Enterprise risk management must be based on a holistic approach targeted at reducing risk to business performance objectives.
By Brian Barnier, ValueBridge Advisors
Systems failures, rogue trading, data breaches, project delays, troubled products, trading failures, money laundering through mobile networks: these are just some of the operational risk sinkholes that have sunk business performance. Why do these problems keep coming back despite financial services firms' efforts to prevent them? What are we doing wrong? Is there an easier way? The answer is probably simpler than you think.
In analyzing risk management difficulties, much damage is self-inflicted, as institutions try to tackle risk through a collection of compliance checklists, looking at "trees" rather than the "forest." This makes it difficult to cut process waste, much less find risks.
The holistic "forest" view, however, focuses on reducing risk to business performance objectives. The performance-driven approach uses a simple risk management process to bring clarity to the complex and changing situation that is a financial company. The heart of this risk management process is life-like scenario analysis, because all other risk management steps depend on realistic scenarios. CIOs are well positioned to improve the realism of scenarios and thus reduce risk to performance.
A financial CIO's ops risk "to do" list includes four priorities: creating a more integrated view of risk, generating more insightful risk scenarios, meeting data management challenges and improving data analytics. For each objective, the CIO is concerned about chewing up time and money. What complicates each task and how can these complications be more easily resolved?
1) Creating a more integrated view of risk. The financial CIO sees the need for an integrated view both within IT and between the business and IT. The lack of an integrated risk view has been clear in dramatic failures such as sub-prime mortgages, massive outages, robo-signings and rogue trading. These gaps are almost always associated with failures in scenario analysis, next on the financial CIO's list.
2) Generating more insightful risk scenarios. A scenario is not "$10 million internal fraud." That's a loss data point. Scenarios are "what if?" stories about how situations unfold with all the complications of real life: a systems overload, during a hurricane or flooding, wireless degradation, broadband washed out, at month-end closing, etc. Scenarios are created in workshops designed to find out about risks now, rather than later. How many post-incident investigative reports have you read? Available online, they tell the painful stories of unfolding problems, multiple root causes and resulting damage.
IT leaders, however, can encourage a rich, disaster-drill type perspective on scenario analysis, and provide the systems details needed to shine a light on lurking risks, all while cutting analysis time in half.
3) Meeting data management challenges. These projects struggle for the usual reasons, plus some reasons specific to ops risk, including defining taxonomies and structures. This is especially true because ops risk processes are in flux and seek to compile data in new ways: end-to-end, cross-silo and in view of a variety of risks. What would make that easier? Realistic scenarios!
4) Improving data analytics. Now the CIO knows the pattern. While IT can support software, real insight rather than "garbage in, garbage out" requires data logic: a clear view of systems, end-to-end processes and dependencies from scenario analysis. The CIO can suggest the ops risk team start with scenario analysis and tools to map how systems actually work, and how they can fail.
So the jumbled list of ops risk tasks can be simplified by focusing on one simple thought: reducing risk to performance objectives. This demands a simple, repeatable risk management process to bring clarity. A key step in this process is realistic scenario analysis. Robust scenarios are only possible if the workshop group can crisply apply deep business knowledge to ask rigorously "what if?"
The pressing need is to know now, before the painful day when a press release is being written to explain the dreaded "bad thing."
To get ahead of the pain, it's crucial to upgrade scenario analysis workshops. To better manage risk to performance objectives, IT leaders can encourage operational risk leaders to adopt rigorous and realistic scenario approaches, expanding on scenarios for user interface or continuity used in IT. Then, supply detail to illuminate how business processes work to generate profit. For the CIO, this makes it easier to manage IT risk and implement risk software tools.
As a bonus, more deeply connecting the business and IT on risk catalyzes deeper linkages everywhere. For the business, it's faster to find and fix risks to performance.