In the past, the bank relied on multiple different systems to monitor and report key disruptive risks across their businesses and geographies. They didn't have a streamlined process to capture emerging risks, and to determine how these risks mapped to the overall risk profile of the organization. The result of this approach was a tangle of risk information silos that became increasingly challenging to reconcile or harmonize for the top management’s and board’s consumption.
As the organization scaled up its operations, each team ended up using their own risk and control taxonomies which made it harder for the management team to arrive at a cohesive understanding of the organization’s risk profile. Since risk data often had to be manually aggregated, sorted, and entered into reports, the final insights that flowed up to decision-makers were often delayed, thus hampering the speed of risk response. Moreover, existing risk systems captured only 60% of risk findings, thereby limiting visibility into potential issues. Realizing that this approach was neither efficient nor sustainable, the bank began looking for a better alternative. They wanted to implement a single, integrated risk management system that could be used across the enterprise to collate, monitor, manage, and report all risks consistently and swiftly. With the ever-increasing threat of financial and reputational loss posed by both existing and emerging risks, the bank also needed to establish a process that would allow them to continually update their risk universe.
To support and enable these efforts, the bank chose MetricStream’s Integrated Risk solution1
1 The bank also implemented MetricStream’s solutions for regulatory change, regulatory engagement, and policy management
Holistic view of key risks and their impact on business objectives
Faster risk assessments with automatic segmentation of fourth parties into various risk categories
Faster, better decision-making to balance risks and rewards/p>
Improved ability to identify both emerging and evolving material risks
Greater consistency in risk taxonomies, plus increased automation
The MetricStream solution has helped the bank build a single source of truth on risks across the enterprise. The solution captures data on external and internal loss events, as well as a wide range of risks, scenarios, treatment plans, and key indicators. This data is populated on graphical dashboards with a clear view of risk thresholds, enabling stakeholders to swiftly identify emerging risks.
Through the solution, the top risks are classified into 17 broad categories, ranging from money laundering and terrorist financing risks, to IT and cybersecurity risks, as well as regulatory non-compliance and vendor risks. Essentially, the bank now has a single, integrated risk data model with standardized risk taxonomies which simplify risk communication and reporting.
Since risk rankings are constantly subject to change, the solution allows stakeholders to periodically re-assess the top risks based on seven criteria, including financial loss, reputational damage, client impact, and regulatory impact. Therefore, senior management always has an up-to-date, timely picture of critical risks. Risk rankings are automatically calculated based on residual risk findings.
The solution enables the bank to report top risk instances, thus informing the management and board about the organization’s exposure to critical risks, while reconciling high level statements with granular control outcomes in each process and country.
The solution rolls up risk data from across business units and geographies to the executive team and board to provide an overall perspective of the top risks. These findings can be compared with industry/ target standards and practices to identify and close any gaps.
Meanwhile, the executive team and board can add their own risks based on their observations and interactions with the market. The solution triggers a streamlined process of creating, reviewing, approving, and publishing a new top risk. It also allows for existing top risks to be modified or retired.
Through the solution’s systematic and automated workflows for risk monitoring, as well as its cohesive view of the top risks across the enterprise, the bank is better able to understand the dependencies between risk exposure, execution of strategy, and achievement of business objectives. Senior management can proactively uncover potential risks to the business, and take informed steps to protect customers and stakeholders before a problem actually strikes. This improved risk awareness and response capacity has strengthened the bank’s overall resilience and agility, enabling it to thrive in the midst of a complex and changing risk landscape.
The solution covers 90% of the countries that the bank operates in, has over 10,000 business users, and is one of the largest implementations in the organization.