture are the compliance and audit pieces. For that, the ERM framework needs to be mapped to compliance regulations, requirements, and standards (Figure 5), as well as audit entities, evidence, findings, and other data from the third line of defense (Figure 6). The result is a tightly-knit ball of information—complex at first glance—but rich with risk insights and intelligence.
Now That We Have a High-Quality Data Model, What Next?
Once the risk universe has been linked to other organizational universes in the ERM framework, it needs to incorporate information from external sources (Figure 7). There could be structured data coming in from professional content providers like the Unified Compliance Framework (UCF) to help the business harmonize controls across regulations. Or there might be Dow Jones alerts about third parties, OFAC, and PEP screenings. There could also be RSS feeds, emails, and regulatory notifications. All this intelligence needs to be integrated into the ERM framework, and then re-directed to stakeholders and decision-makers in the first and second lines of defense. This use of external information is important because risk assessments cannot be one-dimensional activities limited to the four walls of the organization. Business units and risk management teams need to look at the broader trends and developments in their industry and geography, and incorporate this information into their assessments to gain a truly holistic picture of their risk exposure.
After data from external sources has been incorporated, the ERM data model is more or less complete. It has structured and mapped together risk information from multiple sources within and outside the organization, making it easier for stakeholders to define risk tolerances, monitor risk exposure, and extract useful and accurate insights for risk reporting. The data model also enables the three lines of defense to collaborate and communicate more effectively. Internal auditors, for instance, can leverage risk assessment results from ERM teams to plan risk-based audits. Or, operational risk management teams can map loss events to IT security issues to identify and close gaps.
Here’s a detailed look at how an integrated risk data model can support and enable collaboration between risk management teams and other business functions.
- Risk intelligence generated from risk metrics feeds can be incorporated into third-party contract negotiations and SLAs
- Third-party risk assessments can be conducted collaboratively by the third-party management and operational risk management functions, thereby minimizing duplication of effort
- Operational losses and risk events can be mapped to third-party performance monitoring processes to track third-party failures and lapses
- Issues identified during operational risk assessments can be integrated into vendor performance assessments
- Risk reports can be integrated into regulatory filings. Since operational risk reporting is dynamic and strictly governed by regulators, the compliance and ERM functions can work together to ensure that risk reports are compliant with the latest requirements
- Regulatory compliance requirements can be mapped to risk-control self-assessments. This way, stakeholders can ensure that if a regulatory change occurs, risk-control self-assessments are instantly aligned to it
- Compliance risk assessments can be integrated into the enterprise risk management strategy
- Compliance risk issues identified during operational risk assessments can be mapped to issues found in compliance assessments, thereby minimizing redundancies in issue management and remediation
- With a common view of the top 10 risks in the organization, auditors and ERM teams can ensure that their reports to the leadership team are aligned to each other
- By mapping ERM data around risks and loss events to auditable entities, auditors can plan their audits efficiently based on the areas of highest risk
- An integrated view of risk issues can be shared across internal audit and operational risk management teams, thereby minimizing redundancies and irregularities in issue management
Building a comprehensive and well-structured risk data model is pivotal to acquiring, what Yoda referred to as “a little more knowledge that might light our way.” However, it doesn’t end there. Once you have a data model, what do you do with it? How do you best leverage it to uncover risk trends, and to provide meaningful, actionable insights to boards and risk committees? Stay tuned for our final insight in this series.