Enterprise Risk: The Need for an Integrated Approach
Advice from ERM experts on coordination, collaboration and communication across an increasingly complex risk landscape
Friday, January 10, 2020
By John Hintze
New technologies have broadened and sped up the communication and analysis of data, changing the nature of the risks that companies face and how to mitigate them. Banks, for example, have long tended to view risks as compartmentalized or in silos, but today risks are interconnected. Cybersecurity, for instance, blends into third-party risk as well as compliance, business continuity and other operational issues.
As a result, risk managers must assess risks company-wide and be less backward-looking, instead working more closely with business leaders as their initiatives are unfolding. Not merely checking boxes, risk management must present itself as enabling the company to generate revenue in a sustainable and profitable manner. The goal, in fact, is for the business to view and appreciate robust and dynamic risk management as a competitive advantage.
In a GARP webcast, Rethinking Enterprise Risk, Gabrielle S. Aryeetey and Diane Doering discussed how an integrated approach provides the most value for an organization's enterprise risk management (ERM) program, predicated on strategic partnerships with business leaders and other stakeholders.
Aryeetey, senior director of operational risk and third-party oversight in KeyBank's Enterprise and Operational Risk Management group, provided a macro view of this evolving approach. Diane Doering, vice president and director of enterprise risk management at Iron Mountain - and formerly of Putnam Investments, Columbia Management, State Street Global Advisors and the Abu Dhabi Investment Authority - detailed the challenges in aligning the business-line risk owners with the risk managers charged with identifying and reporting those risks - the so-called first and second lines of defense.
Here Aryeetey and Doering take a deeper dive into some of the follow-up questions posed by webcast participants.
LINES OF DEFENSE
How do you mitigate the potential for lines to blur between the 1st and 2nd lines of defense, i.e. the front-line management control and independent risk functions? How do you maintain independence?
Aryeetey: Organizations should define and document an operating model that clearly outlines the roles and responsibilities across the 1st and 2nd lines, including 1st line business risk functions commonly referred to as the 1.5 line. Define roles and responsibilities by significant risk programs and/or operating rhythms, such as risk control self-assessment (RCSA), regulatory change, third-party risk, and product approval. The model should be compiled by a cross-functional team - across the 1st and 2nd line - and broadly communicated to ensure awareness and alignment across the enterprise. The established operating model should be periodically reviewed or recalibrated, maybe annually or every two years, to ensure it remains relevant to the operating environment of the organization. Significant changes in the organization may require more frequent recalibrations.
Doering: The 1.5-line operating model also helps foster collaboration. To be successful in having meaningful conversations about risk, you need input from both the front line and those who provide independent challenge; neither can do it alone. People in the front line can rely on the tools and best practice from center-of-excellence expertise. The 2nd line of defense benefits from having feet on the ground in the business. Together they can identify and escalate issues appropriately.
When might scope conflicts, i.e. duplicate efforts between the 1st and 2nd lines, occur, and how can they be avoided?
Aryeetey: Generally, scope conflicts occur when clear roles and responsibilities, referred to above as a defined operating model, are not in place. Once you set an operating model relative to the significant risk programs and operating rhythms, it can alleviate much of the duplication. Duplication may also occur when roles shift due to organizational change, but we recalibrate to ensure the roles and responsibilities are efficient and effective for the current organization. The operating model cannot be successful if there is not cross-functional buy-in and adoption across the enterprise.
Doering: In the product-approval process, senior management says the front line owns the profitability and risk associated with the new product or service. However, the 2nd line is responsible for making sure that those risks are identified, understood and that the front line has processes in place to mitigate them. And if not, there needs to be a determination whether those risks are acceptable. It's important to have the processes in place to continue to challenge whether the risk, as initially identified, remains within agreed-upon levels and that there is a forum for escalating when that tolerance level is exceeded.
Senior management and project teams often see risk management as a check-the-box part of their project-development process, and consequently work in isolation. Or they don't see how their project risks can impact other projects and vice versa. How can that be addressed?
Doering: Many organizations initially see risk as a regulatory requirement, something they need to do, but they're not quite sure how to embed it into their processes without slowing down innovation or customer responsiveness. The best way to address this challenge is by becoming strategic partners. To become a strategic partner the risk manager needs to proactively engage in answering the question of “how?” Often, risk is perceived as the naysayer, since there's inherent risk in doing something new or different. I like to tell people that risk is not a four-letter word, but rather something we want to embrace and understand, so we can manage and mitigate it together.
Aryeetey: Risk management has to understand and articulate the value proposition to business partners. Due to their position in the company, risk management professionals generally view the aggregate enterprise risk, industry trends and regulatory focus areas. Coupling this knowledge with their business expertise can bring a unique perspective typically not held by other stakeholders. Gaining credibility with the 1st line through differentiated insight throughout the project lifecycle can yield a better partnership with the 1st line and result in more effective 2nd line oversight.
How can that message get across?
Aryeetey: Tone at the top is critical. Be crisp about what the message is - what the value proposition is - and tell your message often to colleagues across the lines of defense at all levels of the organization. Also provide some real-life examples of how prior operating models were ineffective.
Doering: It's best to have that collaboration and partnership along the way. At the end of the day, we're all trying to manage risk, so we might as well partner and do it well.
What clashes arise between the business and risk teams, and how can they be persuaded to work together more effectively?
