creating€and€sustaining€risk€agility€and compliance€with...

Creating and Sustaining Risk Agility andCompliance with the Risk CockpitA White Paper from BT

Contents

Introduction...................................................................................... 3

Executive Summary ............................................................................ 4

Operational Risk is Central to the Organisation .......................................... 5

The Aftermath of Compliance – a Birthplace for Risk Management................... 5

Visualisation of Risk – dashboard vs cockpit ............................................... 7

Learning from the Past – Anticipating the Future ...................................... 10

Aligning Risk with Corporate Objectives ................................................. 10

Bringing it all together The Full ORM Framework around the Cockpit Hub ..... 11

The Emerging Risk Agile Organisation .................................................... 12

The Emerging Risk Agile Supplier.......................................................... 13

Where to Begin?............................................................................... 14

Introduction

The role of Risk Management in reducing volatility, increasing stability andpredictability, and promoting transparency in organisations’ operations has becomeenshrined in the majority of recent corporate governance and regulatorystandards. Some business sectors (e.g. finance) have always been based on risk,and have highly developed tools and techniques for dealing with it. Riskmanagement now touches enterprises beyond these sectors.

This paper will propose and describe an overall framework of capabilities,disciplines and technologies built around the hub of a Risk Cockpit for OperationalRisk Management in the networked IT space. It will describe the nature of the neworganisation that will emerge from the embracing of operational risk managementfor performance through a Risk Cockpit.

Finally, it will suggest how the considerable investments made thus far forcompliance will yield returns to the enterprise and its stakeholders andfundamentally change their relationship with their suppliers.

Why is BT talking about risk?BT recognises that governance, risk and compliance arehigh on the agenda of its customers, just as it is within BTitself for our own operations. Enterprise Risk Management(ERM) includes Credit, Market and Operational Risk (ORM).

BT believes that our customers will require more from theservices that BT as aGlobal Networked ITsupplier provides toaddress this riskagenda in terms oftheir operationalrisks.

We want to help ourcustomers bettermanage theiroperational risks anddirect their economiccapital to where thebest return on riskand performance canbe found.

We recognise thatsignificant elements of risk and control are managed anddelivered through Networked IT, managed services andoutsourcing, where BT has worldclass expertise.

This paper discusses the characteristics of the Risk AgileSupplier and the Risk Agile Organisation. BT is committedto becoming a Risk Agile Supplier and helping ourcustomers develop their own risk agility.

What has BT to offer?We have a sustained programme of investment in our ORMFramework to provide our customers the means tomanage risk and compliance through subject matterexperts, selected technology partners, and our ownresearch and venturing.

BT’s solution willprovide a coherentview of riskexposure allowingcontinuousvisualisation,monitoring andmanagement ofrisk including trendinformation on riskand businessperformance forinstigation ofoperational risktreatments toimprove riskmanagement andachieve business

objectives. It will allow organisations to implementcompliance, once, cost effectively, efficiently.

BT provides a set of consultancy services to help ourcustomers maintain the right levels of investment toextract the maximum value from ORM. We can help tomap out the organisation’s risks, controls and associatedpriorities, build a business case and a benefits model todrive the ORM programme for success and ROI.

Emerging Technology

Business Systems& Processes

Operational Risks

Asset ManagementCompliance

Data Security & Privacy

Business Continuity

Project Risk

CorporateGovernance

Business IntelligenceHealth & Safety

BT StrengthsSubject Matter Experts

Legal & Regulatory

PersonnelInformation

Management

Global Infrastructure

Systems Security & Integrity

Insurance

Fraud

IT Governance

Sourcing

Data Quality

Emerging Technology

Business Systems& Processes

Operational Risks

Asset ManagementCompliance

Data Security & Privacy

Business Continuity

Project Risk

CorporateGovernance

Business IntelligenceHealth & Safety

BT StrengthsSubject Matter Experts

Legal & Regulatory

PersonnelInformation

Management

Global Infrastructure

Systems Security & Integrity

Insurance

Fraud

IT Governance

Sourcing

Data Quality

Executive SummaryCorporate Governance codes and the demands of theregulator and auditor may have placed Risk Managementon the agenda of boards across industry. However, thereis more to risk management than satisfying a regulator orauditor in achieving compliance. It is easy to forget:

“Value is created, preserved or eroded bymanagement decisions ranging fromstrategy setting to operating theenterprise daytoday. Inherent indecisions is recognition of risk andopportunity, requiring that managementconsiders information about internal andexternal environments, deploys preciousresources and recalibrates enterpriseactivities to changing circumstances.”

