Agile Risk
New Thinking to Enhance Effectiveness
of All Three Lines of Defense
While Stabilizing or Lowering Costs
22nd Annual Risk Minds International
Amsterdam, The Netherlands
December 9, 2015
© 2015 Protiviti Inc.
Agenda
• Challenges Faced Today
• Agile Risk Management
• Risk Management Practices: Target State and Benefits
• Risk Reporting Innovations
Challenges Faced Today
Inherent Risk Profile Is Continuing to Increase
[Figure labels: IR0, IRF]
Baseline inherent risk of retail financial services activities
• Customer Growth & Deepening Relationships
• Dramatic Changes in Processes & Technology
• Manual Processes & Siloed Functions
• Dynamic & Changing Market Landscape
• Product & Service Innovation
Ignoring the heightened regulatory environment, there are a number of factors driving inherent risk higher, increasing the need for agile risk and compliance management.
Sli.do Poll #1 – Challenges
What do you think is the biggest challenge your organization faces
regarding risk management?
Lack of skilled and knowledgeable resources
Stagnant risk and compliance operating budgets
Regulatory scrutiny and enforcement actions
Inefficient risk management processes and limited technology
Majority of time spent fixing problems rather than value-add activities
Risk Management Evolution
Stage One Attributes
• Duplication
• Manual processes
• Bad data
• Ineffective reporting
• Unclear accountability
Stage Two Attributes
• Control functions align
• Technology and data are common and shared across control functions
• Risk and compliance management is connected but fragmented
• Solutions fix problems but not root-cause
Stage Three Attributes
• Consistent, efficient, effective, and connected processes
• Risk radar
• Risk informed decisions
• Risk addressed in design
• Strong process management
• Clear accountability and continuous engagement
• Optimized technology
• Customer focus
[Figure: three-stage evolution diagram. Stage labels: Reactive and Siloed; Business of the Control Functions; Customer Centric. State labels: Typical Current State; Future State: Synergy / Efficiency; Operational & Customer Excellence. Entities shown: Internal Audit, Risk, Compliance, Business Units, Customer.]
Agile Risk Management Framework
[Figure labels: Optimized Performance; Focus on Growth; Agile Risk Management; Customer Satisfaction; Operational Excellence; Aligned Organization]
Target State Operating Model – Agile Risk Management
Unified Process
Phase labels: Define Strategy; Assess; Implement; Sustain
• Define Risk Appetite
• Market Opportunity
• Define Products & Services
• Define Enterprise Standards
• Identify Inherent Risks
• Define Performance Needs
• Design Process
• Ensure Initial Performance Achieved
• Operate
• Ensure Process Adherence
• Communicate to Stakeholders
• Identify Risks Greater Than Appetite
• Identify Impacted Processes
• Implement Process
• Perform Continuous Improvement
Building Blocks
1 – Risk Informed Strategy
2 – Compliance Requirements Inventory
3 – Risk Governance Framework
4 – Accountability and Incentives
5 – Risk Identification and Assessment
6 – Risk in Design
7 – Process Management, Monitoring and Testing
8 – Issue Management
9 – Aligned Reporting and Actionable Analytics
10 – Quality Data and Governance
11 – Integrated Risk Technology
Time Re-Allocation Benefits
[Chart: Hours (axis 0 to 80,000) by activity, BEFORE vs. AFTER. Activities: Governance; Identify and Assess; Measure; Monitor and Test; Report; Manage Changes; Admin/Other. Percentage labels as extracted: 14%, 13%, 17%, 19%, 13%, 11%, 14% and 23%, 17%, 10%, 23%, 5%, 13%, 12%.]
• Issues identified faster
• Time spent on value add activities
• Redeploy or reduce resources
Sample FTE Benefits
[Chart: FTE per Billion* by Asset Size* ($100 B, $200 B, > $300 B; vertical axis 0 to > 3) for Bank and Diversified/Insurance, with Current State and Future State markers. Data labels as extracted: 1.36, 2.53, 1.02, 1.85, 7.32, 2.24, 1.38, .82.87, 1.61, 2.28.]
• 25 Fewer FTE
• ~$3-5 MM savings
*Asset size was based on Bank Holding Company size for applicable Banking benchmarks
Sli.do Poll #2 – Risk Reporting
What do you think is the biggest challenge your organization faces
regarding Risk Reporting?
