
September 2015
White Paper
The Use of Information Technology in Risk Management
Author
Tom Patterson, CPA
Complex Solutions Executive
IBM Corporation
aicpa.org/FRC

Executive Summary:

These days, executives recognize enterprise risk management (ERM) as a much-needed core competency that helps organizations deliver and increase stakeholder value over time. Because ERM is viewed as an essential tool for helping management continually create, sustain, and deliver value, an ERM program is then only as effective as the people, processes, and technologies the program uses. As executives increase their focus on risk management as an emerging core competency, many also see the need for better data and information, so their organizations can take action on an ever-evolving inventory of risks. One challenge risk managers face, however, is risk data scattered across the organization and not shared across business unit silos. Equally challenging is that many risk management functions lack the tools they need to capture and use risk information more effectively. So, to be truly effective, risk management teams must facilitate and encourage the capture, analysis, and delivery of current and forward-looking (predictive or directive) risk information. Predictive risk information can give management a leg-up in making better informed decisions and help them take actions that produce more reliable outcomes. Leading organizations realize risk management is fundamental to good organizational governance because managing risks effectively requires management to connect and align the organization’s assets, people, activities, and goals, and it does that by focusing attention on the achievability of the organization’s important objectives. Yet, many ERM programs also fall short when it comes to having skilled “risk aware” resources, analytical processes, and tools.
Many risk programs can also do a better job identifying, collecting, and analyzing risk data and preparing to respond to risk scenarios, as evidenced in root cause analyses done after the occurrence of an unexpected loss event. But, the good news is that evolutions in computing and risk technology, and related developments in new technologies that exploit Big Data, analytics, mobile applications, cloud computing, enterprise resource planning (ERP), and governance, risk, and compliance (GRC) systems, are also important for risk management. These technical advancements offer risk managers, and those in management or outside the organization engaged in improving existing risk management programs, better abilities for enhancing risk management effectiveness.

This report was written for risk professionals and CPAs engaged in operating, managing, and evaluating the effectiveness of risk management functions and their investments in risk information technology (IT). This report contains general information on current trends in technology tools (those becoming more visible to risk managers) and covers simple and more sophisticated risk applications and explains how they can be useful in enhancing the maturity of risk management overall. Finally, this report complements a recently released AICPA publication, Enterprise Risk Management: A Practical Guide to Implementation and Assessment.

The Evolving Use of IT

Almost all organizations these days would say they are critically dependent on IT as the enabler of their continued success. This is especially true if one considers the potential impacts from a data breach or network outage, as demonstrated recently in the Sony attack and data theft.
As IT and related technologies continue to evolve, organizations see more uses for leveraging technology to do the following:
- More accurately and securely connect, communicate, and process business transactions with customers, suppliers, and other stakeholders
- Support human resources management and talent attraction and sustainment
- Handle detailed logistics activities across globally-integrated business operations or supply chain processes
- Support execution of business strategies and objectives and assign the accountability for execution and achievement of these strategies and objectives with key managers

IT also supports and underlies other business-related activities, such as scientific and quantitative research, financial modeling applications for asset-trading firms, and the monitoring of assets and asset values, investment positions, and contractual liabilities. IT tools are also used to support enterprise-wide GRC activities, such as inventorying the entity’s risks, control activities, and control testing and monitoring required by market and regulatory authorities. Such tools can be very simple applications that operate on one personal computer connected to the Internet or intranet, or they can be very sophisticated. However, when one considers the breadth of technology options available today, it is encouraging to realize that continuing evolutions in IT will provide risk managers and CPAs many opportunities to continue to add value to the discipline of risk management.

One interesting recent development in the evolution of IT is the introduction of viable cognitive computing applications, which represent a giant leap in computing capabilities from traditional, highly programmed applications. This evolution is the next step in computing that originally began with large computational machines that calculated complex mathematical problems, which then evolved into programmable computers that executed millions of pre-defined commands to solve more complex problems.
The theoretical next step in the evolution of computing has been described as “artificial intelligence,” in which computers are able to ingest and organize massive amounts of facts and data points and be programmed to apply natural language programming and complex algorithms to self-learn, apply logical thinking, and apply knowledge to problem solving. One interesting development in this regard was the introduction of the IBM Watson computer on the U.S. television show Jeopardy. As a test to see whether a computer could ingest massive amounts of data, and after some time in preparation, the Watson computer beat the top two all-time Jeopardy champions, proving that this next evolution of natural language computing applied to massively large, big data repositories can have very practical applications to real world problems. Although this paper is not about this emerging shift in computing technology, the application of this game-changing technology to risk management will also fundamentally transform the risk technology used in the future.

ERM

Generally accepted risk management principles and standards articulate that an effective risk management program is one that operates in an organization in which the governing board and executives formally accept responsibility for managing enterprise risks, and in doing so, agree to adhere to generally accepted risk management standards. Standards such as the Committee of Sponsoring Organizations’ (COSO) ERM Framework (COSO ERM) and the International Standards Organization’s ISO 31000 are considered acceptable ERM frameworks and recognize the connection between good governance and effective risk management. These standards also prescribe that to be effective, an ERM program should integrate “risk informed” or “risk aware” decision making into an entity’s formal governance structures and processes. So, an effective risk program should provide management with an enhanced ability to continually capture, evaluate, analyze, and respond to risks arising from changing internal operations, external markets, or regulations. Not managing these changes effectively can produce financial losses, negative publicity, and affect the achievement of the organization’s objectives or mission. Therefore, effective risk programs consider, evaluate, and provide input to an organization’s planning and performance measuring and support the evaluation of potentially negative events and their impacts from changes to an organization’s established risk appetite and tolerance-setting processes. ERM framework standards, such as COSO ERM, also note that information and communication are essential framework components, but more importantly, feedback tools.

Having timely information is key to an effective ERM program. Immediately knowing a key supplier has experienced significant disruptions to a raw materials supply chain, for example, allows customers to invoke supply chain resiliency plans to quickly secure replacement materials elsewhere. Without that timely information, a supplier’s disruption might also disrupt its customer’s manufacturing processes.
Because of such scenarios, management must continually monitor internal operations, suppliers, related parties, counterparties, and customers to look for changing circumstances that must be addressed to reduce the risk of loss. Because having timely information is so critical, some businesses now actively monitor social media content (for example, Yelp) to collect timely insights on customer service, product quality, or service delivery issues. In this example, widely and immediately available social media content provides valuable insights into the public’s perceptions of the business’ products and services, which helps the business avoid reputational damage by providing management tools that can quickly address service and product quality issues before they cause serious brand or franchise damage.

Risk information is key to delivering an effective ERM program, and information about emerging, yet critical, new risk events and causal factors is key to effective risk management processes. These days, many ERM programs maintain an inventory or listing of the organization’s critical enterprise-wide risks. Moreover, from a technological perspective, these risk inventories can be fairly well managed with spreadsheets, tables, or, in more sophisticated situations, using commercially available “off the shelf” ERM or GRC software. Risk managers in many organizations use these tools to capture, categorize, organize, evaluate, track, and prioritize the organization’s inventory of risks. Many of these systems come pre-configured and can be further configured to apply risk prioritization schemas to risk inventories.
Because risk prioritization helps management focus attention on the most critical risks, a risk inventory generally captures data about the following:
- The types and categories of risk (that is, human resources, financial, market, operational, counter-party, regulatory, and so on)
- The probability of occurrence for a specific risk loss event
- The potential impact and severity of the most probable risk events, including the potential for loss of life or asset values and the potential costs required to recover from a loss event or loss scenario
- The strength of the organization’s risk management process and related risk mitigation and control activities (that is, the ability and readiness of the organization to react and respond to risk loss events and optimize potential recovery costs)
- The names of the individuals responsible and accountable for monitoring and managing each critical risk

There are other potential data points that can be captured in a risk inventory, but generally speaking, the preceding list is a good starting point for an evaluation of potential risk technologies. Yet, before one decides to evaluate an investment in risk technology or a technology-enabled risk system, it will be helpful to answer questions about additional risk data and information needs that may be missing from an organization’s existing risk-tracking tools. Some of these questions include the following:
- What data from current operations or the markets where we operate do we need, and if we had that data, would it help us do a better job identifying emerging critical risks?
- What risks, risk scenarios, or stress tests should we evaluate, and for which of these should we prepare a response?
- What additional data do we need to perform this type of “what if” analysis more accurately?
- Can we enhance risk management effectiveness using other nontraditional risk data points, for example, with data from external data and information providers?
- If we invest, how much should we spend given our risk profile and past experience with financially significant risk loss events?

When considering whether to make investments in new or updated risk technology, it’s also important to note that many organizations already have large and extensive databases currently in production, and many IT departments are actively engaged in integrating these better with existing applications to extract more value from IT investments. Many databases contain risk data points that can also be extracted, “mined,” or ingested by more powerful computing platforms to deliver even more organizational value over time. Tools that chief information officers (CIOs) of organizations now use to help facilitate such efforts include electronic data warehouses (EDWs), “Big Data,” business intelligence (BI) applications, and information analytical technologies. These tools can be complemented with powerful data extraction, transformation, and loading (ETL) technologies that provide greater latitude in extracting value from hard-to-locate and parse data files. Though risk managers may not initially be the intended beneficiaries of such data integration investments, many organizations are, nonetheless, using these tools for that purpose.

Big Data is a term frequently used these days to describe massive amounts of structured (that is, numeric data, such as financial amounts and values) and unstructured, yet digital, data sets (that is, textual data in free forms or data that is visually graphical), many of which are too large or complex for traditional database management applications.
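As an added worked example (not code from the paper or from any GRC product), the following Python script shows what the risk inventory described earlier in this section looks like once it leaves the spreadsheet: each entry carries the listed data points (category, probability, impact, control strength, accountable owner), a prioritization schema ranks the entries, and a data-quality pass catches entries that would make the ranking meaningless. The scoring schema (inherent exposure = probability × impact; residual exposure = inherent exposure × (1 − control strength)), the CSV layout, and the sample risks are all assumptions chosen for illustration.

```python
"""Risk inventory with a prioritization schema.

Added illustration (not code from the paper). Each entry carries the data points
the paper lists for a risk inventory: category, probability of occurrence,
potential impact, strength of mitigating controls, and the accountable owner.
The scoring schema is an assumption chosen for illustration:

    inherent exposure = probability * impact
    residual exposure = inherent exposure * (1 - control_strength)
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    category: str            # type/category of risk (operational, financial, ...)
    description: str
    probability: float       # probability of the loss event in the period, 0.0..1.0
    impact: float            # estimated loss if the event occurs, in currency units
    control_strength: float  # 0.0 = no effective controls .. 1.0 = fully mitigated
    owner: str               # individual accountable for monitoring this risk

    @property
    def inherent_exposure(self) -> float:
        return self.probability * self.impact

    @property
    def residual_exposure(self) -> float:
        return self.inherent_exposure * (1.0 - self.control_strength)


def load_inventory(csv_text: str) -> list[RiskEntry]:
    """Parse a spreadsheet export (CSV with a header row) into RiskEntry objects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        RiskEntry(
            risk_id=row["risk_id"].strip(),
            category=row["category"].strip(),
            description=row["description"].strip(),
            probability=float(row["probability"]),
            impact=float(row["impact"]),
            control_strength=float(row["control_strength"]),
            owner=row["owner"].strip(),
        )
        for row in reader
    ]


def inventory_problems(inventory: list[RiskEntry]) -> list[str]:
    """Data-quality checks: out-of-range scores or a risk with no accountable
    owner make the prioritization meaningless, so surface them before ranking."""
    problems: list[str] = []
    for r in inventory:
        if not 0.0 <= r.probability <= 1.0:
            problems.append(f"{r.risk_id}: probability out of range")
        if r.impact < 0:
            problems.append(f"{r.risk_id}: negative impact")
        if not 0.0 <= r.control_strength <= 1.0:
            problems.append(f"{r.risk_id}: control_strength out of range")
        if not r.owner:
            problems.append(f"{r.risk_id}: no accountable owner")
    return problems


def prioritize(inventory: list[RiskEntry]) -> list[RiskEntry]:
    """Rank by residual exposure (highest first); ties fall back to inherent exposure."""
    return sorted(inventory,
                  key=lambda r: (r.residual_exposure, r.inherent_exposure),
                  reverse=True)


def exposure_by_category(inventory: list[RiskEntry]) -> dict[str, float]:
    """Total residual exposure per risk category, for a management summary."""
    totals: dict[str, float] = defaultdict(float)
    for r in inventory:
        totals[r.category] += r.residual_exposure
    return dict(totals)


# Constructed sample inventory (illustrative values, not real data).
SAMPLE_CSV = """risk_id,category,description,probability,impact,control_strength,owner
R-01,operational,Key supplier raw-material disruption,0.30,2000000,0.50,J. Doe
R-02,financial,Counter-party default on receivables,0.10,5000000,0.20,A. Roe
R-03,regulatory,Late regulatory filing penalty,0.05,500000,0.90,
R-04,market,Commodity price spike,0.40,1500000,0.60,B. Poe
"""


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_CSV)
    for problem in inventory_problems(inventory):
        print("DATA ISSUE:", problem)
    print(f"{'id':<5} {'category':<12} {'inherent':>12} {'residual':>12}  owner")
    for r in prioritize(inventory):
        print(f"{r.risk_id:<5} {r.category:<12} {r.inherent_exposure:>12,.0f} "
              f"{r.residual_exposure:>12,.0f}  {r.owner or '(unassigned)'}")
    print("residual exposure by category:", exposure_by_category(inventory))
```

In the constructed sample, R-01 and R-04 have the largest inherent exposure, but R-02 ranks first on residual exposure because its controls are weak; that reversal is exactly why the control-strength data point belongs in the inventory alongside probability and impact. R-03 is flagged because nobody is accountable for it, which is the accountability data point the list above calls for.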
To enhance the usability of Big Data, the latest generation of Big Data analytic tools provides features that give users the ability to consume and analyze very large and diversely structured and formatted data sets. These tools may also perform incredibly complex problem solving by using powerful “parallel-processing” computing platforms. Parallel processing allows an application to break down and separate very complex and computationally intensive calculations into even smaller sub-tasks. This is done using multiple, interconnected virtual machine processors, so the job of parsing and comparing very large data sets can be performed faster and more efficiently than with many of today’s computing platforms based on single-user personal computer operating systems.

With the integration of technologies like Big Data analytics, cloud computing, GRC and ERM applications, and parallel-processing platforms, in the near future, risk managers will be able to gain even greater advantages from capturing, extracting, transforming, and using legacy databases to perform risk assessments, stress tests, and risk scenario analyses. Although neither easy nor cheap to implement and manage, these current IT evolutions will become less costly over time and have a huge impact on the way organizations track and manage risks.

Future risk applications using this technology can further enhance risk management when integrated with workflow process and business “rule logic” software. Business rules systems can be pre-programmed to seek out and capture emerging risk data within transaction execution systems and present these data points to management in more consumable formats.
As future Big Data-enabled technologies become even more integrated into an organization’s existing operational monitoring and reporting processes, management will be able to more objectively measure and rationally explain the actual events that affect the organization’s current operating results or might affect future performance.

Nowadays, data about changing economic conditions and markets is instantaneously available to most organizations via real-time data feeds. Business news service providers, such as Thomson Reuters, BlackRock, Bloomberg, Dow Jones, and the Wall Street Journal, all offer up-to-the-minute information on the changing values of financial assets and markets. Such data feeds can also be exploited to support mature ERM programs and risk-monitoring processes, and the impact of these information services on equity trading and capital markets participants can be seen. Many global organizations are becoming more globally integrated and operate very complex business processes across borders. Such organizations execute transactions and evaluate and take actions in nanoseconds when real-time changes in market conditions occur. Many of the newer breed of Big Data-oriented, “analytics-based” BI systems already support intelligent decision making, transaction processing, and the visualization of data, all useful tools for monitoring risks and operational performance. As these applications become less expensive and more widely available, many organizations may still struggle to integrate them with existing “legacy” applications or do so across historically “siloed” functions, databases, and processes.

Therefore, it’s sometimes necessary to modernize an organization’s IT infrastructure before risk managers attempt to use new technologies to capture, synthesize, process, and use real-time data from different data sources and in different data formats. Transforming IT to embrace these technologies may be required before risk managers can also embrace future evolutions in risk management technologies. Furthermore, investments required to fully integrate and unleash trapped organizational data from legacy stand-alone databases may be hard to come by even in the most technically sophisticated and well-funded IT organizations, especially in organizations not known for investing in recently evolved information technologies.

In line with that, risk management executives can find the task of attempting to connect diverse databases challenging without executive support and a clear, concise project plan that defines the risk program’s requirements in terms of people, processes, and technology, and more specifically, financial resource requirements, architectures, data flows, and quantifiable risk management needs.
Yet, as organizations continue to build their enterprise content, enterprise data management, and EDW capabilities, they will also find it important and extremely valuable to implement strong data governance, master data management practices, and the use of a risk taxonomy (see section that follows) to define risk management terms and risk data elements in technical terms, so risk-related data elements can be defined, identified, captured, processed, and analyzed.

Because many ERM programs may be immature or small because the organizations they support do not require much sophistication, from a cost-benefit perspective, such risk programs can greatly benefit from less complex and less expensive office automation tools, such as Microsoft Excel, PowerPoint, and SharePoint. These tools are used extensively in large, medium, and smaller organizations for risk tracking and reporting purposes. These tools can help a risk management program
- capture and evaluate the impacts and potential of identified enterprise risks;
- define, communicate, track, and monitor risk appetite and risk tolerance levels within the organization;
- assign ownership for executing ongoing risk monitoring and internal control activities; and
- report an organization’s ongoing risk management effectiveness.

Stand-alone or network-based “off-the-shelf” GRC systems are also widely available to help risk managers capture and report on an organization’s corporate and legal structures, create and apply a risk taxonomy, and evaluate risks and related risk-mitigating control activities and their performance over time.
These tools also support ongoing evaluations, a fundamental requirement of a generally accepted risk framework, and they help risk managers evaluate potential impacts to an ERM program’s coverage from organizational changes. GRC systems offer the ability to collect, capture, and report data about assets and people resources to help organizations define and monitor risk and control performance, establish risk accountability, and help track compliance with internal codes of conduct or regulations. GRC tools also help in defining an organization’s risk framework. For readers interested in learning more about GRC and risk analytic systems, organizations such as Forrester Research, Gartner, IDC, and Chartis Research issue research reports that analyze and compare leading market tools available for purchase.

Many of today’s GRC applications can also be enhanced by integrating them with both data-feeding and data-receiving systems. For example, some GRC systems can be integrated with operational monitoring or alerting systems and can feed emerging risk data points to business managers via mobile applications. Future evolutions of GRC technologies will also provide the basis for an even more integrated ERM capability. They will provide this integration functionality via application programming interfaces and more powerful system development and integration tools.

Moreover, the evolution of cloud-based IT environments is also something one might want or need to understand and consider when evaluating GRC applications. Cloud-based IT environments that provide “on demand” GRC software as a service (SaaS) exploit inherent virtualization capabilities of platform-based operating systems and related infrastructures and middleware software and provide “tenant” users with even more efficient and cost-effective alternatives to buying a GRC application and running it in house.
Cloud-based applications, or “tenants,” and the organizations that use them provide and charge for just the processing power that users of such applications need. Demand-based usage and charging schemes give users more flexibility by requiring them to spend only on the applications they need to run the business. Cloud-based applications take advantage of economies of scale, and SaaS allows a cloud-hosted application to be made available to multiple tenant user organizations while supporting a wide mix of IT use cases. As mentioned previously, virtualization allows cloud providers to divide processing across multiple IT platform environments, so each cloud tenant only consumes the processing resources needed. Technically speaking, virtualization optimizes system resources and tenant usage demands that require either more or less system resources over time.

In the future, many large globally-integrated enterprises may also benefit from implementing a centrally or optimally managed enterprise risk center (ERC). An ERC combines all of an organization’s relevant risk and control operational functions into a single operation center that can also provide even more risk visibility across the enterprise. Using segregation of duties and organizational reporting lines to avoid potential independence issues, the idea is to place an organization’s legacy operational risk functions, such as the ERM function, the network operations center, security operations center, the physical security monitoring, financial operations, and customer service or call center functions into one business unit and enable these with technology. An ERC also provides risk information to key stakeholders and provides some contextual analysis to drive risk response and risk event or incident response capabilities.
However, establishing an ERC may require some adjustment of the role of IT within an organization because to operate effectively, the ERC will need to change its direction to focus IT on also supporting the business from a risk and sustainability perspective rather than a traditional focus of monitoring and managing IT platforms and data. The ERC should operate using the organization’s own data warehouse because these become inputs to the “central nerve center” that manages the broad inventory of risks each organization faces. The ERC works to enhance legacy data management capabilities with real-time monitoring using dashboarding tools and physical and environmental data inputs (weather, security, operational control, asset and inventory movement data points, and so on). The ability of the ERC to establish and monitor operational controls to keep the organization better aligned from a risk management perspective will be key to the future deployment of ERCs in globally-integrated enterprises. Therefore, having seasoned IT data management, risk, operations, and data analytics and tools integration experts supporting the ERM program’s risk technology goals will be key to the setup, operation, and management of an ERC-driven program.


Another important characteristic of an effective ERM program is the program’s ability to integrate the organization’s people in a more operationally aligned manner by formally establishing and explicitly defining risk-taking authorities, risk tolerances (that is, across key, organizationally important functions and processes) and setting risk tolerance “levels” within the context of an organization’s strategic, operational, and financial objectives. Although many ERM programs are still evolving and may not yet be mature enough to tackle the challenges that come with formally setting risk appetites, risk-taking authorities, accountabilities, and risk tolerance thresholds, these activities should drive the evolution of maturing an existing ERM program, that is, one that currently does not have these processes formally defined.

Another software tool many organizations already use is statistical analysis software. This software is very useful for modeling and evaluating the probability and impact of risk events or scenarios, especially those affecting financial assets and investments. Because market-wide, geographical, or economic changes may not be immediately anticipated or felt until reported by management, some organizations are using statistical modeling tools for supporting an ongoing ERM program’s risk analysis.
Risk managers may already monitor ongoing changes in geopolitical conditions, severe weather, market movements, or other events that might cause disruptions to normal “business as usual” operations; but, statistical tools allow even more diverse risk scenarios to be evaluated so better decisions can be made.

In addition to the data points listed previously, more sophisticated risk systems might provide users with information about the following:
- Risks within an organization, its departments, operations, functions, assets and asset classes, and risks to capital, processes, and the established accountability of those responsible for managing risk
- Potential risks in geographies and industries where the organization operates and the duration of such risks, their magnitude, and time horizons
- The ability of the organization to continue to meet regulatory and compliance requirements and contractual obligations and commitments

For a source of reference material related to risk technology, readers are encouraged to browse the Risk and Insurance Management Society (RIMS) webpage at www.rims.org and a white paper RIMS published in 2009 on Enterprise Risk Management Technology Solutions.[1]

Many risk functions already find it very useful to leverage enterprise financial data used in routine accounting, reporting, and business operations. Such data helps risk managers identify, escalate, and address evolving enterprise risks. This same enterprise data currently used to monitor and calculate pension liabilities, track and account for changes in the fair value of assets and liabilities, and support compliance, financial, and operational processes can also be captured, analyzed, and summarized for decision makers or to support ERM or ERC processes.

ERP systems used by many organizations can also be primary enterprise risk data sources.
Complex statistical and analytic software tools can be integrated with ERP systems and used to extract and model potential risk events or exposures and perform predictive scenario analysis or evaluate changing risk factors that might affect the current or fair carrying value of assets and liabilities. Such tools already help many financial firms to make more informed decisions on allocating equity capital and for keeping cash deposits in reserve for expected (non-outlier) and unexpected economic losses and provide capital resilience and “stress test” details. International banking regulations, including UK Financial Services Authority (FSA) Living Will guidelines and Bank for International Settlements rules such as Basel II & III, also require organizations to effectively model and keep track of their regulatory capital. Although complex financial services companies build their business by managing valuation, liquidity, and counter-party risks to assets they manage, smaller organizations with concerns about asset valuation and liquidity risks can also benefit from a mix of less costly and less sophisticated technology tools and risk treatment tactics.

Accounting rules already require many organizations to monitor and track the fair value of assets and identify patterns that might signify a financial loss event for recording and disclosure purposes. However, applying an enterprise view of risk will most likely expand this concept of focusing on enterprise value through the continual collection of data on the organization’s breadth of operations, operating environments, people, and capital, plus data on internal and external factors that introduce risks to the enterprise as a whole. As ERM capabilities within an organization naturally mature over time and become even more effective in protecting enterprise value, the deployment of more sophisticated IT-enabled ERM operat

[1] Michael Thoits, “Enterprise Risk Management Technology Solutions,” Risk and Insurance Management Society, chnology%20Solutions.pdf.
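The statistical modeling discussed in the last two sections (probability and impact of risk events, reserves for expected versus unexpected losses, and stress tests) can be made concrete with a small frequency/severity simulation. The Python script below is an added illustration, not code from the paper or from any vendor tool. Its assumptions are chosen for illustration only: loss events per year follow a Poisson distribution, each event's severity is lognormal, “unexpected loss” is the gap between a high quantile of annual loss and the mean annual loss, a stress test is modeled by scaling event frequency and severity, and all parameters are constructed rather than taken from a real portfolio.

```python
"""Frequency/severity loss simulation for expected vs. unexpected loss.

Added illustration (not code from the paper) of the kind of statistical scenario
modeling the text describes. Assumptions, chosen for illustration only: loss
events in a year follow a Poisson distribution, each event's severity is
lognormal, "unexpected loss" is the gap between a high quantile of annual loss
and the expected (mean) annual loss, and a stress test scales frequency and
severity. Parameters are constructed, not taken from any real portfolio.
"""
from __future__ import annotations

import math
import random


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def severity_mu(mean_severity: float, sigma: float) -> float:
    """Lognormal location parameter that yields the requested mean severity."""
    return math.log(mean_severity) - sigma ** 2 / 2.0


def analytic_expected_loss(frequency: float, mu: float, sigma: float) -> float:
    """Closed form: E[annual loss] = E[events per year] * E[severity]."""
    return frequency * math.exp(mu + sigma ** 2 / 2.0)


def simulate_annual_losses(n_years: int, frequency: float, mu: float,
                           sigma: float, seed: int = 7) -> list[float]:
    """Monte Carlo: aggregate loss for each simulated year. Seeded so runs repeat."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        events = poisson(rng, frequency)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def loss_profile(losses: list[float], confidence: float = 0.99) -> dict[str, float]:
    """Expected loss, the annual loss at the given confidence level, and their gap."""
    ordered = sorted(losses)
    expected = sum(ordered) / len(ordered)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    at_confidence = ordered[index]
    return {
        "expected_loss": expected,                    # reserve for "normal" years
        "loss_at_confidence": at_confidence,          # e.g. 1-in-100-year loss
        "unexpected_loss": at_confidence - expected,  # capital buffer beyond expected
    }


def stress_scenario(n_years: int, frequency: float, mu: float, sigma: float,
                    frequency_multiplier: float, severity_multiplier: float,
                    seed: int = 7) -> dict[str, float]:
    """Re-run the model with more frequent and larger events (a simple stress test).
    Scaling a lognormal severity by a factor shifts mu by log(factor)."""
    losses = simulate_annual_losses(n_years, frequency * frequency_multiplier,
                                    mu + math.log(severity_multiplier), sigma, seed)
    return loss_profile(losses)


# Constructed base-case parameters (illustrative, not from any real data).
BASE_FREQUENCY = 2.0                                # expected loss events per year
SEVERITY_SIGMA = 0.8
BASE_MU = severity_mu(100_000.0, SEVERITY_SIGMA)    # mean severity of 100,000
N_YEARS = 20_000


if __name__ == "__main__":
    base = loss_profile(simulate_annual_losses(N_YEARS, BASE_FREQUENCY, BASE_MU, SEVERITY_SIGMA))
    stressed = stress_scenario(N_YEARS, BASE_FREQUENCY, BASE_MU, SEVERITY_SIGMA, 2.0, 1.5)
    print("analytic expected loss:",
          round(analytic_expected_loss(BASE_FREQUENCY, BASE_MU, SEVERITY_SIGMA)))
    for name, profile in (("base", base), ("stressed", stressed)):
        print(name, {k: round(v) for k, v in profile.items()})
```

The simulated expected loss should land close to the closed-form value (here 200,000 per year), which is a useful sanity check on the simulation itself; the 99% annual loss sits well above it, and that gap is the “unexpected” component a capital buffer is sized against. The stress scenario doubles event frequency and raises severity by half, and the resulting profile shows how much both reserves would need to grow under that assumption.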
