John Kelly 270004J7VQ email@example.com | | Tags:  grc enterprise operational risk | 0 Comments | 2,834 Visits
This week I had the pleasure (aside from the Sunday morning flight) of attending the RMA Annual Risk Management Conference in Washington, DC. Based on the standing room only crowd (even in the second repeat session), I’d have to say one of the most popular topics was “Developing a Risk Appetite” delivered by Bill Perotti of Frost Bank and Bob Rose of Brookline Bank. The duo defined Risk Appetite as “the amount of risk you will take in pursuit of a desired financial return”, which makes sense, but an effective risk appetite exercise, the presenters emphasized, really needs to be taken to the next level to reflect risk tolerance in all key areas of enterprise risk management (operational risk, credit risk, reputation risk, compliance risk, liquidity risk, sustainability, etc.).
Several examples were provided for how to develop a risk appetite statement for each of these key areas. One example included Operational risk and provided an example of how to create a risk appetite statement:
Operational Risk Appetite example:
We are committed to implementing practices and controls that will minimize financial losses from failures of systems, people and processes.
Quantitative measure examples:
Most importantly, risk appetite statements should reflect your company’s mission statement and values. Benefits outlined in the session included:
Of course the direction and communication on risk appetite needs to start at the top with the board of directors and CEO and be communicated and demonstrated throughout the organization. Looking forward to more informative sessions.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  grc analytics busness management openpages ibm erwin risk performance boeren | 0 Comments | 1,677 Visits
Last year IBM acquired OpenPages as a strategic move into the area of Governance, Risk and Compliance. The lasest announcement to acquire Algorithmics (quantitative risk management) shows the continuous commitment of IBM in the GRC market. GRC software will integrate into the Business Analytics Software group, the area where the former acquisitions like Cognos, SPSS and Clarity systems already resides.
Now that Risk Management is evolving, more and more organizations are starting an enterprise approach to risk management. And this is where I see the need for Risk and Performance Management convergence.
In past Risk Management implementations I see that a major portion of time and budget was spent on Risk Reporting and Dashboarding. Especially the need for self service reporting, where users can ad hoc create their own risk reports, is growing. We do not want to wait in the queue waiting for our report to be created. 2 days later you missed the opportunity to respond and the loss is there.
With this self service capability the question automatically pops up 'can I trust my data'. And now we are back in the area of data governance. This is exactly where the area of Performance Management is today.
Apart from these reporting and dashboarding capabilities Enterprise Risk Management means alignment of risks and controls to the strategic initiatives of the organization. What will prevent me from reaching my business goals? Isn't this defined as a risk? And how will we prevent this from happening? Wasn't that defined as a control?
Even more interesting are questions like, 'What if I was able to perform risk scenario planning?', 'What if I could predict risks from happening?' or 'What is the correlation between the risks that have materialized?'.
And there is the proof that Risk Management and Performance Management have lots in common and should be integrated. Lets call it Business Analytics.
Governance, Risk & Compliance Leader
IBM IOT Southwest Europe
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  openpages grc ipad solvency reporting | 0 Comments | 1,608 Visits
With Cognos 10.1.1 released you must have noticed the ability of having your reports and dashboards on mobile devices like iPad and iPhone.
With these mobile capabilities CROs (Chief Risk Officers) will now have the ability to measure risk from their mobile devices. For volatile risk areas like Market and Credit Risk this can make a huge difference.
IBM developed a risk monitoring system for CROs where one single version of the truth is provided of different risk areas like Credit Risk, Market Risk, Counterparty Credit Risk, Liquidity Risk, Basel II, Solvency II and Operational Risk. Not only does a CRO have the ability to monitor all these risk areas but he can also monitor the correlation between those risk areas and he is able to respond immediately to changes. Responses can immediately be formulated in the integrated social media platform.
One version of the truth and guaranteed quality of your data is simple to say but how do you govern this? This is where IBMs investment in data models starts to pay off. Since decades IBM develops and maintains data models for financial services including out of the box technical and business definitions. This enables organizations to come to one definition of risk over the entire organization. Taking definitions centrally will add value in the process of taking down the silod approach we spoke about in earlier articles. It will also help you in the accountability process of the business. Finally it is the business that should own the business definitions.
