Today businesses are adopting digital technology at a rapid pace. While this is creating major opportunities for firms, it’s also creating new risks.
Recently Camms collaborated with PRIMIA New York, to bring together three elite risk management practitioners for an engaging panel discussion focused on managing risks across global organisations. I spoke with them about the challenges around disparate systems, complex reporting requirements, and the difficulties of extracting meaningful data from a risk management programme to support strategic decision making.
The panel featured:
- Aaron Glover, Data Science Executive for Fraud Financial Crimes, and Model Risk Management, Phyton Consulting
- Emmanuel Rickard, Managing Director, Head of Enterprise Performance & Change, Mizuho Americas
- Catharine King, Acting Chief Data Officer, NATIXIS
Here we take a journey through some of the highlights from the session.
Manual Processes and Excel
Currently, many firms still rely on manual processes – largely Excel – to drive their risk programmes. The panel talked about some of the challenges businesses face when using manual processes and the lack of automation. They also shared some of the cultural issues that must be addressed to successfully implement best practice tooling.
Emmanuel noted that the organisation gets into a mindset that “Nothing beats Excel”. He said “When it actually comes to implementing a strategic tool, that can be quite hard to do, because the use of Excel is very embedded in the user of the strategic tool’s mindset and often what you can find is when a tool is put in and up and running, the first thing they often try to do is they figure out a way to export that information from the tool into excel so they can get closer to how things were previously!” But he noted that “with manual processes businesses can experience a loss of control over the process” and experience “data inconsistency”. In excel it can be next to impossible to put into place a fully functioning, data management and data quality processes.
Aaron pointed out that “organisations that don’t rely so much on Excel have invested heavily in developing that UI, and that journey map, of the risk assessment process, and doing it within the confines of the tool. Where we see folks being successful is where they in a very agile manner, adapt their workflows, and adapt their use of the tool to really meet how they’re doing risk assessments in 2021 and 2022”
According to Catharine, one of the biggest challenges when it comes to IT tooling is “right-sizing”, she added “you really have to pick and choose what is the priority, there’s only a certain number of dollars.’’ She noted that risk assessment is a function that people do not want to spend money on from an IT perspective and “Unfortunately, if your organisation is a little bit smaller, you might not have the option to have a tool that can be really helpful and functional for this kind of assessment.”
It is clear to see from our panel that there are certainly challenges around manual processes, especially when it comes to quality of data and information sharing. But there are also some advantages of being able to slice and dice the data in excel. It is best when you are choosing tooling, to map out exactly how you will want to view and use the data to cover all bases. Choose a system that offers the flexibility to export to excel, with a long-term view to stop using that functionality once you have the tool configured to get what you need out of it. Working towards this long-term goal is a great way to future proof your organisation.
Speaking on the cultural impact of adopting ‘risk taxonomy’ and ‘standardisation harmonisation’ across the organisation, all three panellists recognised that it’s not a just tick the box or administrative exercise.
“Culture is everything”, said Aaron. “The organisational tolerance in the culture of compliance is so critical. It ties back to enterprise policy and enterprise governance to ensure that if there is a policy, for example ‘model risk management’ that there is a proper procedure to enforce it. The key is not just to have a risk policy, and a risk framework, but to integrate that deeply into the ethos of the organisation through the policies and procedures. Bringing risk forward in sort of a non-confrontational manner is really key.”
Emmanuel added “What works well us when you have a very clear end to end process from the bottom of the organisation right up to the top. Where your risk taxonomy is tied to a set of ‘key risk indicators’ and they are understood and owned by key individuals across the organisation.”
It is clear from out panellists that ‘culture’ is a fundamental part of a risk management programme and using GRC software is a great tool to drive that cultural change. It promotes the sharing of information and cross-department working and adds a layer of ownership to risk.
Getting a Holistic View of Risk
Emmanuel spoke on the challenges of getting a holistic view of risk management data.
Emmanuel stated “Risk owns a lot of the data – and it needs to – to create that holistic view of risk. But it doesn’t own everything. It is dependent on finance & finance processes, ops data, and just recognising that, and how much influence the risk function can have on that is important.” He stated that ‘Inconsistent definitions’ are a challenge.
Businesses spend a lot of time cleansing and aggregating data to get a clear picture, and software can certainly support organisations to collect data consistently. Leaders need to have a confidence that data is correct and the admin behind getting to the point should be a key focus for businesses.
Emmanuel also stated that “Risk functions need to understand what their ‘critical data’ is as not all data is critical”. Businesses need to understand the weight of the data in terms of importance when evaluating data.
Disparate Systems & Silos
With disparate systems, different functions and processes, different technologies might have to co-exist within the organisation, creating in itself another set of risks and challenges. I spoke to the team around some of the challenges with disparate systems.
Aaron recognised that “A lot goes into getting everything into a unified a holistic vision and risk system and a lot of that is manual. Sometimes you can federate and connect to other systems. But the reality is, when we manage risk in different silos, sometimes it all doesn’t come back to the system of record for managing risk ‘’.
This is where business benefit from choosing GRC software that allows you to pull in data from different systems via API’s to get a holistic view of risk. It also helps to select a system that offers all of the functionality and tooling you may need throughout the business. You may not be ready to put all areas of the business onto the new tool straight away, but in time you want to know that that functionality is available as and when you need it as your organisation matures.
Controls to Monitor Risk Tolerance
The conversation also took a turn around getting visibility when your ‘risk tolerance’ is reached and defining a process specifically about how to deal with that type of risk.
Catharine shared her thoughts, she said “Tolerance is most defined on the operational risk side, businesses have very clear representatives, very clear tracking, very clear reporting to exco for operational risks that are severe”.
Aaron concurred that operational risk is a key area where risk tolerance measures come to life, he said “When operational risk events are recognised by frontline personnel or oversight personnel they get very quickly escalated through that chain of command to the risk committees, using a ‘push-driven’ model.”
But he added “the optimal model for risk detection is if you could continuously run the assessment every day or every hour every minute to detect at the first point of loss or the first point of risk that you have exceeded a threshold. That’s ideal.”
Setting up a control framework that allows for continuous monitoring is the best way to add automation to any risk management programme. Once you define your risk tolerances, you can set up workflow and notifications so when the risk tolerance is reached, the relevant parties are notified and the issue can be rectified.
At Camms, we know from experience what a difference best-practice risk management technology can make on an everyday basis to real-time practitioners. We are passionate about helping companies get the most out of their risk and compliance programmes. Request a no-obligation demo of our industry recognised, out of the box solution to learn more.
To watch the original webinar on-demand, click here.