Manual processes in aggregating and creating
Limited data to support reporting quality or ideal metrics
Inconsistent risk reporting across business units and/or geographies
Reporting does not drive action
Content overload when providing to Executives and Board Members
Elements of Effective Risk Reporting
• Clarity: Reports have defined elements, are clearly labeled, and easy to interpret
• Actionable: Reports prompt informed decision-making
• Graphical: Data is depicted pictorially where possible
• Completeness: Reports provide an aggregate view of risk
• Comparative: Risk information is easy to compare across business units
• Consistency: Format and content are consistent across all reporting
• Targeted: Length and granularity are tailored to target audience
• Accuracy: Data is complete and precise across all reports
• Meaningful: Reports contain historical and forecasted results as well as environmental analysis
The Protiviti Risk Index
• Protiviti’s conversations with Board members and executives of leading financial services firms across the globe have frequently come back to three simple questions:
• Am I Riskier Today than I was Yesterday? Generate Risk Index Score based on changes in risk factors’ outcomes.
• What are the Underlying Causes? Review shifts in performance of underlying factors.
• Am I Going into a Riskier Time? Create a Risk Index that consists of time-oriented measures (past, present, future); extrapolate future-oriented risk measures.
The Protiviti Risk Index is a powerful solution to focus attention on highest priority items in an intuitive and straightforward manner. It is designed to capture, calculate and evaluate a large volume of complex risk data and reduce it to a single-number snapshot of organizational risk.
The Protiviti Risk Index is a tool that aims to strengthen the overall well-being of the company’s risk management capabilities.
The Basel Committee on Banking Supervision: Risk Data Aggregation
In January 2013, the Basel Committee on Banking Supervision (BCBS) issued guidance titled “Principles for Effective Risk Data Aggregation and Risk Reporting.”
Supervisors expect that data and IT infrastructures will be enhanced in the coming years to ensure that their risk data aggregation capabilities and risk reporting practices are sufficiently robust and flexible to address all potential needs through the normal course of business and during time of stress / crisis.
BCBS Principles:
1 Governance
2 Data Architecture and IT Infrastructure
3 Accuracy and Integrity
4 Completeness
5 Timeliness
6 Adaptability
7 Accuracy
8 Comprehensiveness
9 Clarity and Usefulness
10 Frequency
11 Distribution
Legend (Protiviti Risk Index: Meet Standard?):
• Risk Index Directly Meets Principle
• Risk Index Indirectly Meets Principle
• Risk Index Could be Designed to Meet Principle
• Outside the Scope of the Risk Index
• Mapping the BCBS Risk Data Aggregation guidance against Protiviti’s Risk Index shows that the index meets the principles outlined for risk data aggregation practices. Principles beyond the scope of Protiviti’s Risk Index rely heavily on existing governance, IT and risk infrastructure, and data accuracy.
Chief Risk Officer View
• CRO view is built to show the enterprise risk index score, the risk outlook of the organization,
trends by geography and line of business, positions of the material risk categories, notable risk
movers, and key matters requiring attention
• Encompasses the CRO span of control in a single, concise dashboard
Strategic Risk Homepage
• A drill down into one of the material risk categories – strategic risk – moves the user to the strategic
risk homepage
• Illustrates the strategic risk score compared to the prior period score, maintaining a similar look and
feel to the risk index homepage
Protiviti Risk Index Example: Data Quality
[Chart: Data Quality Score (axis 0.00 to 8.00) by Key Data Element (KDE): Risk Rating, Collateral Type, Product Type, Credit Rating, Outstanding Balance, Loss Given Default Rating, Charge Off Amount. Lower Limit: 5.7; Upper Limit: 6.6. Score labels as extracted: 6.02, 6.69, 3.82, 5.80, 6.22, 6.18, 4.03.]
Protiviti Risk Index Example: Model Risk
[Figure: Model Risk Score on a Risk Score scale of 1 to 9, with bands labeled Low, Medium and High. Principal Risks labels: Credit, Risk #3, Risk #4, Risk #5, Risk #6. Sources of Model Risk labels: Individual Models, Assumptions, Source #3, Source #4, Source #5, Data Collection and Quality, Governance. Individual Models labels: Model 1, Model 2, Model 3.]
Closing Thoughts
Working towards being more agile in risk and compliance management can
begin today – foundations are important.
Risk management enables the business and can support the organization in
achieving operational excellence.
Risk management needs to be a partner – proactive collaboration and
engagement establish credibility.
Efficiency gains can be had without negatively impacting effectiveness.