Enterprise Risk Management Framework – Executive Summary, COSO

Therefore, risk management is an intrinsic part of thedecision making process.

Risk Management is in many ways a victim of its own title.The word ‘risk’ suggests danger that must be avoided atwhatever cost.

We contend that Risk Management is about seizingopportunities as much as it is about avoiding the badthings – staying out of prison, staying out of court, stayingout of the papers. If you want success you must plan forsuccess you must set up your organisation so that it canarrive at its destination reliably and thrive in the modernbusiness environment.

This clearly dictates that a proper understanding of risk inthe organisation be established and assessed in terms ofits affect on corporate objectives and strategy.

This paper describes how such a starting point enablesoperational risk management to be used to driveimprovements in performance and competitiveadvantage.

The proper understanding, assessment, measurement andmonitoring of risk affords a detailed insight into anenterprise’s operations and environment. Such insightshould enable better corporate decisionmaking leading tohigher performance at better cost. However, in practice,compliance programmes on the whole have not resulted insuch improvements.

Clearly, the right information must be provided to thedecision maker in the right context, but visualisation ofOperational Risk Management in turn must go beyonddashboards, and cannot remain restricted to the ‘rearview mirror’ of reporting and assessment.

In the Digital Networked Economy enterprises competeand survive on their information. The establishment of areliable and assured networked IT infrastructure is vital tomaintain the provenance and quality of that informationand hence the effectiveness and performance of the riskmeasurement and control.

“The world of risk and compliancemanagement is complex, and the softwareproducts in this space are varied. There isno one solution that will do it all, whichmeans that an organization must build asustainable business and technicalarchitecture for enterprise risk andcompliance. This architecture is modelledaround the structure of an organization'srisk and compliance management program(e.g., centralized or distributed), theindustry risks it faces, its compliancemandates, and the governancerequirements set forth by executives andthe board. Software from these categoriescan then be selected and, mostimportantly, integrated to sustain thisarchitecture and the oversight of risk andcompliance within the organization..”

Michael Rasmussen “Will The Real Risk AndCompliance Vendor Please Step Forward” November 2005, Forrester Research, Inc.

This paper will propose and describe an overall frameworkof capabilities, disciplines and technologies built aroundthe hub of a Risk Cockpit for Risk Management in thenetworked IT space as part of an organisation’s overallERM strategy. The Risk Cockpit, as its name suggests,must provide not only the dashboard required by the user,but also the control and safety features needed to driveoperational risk for performance.

The introduction of a Risk Cockpit to an organisationexposes, stimulates and accelerates the adoption andintroduction of key disciplines central to sustainableimprovement in performance and the opportunities forexploitation of the information and knowledge gatheredaround the enterprise’s risk and controls.

This paper will describe the nature of the neworganisation that will emerge from the embracing ofoperational risk management for performance through aRisk Cockpit. It will suggest how the considerableinvestments made thus far for compliance will yieldreturns to the enterprise and its stakeholders andfundamentally change their relationship with theirsuppliers.

Operational Risk is Central to theOrganisation

“… the investment community may welladopt operational risk as one of thefundamental metrics it uses in theevaluation and valuation of companies invirtually any industry. Operational Riskmay well take its place alongside suchbenchmarks as p/e ratios and turnover… ”

Dan Geer “Basel II Being Security Conscious”ITsecurity.com

When looking at Operational Risk many start by examiningthe Basel II definition:

The risk of direct or indirect losses due to failures insystems, processes, people and external factors. Thisincludes legal risk but excludes reputational andstrategic risk.

This places a focus on the avoidance of loss and theability to properly capture and report on the internalcontrols and record and categorise the loss events. Forbanking, this has the direct advantage of affecting thecapital adequacy ratios and may in itself yield benefit interms of reducing regulatory and economic capital.

More generally, Risk Management is defined as:

A process by which risk is identified, measured(quantitatively and/or qualitatively), mitigated andmonitored on a regular basis.