As discussed in our previous published blog (The convergence of GRC and Performance Management) Business Analytics capabilities like risk forecasting, risk adjusted profitability calculations, scenario planning and predictive risk analysis are part of this risk monitoring system called FIRM (Finance Integrated Risk Management).
The new regulation for Insurance companies, Solvency II requires organizations to plan their risk assessments and capital requirements 2 to 5 years ahead and to reflect impact on financial positions when a risk materializes. All this means that an integrated approach to risk management is a must. In next blogs we will go deeper into the Solvency II regulation.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  grc research openpages enterprise algorithmics ibm management risk | 1 Comments | 2,706 Visits
In the last 2 months three independent researchers have given their opinion on IBM’s approach to risk management. All 3 are very positive towards the areas of Innovation, Market Presence, Functionality and Enterprise GRC capabilities.
Forrester in the Forresterwave EGRC 2011: The OpenPages platform remains one of the most consistently strong enterprise GRC platforms on the market today. The company’s vision is to enable senior management to make strategic risk and reward decisions to improve business performance and reduce exposure to risks and loss on investments. The OpenPages platform’s GRC management and analytics features are just one example of where this mission will play out."
Gartner in its September update: The OpenPages platform has solid capabilities in all the core functions, has above-average support for ERM and ORM, and is rated very high on financial reporting integrity compliance. It continues to execute consistently on a well-planned road map.”
Chartis published its Risk Top 100 last November with IBM ranked the No.1 vendor in the area of Risk Management. With special rewards for Functionality, Market Presence, Innovation, Fund & Asset Management, Market Risk, Operational Risk and Enterprise GRC.
In the Chartis RiskTech 100 IBM was measured for the first time along the qualitative and quantitative risk capabilities (read the acquisitions of OpenPages and Algorithmics). In the Gartner and Forrester publications the latest Algorithmics acquisition was not taken into account.
Interesting enough researchers praise IBM for immediately adding value to its acquisitions. One year ago IBM was ranked number 7 in the RiskTech 100 and now IBM is on top of the list. Not because the individual products are that good but because the minimal overlap and immediate integrations create added value for customers.
Adding Risk to the area of Business Analytics (Business Analytics is one of the 4 key initiatives of IBM towards 2015, driven by our new CEO Gini Rometty) is a great step into Smarter Risk. Capabilities like predictive intelligence, driver based planning, regulatory reporting, scenario testing, forecasting, dashboarding, scorecarding, reporting and analysis will give a great boost if you apply this to risk. This is where the convergence of performance management and risk management create great value for our customers.>
Blog post from Erwin Boeren, Governance Risk & Compliance Leader IBM Europe
Richard Steinberg 270004HRBG firstname.lastname@example.org | | Tags:  grc risk_management | 0 Comments | 1,272 Visits
We know that MF Global, the firm run by Jon S. Corzine, recently imploded under the weight of bad bets and huge leverage. Reports say that Corzine, former U.S. Senator, Governor of New Jersey, and co-head of Goldman Sachs, did at MF Global what he did at GS – and that’s take large risks in trading. How, one could ask, could it have turned out so wrong?
Effective risk management processes have at their core identifying, analyzing and managing risks. It will be a while before we know all the details of MF Global’s risk management process, but it appears to have worked reasonably well. Wait, what – is that a misprint? Probably not.
Based on reports, Corzine knew the risks he was taking. Basically, he bet that the European leaders would act in a way to alleviate the sovereign debt crisis. He put over $6 billion of the firm’s money at risk, which with the associated leverage put the firm’s existence at risk. And the firm’s risk officers also knew, and they seemed to have done what they were supposed to – they brought the matter to the board of directors. Reports say a senior risk officer described the situation and the risks to the board, with Corzine present. The risk officer pointed out not only the nature and size of the risks, but also that risks included both potential defaults on the sovereign debt and the bonds losing sufficient value to cause a liquidity crisis at the firm. The directors listened, and decided to approve what Corzine was doing.
Now, we weren’t in the room with the directors, or inside their heads, so we don’t know whether they made a thoughtful and rational business judgment, or whether they rolled over under Corzine’s undue influence. If the latter, then they failed in their job. But if the former, then they determined that they and the firm had a risk appetite large enough to “bet the ranch.”
