The Situation and Challenges
A global investor services company had experienced various challenges undertaking their global operational risk transformation; the transformation was underpinned by the implementation of the MetricStream Operational Risk Module (ORM). XCF Consulting (XCF) were introduced by MetricStream to The Client; The Client then engaged XCF to work with them and MetricStream to turn around the implementation and transformation.
The transformation had been executing for around a year and had not made a delivery. The situation was caused by several reasons, also there was a significant list of MetricStream customisations that The Client had determined were necessary. The newly in post client Chief Risk and Compliance Officer was conscious of the investment to date and was keen to show credibility and value from the transformation and the chosen system. Additionally, the firm aspired to create a broader GRC transformation programme but had growing reservations due to the progress and experience to date.
What XCF Consulting Did
Over a focused period XCF spent time with various stakeholders to understand the company, the drivers for the transformation, and the transformation progress and status.
In parallel with the time spent with the stakeholders, XCF had sessions with the Risk Team to review the requested MetricStream customisations. The sessions supplied holistic information to the Risk Team on (i) how the vanilla system worked, (ii) the rationale behind why things were done in a particular way, (iii) broader risk practises in industry and (iv) how things might be received by the primary business. This was done from a risk practitioners’ perspective and not a technology perspective to ensure there was business understanding of the value, opportunities and possible outcomes; XCF complement MetricStream technology expertise with Risk, Compliance and Audit practitioner expertise. The revised customisation list was less than 10% of the value of the original list. The work undertaken by XCF was done with a sensitivity to the existing client practices but with a focus on delivering clear desired outcomes. With this new understanding the Risk Team were able to refine their risk framework and target completing the standards for what was to be the first delivery.
It was decided that Risk Events and their associated Issues and Actions would be the first delivery. XCF devised an implementation plan with The Client and the first delivery went live in under two months of XCF being engaged. This first delivery was chosen to provide prompt broad business benefit, visibility and value to start to build credibility.
From a priority and planning perspective KRI’s, RCSA and other typical areas of the risk framework were seen as the next priorities by The Client. However, from an understanding of (i) the history of the situation (ii) client maturity and the time required for The Client to make the next delivery and (iii) the longer-term client aspirations, XCF advised The Client to extend the roll-out of Issues and Actions to cover Compliance and Audit (Internal and External) following on from the first delivery. The work to prepare for the other risk framework areas could continue in parallel. In creating the standards for Issues and Actions the Risk Team engaged heavily with Audit and Compliance to establish holistic Issues and Actions standards covering all disciplines.
Value Delivered
XCF worked with MetricStream and The Client to successfully turn around the implementation and the broader transformation by enabling prompt delivery to show visible value, benefit and credibility. They helped accelerate additional credibility by guiding The Client in an approach that delivered further ongoing benefits that had not been expected, solidifying the credibility of the transformation and MetricStream. XCF continue to work with The Client on their ongoing broader GRC transformation and strategy which is underpinned by the MetricStream platform.
Having all Issues and Actions in one place provides significant business benefits, which are not often recognised and further maximises the technology investment and value. Many organisations have Risk, Compliance and Audit, Issue and Action items in various places and can struggle to gain a prompt consolidated agreed understanding on what items are in existence; hence the process of managing these items is compromised. The benefits of the consolidation of Issues and Actions can be seen to be :-
• Heightened Significance and Improved Risk Culture – the consolidation establishes a more significant process that encourages greater focus across the business. This greater focus enhances cultural significance and consideration of risk and compliance across a firm.
• Removal of ambiguity on the number of Issues and their ownership - the consolidation encourages clear rules around existence (how many items are out there) and ownership (who is responsible for what). Relevant people should have knowledge and access to all the information that is relevant to them there should be no-surprises, this creates clear obligations on 1st, 2nd and 3rd line.
• Improved Risk and Compliance Issue Content – the consolidation encourages consistency of process ensuring greater clarity and understanding over expectations for behaviour, timeliness and quality. The alignment of data improves reporting and analysis; for example the impact of an Issue rated “High” is the same for Risk, Compliance and Audit meaning objective informed, transparent risk decisions can be made; things are not done as a priority purely because Audit are seen to be more important.
• Improved Risk and Compliance Insights - the quality and consistency mean that issues can accurately, transparently and readily be considered in various new ways such as thematically, encouraging 2nd and 3rd line teams to consider working together to optimise areas of focus and priority.
• Accelerated delivery of other modules within the MetricStream platform – the creation of Issues and Actions is a capability used as part of various other modules in the platform such as Audit and Compliance Management. The upfront implementation of this capability without using the relevant module fully means that when the time is right to implement the module fully an element of the work has already been done and there is broader familiarity and buy-in to the system.
The above benefits contribute to improvements in the quality and sophistication of risk and compliance management.
Σχόλια