Again, this encourages the focus to be on the mitigationof risk, i.e. the limitation or avoidance of loss throughproper understanding of risk exposure and the mitigatingeffect of applied controls.

There is no doubt that this level of understanding is vitalin surviving adverse situations but business is not justabout avoiding risk; it is about risk appetite andresponse; it is also about knowing when to take a risk andknowing what risks to take.

The AS/NZ 4360:1999 risk management standard offerswhat we believe is a highly mature definition of risk andrisk management:

Risk: “The chance of something happening that willhave an impact on objectives.”

Risk Management: “The culture, processes, andstructures that are directed toward realizingpotential opportunities whilst managing adverseeffects.”

If organisations highlight the adverse and ignore theopportunity, the systems and processes they deploy will

be more likely those that can accurately portray thesituation. You can liken this to a war correspondent thatcan tell you what the war is like at the front line butcannot change the situation.

Investing in risk mitigation to achieve the stability soughtby stakeholders (investors, etc.) is laudable but is thatthe totality of its justification? This paper contends thatOperational Risk should also be driven for performance,and in order to make this a reality in an organisation asuite of supporting processes, tools and services arerequired so that the organisation can:

operate within a targeted level ofoperational risk and in compliance withlegal, regulatory and corporate guidelines,aligned with business objectives,maximising operational performance whilesimultaneously minimising cost

We will discuss the visualisation of risk in a later sectionbut in order to ensure the right sorts of visualisation andfeatures are built it is vital to consider what you need toview, why you want it, and how you will get it. That willallow us to determine the set of components required tobuild and maintain effective risk management forperformance and competitive advantage.

The Aftermath of Compliance – aBirthplace for Risk ManagementMany organisations are still recovering from the burden ofcompliance foisted on them with the introduction ofregulations such as SarbanesOxley. Given the choice,would organisations have chosen to capture, assess,affirm and attest their financial controls to the extentdemanded by SarbanesOxley? Possibly not and veryprobably not to the level of investment it required.

There has been much debate in the industry media in thewake of the Sarbanes Oxley compliance programmes ofthe last 2 years. Journalists are essentially posing thequestion – ‘Did the downside of what SarbanesOxley wastrying to prevent actually pose the biggest threat toorganisations’ futures?’ If the answer to this is “No”, andgiven the finite nature of budgets, the journalists ask –‘What has had to be set aside or starved of investment,and what does this mean with regard to the other risksfaced in these organisations?’

In the aftermath of the compliance efforts of recent yearsit is vital to set about effective risk management andleverage the greater levels of understanding of operationsgained through that process. This must be set about in asustainable manner that yields competitive advantage andshareholder value as well as ongoing compliance atminimal cost.

Regulatory Compliance ReportingRegulatory compliance reporting and the associatedsupport for internal and external audit functions is anongoing cost that cannot be avoided. It is therefore aninfrastructure cost for the organisation that allows it tocontinue to operate and must be made as cost efficient aspossible.

Recent studies show that up to 40% of a company’s ITbudget may be spent on compliance, in other wordspaying to stand still. Boards must address therequirement to create more shareholder value andtranslate this cost into an investment.

The frameworks of regulation can be dissected intomandates, which further map to controls within theorganisation.

Risk and Control AssessmentsThe problem with the pure compliance reporting resultingfrom a pure compliance agenda is that the controls areassessed as individual points.

This limits their value and yields little return on their costas it prevents two key abilities:

The ability to do a single audit in a business unitencompassing multiple themes with a resulting singlemitigation strategy;

The ability to reslice to look at a compliance view tovalidate such strategies across business units.

Exposure CalculationsControls need to be viewed along side the risks andthreats in the organisation that these controls aremitigating. Their effect on the risks they mitigate must becaptured and the risk itself assessed so that the residualrisk can be calculated.

Calculation has two main aspects:

The risk itself in terms of the exposure from the riskand its constituent sub risks or threats;

The control in terms of its effectiveness, performanceand its mitigation modifier on the risk exposure.

KRI/KPI RepositoryA single assessment of the above has limited value as itcan only show the situation now. For the risk to bemanaged all these measures need to be gathered on aregular basis as appropriate to the risk’s nature.

