© 2017 MetricStream, Inc. All Rights Reserved.
LEADING WITH GRC
The Return of the ERM – Extending Beyond Its Past Scope
Brenda Boultwood, SVP – Industry Solutions, MetricStream
The Return of the Jedi – Extending beyond its past scope
June 7, 2017
The Return of the ERM – Extending Beyond Its Past Scope

In today's session…
• Understanding the growing scale and scope for Enterprise Risk Management programs
• Building a scalable and flexible data model to drive Enterprise Risk Management programs
• Identifying and integrating risk data sources to bring together taxonomies
• Mining the risk data to identify commonality and build consensus around risk principles
• Building a risk reporting structure which cascades risk impacts across the long and short run

ERM programs are growing in scale & scope
The Return of Enterprise Risk Management – Extending Scope because the business environment has changed
The Growing Scope of Enterprise Risk Management

[Diagram: the organization at the centre, surrounded by the business drivers below and the risk categories they give rise to.]
Business drivers:
• Facing new competition
• Expanding into new markets
• Launching non-traditional products
• Shorter customer attention span
• Changing customer interactions
• Disruptive business models
• Parabolic technology advancement
• New modes of interaction
• Keeping pace with technology
• Constant regulatory change
• Changing political environment
• Emerging regulations
Risk categories:
• Economic / 3rd party risks
• Operational risk
• Data privacy risk
• Reputational risk
• Cybersecurity risks
• Strategic risks
• Compliance risk
• Geopolitical risk
The Return of Enterprise Risk Management – Extending Scale
The Growing Scale of Enterprise Risk Management

Four dimensions of a risk event: Impact, Likelihood, Interrelationship, Velocity*
*Reference: The Power of Four, KPMG (2016).

Traditional → Emerging:
• Increasing interdependencies between economies (and businesses) lead to larger impact from similar risk events than in the past
• Larger number of points of failure due to increasing business touchpoints leads to higher frequency of similar risk events than in the past
• News spreads fast, bad news even faster, in a hyperconnected environment, leading certain risk event impacts to catapult exponentially
• Multidimensional business models lead to latent relational influences, leading to unpredictability in terms of impact and frequency
Extended ERM to integrate information

What an extended ERM delivers:
• Streamlined review and oversight processes
• Improved cost rationalisation and optimisation of reporting using a common framework
• Increased efficiency by using a common language and structure on risks, controls, processes, compliance themes and issues
• Increased effectiveness in Audit, Risk and Compliance Management

What it has to cope with:
• Multiple silos of information
• Large geographically diversified teams
• Multiple regulatory jurisdictions
• Complicated business models
• Business unit variations

Where do we start while building an ERM program?
Enterprise Risk Management – Treat it as a Data Science Problem

"Lack of Risk Information Leads to Lack of Risk Understanding, Lack of Risk Understanding leads to Uninformed Decision Making, Uninformed decision making is the path of the Dark Side"
– Darth (RiskE) Vader, The Return of the ERM

Risk information principles (BCBS 239):
• Completeness: should be able to capture and aggregate all material risk data across the organization
• Accuracy: should strive towards a single authoritative source for risk data across the organization
• Integrity: should have a "dictionary" of the concepts used, such that data is defined consistently across an organization
• Timeliness: should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles
• Adaptability: should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests
Enterprise Risk Management – There is Data Everywhere

[Diagram: four interlinked data universes.]
Risk universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite
Business universe: Asset, Product, Process, Organization (BU/FU, Region/Country, Legal Entity), Function
Compliance universe: Requirement, Standard, Area of Compliance, Framework
Audit universe: Audit Entity, Finding, Evidence
Enterprise Risk Management – Mapping the Risk Universe

[Diagram: the same four universes (Risk, Business, Compliance, Audit); the Risk universe (Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite) is the one being mapped.]
Federated Risk Taxonomy
Enterprise Risk Management – Mapping the Risk Data

Risk universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite
Risk Library:
• Operational Risk, IT Risk, Third Party Risk, Business Continuity Risk, Compliance Risk
• Credit Risk, Market Risk, Liquidity Risk
• Strategic Risk, Reputational Risk

BCBS 239 principles applied to the risk data:
• Completeness: aggregate all material risk data
• Integrity: define a "dictionary" of the risk concepts
• Accuracy: single authoritative source of risk data
• Adaptability: extendible relational risk library
• Timeliness: real-time risk data from multiple sources
Enterprise Risk Management – Risk Control Data Model

Risk universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite
Risk Library:
• Operational Risk, IT Risk, Third Party Risk, Business Continuity Risk, Compliance Risk
• Credit Risk, Market Risk, Liquidity Risk
• Strategic Risk, Reputational Risk

Data model entities linked to the risk library:
• Risk Assessments: Risk Assessment Plan, Risk Assessment, Assessment Factor, Perspective
• Issues: Issue, Action
• Incidents: Incident, Investigation
• Metrics: Metric, Metric Data
• Loss Events: External Loss, Internal Loss
• Control Testing: Self-Assessment / Test Plan, Self-Assessment, Certification, Test
• Scenario Analysis: Scenario Workshop, Scenario, Scenario Response
• Regulatory Alerts: Regulatory Review, Regulatory Alert
Enterprise Risk Management – Mapping Risk To The Other Universes

[Diagram: the same risk library and risk control data model (Risk Assessments, Issues, Incidents, Metrics, Loss Events, Control Testing, Scenario Analysis, Regulatory Alerts), now mapped to the Business, Compliance and Audit universes.]
Enterprise Risk Management – Setting the Business Context

Risk universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite
Business universe: Asset, Product, Process, Organization (BU/FU, Region/Country, Legal Entity), Function
Enterprise Risk Management – Setting the Regulatory Context

Risk universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite
Business universe: Asset, Product, Process, Organization (BU/FU, Region/Country, Legal Entity), Function
Compliance universe: Requirement, Standard, Area of Compliance, Framework
Enterprise Risk Management – Aligning with the Audit (3rd LoD)

Risk universe: Risk, Controls, Risk Events, KRI, KPI, Scenario, Appetite
Business universe: Asset, Product, Process, Organization (BU/FU, Region/Country, Legal Entity), Function
Compliance universe: Requirement, Standard, Area of Compliance, Framework
Audit universe: Audit Entity, Finding, Evidence

Now that we have high quality risk data, what next?
Enterprise Risk Management – Incorporating All Sources of Risk Data
Leveraging the integrated platform for correlative intelligence

Curate: Risk/Control Libraries, Regulatory Feeds, News Feeds
Functions on the platform: Operational Risk Management, Compliance Risk Management, Internal Audit, Third Party Risk Management

Examples of the use of correlative intelligence:
• Collaborate on changes and subsequent actions in the operational risk regulatory framework
• Collaborate on third party assessments with information from compliance updates on third party related news
• Collaborate on market information for the design of products in line with conduct-related regulations
• Collaborate on supplier audits with regulatory intelligence on risk profiles

Inputs being correlated: Regional ORM regulations; Changing compliance requirements; Emerging risks; KRIs; Publicly reported compliance failures; Emerging regulatory consultations; Financial result announcements; Reported third party breaches; Third party ratings agency updates; Audit frame updates; Audit analytics; Metrics
Enterprise Risk Management – Collaborating Across the Lines of Defense

Lines of defense:
1. Business Units – Operational Risk Framework
2. Oversight Functions – Operational Risk Function
3. Independent Assurance – Internal Audit

Business drivers and initiatives: Business Strategy, Risk Tolerance
Risk universe: Operational, Compliance, Third Party, IT, Other Risks

Operational Risk Management: RCSA, KPI & KRI, Control Test, Loss Mgmt, Other ORM Functionality
Third Party Risk Management: Vendor Assessment, Onboarding, SLA Monitoring, Loss Mgmt, Other TPM Functionality
Compliance Management: Reg Change Mgmt, Compliance Risk, Rule Mapping, Compliance Assessments
Other Risk Functions; Other Management Assurance Functions
Internal Audit: Risk Based Audits, Audit "Top Risks", Audit of Risk Event Monitoring, Spot Testing of Controls, Issue Management, Other Internal Audit Functions

Combined reporting for each risk
Enterprise Risk Management – Collaborating Across Risk Portfolios

Third Party Risk Management: Performance Management; Risk Assessment and Mitigation; Contract Compliance; Due Diligence and Continuous Monitoring
Enterprise Risk Management: Loss Management; Issue and Action Management; Risk Metrics and Intelligence; Risk Control Self Assessments

Collaboration points:
• Incorporating issues identified during operational risk assessments in third party performance management: issues identified during the operational risk assessments are integrated in the balanced-scorecard-based assessment of vendor performance
• Map loss and risk events to the third party performance monitoring mechanism: losses and risk events are mapped to third parties to build a mechanism to track third party failures and lapses
• Integrated risk assessments with collaboration of dual perspective: risk assessments for risks attributed to third party relationships are conducted in collaboration across the Third Party and Operational Risk units
• Risk ratings and intelligence form an integral part of third party contract negotiations: risk intelligence generated from the tracking of risk metrics feeds into the definition of contract SLAs and assists in tracking compliance with the SLAs
Enterprise Risk Management – 3 Core Principles of Every Successful ERM Program

• Empower People to manage their Risk Management tasks with ease; enable swift, intelligent business decisions
• Embed Risk Management seamlessly and deeply into the organization's culture and DNA
• Predictive Insights to analyze and prescriptively solve future challenges in Governance, Risk and Compliance Functions

Risk data is being collected, but what do we do with this risk data?
Enterprise Risk Management – Provide CROs, CEOs and Boards Complete Risk Visibility

Executive dashboards capturing:
• Residual risk trend
• Risk exposure by objectives, risks, etc.
• Metric breaches by threshold category
• Control effectiveness status
• Issue status by organization
• Residual heat maps for rolled up risks
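The dashboard items above (residual heat maps for rolled-up risks, metric breaches by threshold category) only work if the risk control data model from the earlier slides is actually wired together: a risk sits in a federated risk library, carries controls with test results, and carries KRIs with thresholds. The following is an added example, not code from the presentation or from MetricStream, showing one way to model that and compute the two dashboard views. The scoring convention (impact × likelihood on a 1..5 scale, controls combined as independent gaps, worst-case roll-up by maximum, heat-map bands) and all sample data are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Heat-map bands for a residual score on the 1..25 impact x likelihood scale (constructed convention)
HEAT_BANDS = [(6, "Low"), (12, "Medium"), (18, "High")]   # anything >= 18 is "Critical"


@dataclass
class Control:
    control_id: str
    effectiveness: float      # latest control-test result, 0.0 (failed) .. 1.0 (fully effective)


@dataclass
class KRI:
    kri_id: str
    value: float              # latest metric data point
    warning: float            # amber threshold
    critical: float           # red threshold
    higher_is_worse: bool = True


@dataclass
class Risk:
    risk_id: str
    category: str             # path in the federated risk library, e.g. "Operational Risk/IT Risk"
    impact: int               # inherent impact, 1..5
    likelihood: int           # inherent likelihood, 1..5
    controls: List[Control] = field(default_factory=list)
    kris: List[KRI] = field(default_factory=list)


def combined_effectiveness(controls: List[Control]) -> float:
    """Treat controls as independent: the residual gap is the product of each control's gap."""
    gap = 1.0
    for c in controls:
        gap *= 1.0 - max(0.0, min(1.0, c.effectiveness))
    return round(1.0 - gap, 4)


def inherent_score(risk: Risk) -> int:
    return risk.impact * risk.likelihood


def residual_score(risk: Risk) -> float:
    """Residual = inherent score reduced by the combined control effectiveness."""
    return round(inherent_score(risk) * (1.0 - combined_effectiveness(risk.controls)), 2)


def heat_band(score: float) -> str:
    for upper, label in HEAT_BANDS:
        if score < upper:
            return label
    return "Critical"


def kri_status(kri: KRI) -> str:
    """Threshold category of a KRI: green, amber (warning crossed) or red (critical crossed)."""
    sign = 1.0 if kri.higher_is_worse else -1.0     # flip the scale for lower-is-worse metrics
    if sign * kri.value >= sign * kri.critical:
        return "red"
    if sign * kri.value >= sign * kri.warning:
        return "amber"
    return "green"


def ancestors(category: str) -> List[str]:
    """'A/B/C' -> ['A', 'A/B', 'A/B/C'], so a risk counts toward every level of its taxonomy branch."""
    parts = category.split("/")
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def roll_up(risks: List[Risk]) -> Dict[str, dict]:
    """Worst-case roll-up: a library node's residual is the maximum residual of the risks beneath it."""
    nodes: Dict[str, dict] = {}
    for r in risks:
        score = residual_score(r)
        for node in ancestors(r.category):
            entry = nodes.setdefault(node, {"risks": 0, "max_residual": 0.0})
            entry["risks"] += 1
            entry["max_residual"] = max(entry["max_residual"], score)
    for entry in nodes.values():
        entry["band"] = heat_band(entry["max_residual"])
    return nodes


def kri_breaches(risks: List[Risk]) -> List[Tuple[str, str, str]]:
    """(risk_id, kri_id, status) for every KRI at amber or red: the 'metric breaches' dashboard view."""
    return [(r.risk_id, k.kri_id, kri_status(k))
            for r in risks for k in r.kris if kri_status(k) != "green"]


# Constructed sample register; names and numbers are illustrative, not from any real organization
SAMPLE_RISKS = [
    Risk("OR-IT-01", "Operational Risk/IT Risk", impact=5, likelihood=4,
         controls=[Control("CTL-PATCH", 0.5), Control("CTL-EDR", 0.6)],
         kris=[KRI("patch-sla-misses", value=12, warning=10, critical=20)]),
    Risk("OR-TP-01", "Operational Risk/Third Party Risk", impact=4, likelihood=3,
         controls=[Control("CTL-VENDOR-DD", 0.25)],
         kris=[KRI("vendor-sla-breaches", value=3, warning=5, critical=8)]),
    Risk("CR-01", "Credit Risk", impact=5, likelihood=5,
         kris=[KRI("npl-ratio", value=0.09, warning=0.05, critical=0.08)]),
]

if __name__ == "__main__":
    for node, entry in sorted(roll_up(SAMPLE_RISKS).items()):
        print(f"{node:38s} risks={entry['risks']} max_residual={entry['max_residual']:5.1f} {entry['band']}")
    for risk_id, kri_id, status in kri_breaches(SAMPLE_RISKS):
        print(f"KRI breach: {risk_id} {kri_id} -> {status}")
```

Rolling up by maximum is the conservative choice for a heat map (a parent node is never greener than its worst child); a sum or weighted average would suit an exposure view instead. Because every risk is attached to a path in the risk library, the same register feeds the "Operational Risk" tile and the "Operational Risk/IT Risk" drill-down without a second data set, which is the practical payoff of the federated taxonomy.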
Enterprise Risk Management – The Risk Data Can Answer These Questions

[Diagram: analytics maturity from hindsight through insight to foresight; "You are here" marks the current position between descriptive and predictive analytics.]
Descriptive analytics (hindsight): "What has happened", "Why did it happen"
Insight: "What is happening"
Predictive analytics (foresight): "What is likely to happen", "What has to be done"

MetricStream focus areas:
• Cognitive Intelligence: pattern recognition through visualizing and identifying apparent and latent trends in historical data
• Algorithmic Intelligence: establishing causal relationships and contagions between diverse events and datasets
• Augmented Intelligence: natural language processing and machine learning to augment human decision making
• Anticipatory Intelligence: predictive modeling of deep historical data and self-optimized learning models
• Assistive Intelligence: contextual virtual intelligent assistance at every point of judgement-based decision making
Enterprise Risk Management – How Can The Risk Data Answer These Questions

[Diagram: the same hindsight / insight / foresight progression, with "You are here" marking the current position.]
Descriptive analytics (hindsight):
• "What has happened": aggregate information with data modeling; identify and visualize patterns and exceptions
• "Why did it happen": drill down and roll up of information; data validation for hypotheses
Insight:
• "What is happening": collecting and categorizing data; proactive feedback loops
Predictive analytics (foresight):
• "What is likely to happen": data mining for detecting patterns; forecasting identifying trends and likelihoods
• "What has to be done": scenarios and constraints modeling; focus on relational decision optimization
Enterprise Risk Management – Identifying Common Themes Using NLP

[Diagram: data flow from the enterprise primary data sources, through the MetricStream NLP applications, to business users.]
Enterprise primary data sources: Primary Data, ERP / DBMS, BI Systems, Legacy & Proprietary Systems, End Users
• Data stored across multiple disparate databases
• Multiple data sources, generating structured and unstructured data

MetricStream NLP applications (NLP strategy, MetricStream apps): simple natural language search interface; intuitively, iteratively explore and analyse in "user speak"; semantic knowledge models; fine grain security & access control; metadata level parsing, aggregation; connectors; virtualisation layers; APP DBA; custom dynamic results
• End user queries using a simple natural language search interface
• Rapid visualisation of data for efficient decision making
• Can read, pull, analyse from other tool outputs
• Intelligently connects to all existing & future data sources
• Automates query fulfillment (code, blend, prep, curate, extract, create cubes & marts, collate)
• Reduces resource need and response time to seconds/minutes vs hours/days

Business users: Corporate / Governance
Algorithmic Intelligence – Use Case and Future Direction
MetricStream Correlation Engine: focused on correlating trends and discovering causality

Use case under consideration: credit rating and risk based pricing
• Correlating credit ratings to default probability
• Calculating risk based clusters for consumer loans
• Correlating price premiums to risk based clusters
• Estimating price premiums by risk categories

Future direction:
• Macro-economic factor analysis
• Integrated stress testing
• Capital sensitivity
• Qualitative factor impact analysis
May the force be with you. Thank You!
© GRC Summit 2017 | All Rights Reserved. GRC for High Performers
Continue the conversation online: #GRCSummit