So, whether this is a failure of risk management will be decided as the investigations continue and more facts emerge. And of course the missing “segregated” client funds is another matter, likely centered on specific internal controls over that money and what control activities might have been overridden by more senior executives. Also at issue is whether regulators did their job effectively. It will be interesting, indeed, to learn more, as no doubt we will as the investigations unfold.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  risk operational grc compliance ibm openpages solvency governance | 0 Comments | 1,814 Visits
Solvency II and the need for Operational Risk
Blog post from Erwin Boeren, Governance Risk &
Blog post from Erwin Boeren, Governance Risk &
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  compliance enterprise egrc iii management grc solvency software audit selection openpages risk tooling governance ii basel and | 0 Comments | 2,991 Visits
Governance, Risk and Compliance software selection process
A client of mine recently asked me about what I have seen as the most effective way to run a selection process. Now I know this may seems a conflict of interest, a GRC solution vendor writing on the GRC software selection process and the need for a GRC platform. Still I think I can give you some dos and donts on a GRC software selection process since I have been there many times.
Let’s start with the need for a GRC software platform. Why do you need such?
Of course investing in a solution needs a compelling event. Either the cost for risk management and compliance becomes very high, or the process takes too long to be responsive to stakeholders or the 'in control' statement cannot be guaranteed any longer. Also external regulators can advise you to implement software.
Before you start thinking about a GRC platform carefully review the risk and compliance maturity level of your organization and the scope of the problem. This will help you make the judgment between 2 approaches. First approach is what we call 'point solution', second approach is 'enterprise solution'.
The first approach, Point Solution, is best when the compelling event is there but the scope is limited to one area. On a single point of your GRC activities you have a pain that must be resolved in a fairly short term. In this case you can search for specific capabilities with specific knowledge. You can make a selection of vendors that operate in the area where you have the pain and select the partner that understands your area. Of course you might want to consider your ambition on the long term. If your long term ambition is Enterprise wide GRC integration you might still look at enterprise vendors and use the specific area as a 'pilot' for further extension.
The second approach, Enterprise Solution, is best when the compelling event is on the integration of Governance, Risk and Compliance. The term risk and control convergence often comes up here. This approach requires a lot more work than the point solution and may have cultural impact. You might consider a second party to help you go through this project. A second party (consulting firm) can help you in making critical decisions and in reviewing your current (silo based) approach to GRC. They can keep the holistic view for you. Every silo needs to be reviewed and mapped to the enterprise approach. This will not come without discussions and sacrifices!
So the need is there, now how to make your selection?
In the first point solution approach there are just two considerations, short term or long term? In case of the short term do NOT select an enterprise vendor and go for the right point solution. Advantages are lower cost and shorter implementation time. Second consideration, long term, means a selection between enterprise GRC software vendors and consider the first phase as a pilot for the enterprise approach. Still you might want to involve a consulting firm with specific knowledge.
In the second enterprise approach you will go for an enterprise vendor. This is where you want to be careful in setting up your selection. I personally have seen many of these selection processes since I have been in such selections. And this is where I want to give you some guidance to save you a lot of time and money.
First do NOT expect the enterprise vendors to differentiate on functionality. The GRC software market has made an evolution in the last 10 years that have resulted in a fairly high mature software market. So a 'beauty contest' is a waste of money and resources. Outcome will be equal for all vendors and you will be stuck between your user community and the vendors in the process. You might get questions from your management team why you spend so much time and resources without any outcome.
Secondly involve your end users in the selection process early, but do not expect 20 people working in silos to come to one single conclusion. Again you will end up in a long discussion with no outcome. Have a small group of people (3 preferably) to make the selection.
Thirdly make your selection criteria known upfront and make them measurable. Also involve the vendors in the process and be open to them. If you are open and honest you will get transparent, open and honest answers. If you hide, vendors will hide! Criteria should be based on experience in your market, understanding of your organization, size and financial stability, ability to deliver in time and within budget, alignment of implementation approach to your implementation methodology and the cultural fit.
Again this may look preaching to the choir but I hope I just saved you time and money that you can invest in your implementation.
