Non Financial Risk Senior Executive & Board Reporting Richard Pike.

Presentation transcript:

Non Financial Risk Senior Executive & Board Reporting Richard Pike

Without good line of sight into the business, senior executives and board members have much higher personal risk.
Financial firms are struggling to effectively govern due to problems aggregating and presenting risk data.

- Risk & Compliance frameworks and systems consultant since 2000
- Non executive director at permanenttsb bank (€28bn, ECB regulated, LSE listed)
- Non executive director at JPMorgan Fund Administrators & Hedge Fund Administrators
- Steering board member of GRCTC (GRC research centre based in Ireland)

Problem

- Without good line of sight into the business, senior executives and board members have much higher personal risk.
- Financial firms are struggling to effectively govern due to problems aggregating and presenting risk data.

Causes

Financial firms are struggling to effectively govern due to problems aggregating and presenting risk data.

- The Goldilocks problem: Too much or too little information in reports and board packs.
- The basis problem: Risk data is provided in different bases (e.g. quantitative (VaR), qualitative (RAG)).
- The interdependencies problem: The recording and visualisation of relationships between different risks is not possible in current systems.
- The line of sight problem: Risks are not aggregated in a cohesive and structured manner, so hindering line of sight into the business.
- The taxonomies problem: There are multiple competing ways of naming and categorizing risks and metrics.

How does it work elsewhere?

- The driver is given a small set of important indicators that suggest he/she does something.
- Each important part of the car has indicators that are monitored by the engine management system.
- There is a set of rules that cause only certain threshold breaks to trigger driver indicators.
- Every car has an average of sensors on board. Because cars are rapidly getting "smarter", the number of sensors is projected to reach as many as 200 sensors per car.

How does it work elsewhere?

- Each important component sensor is calibrated by the part manufacturer and/or the car manufacturer using detailed testing and past experiences.
- The logic of the engine management system is based upon detailed testing and experience.
- If there is a systemic issue with a car model, the set of indicators and the rules in the engine management system are reviewed and recalibrated.

How does it work in FIs?

- For Financial Risk we have a reasonably good set of indicators that we constantly review and re-calibrate.
- We still often give too many details to senior execs.
- We have also seen that some indicators are not really valid, e.g. VaR.

How does it work in FIs?

For Non Financial Risk we have a whole host of indicators of different types:

- KRIs
- Losses
- RCSA results
- Issues & Actions
- Control attestations
- Control tests
- Capital

They are all at different levels of the business and often aren't reviewed and recalibrated.

Solution

- Define a set of indicators that informs you of the status of the risk.
- Define the thresholds for each indicator; these can be quantitative or qualitative.

Solution

Answer the simple question: What is the probability that, should this KRI value occur, it would have a material effect on the risk event? (How likely is it that it would materially affect the "identify beneficial ownership" risk event?)

Values shown on the slide:

- Red = 100%, Amber = 50%, Green = 1%
- Red = 60%, Amber = 30%, Green = 10%

Solution

Answer the simple question: What is the probability that, should this parent risk event occur, it would have a material effect on the child risk event (i.e. does it matter; if so, how much effect will it have)?

Values shown on the slide: 50%, 70%, 30%, 20%, 10%, 90%, 80%, 60%, 50%, 40%

Solution

Review and recalibrate the indicators based upon objective experiences:

- Losses
- Audits
- Control tests

Focus on ensuring that the indicators present a robust evaluation of the status of the risk.

Solution

How do you draw the map?

Deconstruct the:

- Policies
- Current reports

To start, leave out the:

- Procedures
- Systems
- Controls details

Solution

- The Goldilocks problem: Clear definition of scope and materiality to ensure right data for right people.
- The basis problem: All data is presented in RAG status based upon the firm's risk appetite.
- The interdependencies problem: Network diagrams show linkages and relationships.
- The line of sight problem: Risks can be aggregated using client designed rules. Drill through to lower level risks is provided.
- The taxonomies problem: Clients can define one standard taxonomy and map it to others already in use.

Why it works: It joins the dots

- Strategy & Risk Appetite
- Policies & Governance
- Business Metrics & Actions

Decisions at the top are based upon business metrics and risk appetite.
Action items in the business can be tracked in relation to the strategic goals.

Why it works: It reuses the current infrastructure

- There is no need to change anything in the current frameworks.
- All of the data for population of the indicators is already captured in current risk and control systems.
- The selection and importance of individual indicators is not a commercially sensitive piece of information (but the thresholds, levels and risk appetite probably is), so best practice can be shared.
- Senior executives can choose to watch the high level indicators or drill into the details should they feel the need to.
- It separates the governance and reporting of non financial risk from the day to day operations but leverages the detailed work.
- It can be easily integrated into the reporting and governance of the financial risk types.

Questions?