Aryeetey: The general complaint is that risk does not understand the pressures the business faces, or even the business fundamentally - product offerings, third parties, whatever the case may be. There's the narrative that the business wants to make money and that risk is there to prevent them from doing that. As Diane mentioned, engaging in a partnership, reviewing and challenging along the way, and not at the end, helps the business see that we're in this together. Risk management also has to ensure the right talent is in place to oversee the respective business areas and perform credible challenge. In addition, it's very important for people to know that risk management is grounded in common tenets and priorities, that we do care about revenues, but generating them in a sound manner. A bank doesn't want to underwrite loans that go bad, to have clients who cannot make payments, or to have loan interest calculated incorrectly. Those are all risks that have a business impact and need to be mitigated. So creating those connections between risks and the business helps.
Doering: The other clash is that we're not responsive or timely enough, and that we don't understand the needs of the customer, and that largely stems from coming in late to the process. If we've been proactively building a strategic partnership along the way, then we are better able to support the business objectives while being timely and responsive.
How can various types of risk be integrated to present a unified view of risk to the business?
Aryeetey: Traditionally, risk disciplines have functioned relatively fine in their silos, but we are beginning to see how fluid and interconnected the various risk disciplines are and how they show up in business. As such, there has to be a more intentional effort across the risk disciplines to break down silos and share information, to foster more effective risk management. More tactically, organizations can facilitate a quarterly forum with the appropriate risk discipline stakeholders to talk about their collective risk view across the enterprise.
For example, the chief credit risk officer may discuss aggregate credit risk trends, how the bank is mitigating it, and where that risk stands relative to the bank's risk appetite. Operational, market, model and other risks follow suit, and they all engage in a collective discussion about enterprise risk. This collective risk view can be shared with governance committees and the board.
It's important to put mechanisms in place so that risk disciplines can come together and provide their individual perspectives for the purpose of compiling a comprehensive and thoughtful enterprise risk view.
Doering: One of the frustrations for the 1st line is that the 2nd line can require them to complete the same types of assessments, but for different purposes. As we think more holistically about operational resilience and the overlap between cybersecurity, business continuity and third-party risks - just to name a few - we have to think about how we can streamline our requests for information so that we can use it for multiple purposes.
For example, we may have the business complete or update a business impact analysis for its systems or processes, another to assess cybersecurity controls, and yet another to understand the impact of the third party who may be providing a service. We really need to do this all at once, rather than requesting them to fill out multiple assessments.
What are the challenges in bringing up risk appetite with the business owners, and how can risk appetite be integrated into operations?
Aryeetey: The business owners generally say their risk appetite is “moderate.” The challenge then becomes defining what that means, so you have to define metrics and, where possible, try to quantify, or at a minimum identify more specifically, the particular appetite level. Risk management and the business need to establish those metrics so they each understand what “moderate” or another designation means.
Metrics are defined at the enterprise and business level so 1st-line business leaders understand the thresholds they are expected to work within to maintain the stated risk appetite.
Doering: From my perspective, the challenge is how to operationalize your risk appetite statement, or statements, by gathering business-level input and providing real examples. At the board and senior executive level, the risk appetite statement sets the broad parameters for risk tolerance and what is considered either excessive caution or reckless risk taking.
Having conversations about risk as organizations think about their culture is essential to successfully creating a collaborative partnership. Therefore, ERM must continue to partner with other support functions, such as HR and compliance, as they drive conversations about culture to ensure they're also talking about appropriate risk taking.
How can risk appetite best be articulated to ensure those metrics are put to use?
Aryeetey: Culture, emanating from the C-suite, is a critical component or you'll basically have metrics on paper, and that's where they will stay. The culture is what really matters to drive meaningful risk management across the organization.
A core value proposition for risk management is to connect more “academic” risk management concepts, such as risk appetite, inherent and residual risk, etc., to the everyday business. Speaking in terms they understand is critical. Connecting loan losses, servicing issues, complaints, cyber breaches, etc., to the business environment to discuss risk appetite is likely more meaningful to a business leader than discussing risk management frameworks.
From a policy perspective, risk appetite and associated tolerances should be clearly defined in an organization's enterprise risk management policy program. Risk management can partner with the business to identify key risk indicators that are valuable to the business and to risk management. These metrics should be reported on at least a quarterly basis and integrated into enterprise risk reporting to inform the overall risk profile of the organization.
PARTNERSHIP AND COLLABORATION
How can queries about different types of risk, including business continuity, operational risk, and artificial intelligence, be used for multiple purposes to help build strategic partnerships with the businesses and help business leaders see the bigger picture?
Aryeetey: Instead of focusing on operational risk, I can explain to a business leader that without the proper controls around data, we could have a breach causing a lack of trust and clients potentially leaving the bank. Now the business leader sees the connection. There's value in risk management being an educator to help business leadership understand risk in a way that's meaningful to their business.
How does that collaboration work for emerging risks such as machine learning (ML) and artificial intelligence (AI)?
Aryeetey: Technological innovation in general is serving as a catalyst for this more integrated, evolved way of risk management. ML and AI risk principally sit with the model-risk-management team, given the large number of algorithms running and the accompanying assumptions. However, there's a heavy partnership with technology, on the operations side as well as compliance, because of the fair-lending implications. So ML and AI are really excellent examples of how risk is so intertwined and requires collaboration in order to be effectively managed.