Managing Enterprise GRC and Big Data: Risk vs. Reward
By Jenna Danko on Nov 20, 2013
In his previous blog Big GRC: Turning Data into Actionable GRC Intelligence, Matthew Long discussed Big Data and how it can affect the GRC process. In this post, I would like to emphasize a very basic aspect of operational risk management: striking a risk-reward balance.
Enterprise Governance, Risk & Compliance (EGRC) is increasingly becoming an umbrella term for the enterprise activities in the area of GRC. These three areas are being progressively aligned through the EGRC framework in organizations. An EGRC framework is now being perceived as an integral and vital element for enabling better corporate governance in financial institutions, helping them to operate profitably and to effectively serve stakeholders’ interests. Many experts and analysts over the years have proposed several effective approaches to risk management. One of the most popular is the enterprise risk management guidance from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. The COSO Enterprise Risk Management – Integrated Framework details the various components and their interrelationships.
The GRC framework in the last few years has become quite systematic, informative and advanced. Financial institutions are now trying to adopt a much more coherent, board-led framework for GRC that communicates with all risk departments. It is increasingly becoming a tool of oversight for boards of directors. Tier-1 organizations are moving towards a unified analytical platform for GRC and all other risk disciplines. Having a unified platform helps in providing a holistic view of the risk portfolio of an organization. It allows you to look at information in the context of related measures. The value of this unification is tremendous because there has always been a very strong overlap between credit and operational risk. It is of immense value to identify the operational aspects of credit losses and improve them to reduce credit losses and hence the capital held against them.
A unified platform for GRC converges very easily with financial crime and compliance management (FCCM) systems. There are a large number of touch points between FCCM and GRC systems, and a close interaction between them is absolutely essential to ensure a reduction in financial crime and operational risk losses, which is particularly valuable in the aftermath of recent bank scandals. Of even more value is the fact that it facilitates end-to-end compliance workflows. Compliance workflows bring intelligence into the compliance management process. The workflow starts from identification and goes on to actual compliance execution, tracking and monitoring, and hence backs compliance assessments with actual facts. This offers terrific value to compliance management in organizations by giving them not just compliance assessments but a lot of qualifying or disqualifying facts along with the assessment.
An example: company policy states there can be no unsolicited offers to customers over 65 years of age. DO I ADHERE TO THIS POLICY? Yes I do, but the compliance system gives me some interesting facts that need attention: there has been an increase in solicitation-to-seniors alerts, complaints from seniors have been on the rise, annuity sales have gone up greatly, only a small percentage of reps have completed their training on sales to seniors, and their cumulative risk score is high.
With all the above facts and examples it is quite evident how advanced GRC frameworks are getting by the day; however, today I would still like to emphasize a very basic aspect of risk management: striking a risk-reward balance. EGRC frameworks, from the time of their inception to this day, have always called attention to the criticality of looking at these two factors collectively to maintain the right equilibrium between them. Organizations need to make money, without which no business can hope to achieve its aims. The entrepreneurial spirit and the profit motive are thus integral to the successful conduct of business anywhere. But these organizations also have a great responsibility towards customers and stakeholders, and any organization which aims to succeed over the longer term will need to be aware of the various threats and challenges to its business and adapt its behavior accordingly. In short, it needs to balance risk and reward.
Though risk and reward are two sides of the same coin, they are often looked at and managed in silos. Organizations perform both of these functions and continue to improve, but the convergence of these aspects so that they add value to each other has been missing. Setting up risk and performance objectives and then combining them with the right risk appetite levels could facilitate very useful business portfolio decisions against risk and reward. The Risk Appetite Framework by Booz and Co describes how a desired risk appetite helps facilitate business portfolio decisions based on a comparison of risk-return profiles and illustrates it with the example below.
What is required to get there?
Risk Aware and Sensitive Culture
To me, the most important step is the creation of a risk-sensitive and risk-aware culture in the organization, one where risk is embraced in a very open, positive and proactive manner. It is as much about the right culture as it is about people, process and systems. A risk-sensitive and risk-aware culture is one where risk is integrated with strategy setting and its execution. Such a culture should promote an open environment and allow people to speak up and provide opinions on what an organization is doing. Careful observation would show that, with open discussion, the organization would generally end up taking more risk and not less.
The other important point is that this has to be a very involved activity in the organization; while it is the board’s responsibility, this culture has to reach employees at all levels in the organization. Employees at all levels must be made aware of and informed of the consequences of not adopting the risk culture. They should also know that each one of them has a contribution to make to the larger goals of the organization.
Quantitative metrics in the form of indicators should be set up, monitored and communicated to all the relevant parties in an organization. Mining the data for relevant facts and implications and publishing them appropriately is extremely useful. And this gets easily done with a unified system.
To give you a simple example, a branch employee who sells financial plans or someone who is responsible for personal lending needs to be educated on the fact that while his targets are of prime importance, a little risk awareness could 1) avoid financial losses to the organization, 2) avoid reputational damage, 3) bring in more business because of goodwill, and 4) bring down the capital itself and hence make him a better stakeholder. The key is to promote the fact that everyone in the organization has a role to play in the organization’s success.
So everyone in the organization needs to be encouraged to identify and assess the possible events associated with every new opportunity. They must evaluate how good or bad it can get. Are we OK ending up somewhere in between? A comprehensive risk analysis is required before stepping into every opportunity.
Holistic Use of Data
Big Data is the buzzword today. It is very important to make use of the enormous amount of information around us. Someone rightly said, “Wisdom is dead. Long live information.” There is so much information in various formats available all around us to help us take more informed decisions and to help us be risk sensitive and risk aware based on true facts. It is about turning the data all around you into actionable GRC intelligence.
Although GRC professionals are not looking at the implementation of covert surveillance programs, there are many GRC “Big Data” challenges to be faced and potential lessons to be learned from PRISM, a data mining program run by US intelligence agencies, that can be applied a lot closer to home.
For example, similar to the PRISM challenge, how can GRC professionals collect, manage and analyze an enormous and disparate volume of data to create and manage their own actionable intelligence, covering hidden signs and patterns of criminal activity, early or retrospective violations of regulations, laws, corporate policies and procedures, emerging risks, weakening controls and so on? Not exactly the stuff of James Bond, to be sure, but it is certainly more applicable to most GRC professionals’ day-to-day challenges.
As always, please share your thoughts.