This can be likened to the evolution of moving pictures. Inthe beginning, people had a single photograph. Eventuallyby using multiple cameras set to fire in quick succession aseries of photographs could be produced in a flip book andfrom this a moving picture was produced yielding muchgreater understanding of the subject. For example it wasjust this technology used by Eadweard Muybridge (1830–1904) (a brilliant and eccentric photographer, who gainedworldwide fame photographing animal and human

movement imperceptible to the human eye) that was ableto prove in 1877 that a horse’s four feet all left theground at the same time at the gallop. In modern sciencetime lapse and highspeed film and photography are usedto analyse a wide variety of subjects.

So too in the effective management of risk and theperformance management of the risk and its controls aregular feed of risk and performance indicators arerequired.

Key Performance Indicators (KPI) are the sets of measuresand statistics gathered together that are then used incombination to determine risk exposure and themitigating effects of controls. When applied to a risk inthe form of a mathematical rule that combines andaggregates the indicators and applies a red/amber/greenthreshold we have a Key Risk Indicator (KRI).

This must all be combined with the regular human auditand assessment to establish an effective set of processesand procedures for the management of controls and risks.The risk appetite for the organisation and theperformance targets for the controls can be expressedusing thresholds and thresholds for Green (acceptable),Amber (cautionary) and Red (unacceptable) must be setto trigger management attention.

Gathering the history of these assessments builds a libraryof experience on the behaviour of the risks over time aswell as the mitigation effects of the controls. It isimportant to remember that risks do not in themselvescost the organisation money. A risk can only cost moneyif, as a result of one or a combination of events theymaterialise into an incident which over time, if not dealtwith appropriately, will result in a financial loss. Thecontrols however are there all the time and have anongoing cost. They need to be viewed as an investmentwhich must be justified in terms of risk mitigation butalso contribution to the corporate goals of theorganisation i.e. performance and competitive advantage.Such knowledge can be used to right size investments andalso highlight areas where there appears to bedisproportionate investment compared with the benefit

Risk Register ReportingMost organisations manage their risks through riskregisters and indeed evidence of this style of managementis encouraged by much corporate governance guidance.Having gone to the trouble of gathering a hierarchicalrepository of risks and controls it is vital to express it tothe risk managers in terms of their risk registers. It is theRisk Cockpit that makes this registers alive and active – aLiving Risk Register. We will discuss in a later section howthe needs of the full organisation must be served and itsevolution into full risk management can be supported andpromoted.

Loss History and Near MissesThe final piece to this core is the light of experience ofwhen risks become, or get close to becoming, real events

(loss events and near misses). It is vital to capture theseas this the only evidence of the behaviour of the risk as itcosts and impacts the organisation. When this data isoverlaid with the effectiveness and performanceinformation from the controls, it is then possible toappreciate properly the return on the investments and themake informed decisions on future investments andbusiness strategy.

From a compliance and governance angle, failure (loss ornear miss) may mandate official corporate investigation,which must be supported by a clear and accountableprocess.

We have now identified six core components required tomanage risk effectively in a sustained manner.

ExposureCalculations

KRI / KPIRepository

Loss HistoryNear Misses

RegulatoryComplianceReporting

RiskRegister

Reporting

Risk & ControlAssessments

Risk CockpitIt does not take much to realise that the management ofthe relationships between the hierarchies of risks andcontrols, with their various risk and performanceindicators, their ongoing need for assessment and auditand reporting at the right level to the risk managers,means that it cannot be sustained using a federation ofdocuments and spreadsheets. The overhead andopportunity for inaccuracy (and hence renderingworthless the effort) is too high.

In our experience, all organisations reach thisprecipitous point where there are two choices:

Allow technology and constrained process to be thelimiting factor accepting that risk management willnever penetrate the depths of the organisation norbe consistently applied across its breadth.

Make a suitable investment in a supporting toolsetto allow risk management to accelerate and evolve,limited only by culture and an understanding of therisks and controls themselves.

The tool needs to support the framework of componentsdiscussed so far with equal strengths in its abilities toregularise assessment, measurement, reporting andmanagement process:


KRI / KPIRepository


Risk Cockpit


RiskRegister

Reporting


This is the essence of the Risk Cockpit but why “Cockpit”?

