Key Risk Indicators:Changing the Reference Points

KRIs & Navigating the Regulatory Landscape

1. Behaviour-based Metrics

2. Multi-jurisdictional Horizon Scanning

3. Measuring Compliance Maturity

Behaviour-based Metrics

“Behaviour-regulation” is politically fashionable

• Loosely defined (“it’s what I say it is”) – easy to prosecute

• More significantly…

Populist Low-cost Lucrative

Expert Assumptions v. Behavioural Findings

Is it true that…• More detailed risk data reports will improve our decision-making?• Balanced scorecards and KPIs improve risk culture?• “Crackdowns” create improvements in conduct?• “Tone at the top” determines risk culture and compliance?• Staff ’s first loyalty is to their employer brand?

Source: Dr Roger Miles

Econometric v Behavioural view

What we’d like risks to be:• Items we can define, quantify, model• Manageable by us, via routine operating tasks• A good fit with our models / assumptions

What they may really be:• Qualitative, slippery - can’t quantify• Demanding a strategic management view• External factors, new influences, breaking assumptions

So… reconceive Compliance as scalar, not binary• ‘Yes / No’ (false clarity) answers not possible• Instead scale: progress, commitment & responsiveness

Why Behaviour is Hard to Calibrate

Dynamic• changing in individuals• changing in social groups

More qualitative than quantitative• opinions, judgments, perceptions• …… maturity continuum

Needs external calibration• not just what we do…• what do customers expect, tolerate – today?• what does Risk Culture mean for us?

What Actually Happens?

• Observation is Key!• be “relentlessly empirical”• start with real peoples’ everyday interactions (not “the system”)

• jargon-free reporting style (“Friends and Family” test)

Example: Employee Overconfidence Detector• Reveals: levels of certainty gaps between actual and claimed expertise

- low knowledge with high self-belief - high knowledge with low self-belief

• Removes culture of ‘casual non-compliance’ / ‘local rules’

knowledgelevel

certaintylevel

New Metrics for “good behaviour”

• Responsiveness– How able (propensity) to learn, react, adapt?

• Empathy– How able (receptivity) to appreciate…

• the regulator’s view?• the customer’s view? • other employees’ view (above / below)?

Multi-jurisdictional Horizon Scanning

Changing Regulatory Landscape

800M

300M

The “Regulatory Enterprise” Accelerates

Since 2009 54,000 regulatory documents have been published from 130 regulatory

bodies in the G20 countries alone.

2009 to 2015

Forecast to 2020

Chemistry in the 1850’s

Periodic Table of Elements

Dmitri Mendeleev

Modern Day Periodic Table of Elements

B

T

#

S

!

