LEADING WITH GRC
The Return of the ERM – Extending Beyond Its Past Scope
Brenda Boultwood, SVP – Industry Solutions, MetricStream
© 2017 MetricStream, Inc. All Rights Reserved.


Page 1: LEADING WITH GRC - MetricStream Presentation... · The Return Of The Jedi – Extending beyond its past scope June 7, 2017


Page 2: The Return of the Jedi – Extending beyond its past scope

June 7, 2017

Page 3: The Return of the ERM – Extending Beyond Its Past Scope

In today's session…

• Understanding the growing scale and scope for Enterprise Risk Management programs
• Building a scalable and flexible data model to drive Enterprise Risk Management programs
• Identifying and integrating risk data sources to bring together taxonomies
• Mining the risk data to identify commonality and build consensus around risk principles
• Building a risk reporting structure which cascades risk impacts across the long and short run

Page 4: ERM programs are growing in scale & scope

Page 5: The Return of Enterprise Risk Management – Extending scope because the business environment has changed

The Growing Scope of Enterprise Risk Management

[Figure: the organization at the centre, surrounded by the pressures it faces and the risk categories those pressures pull into ERM scope.]

Pressures on the organization: facing new competition; expanding into new markets; launching non-traditional products; shorter customer attention span; changing customer interactions; disruptive business models; parabolic technology advancement; new modes of interaction; keeping pace with technology; constant regulatory change; emerging regulations; changing political environment.

Risk categories in scope: economic / third-party risks; operational risk; data privacy risk; reputational risk; cybersecurity risks; strategic risks; compliance risk; geopolitical risk.

Page 6: The Return of Enterprise Risk Management – Extending scale

The Growing Scale of Enterprise Risk Management

Four dimensions of scale: impact, likelihood, interrelationship, velocity.*

Traditional driver → emerging consequence:
• Increasing interdependencies between economies (and businesses) → larger impact from similar risk events than in the past
• Larger number of points of failure due to increasing business touchpoints → higher frequency of similar risk events than in the past
• News spreads fast, bad news even faster, in a hyperconnected environment → the impact of certain risk events catapults exponentially
• Multidimensional business models lead to latent relational influences → unpredictability in terms of impact and frequency

* Reference: The Power of Four, KPMG (2016).

Page 7: Extended ERM to integrate information

What integration delivers:
• Streamlined review and oversight processes
• Improved cost rationalisation and optimisation of reporting using a common framework
• Increased efficiency by using a common language and structure on risks, controls, processes, compliance themes and issues
• Increased effectiveness in Audit, Risk and Compliance Management

What it has to integrate across:
• Multiple silos of information
• Large, geographically diversified teams
• Multiple regulatory jurisdictions
• Complicated business models
• Business unit variations

Page 8: Where do we start while building an ERM program?

Page 9: Enterprise Risk Management – Treat it as a Data Science Problem

"Lack of risk information leads to lack of risk understanding, lack of risk understanding leads to uninformed decision making, uninformed decision making is the path of the Dark Side"
– Darth (RiskE) Vader, The Return of the ERM

Risk information principles, after BCBS 239 (the Basel Committee's principles for effective risk data aggregation and risk reporting):

• Completeness: should be able to capture and aggregate all material risk data across the organization
• Accuracy: should strive towards a single authoritative source for risk data across the organization
• Integrity: should have a "dictionary" of the concepts used, such that data is defined consistently across an organization
• Timeliness: should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles
• Adaptability: should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests

Page 10: Enterprise Risk Management – There is Data Everywhere

[Figure: four linked data universes.]

Risk Universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite
Business Universe: Asset, Product, Process, Organization, Function (by BU/FU, Region/Country, Legal Entity)
Compliance Universe: Requirement, Standard, Area of Compliance, Framework
Audit Universe: Audit Entity, Finding, Evidence

Page 11: Enterprise Risk Management – Mapping the Risk Universe

[Figure: the four-universe diagram from page 10, repeated.]

Page 12: Enterprise Risk Management – Mapping the Risk Data

Federated Risk Taxonomy

Risk Universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite

Risk Library: Operational Risk, IT Risk, Third Party Risk, Business Continuity Risk, Compliance Risk; Credit Risk, Market Risk, Liquidity Risk; Strategic Risk, Reputational Risk

BCBS 239 principles applied to the taxonomy:
• Completeness: aggregate all material risk data
• Integrity: define a "dictionary" of the risk concepts
• Accuracy: single authoritative source of risk data
• Adaptability: extendible relational risk library
• Timeliness: real-time risk data from multiple sources

Page 13: Enterprise Risk Management – Risk Control Data Model

Risk Universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite

Risk Library: Operational Risk, IT Risk, Third Party Risk, Business Continuity Risk, Compliance Risk; Credit Risk, Market Risk, Liquidity Risk; Strategic Risk, Reputational Risk

Data objects linked to the library:
• Risk Assessments: Risk Assessment Plan, Risk Assessment, Assessment Factor, Perspective
• Issues: Issue, Action
• Incidents: Incident, Investigation
• Metrics: Metric, Metric Data
• Loss Events: External Loss, Internal Loss
• Control Testing: Self-Assessment / Test Plan, Self-Assessment, Certification, Test
• Scenario Analysis: Scenario Workshop, Scenario, Scenario Response
• Regulatory Alerts: Regulatory Review, Regulatory Alert

Page 14: Enterprise Risk Management – Mapping Risk to the Other Universes

[Figure: the risk control data model from page 13, repeated.]

Page 15: Enterprise Risk Management – Setting the Business Context

[Figure: the Risk Universe (Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite) mapped to the Business Universe (Asset, Product, Process, Organization, Function, by BU/FU, Region/Country and Legal Entity).]

Page 16: Enterprise Risk Management – Setting the Regulatory Context

[Figure: the Compliance Universe (Requirement, Standard, Area of Compliance, Framework) added to the Risk and Business Universes.]

Page 17: Enterprise Risk Management – Aligning with the Audit (3rd Line of Defense)

[Figure: the Audit Universe (Audit Entity, Finding, Evidence) added, completing the four-universe map.]

Page 18: Now that we have high quality risk data, what next?

Page 19: Enterprise Risk Management – Incorporating All Sources of Risk Data

Leveraging the integrated platform for correlative intelligence

Curated inputs (Risk/Control Libraries, Regulatory Feeds, News Feeds):
• Regional ORM regulations
• Changing compliance requirements
• Emerging risks
• KRIs
• Publicly reported compliance failures
• Emerging regulatory consultations
• Financial result announcements
• Reported third party breaches
• Third party ratings agency updates
• Audit framework updates
• Audit analytics
• Metrics

Consuming functions: Operational Risk Management, Compliance Risk Management, Internal Audit, Third Party Risk Management

Examples of the use of correlative intelligence:
• Collaborate on changes, and the subsequent actions, in the operational risk regulatory framework
• Collaborate on third party assessments with information from compliance updates on third-party-related news
• Collaborate on market information for the design of products in line with conduct-related regulations
• Collaborate on supplier audits with regulatory intelligence on risk profiles

Page 20: Enterprise Risk Management – Collaborating Across the Lines of Defense

Lines of defense:
1. Business Units – Operational Risk Framework
2. Oversight Functions – Operational Risk Function
3. Independent Assurance – Internal Audit

Business drivers and initiatives: Business Strategy, Risk Tolerance
Risk Universe: Operational, Compliance, Third Party, IT

• Operational Risk Management: RCSA, KPI & KRI, Control Test, Loss Mgmt, other ORM functionality
• Third Party Risk Management: Vendor Assessment, Onboarding, SLA Monitoring, Loss Mgmt, other TPM functionality
• Compliance Management: Reg Change Mgmt, Compliance Risk, Rule Mapping, Compliance Assessments
• Other Risks: other risk functions, other management assurance functions
• Internal Audit: Risk Based Audits, Audit "Top Risks", Audit of Risk Event Monitoring, Spot Testing of Controls, Issue Management, other Internal Audit functions

Combined reporting for each risk

Page 21: Enterprise Risk Management – Collaborating Across Risk Portfolios

Third Party Risk Management: Performance Management; Risk Assessment and Mitigation; Contract Compliance; Due Diligence and Continuous Monitoring
Enterprise Risk Management: Loss Management; Issue and Action Management; Risk Metrics and Intelligence; Risk Control Self Assessments

Collaboration points:
• Incorporating issues identified during operational risk assessments in third party performance management: issues identified during the operational risk assessments are integrated in the balanced-scorecard-based assessment of vendor performance
• Mapping loss and risk events to the third party performance monitoring mechanism: losses and risk events are mapped to third parties to build a mechanism to track third party failures and lapses
• Integrated risk assessments with collaboration of dual perspective: risk assessments for risks attributed to third party relationships are conducted in collaboration across the Third Party and Operational Risk units
• Risk ratings and intelligence form an integral part of third party contract negotiations: risk intelligence generated from the tracking of risk metrics feeds into the definition of contract SLAs and assists in tracking compliance with SLAs

Page 22: Enterprise Risk Management – 3 Core Principles of Every Successful ERM Program

• Empower people to manage their risk management tasks with ease; enable swift, intelligent business decisions
• Embed risk management seamlessly and deeply into the organization's culture and DNA
• Predictive insights to analyze and prescriptively solve future challenges in Governance, Risk and Compliance functions

Page 23: Risk data is being collected, but what do we do with this risk data?

Page 24: Enterprise Risk Management – Provide CROs, CEOs and Boards Complete Risk Visibility

Executive dashboards capturing:
• Residual risk trend
• Risk exposure by objectives, risks, etc.
• Metric breaches by threshold category
• Control effectiveness status
• Issue status by organization
• Residual heat maps for rolled-up risks
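The data model sketched on pages 10 to 17 and the dashboard roll-ups listed above only become concrete once the entities sit in tables with keys between them. The following is an added worked example, not MetricStream's schema or code: it builds a minimal relational version of the Risk, Business and Compliance universes in SQLite and answers three dashboard questions with joins. Everything in it is an assumption constructed for illustration: the table and column names, the 1-5 likelihood/impact scale, the scoring rule (inherent = likelihood x impact; residual = inherent x (1 - effectiveness of the strongest mapped control)), the KRI threshold bands, and all sample rows.

```python
"""Relational sketch of the federated risk data model on these slides.

Added example, not MetricStream's schema or code. Assumed: table names, a 1-5
likelihood/impact scale, inherent = likelihood x impact, residual = inherent x
(1 - effectiveness of the strongest mapped control), and every sample row.
"""
import sqlite3

SCHEMA = """
CREATE TABLE org_unit (id INTEGER PRIMARY KEY, name TEXT, region TEXT, legal_entity TEXT);
CREATE TABLE risk (id INTEGER PRIMARY KEY, name TEXT, category TEXT);   -- risk library
CREATE TABLE control (id INTEGER PRIMARY KEY, name TEXT, risk_id INTEGER REFERENCES risk(id),
                      effectiveness REAL);                             -- 0.0..1.0, last test result
CREATE TABLE risk_assessment (risk_id INTEGER REFERENCES risk(id),
                              org_id INTEGER REFERENCES org_unit(id),
                              likelihood INTEGER, impact INTEGER);      -- 1..5 each
CREATE TABLE kri (id INTEGER PRIMARY KEY, risk_id INTEGER REFERENCES risk(id),
                  name TEXT, amber REAL, red REAL);                    -- breach thresholds
CREATE TABLE kri_data (kri_id INTEGER REFERENCES kri(id),
                       org_id INTEGER REFERENCES org_unit(id), observed REAL);
CREATE TABLE requirement (id INTEGER PRIMARY KEY, framework TEXT, clause TEXT);  -- compliance universe
CREATE TABLE control_requirement (control_id INTEGER REFERENCES control(id),
                                  requirement_id INTEGER REFERENCES requirement(id));
"""

# Constructed sample data: hypothetical units, risks, controls, KRIs and frameworks.
SAMPLE = {
    "org_unit": [(1, "Retail Banking", "EMEA", "Bank plc"), (2, "Payments", "APAC", "Pay Ltd")],
    "risk": [(1, "Unauthorised access to customer data", "IT Risk"),
             (2, "Critical supplier outage", "Third Party Risk"),
             (3, "Sanctions screening failure", "Compliance Risk")],
    "control": [(1, "MFA on customer-data systems", 1, 0.9),
                (2, "Supplier exit plan tested annually", 2, 0.2),
                (3, "Sanctions list refreshed daily", 3, 0.7)],
    "risk_assessment": [(1, 1, 3, 5), (1, 2, 2, 4), (2, 2, 4, 4), (3, 1, 2, 5)],
    "kri": [(1, 1, "Privileged accounts without MFA (%)", 5, 10),
            (2, 2, "Supplier SLA breaches per quarter", 2, 4),
            (3, 3, "Sanctions list age (days)", 1, 3)],
    "kri_data": [(1, 1, 12.0), (1, 2, 3.0), (2, 2, 3.0), (3, 1, 0.5), (3, 2, 4.0)],
    "requirement": [(1, "Data Protection Standard", "Access control"),
                    (2, "Sanctions Regulation", "Screening"),
                    (3, "Outsourcing Guideline", "Exit planning"),
                    (4, "Outsourcing Guideline", "Concentration risk")],
    "control_requirement": [(1, 1), (3, 2), (2, 3)],
}


def build_db():
    """Create the in-memory model and load the sample rows (table names come
    from the module constant above, never from user input)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def residual_heat_map(conn):
    """Top residual risk per organizational unit, i.e. one rolled-up heat map
    cell per unit. Returns {org name: (risk name, residual score)}."""
    rows = conn.execute("""
        SELECT o.name, r.name,
               ra.likelihood * ra.impact * (1 - COALESCE(MAX(c.effectiveness), 0))
        FROM risk_assessment ra
        JOIN org_unit o ON o.id = ra.org_id
        JOIN risk r ON r.id = ra.risk_id
        LEFT JOIN control c ON c.risk_id = r.id   -- no control: full inherent score
        GROUP BY o.id, r.id
        ORDER BY 3 DESC""").fetchall()
    heat = {}
    for org, risk_name, residual in rows:
        heat.setdefault(org, (risk_name, round(residual, 2)))  # first row per org = its max
    return heat


def kri_breaches(conn):
    """Metric breaches by threshold category: observed >= red, >= amber, else green."""
    rows = conn.execute("""
        SELECT CASE WHEN d.observed >= k.red THEN 'red'
                    WHEN d.observed >= k.amber THEN 'amber'
                    ELSE 'green' END AS band, COUNT(*)
        FROM kri_data d JOIN kri k ON k.id = d.kri_id
        GROUP BY band""").fetchall()
    counts = {"green": 0, "amber": 0, "red": 0}
    counts.update(rows)
    return counts


def requirements_at_risk(conn, min_effectiveness=0.5):
    """Cross-universe join: requirements whose mapped controls are all weak, or
    which map to no control at all (effectiveness reported as None)."""
    return conn.execute("""
        SELECT q.framework, q.clause, MAX(c.effectiveness)
        FROM requirement q
        LEFT JOIN control_requirement cq ON cq.requirement_id = q.id
        LEFT JOIN control c ON c.id = cq.control_id
        GROUP BY q.id
        HAVING COALESCE(MAX(c.effectiveness), 0) < ?
        ORDER BY q.framework, q.clause""", (min_effectiveness,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Residual heat map:", residual_heat_map(db))
    print("KRI breaches:", kri_breaches(db))
    print("Requirements at risk:", requirements_at_risk(db))
```

The last query is the one the "dictionary" and single-source principles pay for: because a control test result lives in one place and is keyed to both a risk and a requirement, a weak or missing control surfaces as a compliance gap without anyone re-keying it into a second system. With real data, add unique keys on the mapping tables and treat an assessment with no control row as a finding in its own right, which is what the COALESCE to zero is doing here.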

Page 25: Enterprise Risk Management – The Risk Data Can Answer These Questions

[Figure: analytics maturity curve from hindsight (descriptive analytics) through insight to foresight (predictive analytics); "You are here" sits at the hindsight end.]

Questions along the curve: "What has happened", "Why did it happen", "What is happening", "What is likely to happen", "What has to be done"

MetricStream focus areas:
• Cognitive Intelligence: pattern recognition through visualizing and identifying apparent and latent trends in historical data
• Algorithmic Intelligence: establishing causal relationships and contagions between diverse events and data sets
• Augmented Intelligence: natural language processing and machine learning to augment human decision making
• Anticipatory Intelligence: predictive modeling of deep historical data and self-optimized learning models
• Assistive Intelligence: contextual virtual intelligent assistance at every point of judgement-based decision making

Page 26: Enterprise Risk Management – How Can the Risk Data Answer These Questions

Hindsight – Insight – Foresight (descriptive analytics → predictive analytics); "You are here" at the hindsight end.

• "What has happened": aggregate information with data modeling; identify and visualize patterns and exceptions
• "Why did it happen": drill down and roll up of information; data validation for hypotheses
• "What is happening": collecting and categorizing data; proactive feedback loops
• "What is likely to happen": data mining for detecting patterns; forecasting, identifying trends and likelihoods
• "What has to be done": scenarios and constraints modeling; focus on relational decision optimization

Page 27: Enterprise Risk Management – Identifying Common Themes Using NLP

[Figure: enterprise primary data sources feeding MetricStream NLP applications, which serve end users, business users and corporate / governance.]

Enterprise primary data sources: Primary Data, ERP / DBMS, BI Systems, Legacy & Proprietary Systems
• Data stored across multiple disparate databases
• Multiple data sources, generating structured and unstructured data

MetricStream NLP applications: simple natural language search interface to intuitively and iteratively explore and analyse in "user speak"; semantic knowledge models; fine-grain security and access control; metadata-level parsing and aggregation; connectors; virtualisation layers; App / DBA; custom dynamic results; NLP strategy; MetricStream apps
• End user queries using a simple natural language search interface
• Rapid visualisation of data for efficient decision making
• Can read, pull and analyse from other tool outputs
• Intelligently connects to all existing and future data sources
• Automates query fulfillment (code, blend, prep, curate, extract, create cubes and marts, collate)
• Reduces resource need and response time to seconds/minutes vs hours/days

Page 28: Algorithmic Intelligence – Use Case and Future Direction

MetricStream Correlation Engine, focused on correlating trends and discovering causality.

Use case under consideration: credit rating and risk-based pricing
• Correlating credit ratings to default probability
• Calculating risk-based clusters for consumer loans
• Correlating price premiums to risk-based clusters
• Estimating price premiums by risk categories

Future direction:
• Macro-economic factor analysis
• Integrated stress testing
• Capital sensitivity
• Qualitative factor impact analysis

Page 29: The Return of the ERM – Extending Beyond Its Past Scope (session agenda, repeated from page 3)

Page 30: May the force be with you. Thank you!

© GRC Summit 2017 | All Rights Reserved. GRC for High Performers

Page 31: Thank You!

Continue the conversation online: #GRCSummit