Visualisation of Risk – dashboard vscockpitThe key enabler for organisations addressing riskmanagement is the provision of a rich featured“dashboard” to allow the capture, visualisation,monitoring and management of risk.

“The dashboard is the CEO’s killerapplication, making the gritty details of abusiness that are often buried deep withina large organisation accessible at a glanceto senior executives”

“Giving the Boss the Big Picture” Business Week, 13 February 2006

Corporate dashboards are very much in vogue at presentand as the name suggests is connected to what lies underthe bonnet (to use a car analogy) and provides the rightlevel of summary information for the driver to operatethe vehicle and arrive at their destination in safety.

Risk management needs more than the information“under the bonnet”. Risk management is a human activityabout risk appetite and response but also about knowingwhen to take a risk and what risks to take. For that reasonit must be able to take input and direction from the driver– this is what makes it a cockpit.

For now, our “driver” realisation in the Risk Cockpit is toprovide the means for managers to overlay their view andexpertise on the reports and visualisation coming from theoperational environment. For example, the KRI and KPIdata can give an accurate backward looking trend on therisk and control performance. Perhaps this will havehighlighted a cautionary or unacceptable area thatprecipitates management intervention.

In the example below, we would envisage the Risk cockpitmaintaining an overall matrix of the net risks.

On drilling into a risk (a cautionary Amber risk) we wouldsee a backward trend display showing the trend of theGross risk exposure (pale blue bar) and the Net riskexposure (red/amber/green) bar, amber in this case forthe current net risk exposure score.

85 87 84 82 84 86 90 92 94 96 98 100105110120

130140135130

145150140

130120

40 45 43 45 50 47 50 55 57 60 60 65

90105105

115130125

11090 85

75 70 65 NetExposure

ControlMitigation

GrossExposure

The difference between the Gross and Net exposures inthe trend indicate the mitigation effect of the controlsapplied to this risk and give a clear indication at thecontrols’ abilities to cope with the risk as it changes overtime.

The controls themselves may well be working withinperformance but are they having the effect on the riskdesired?

In this instance we can see a risk that has increased overtime and now represents a much higher threat to theorganisation than before (variation in the gross barheight).

In the middle of this period the existing controls failed todeal with the increasing exposure (as reflected in the netbar height) and the mitigation effect also decreased – i.e.it was not even maintaining the delta of mitigation.

It is vital that the view of what is likely to happen next isadded to the picture to inform the ongoing effort i.e. thelikely future trend. We would enhance the matrix displayto overlay the likely future trend and as such use colouredarrows (red/amber/green) in the cells to show a steady

, worsening , or improving trend prediction.

For example, at the point described above, where theexisting controls fail to deal with the increasing exposurewe would have expected the managers to have set thefuture trend as to reflect that until the managementintervention had established an action plan, bearing inmind the continuing trend of the Gross Risk and thecontrol failure, the situation would be likely to worsen.

Once the action plan was agreed and in place,management would have indicated that the situationshould stabilise and then improve.

In this way, the risk cockpit is engaging the managers atall levels, acknowledging their expert opinion, which isassisted by the trend data, and reflected in the toolengendering a confidence in managers’ abilities tomanage risk effectively. This is a main benefit of the toolcharacterised in this paper.

In the aftermath of the example above, we can also seethat the managers have performed well in that they haveincreased the mitigation effect of the controls throughtheir action plan against a risk whose gross exposure hasincreased markedly and have brought the net exposureback towards an acceptable level for the organisation.

Once again, capture of the history of this managementoverlay against the event as it unfolded, married to thelosses or near misses, constructs a rich set of informationfrom which learning and improvement can be derived aspart of an effective and professional risk managementlifecycle. In this example, it is likely that actions wouldbe taken to both better understand the risk and toimprove the consistency of the controls’ effectiveness andperformance.

The cockpit must provide a navigable journey through therisks and controls to allow the root causes of issues to beunderstood with performance thresholds set for eachindicators being measured. Setting of thresholds on everyitem allows it to be managed for performance and tohighlight areas of unsatisfactory performance. Not everypoorly performing control will cause a risk to enter acautionary or unacceptable net position but such a controlmay be an early indicator of a situation that couldworsen.

