“Risk Culture – the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.” Institute of Risk Management
To influence risk culture successfully, we need strong structural mechanisms and formal arrangements that support good risk management practice in our systems, policies, procedures and governance, and senior leaders need to understand how risk performance is measured.
Dedicated Governance, Risk and Compliance (GRC) systems have been around for a while, and enhancements over time have turned them into powerful integrated platforms. They help organisations track the key elements: risks, controls, issues, actions and incidents. More recently further objects have been incorporated: models, policies, remediation and others, all linked and leveraging the organisational tree structures within the tool. At Westpac NZ we use IBM OpenPages, a mature and globally recognised tool appropriate for a complex financial services organisation.
GRC systems are typically well designed, with good data entry and quality controls built into both the creation of key elements and their life cycles. What they don’t do is help you overlay all of your operational risk policies and business rules, and they are not generally designed to provide trends, norms and benchmarks or strong visualisations. Some of the greatest potential value in these systems lies in putting easily digestible information in the hands of decision makers, so being able to extract the data from the source, overlay it with additional business rules and uplift the visualisation capability is key. For example, the GRC system can tell you whether an issue or action is open, but it won’t easily flag that it is long-dated, has been extended three times, or is overdue and needing attention (or, in the extreme case, all three at once). Nor will it tell you that 45% of your controls are about frameworks while perhaps only 5% are preventative or 15% automated, or flag that over 20% of your controls across the business are currently rated ineffective (figures for illustration only).
Some business rules for policy compliance, performance measurement or simply good practice can only be applied outside your GRC ecosystem. That is where true risk performance, trends and Key Risk Indicators (KRIs) come in, lifting your underlying risk culture by letting you measure what matters and directing your decision makers’ attention to where it is most useful.
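As an added illustration, not code from the original post, not Westpac NZ’s tooling and not an IBM OpenPages or Power BI API, the Python below applies the kind of off-GRC business rules described above to a constructed export of issues and controls. The record layout, field names, the 365-day “long-dated” threshold, the three-extension threshold and the sample data are all assumptions. It goes one step beyond the text by making the thresholds configurable policy constants and by returning flagged issues worst first, which is the shape a KRI dashboard would consume.

```python
"""Overlay business rules on a GRC export to derive KRIs.

Added example: not Westpac NZ's code and not an IBM OpenPages API.
The record layout, field names, thresholds and sample rows are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Policy thresholds (assumed; tune to the organisation's operational risk policy).
LONG_DATED_DAYS = 365   # due date more than a year after the issue was raised
MAX_EXTENSIONS = 3      # the third extension of a due date triggers a flag


@dataclass
class Issue:
    issue_id: str
    raised: date
    due: date
    status: str          # "Open" or "Closed"
    extensions: int = 0  # number of times the due date has been pushed out


@dataclass
class Control:
    control_id: str
    kind: str            # "framework", "preventative" or "detective"
    automated: bool
    effectiveness: str   # "Effective", "Partially effective" or "Ineffective"


def flag_issue(issue: Issue, as_of: date) -> list[str]:
    """Return the policy flags the GRC tool stores the inputs for but does not raise."""
    flags: list[str] = []
    if issue.status != "Open":          # closed issues need no attention
        return flags
    if (issue.due - issue.raised).days > LONG_DATED_DAYS:
        flags.append("long-dated")
    if issue.extensions >= MAX_EXTENSIONS:
        flags.append("extended-3+")
    if issue.due < as_of:
        flags.append("overdue")
    return flags


def issues_needing_attention(issues: list[Issue], as_of: date) -> dict[str, list[str]]:
    """Map issue id -> flags for every issue with at least one flag, most flags first."""
    flagged = {i.issue_id: flag_issue(i, as_of) for i in issues}
    return dict(sorted(((k, v) for k, v in flagged.items() if v),
                       key=lambda kv: -len(kv[1])))


def pct(n: int, total: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * n / total, 1) if total else 0.0


def control_kris(controls: list[Control]) -> dict:
    """Control-population KRIs: mix by kind, share automated, share rated ineffective."""
    total = len(controls)
    by_kind = Counter(c.kind for c in controls)
    return {
        "pct_by_kind": {k: pct(n, total) for k, n in sorted(by_kind.items())},
        "pct_automated": pct(sum(c.automated for c in controls), total),
        "pct_ineffective": pct(sum(c.effectiveness == "Ineffective" for c in controls), total),
    }


# Constructed sample export (not real data).
AS_OF = date(2023, 3, 1)
ISSUES = [
    Issue("ISS-1", date(2022, 1, 10), date(2022, 6, 30), "Open", extensions=3),
    Issue("ISS-2", date(2021, 2, 1), date(2023, 12, 31), "Open", extensions=1),
    Issue("ISS-3", date(2022, 11, 1), date(2023, 5, 1), "Open"),
    Issue("ISS-4", date(2020, 1, 1), date(2020, 12, 31), "Closed", extensions=4),
]
CONTROLS = (
    [Control(f"CTL-{i}", "framework", False, "Effective") for i in range(1, 5)]
    + [
        Control("CTL-5", "preventative", True, "Effective"),
        Control("CTL-6", "preventative", False, "Ineffective"),
        Control("CTL-7", "preventative", False, "Partially effective"),
        Control("CTL-8", "detective", True, "Effective"),
        Control("CTL-9", "detective", False, "Ineffective"),
        Control("CTL-10", "detective", False, "Effective"),
    ]
)

if __name__ == "__main__":
    for issue_id, flags in issues_needing_attention(ISSUES, AS_OF).items():
        print(issue_id, ", ".join(flags))
    print(control_kris(CONTROLS))
```

The point of keeping the thresholds as named constants is that they are the policy, not the data: when the operational risk policy changes, the rule changes in one place and every historical export can be re-scored against it, which is what makes trend lines and benchmarks comparable over time.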
So how do you create that strategic risk insights platform?
Our Enterprise Risk team has been on a two-year journey to do just that, recently releasing a Cloud solution that gives our organisation’s most senior leaders meaningful insights at their fingertips for better and more efficient decision making. We aren’t at our aspirational state yet, but with agility and a clear focus on data quality we have begun surfacing the established business norms for both KRIs and KPIs, together with desired-state targets that are easy to find, well designed and linked back to the underlying GRC solution. Our chosen visualisation engine for now is the PowerBI Cloud service, given its simplicity and integration with our existing tools.
This has been an integrated approach, calling on feedback from our UX designers and tech support from our data engineers and scientists. Together, we’ve worked through a tailored design approach focussing on how our Heads of Risk measure risk performance against policy and performance targets, and also how to make relevant, actionable insights more accessible for our leaders, supporting them in managing what they own and are accountable for. We utilise good organisational structure to bring the focus down from a high-level business unit to sub-business unit, creating a powerful platform for our executives to have important performance conversations.
We’re by no means the first to face into these challenges and build off-GRC tools. We are however happy with our Kiwi ingenuity, finding creative solutions on a limited budget by simply focussing on the business outcome and small value increments to deliver working software. I’m proud of our highly motivated “data wranglers and stylists”, risk and compliance cohort and enterprise services teams that have made this happen. Our backlog is full of enhancements and refinements as we move to our strategic target state integrating GRC and enterprise KRIs using a new lakehouse data management architecture.