How to get ORM working for the bank

By Paul Bruggeman

In recent years, banks have faced many initiatives related to Governance, Risk & Compliance (GRC) programs. Most of these programs were started because of new legislation imposed on them. Today we often see a silo-oriented approach per sub-domain: business managers have to cope with (too) many staff departments and with fragmented, but often very similar, information. The initiatives are not always well coordinated and lack a structured pattern, so business managers often perceive the extra work as unpleasant and as adding no value. Time for a change…


“Implement a continuous Risk & Control cycle”
-Paul Bruggeman, managing director Artena Business Consulting and CERRIX

Next challenges for GRC

We take the business manager as the starting point. He or she has to deliver performance according to the business objectives, and the risk context and control objectives must be derived from those objectives. The CEO is responsible for the risk appetite and risk culture within a bank; the CRO should define the risk policies and the risk framework.

Recent developments in the finance industry have shown the importance of risk transparency. Regulations such as Basel II, Customer Due Diligence and Anti-Money Laundering have resulted in a tremendous workload for banks. The dust has now settled somewhat, and the question arises how banks can optimize the GRC process and get the most out of it. We believe that the challenge for successful operational risk management is to get the Risk-Control cycle running.

Cycle steps

Risk management is a process of adjusting operations and business decisions in response to current and future states of an uncertain environment. Many firms pay close attention to the initial risk analysis: in a Control & Risk Self Assessment (CRSA), managers and staff evaluate their own risk profile based on their own perception. But how do we proceed from there and turn this into a sustainable Risk-Control cycle?

To proceed, a solid risk governance structure must be in place. The different lines of defense between operations, risk management, compliance and internal/external audit must be defined clearly and unambiguously: how are the different roles organized, and how can they be held accountable? In addition, a compliance and operational risk committee must be formalized. This committee, chaired by the CEO, invites representatives of the most exposed business units and must review all important ORM information. Supplying this committee with accurate and up-to-date information is vital, and the same information must reach all involved managers and staff. Business managers must be prompted on a regular basis to keep their risk awareness alive; in the end, the demand for risk information should arise spontaneously.

Frequency & Content

A monthly reporting cycle for (financial) performance management information is already common practice. Why not extend that information with operational risk information? If managers receive relevant risk management information on a regular basis, you can also expect a quicker response to it. If the risk profile of a business unit has changed during a month, this should be reported to the senior executives. A Risk Console that managers and staff can access in real time will be very helpful here.

What should this monthly Risk Console contain?
•    A list of newly reported incidents, together with the loss cases that are still open;
•    The status and trend of the relevant Key Risk Indicators;
•    The status of open Measures-of-Improvement (MOIs) aimed at risk mitigation, whether initiated by the unit itself or by the compliance/audit departments;
•    The proof of effectiveness for the relevant risk controls;
•    The list of operational risks for the business unit as recorded the previous month.

These monthly risk metrics are preferably presented in a dashboard format, and business unit managers must formally respond to this integrated risk information. That requires ORM tooling that is very user-friendly and makes the integrated compliance and risk information easy to interpret. Has the business changed in such a way that it is exposed to new, additional risks, or can presumed risks be removed from the risk register? This demands explicit monthly analysis and interpretation, so the focus falls on the incremental changes that move the risk profile up or down. A complete CRSA is not needed: the result of the last CRSA is carried forward month by month and may change along the way. Auditors and compliance officers can in turn react to the manager's response and judge whether it is acceptable. The result is a risk profile that changes over time and may differ per business unit (a dynamic business indeed, with more swings). Board members will ultimately get a more balanced opinion about the risk status and will be informed at a higher quality level.

Next Generation tools can help

Artena Business Consulting, which specializes in Governance, Risk & Compliance consultancy and solutions, has developed a GRC software product named CERRIX that is designed specifically to support the Risk-Control cycle as described in this article. "We have noticed that in certain circumstances business managers did not pay any attention to Operational Risk unless it was requested by senior executives", says Paul Bruggeman of Artena Business Consulting and CERRIX. This is partly the result of poor knowledge of ORM and GRC concepts. Training will certainly help to overcome this, but a solid risk framework based on a Risk-Control cycle is also necessary. In CERRIX, flexible risk periods can be defined, and these steer the risk reporting and alerting. Equally important is the handling of organizational changes: risk and control information is always linked to processes, responsibilities, organizational units, products and so on. Keeping pace with such changes is not always easy for IT solutions, but in CERRIX we have solved this properly. The newest Risk Console of CERRIX will surely help in implementing the Risk-Control cycle.