It is therefore a critical capability for a cockpit toprovide measures and thresholds in a navigablehierarchy of risks and controls, to allow the rapidvisualisation of risk relevant to the viewer, allowingdrill down to root cause, and the ability to providemanagement overlay.

In summary then the core of the Risk Cockpit mustprovide the navigation and visualisation of the following:

At the matrix levelA matrix view for the relevant risks for the dimension

selected from a navigation bar. Likely dimensionscould be risk register, line of business, value chain,business unit, location, process, compliance regime,audit etc.

The matrix cells to clearly show the Red/Amber/Greenstatus of the net risk exposure with the directionarrows to show likely future trend.

Drill down from the matrix into a hierarchy of furtherrisk matrices as configured to reflect the aggregation(the summing or net effect) of the risk from subrisks.

Navigation to backward trend data on the risk andcontrols as well as the detailed data on the risk itself.

At the individual risk levelAll Risks in the hierarchy must be owned and

maintained though a defined, audited andrepeatable, managed process.

Risk drivers as made up of subrisks or threats, eachone assessed in terms of its gross (worst case)exposure with a weighted formula to aggregate thesubrisks into the overall score. This score and subscores to have Red/Amber/Green thresholds setagainst it with the ability to record likely futuretrend.

The controls mitigating the risk attached such thatthey can be drilled into to look at individual controleffectiveness and performance with the ability torecord likely future trend.

The mitigation effect of the controls on the riskexpressed as a weighted formula to allow theaggregated effect on the risk to determine its net riskscore.

The consequences of the risk expressed in easy tounderstand terms so that effective actions can betaken for emerging situations.

Linkage to legal, compliance, policy and best practicesuch that the role of internal and external audit canbe supported and the compliance position of theorganisation can always be determined.

Action plans attached where risk improvement ormitigation improvements are in place as part of acontinuous improvement process.

Any other relevant reference materials outside of thecockpit attached as links.

The facility for multiple assessment types to becaptured to allow the organisation to analyse risks indifferent ways but to report (from a matrixperspective) on the net exposure.

At the control levelAll controls in the hierarchy must be owned and

maintained though a defined, audited andrepeatable, managed process.

The controls detail showing at individual controleffectiveness and performance with the ability torecord likely future trend;

Linkage to legal, compliance, policy and best practicesuch that the role of internal and external audit canbe supported and the compliance position of theorganisation can always be determined.

Action plans attached where control improvements arein place as part of a continuous improvementprocess.

Any other relevant reference materials outside of thecockpit attached as links.

In this way, the Risk Cockpit becomes the hub of theorganisations risk management and provides all theinformation needed to properly maintain the assessment,monitoring and management of risk. Many organisationsfall short of achieving this and it is rarely because theinformation is not available. Rather it is usually due to thelimitation of the federated documents and spreadsheetsolution currently in place. We contend that suchinfrastructure cannot sustain the level of riskmanagement and compliance now required for modernbusiness and as such, the Risk Cockpit is more than afunction, it is an application in its own right.

Ultimately the Risk Cockpit would have the oversightof all operations and should integrate with businessintelligence and enterprise control systems such thatpreemptive actions could taken from the cockpitand the effect of the action immediately seen onthe cockpit display. In essence, the cockpit wouldhave driver controls (in the car analogy steering,throttle, brakes, and gears). We believe this will bethe evolution of the Risk Cockpit.

Learning from the Past –Anticipating the FutureOver time, the cockpit provides a rich repository ofinformation:

Risk behaviour

Control performance

Loss history and near misses

Assessment and audit history

Action plan and management historyIn its basic form, risk management can operate at a levelto limit the effect of adverse conditions i.e. the riskinformation used to detect emerging situations such thatthe appropriate management actions are put in place toregain control or to limit loss and impact.

Risk Management LifecycleRisk management however needs to be part of aformalised and supported continuous improvementprogramme (a risk management lifecycle) involvingcontrol and policy definition and communication, regularaudit and assessment, the ability to analyse fromexperience to determine improvement, and the ability tomanage action plans for those improvements and measuretheir success.

Completing the lifecycle gives equal weight to both riskassessment and monitoring, and risk/control treatmentand management. This is vital for sustainability andsuccess.

