The yin and yang of risk management


The findings of the global risk and information management survey conducted by OpRisk & Compliance suggest that risk managers believe they are adequately managing risks. At the same time, they feel they lack the formalised data and information required for risk-based decision-making.

Specific findings included:

• Risk managers have a reasonable understanding of their critical risks and the information necessary for managing them.

• The volume of data available for risk management has grown substantially, but may not be yielding desired insights.

• Capturing and using information required to reduce losses and manage risks remains a challenge. There is a disconnect between self-perceived effectiveness and the availability and use of structured data.

We believe there are two components representing the yin and yang of an effective risk management program:

• Formal structures – data, processes and technology used for creating, storing, sharing and analysing information.

• Informal networks – communication and relationships both within and outside the risk management organisation, which facilitate sharing important risk-related information.

Both formal structures and informal networks are important – risk managers can compensate for shortcomings in one by using the other. Risk management data architecture is a central part of the formalised structure, while risk culture encompasses both components.

The findings suggest financial services risk managers rely heavily on informal networks. Across virtually every type of risk, respondents say phone calls, e-mails and meetings are a major source of risk information. Few respondents indicate the use of automated e-mail alerts, regularly scheduled reports, compliance dashboards and similar tools. This suggests that organisations still have work to do in developing structured systems.

The findings further suggest risk managers have a reasonable grasp of their critical risks and the information they need to manage those risks. This is particularly true when the risks relate to mandates or are well defined. For example, with credit risk and financial statement compliance risk, financial services organisations have invested heavily in systems that track and maintain critical data.

However, such initiatives are not universal across all risk types. Organisations rely on various tools to make use of data collected both formally and informally. Fewer than a quarter of survey respondents are using core technologies such as data warehousing and business intelligence tools.

Despite these shortcomings, 78% of respondents say they are at least somewhat effective in providing the right information to the right people at the right time to meet the organisation's business requirements. While poor data quality and lack of data are considered top challenges for their companies, 86% believe they are at least somewhat effective in ensuring data quality.

As with many IT decisions, the question often boils down to cost versus benefit. What is the business case associated with tracking and maintaining specific data? The strength of the business case also becomes a factor in whether executives receive the information.

Some risk types – for example terrorism or natural disasters – do not lend themselves to detailed data requirements, making it difficult to obtain meaningful risk information. In other cases, risk information may be so sensitive that formal tracking in a system is undesirable. Examples include product development and innovation, mergers and acquisitions, employment-related matters, and loss conjectures that may be discoverable under litigation.

Risk managers who are successful in collecting these types of information use a strong informal network to stay in the information loop. This network puts them in touch with key stakeholders, who can provide information on risk identification and management.

At the same time, organisations must continue to improve their formal structures – the data models, processes and systems that can make the right data available to key stakeholders.

A seven-fold path to risk management information strategy

These steps offer a guide for strengthening risk management information strategy:

• Calibrate investments and strategy based on your needs – There is no one-size-fits-all approach. Risks are, and should be, defined differently in every context by every organisation based on desired risk posture, risk profile and experience in managing risk.

• Institutionalise risk management – Develop and articulate an explicit risk management strategy. Establish roles that reflect the organisation's risk management model.

• Build the risk management framework – Create a structure for identifying, measuring, controlling and monitoring risk.

• Nurture a culture of risk awareness and action – Include risk-based metrics in performance scorecards and operate a reward system.

• Tap into the data – Use data to meet multiple needs, including objective analysis and more informed decision making.

• Encourage and leverage informal networks – Share risk management insights and facilitate learning exchange.

• Be pragmatic – Focus on business needs, such as compliance and shareholder value. Then, attack those needs in bite-size portions to demonstrate success early and often.