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  compliance grc governance manufacturing smarter energy&utilities openpages risk enterprise deloitte project | 0 Comments | 1,989 Visits
Smarter Project Risk
Last week I came across project risk, and not for the first time! So, time to spend some words on this topic.
Especially organizations in Energy&Utilities and Manufacturing have huge risks in their assets and in their projects. You think you have all risks identified through the standard risk identification process and you just missed that elephant?! This might impact your yearly financial result or worse!
This is why more and more clients start to look at Project Risk methodologies. My client happened to use the PMBOK methodology. In this methodology you consider standard project phases including standard risks and controls. This is great, since you have most of the standard risks covered. But what about that risk that is just not standard? This is where gate reviews will help you. These gate reviews are held after every project phase. Each gate review contains questions used to identify risks, holds monitoring methodologies to check status and behavior and contains audit like activities. Key element here is that all findings roll up to top level so no significant risk can be missed.
all works for what we call manageable risks, but what about risks that you
cannot manage? How will you anticipate on this? Well these risks can be covered
by sensitivity analysis, simulations and business continuity management.
Especially sensitivity analysis and business continuity analysis will help you.
For simulations you will need data, and a significant amount of data. Only in
case you have many similar projects running in a regular cycle you will be able
to generate enough risk identifications and losses to be able to make a sensible
Now the system is in place, and now we are in control? Wrong! This is where the real work starts. How do I get my organization to adopt risk in her daily business? How do I get input with the right quality? How do I make everyone a risk manager? This takes time and effort. Guide your people in how to make the assessments and make them part of it. Give them back where they contributed to, and make their life easier. That is what we call Smarter Risk.
IBM OpenPages and Deloitte have put together a Risk Methodology for project risk where all these technologic and organizational aspects come together and can be integrated in your enterprise risk platform.
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM
Twitter : http
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  watson erwin risk governance grc compliance management ii business analytics solvency ibm boeren basel | 0 Comments | 2,093 Visits
IBM Watson found a job as a risk expert!
IBM Watson goes to work in financial services as a risk expert. One of the largest Financial Services institutes and IBM now partner to enhance and simplify the consumer banking experience with faster, more accurate decisions, better risk assessment, and more targeted customer offers.
IBM Watson is transforming expectations for how technology can help individuals live and work in better ways. Its ability to make sense of vast quantities of unstructured information, communicate in natural human language, learn from experience, and offer confidence weighted responses is already a game changer in healthcare. Focusing these capabilities on financial services brings new possibilities for higher service levels to an expanded set of users.
For those who do
not know IBM Watson, Watson is an artificial intelligence computer system
capable of answering questions posed in natural language, developed in IBM's
DeepQA project. As a test of its abilities, Watson competed on the quiz show
Jeopardy!, in the show's only huma
Now what will that bring to our Financial Service clients? Potentially as an assistant to client service professionals to help deliver evidence-based recommendations across multiple areas of the bank, including: credit card; private banking; wealth management; and call centers. Since IBM Watson can think faster than any human being it is able to make cross checks, prevent fraud, determine risk, etc. It is able to analyze data such as client information, online news reports, blogs, Twitter feeds, analyst reports, regulations, credit ratings, and government securities filings which can help to suggest options targeted to a consumers' individual circumstances.
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM
Erwin Boeren 270002C43V ERWIN.BOEREN@NL.IBM.COM | | Tags:  ibm solvency insight dashboarding governance grc management openpages risk reporting basel cognos ii compliance | 0 Comments | 3,140 Visits
With the brand-new IBM Cognos Insight you can now connect to your IBM OpenPages environment from your desktop. You always have that moment that you need the information on a report but just a bit different than the standard report provides to you. The solution is here now, IBM Cognos Insight!
Insight is a powerful, intuitive desktop solution, that can read many different data sources from Excel to datawarehouses. Even your real time IBM OpenPages environment!
And it is not only reporting and dashboarding but it also lets you create what if scenarios on the fly! How would my risk exposure be if in one risk category the loss impact increases with 15%? Two clicks and you know the answer! And then you can comment on your report, which gives your colleagues more information on the context the moment you share your workspace.
How easy can risk reporting be???
For more tour on how IBM Cognos Insight please look at : http
Blog post by Erwin Boeren
Senior Governance, Risk & Compliance specialist IBM
Twitter : http