Business CaseThe data on the risk exposures and effect of control canbe used to build the business cases for the investmentprogrammes ensuring that budget is spent wisely, onlywhere it is needed and only to the extent that it bringsthe risk within the desired appetite for the organisation.

Change ManagementThe action plan can be utilised to coordinate the changemanagement required to prosecute these riskimprovement strategies and indeed the risks associatedwith the change programmes can be captured andmonitored in the cockpit.

BenchmarkingThe historical repository can be used in internalbenchmarking of risks and controls to ensure consistentperformance across the organisation, e.g. CRM centres.Key indicators may also be used with peers in theorganisation’s industry to establish benchmarking for theorganisation externally.

At Risk Process EngineeringThe risk model and history will help to highlight theelements in the organisation’s operation that pose the

most serious exposures. Modern organisations have to becapable of change and re structuring to remain agile andcompetitive. Organisations are therefore increasinglyprocess based rather than structure based regarding theiroperations and as such, analysis of compliance andoperational risks in these processes is vital if they are tobe engineered to sustain an acceptable level of risk.

Horizon ScanningLooking to the future the organisation needs to makesense of its environment, and how it might change overtime. Utilising a combination of pasthistory, theestablishment of external indicators (to sense theenvironment) and the ability to conduct whatif andscenario modelling the horizon can be scanned andinformed strategy decisions made.

This ability to support scenario modelling of risk and thecompletion of business impact assessments is part of theRisk Cockpit’s role and distinguishes it from a“dashboard” whose view is fixed looking backwards like a‘rearview mirror’.

At RiskProcess

Engineering

HorizonScanning

ChangeManagement Benchmarking


KRI / KPIRepository


Risk Cockpit


BusinessCase

RiskRegister

Reporting

RiskManagement

Lifecycle


Not only is the cockpit forward looking, it isbeginning to provide expert opinion, and being usedto set up sensors and analysis that will determinewhich way the environment will change and hencewhat the organisation may wish to do in anticipationof this.

Aligning Risk with CorporateObjectivesThis is not as difficult as it sounds once the Risk Cockpitand its associated framework of components we havebeen building in this paper have been put in place.

For any desired outcome in an organisation, there is areason why it is desired, and this is essentially acomparison between what the situation will be if theoutcome is not achieved and the expected outcome if itis.

Also for any desired outcome there are the series ofthings that need to happen or be achieved to reach that

outcome. This lends itself very well to be seen in terms ofrisk.

There are risks to achieving the outcome in terms of theseries of things to be executed to get there and as suchthe means by which the organisation will measure theserisks and the controls they will put in place to keep theseexposures within their appetite.

The more critical the importance of the outcome thetighter the thresholds are likely to be.

Once there however the things put in place have anongoing influence in sustaining that position (the netposition) against where the organisation started or willfall back to if the new things fail.

These are the new controls and therefore need toassessed and monitored for effectiveness andperformance.

For example, the desired outcome could beachieving 92% customer satisfaction from a currentunacceptable position of 80%. Customer satisfactionwill be determined by individual contribution fromall aspects of the customer experience from sales,through ordering and fulfilment, customer contact,delivery, support and maintenance. Theconsequences of 80% satisfaction may be reflectedin erosion of market position, increased costs ofsales to persuade customers to buy, increasedcustomer churn, increased costs of customer contactdue to unhappy customer interactions, etc...

The Risk Cockpit therefore provides the means to addressthe setting and implementation of the organisation’sstrategy in terms of the risk and return to theorganisation integrated into the current risk profile andoperation.

Bringing it all together The FullORM Framework around the CockpitHubSo far, we have described the rich combination ofcomponents required to establish the capabilitiesdemanded of a Risk Cockpit.

Data Quality ManagementThe cockpit runs on the availability of good quality datafrom the operational environment and conscious actionmust be taken to maintain and safeguard those qualitystandards and prevent bad data polluting the cockpit andits displays.

Furthermore, the cockpit as the hub for risk andcompliance holds a history of risk and controlperformance and assessment data in support of the riskand control management process.

