Risk Management Insights

I want to join the BLOG

12/09/2018 / Enterprise Risk Management, Risk Analytics, Compliance Management

Managing Risk with the Second Line of Defence Launchpad

The Second Line of Defence Launchpad within the Protecht.ERM system is an effective and interactive visualisation designed specifically for the Line 2 Risk and Compliance Management teams to use in their role of reviewing and challenging Line 1, together with independent reporting and escalation. Read on to find out more.

Why a Launchpad?

A Launchpad can be configured as the first screen a user sees when they log into Protecht.ERM. This ensures that users first see the most important and relevant information to carry out their responsibilities.

Read More

15/08/2018 / Risk Management, Risk Appetite, Compliance Management

Can I? Should I? Would I? Using compliance as a decision making tool

Compliance is the act of “conforming to rules”. Deciding to, or not to, conform to rules affects the decisions we make. Compliance is therefore an integral part of decision making.

The question is “What are the rules that we will apply in our business decisions?” These rules can come from two primary sources as described by the ISO 19600 Standard: “Compliance Management Systems”. This standard recognises two main types of compliance obligations:

• Compliance Requirements: Requirements that an organisation has to comply with. These normally arise from external regulatory requirements and contractual requirements.

• Compliance Commitments: Requirements that an organisation chooses to comply with. These are normally manifested through internal policies, practices, codes of conduct, etc. 

Read More

23/07/2018 / ERM, KRIs, Press/Media, Risk Manager

Importance of 'Challenge' in Risk Management

In my earlier blog “What we can all learn from the APRA prudential inquiry report into the CBA” I noted that one of the strong themes of the report was the importance of “Challenge”. In fact, it is mentioned approximately 75 times including in the following recommendations:

  • Recommendation 7. The CEO ensure that the Executive Committee…. engages in constructive challenge and debate.

  • Recommendation 10. CBA ensure that business unit Chief Risk Officers have the necessary independence to provide effective challenge to the business. 

  • Recommendation 27. Senior leaders reinforce key behaviours of increasing self-reflection, giving and receiving constructive challenge and dealing with conflict effectively.

For those familiar with the three lines of defence model, the second line of defence "Risk Management" has as its key role, “Review and Challenge”. Read the article: Risk Governance and the Three Lines of Defence.

This blog takes a look at:

  • The meaning of challenge.
  • The importance of challenge in supporting strong risk management.
  • The reasons why challenge is so difficult in practice?
  • What a good challenge culture looks like and how can it be practically embedded within an organisation’s culture.

Read More

28/06/2018 / Enterprise Risk Management, Risk Governance

Risk Governance and the Three Lines of Defence

Effective risk management requires governance structures and processes commensurate with the organisation’s context. Regardless of the organisation’s size and complexity, implementation of the three lines of defence should be the first principle of an effective risk management framework.

At each line of defence there needs to be risk governance to support and provide oversight to the risk management framework

Read More

04/06/2018 / ERM, KRIs, Press/Media, Risk Manager

What we can all learn from the APRA prudential inquiry report into the CBA

Taking Risk Management to the next level 

The APRA report of the prudential inquiry in the Commonwealth Bank of Australia (CBA) was issued on 1 May 2018 https://www.apra.gov.au/media-centre/media-releases/apra-releases-cba-prudential-inquiry-final-report-accepts-eu. On the following day, I was flying from Sydney to Perth and downloaded the report to "skim" read the key points on the flight.

I began reading on take-off and on landing 4 hours later, had completed the full 111 pages. I could not put it down.

Rather than a negative feeling of what we are doing wrong, I saw instead a rich source of information that we can use to take risk management to the next level.

On page 5, the report states:

"The Report that follows may read as a long catalogue of shortcomings. That would be too narrow a read. The Panel acknowledges the undoubted financial strength and acumen of the CBA, its global standing, and the avowed commitment of staff to servicing customers. CBA needs to translate this financial strength and good intent into better meeting the community’s needs and the standards expected of a systemically important bank in Australia. The Report is a roadmap for this journey."