Breach type

Transaction Volume

Frequency

Severity

Risk Exposure

C Scope of change

FS Regulatory Periodic Table

MiFID II – Projected Risk Exposure

Dissemination

Client Asset/ Cash

Mis-selling & suitability96

144

54

Protection Against Regulatory Blind Spots

Measuring Compliance Maturity

Intelligent Knowledge Generation

Data / Information

Sources

Big-Data Information &

Knowledge Base

12

3

Internal ClientData Sources Manual Capture

ExternalConsulting & Audit

Big-Data Analysis & Knowledge Generation

Smart RatingService

Benchmark Service

Analysis / Sensitivity

Service

Market Intelligence

Service

Intelligent Data

Selection Service

Business Value

Services

Compliance Monitoring

Conduct Risk

Monitoring

Cyber Risk Monitoring

Insurance Monitoring

Service / Process

Monitoring

Strategy Monitoring

Supply Chain

Monitoring

BenchmarkData

Analysis Result Data

Market Data

IndustryData

Data & InformationWeb-Crawling

Dydon International

Excellence in Insurance Benchmarks

Firm and Market Risk Information

Relevance of InformationRelevant Not Relevant

Definition Key Focus Areas

IdentifiedWeak-Points

Relevance Filter

Mathematical Systems Scoring Fuzzy LogicRule Based

Aggregation Neural Nets

Dydon International

Aggr.Level n

Aggr.Level 3

Aggr.Level 2

Indicator Level 1

InputBase

Values

Track Causal Links and Maturity

Qualityof GRC

Framework

Num. News Reports on

Corp. Culture

Corp. Training

Level CoC

Corp.Training

Level GRC

Int. Whistleblower Mgt

AuditEmployee

Culture

Neg. NewsReports on

Culture

CoCProgram

TrainingLevel CoC

GRC / Culture/CoC Initiatives

ReputationRisk

Qualityof CoC

Program

Whistle-blower

Ratio Neg.News

Reports

EmployeeCulture

ComplianceRating

1 2 3 4 5 6

GRCFramework

TrainingLevel GRC

Audit RatingEmpl. Culture

CorporateTraining

Level

CorporateCulture

Aggr.Level n

Aggr.Level 3

Aggr.Level 2

Indicator Level 1

InputBase

Values

Identify Weak Points, Benchmark

BaseValue 2

BaseValue 3

BaseValue 4

BaseValue 5

BaseValue 6

BaseValue ..

BaseValue n

BaseValue 1

1 2 3 4 5 6

1 2 3 4 5 6

1 2 3 4 5 6

1 …. n 1 …. n 1 …. n 1 …. n 1 …. n

1 2 3 4 5 6

Aggregation of Indicators via:- math. Formula- Rule Aggregation- Fuzzy Logic

Aggregation of Indicators via:- math. Formula- Rule Aggregation- Fuzzy Logic

Full Comprehensibility of Aggregation Result

Full Comprehensibility of Aggregation Result

Find current weak points

Aggregation Result

Benchmark2.8

Benchmark to Peer Group or Industry

Aggr.Level n

Aggr.Level 3

Aggr.Level 2

Indicator Level 1

InputBase

Values

Monitor Improvements

BaseValue 2

BaseValue 3

BaseValue 4

BaseValue 5

BaseValue 6

BaseValue ..

BaseValue n

BaseValue 1

1 2 3 4 5 6

1 2 3 4 5 6

1 2 3 4 5 6

1 …. n 1 …. n 1 …. n 1 …. n 1 …. n

1 2 3 4 5 6

Aggregation of Indicators via:- math. Formula- Rule Aggregation- Fuzzy Logic

Aggregation of Indicators via:- math. Formula- Rule Aggregation- Fuzzy Logic

Aggregation Result

Transparent sensitivity of impact

Variation of Input ValuesVariation of Input Sensitivity Analysis 1

Transparent sensitivity of impactSensitivity Impact Understanding

Benchmark2.8

Aggr.Level n

Aggr.Level 3

Aggr.Level 2

Indicator Level 1

InputBase

Values

25

Compare Improvement Sensitivities

BaseValue 2

BaseValue 3

BaseValue 4

BaseValue 5

BaseValue 6

BaseValue ..

BaseValue n

BaseValue 1

1 2 3 4 5 6

1 2 3 4 5 6

1 2 3 4 5 6

1 …. n 1 …. n 1 …. n 1 …. n 1 …. n

1 2 3 4 5 6

Improvement via sensitivity 1

Variation of Input Sensitivity Analysis 2

Improvement via Sensitivity 1

Improvement via sensitivity 1Improvement via sensitivity 1Improvement via Sensitivity 2

Benchmark2.8

Original RatingResult without Improvements

Proactively Managing Personal Risk

Answers questions such as:

What is my personal risk?Is our compliance effort adequate?Where are our weak points?Which improvement would have best impact?How’s our compliance v. our peer

benchmarks?What do we get for our spend on compliance

(ROC)?How efficient and effective are our efforts?

Transparent Cause & Affect

Identify Weaknesses

Link to Market Information

Informed & Focused Investments

Reduce Personal Liability

In Conclusion …..

Assemble Dynamic Key Risk Indicators

SENSE• Scanning processes

• Observation

• Sense-making

SEIZE• Revise policies/actions• Reshape business/risk models• Review decision making

SHIFT• Governance/structure• Beyond best practices• Strategy & Risk alignment

Tony Moroney | Managing DirectorBerkeley Research Group, LLC6 New Street Square, 15th Floor | London, EC4A 3BFD +44 (0) 20 3597 5167 | M +353 87 2556947 tmoroney@thinkbrg.com | thinkbrg.com

The views and opinions expressed are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees, affiliates and clients. All graphs are illustrative only and should not be relied on.

29

Thank You