Call (240) 460-3799 or email: info@riskprosolutionsllc.com
The financial institution in the previous example also needed to establish a common risk taxonomy to facilitate risk identification as well as to demonstrate the risk aggregation and reporting capabilities. The creation of an enterprise taxonomy provided a common reference for risk definition and rollup.
For this effort, the top-of-the-house categories were initially defined by the Enterprise Risk Management (ERM) group, based on the company's risk profile reporting structure. Subsequently, the detailed hierarchy of risk categories was developed based on industry reporting trends and by consulting with the various risk program owners (e.g. Credit, Compliance, External Fraud, Internal Fraud, Cyber, Model Risk, etc.) and the business First Line stakeholders. Once the taxonomy was developed, it was reviewed with key stakeholders in the First Line and Second Line to gain consensus on the definitions, and any overlaps or redundancies were removed. Once development and review were completed, the taxonomy was approved by ERM. The newly developed risk taxonomy was implemented within the company's enterprise Governance, Risk and Compliance (GRC) platform and was used as the framework for conducting the enterprise risk assessments. The taxonomy also served as the basis for roll-up and aggregation of risks to the primary risk categories for enterprise risk profile reporting. Training and guidance were developed and deployed as part of the implementation, along with a change governance process for periodic review and revision of the taxonomy.
This large government agency processes billions of dollars in grant payments.
Faced with challenges in its internal controls over financial reporting, the agency's financial management division developed a multi-year plan to improve the maturity of its financial management processes and systems. The maturity strategy took a holistic approach encompassing people, processes, technology and data, in order to address inherent weaknesses in the control environment and resolve long-standing audit issues.
A key component of enhancing financial management maturity was to implement a process for proactive identification and assessment of emerging risks relevant to financial management systems. Our consultants assisted the agency in establishing an end-to-end process for the identification and disposition of emerging risks, including defining the scope and objectives of the program, identifying the sources to be monitored, and establishing the governance for review and resolution of emerging risks. A repository was built using a simple SharePoint application to manage and assess the emerging risks. Risks were triaged and assessed for overall impact and likelihood with respect to financial management systems, then presented to senior management for review and approval. Once approved for further research, they were analyzed and the results presented to the Financial Management Risk and Controls Working Group during monthly sessions. The process was operationalized in 2021 and continues to run in Business-As-Usual (BAU) mode today.
Facing heightened regulatory scrutiny, the company needed to implement a comprehensive risk identification and assessment program to support its risk reporting needs.
A phased approach was adopted in consideration of the change impact on the business. A top-of-the-house risk assessment, initially conducted by the enterprise risk stewards, was transitioned to the business areas in the next cycle, with oversight and effective challenge from the Second Line. A common risk taxonomy and a universal risk scale were implemented to support enterprise risk identification and assessment. Risk identification activities spanned all risk categories and were overseen by the relevant risk committees. Internal controls and other mitigating activities were identified and assessed to determine residual risk. Risks were assessed assuming baseline operating conditions, and certain key risks and controls were re-assessed under stressed conditions, based on inputs provided by the company's Scenario Analysis and Capital Modeling teams. The results of all assessments were aggregated, reviewed by the Risk Committees and reported to the Board. The resulting risk profiles were used in the company's Comprehensive Capital Analysis and Review (CCAR) process.
This top global technology company needed to manage compliance for its suite of cloud solutions across multiple geographies and regulatory frameworks. To streamline its compliance efforts, the company embarked on implementing an automated GRC solution, not only to reduce the manual effort of control assessment and testing across its technology stack, but also to enable consistent processes, reduce duplication, and improve compliance reporting and analytics.
We helped align processes, risks, and controls across the different product teams, identifying and removing redundancies in control assessments wherever possible to improve efficiency across the division. A common methodology for managing control assessments was also implemented, including a common testing calendar. The integrated control assessment methodology was then implemented on the company's GRC solution.
Through this newly designed streamlined process, the company was able to support compliance with multiple frameworks in a sustainable manner going forward.