It is also clear that many other financial institutions accept that they could change the name "CBA" on this report to their own and it would be equally as valid. At Protecht, we see this as a must-read for anyone serious about taking their risk management to the next level. It is, as APRA states, "a valuable roadmap".

The following is a summary of the main lessons we can learn from the report, and also the main themes that run through the report. 

Read More

01/06/2018 / Enterprise Risk Management, ERM, Risk in Motion

Enterprise Risk Management - Connecting the Dots

Connecting the dots (in this case, the risks).

This is an updated version of the original article published on 06/12/2016.

It has been a bit of a journey over the last 15 years. At Protecht, we started with the vision of a SaaS enterprise risk management solution that allowed connection of risk to the core components of what was back then, considered an ERM framework. This meant that our central library of risks was not only used in the risk and control assessments but also linked to key risk indicators, attestations and incidents. This enabled our client base to get a more fluid picture of risk and was the genesis of the RiskInMotion™ concept.
 

What was missing back then was the business intelligence engine to bring it all together.

Roll forward to 2018 and there are even more dots to connect. Over the last 5 years we have seen our clients rapidly build and deploy the following additional web-based forms to capture, workflow and report on risk related information pertaining to:

  • Fraud
  • Supplier due diligence
  • Conflicts of interest
  • Internal audit findings
  • Complaints
  • Compliance breaches
  • Business continuity plans and tests
  • Conflicts of interest
  • New products evaluation
  • Ex gratia payments
  • Policy management
Read More

01/06/2018 / Risk and Reward, ERM, KRIs

Balancing the Voices of Reward and Risk

The financial services industry is under the microscope in Australia with the Royal Commission in full swing, and the recent APRA (Australian Prudential Regulatory Authority) report into the CBA (Commonwealth Bank of Australia).

Many sobering findings have been aired, but looking at this positively, the findings provide an excellent blueprint for the development of stronger risk management and business practices going forward. The APRA report is really a roadmap for any organisation wishing to raise its risk management to the next level.

Read More

25/05/2018 / Bow Tie Analysis, Risk Appetite, Risk Manager, Risk Culture

Are you a risk manager?

risk.png

I am often asked “what are the key requirements that make a good risk manager?”  My first response is “to be able to walk on water”. Such is the required varied skill set of a good risk manager.

The roles and responsibilities of the risk manager are many and varied depending on the organization they belong to. I will use the example of an organisation that has an independent risk management function where risk, and the day to day management thereof, is owned by the business. Let’s look at the key characteristics of the CRO and the staff of the independent function.

The main function of the independent risk manager is to review and challenge what the front line business is doing to manage risk. In addition, they should be seen as subject matter experts and assisters in developing and maintaining the risk management frameworks. They should be seen as value-adding and adopted by, and engaged with, front line staff.

What are the key skills and characteristics needed to be a success in this role? Here is my list:

  1. Risk management is to a large degree an art form. This requires a strong right hand (artistic) brain, able to cope with qualitative and inexact concepts and able to “see” into the future.

Read More

18/05/2018 / Enterprise Risk Management, Risk Analytics, Risk Intelligence

Improving your insights into Risk with Historical Models

Enterprise Risk Management (ERM) software manages the processes and the risk related data that drive risk behaviour, including Risks, Controls, Issues and Actions, Incidents, Key Risk Indicators (KRIs), Audit Findings, Compliance Obligations, Risk Control Self-Assessment (RCSA), Compliance Questions, and Compliance Attestations to name a few.

Read More

03/05/2018 / Compliance Management, Enterprise Risk Management

Understanding Compliance Risk

Today, corporations and government agencies are facing an unprecedented wave of regulatory obligations and increased penalties for non-compliance. The financial services sector, as an example, needs to comply with a myriad of prudential regulations, federal privacy, AML/CTF, consumer credit and protection laws to name a few. Obligation registers now contain over 1,000 entries for compliance teams to deal with. In smaller organisations, these teams are often under-resourced due to compliance being a cost centre.

In this blog, we will discuss issues around some of the complexities of effective compliance risk management.

Read More