Facing heightened regulatory scrutiny, the company needed to implement a comprehensive risk identification and assessment program to support its risk reporting needs.
A phased approach was adopted, considering the change implications on the business. A top-of-the-house risk assessment, initially conducted by the enterprise risk stewards, was transitioned to the business areas in the next cycle, along with oversight and effective challenge from the Second Line. A common risk taxonomy and universal risk scale were implemented to support enterprise risk identification and assessment. Risk identification activities spanned all risk categories and were overseen by the relevant risk committees. Internal controls and other mitigating activities were identified and assessed to determine residual risk. Risks were assessed assuming baseline operating conditions, and certain key risks and controls were re-assessed assuming conditions of stress, based on inputs provided by the company’s Scenario Analysis and Capital Modeling teams. The results of all the assessments were aggregated, reviewed by the Risk Committees and reported to the Board. The risk profiles were used for the company’s Comprehensive Capital Analysis Review (CCAR) process.
The financial institution in the previous example also needed to establish a common risk taxonomy to facilitate risk identification as well as to demonstrate the risk aggregation and reporting capabilities. The creation of an enterprise taxonomy provided a common reference for risk definition and rollup.
For this effort, the top-of-the-house categories were initially defined by the Enterprise Risk Management (ERM) group, based on the company’s risk profile reporting structure. Subsequently, the detailed hierarchy of risk categories was developed based on industry reporting trends and by consulting with various risk program owners (e.g. Credit, Compliance, External Fraud, Internal Fraud, Cyber, Model Risk, etc.) and the business First Line stakeholders. Once the taxonomy was developed, it was reviewed with key stakeholders in the First Line and Second Line to gain consensus on the definitions, and any overlaps or redundancies were removed. Once development and review were completed, the taxonomy was approved by ERM. The newly developed risk taxonomy was implemented within the company’s enterprise Governance, Risk and Compliance (GRC) platform and was used as a framework for conducting the enterprise risk assessments. The taxonomy also served as a tool for roll-up and aggregation of risks to the primary risk categories for enterprise risk profile reporting. Training and guidance were developed and deployed as part of the implementation, along with a change governance process for periodic review and revisions.
This top global technology company needed to manage compliance for its suite of cloud solutions across multiple geographies and regulatory frameworks. To help streamline its compliance efforts, the company embarked on implementing an automated GRC solution, not only to reduce manual effort related to controls and testing across its entire technology stack, but also to enable consistent processes, reduce duplication, and improve compliance reporting and analytics.
We helped align processes, risks, and controls across different product teams, identifying and removing redundancies in control assessments wherever possible to optimize efficiency across the division. A common methodology for managing control assessments was also implemented, including a common testing calendar. The integrated control assessment methodology was implemented on the company’s GRC solution.
Through this newly designed streamlined process, the company was able to support compliance with multiple frameworks in a sustainable manner going forward.