Information Management (assurance)For many compliance regimes information related topolicies and controls must be managed under a strictprocess of definition, maintenance, communication,publication, acknowledgement and training. All thesupporting evidence of the process, its instantiation(workflow/BPA) and success must also be available to theauditor (content and records management).

For auditors to be happy to use this information in theirattestations of the effectiveness of controls or for theinformation to deemed acceptable as evidence ofoperation it must be both assured and managedthroughout its lifecycle and in compliance with corporatepolicy. Without this, the information loses its provenance.

At RiskProcess

Engineering

HorizonScanning

InformationManagement(Assurance)

DataQuality

Management



KRI / KPIRepository


Risk Cockpit


BusinessCase

RiskRegister

Reporting

RiskManagement

Lifecycle


Risk TreatmentsRisk Treatments

Risk TreatmentsThe risk management lifecycle is about the process ofcontinuous improvement to reduce volatility, increasepredictability and performance in line with corporateobjectives for sustainability and competitive advantage.

It is also about the management of incidents and eventsas they unfold incorporating the adequate capture of dataon the event such that it can be assessed as part of theloss history or near misses associated with the risks andcontrols.

The “treatments” of risk are therefore a key aspectto the overall investment programme, as theyprovide the controls to mitigate the risks, eithersystematically or procedurally.

The risk treatments represent the larger proportion of anorganisation’s investment in the management ofoperational risk. In any other field of business, aninvestment decision is only made based on soundknowledge and yet often in the realm of risk there can bea desire to mitigate the risk whatever it takes. This isneither sustainable nor sensible, but without the

framework of components built around the Risk Cockpit itmay be the best an organisation can do.

Any investment needs to be made against a set ofmeasurable benefits (in this case the expected net riskposition) and an analysis of the consequences of notmaking the investment (the gross risk). These determinethe performance and effectiveness targets for thetreatment.

The performance indicators must be set and thedata sources identified such that the treatment canbe connected to the cockpit and the measuresswitched on as the implementation of the treatmentprogresses.

This allows the outcomes of the investment to beseen as they emerge either confirming orchallenging the investment decision but in eithercase allowing management action to ensureachievement of the goals.

Survey and AnalysisThe risk treatments are therefore the key underpinning ofthe ORM framework but their value cannot be sustainedunless they have the following attributes establishedthrough survey and analysis:

Analysed and relevance ranked with regard to theirsuitability and effectiveness as controls against risks,risk areas and compliance frameworks;

An identified suite of performance indicators to allowtheir operational performance to be measured withstipulation to the frequency and data quality issuesthat must be maintained;

An identified method of effectiveness assessment suchthat their impact on the risks to which they areattached can be assessed and added to the relevantinternal and external audit processes;

Analysed in terms of implementation, operation andmaintenance costs to underpin the development ofbusiness case and return on investment models linkedto the operational costs of managing a risk areas,specific risk or compliance regime;

Analysed in terms of families of controls such that theadvantage of combining the implementation of risktreatments and the benefit to other treatments isunderstood to prevent wasteful, siloed investments.

Strategy and PolicyAn organisation that manages its risk and compliance tosupport investment decisions, change management, andoperational excellence, will be well on their way to trulyaligning their risk profile to the corporate objectives ofsustainability and competitive advantage.

To achieve this transformation will take time for anyorganisation and to complete the framework recognitionof the necessary survey, analysis, strategy and policy

formulation and sustained programme and projectmanagement must be added.

At RiskProcess

Engineering

HorizonScanning

InformationManagement(Assurance)

DataQuality

Management



KRI / KPIRepository


Risk Cockpit


BusinessCase

RiskRegister

Reporting

RiskManagement

Lifecycle


Strategy& Policy

Survey& Analysis

Program / Project ManagementProgram / Project Management

Risk TreatmentsRisk Treatments

The Risk Cockpit however remains at the core as themeeting and sharing point of all of these activities.

The Emerging Risk AgileOrganisation

The ORM framework built around the hub of a RiskCockpit will enable the transformation of riskmanagement in organisations from a fragmented,subjective, inconsistent application of techniques,judgement and reporting, to an action orientatedand aggregated view across the business utilisingreal data, consistent aggregation, clear ownership,aligned action plans and trend information.

The strength of the Risk Cockpit is in its ability to performthe following:

Aggregation – combining KPIs and KRIs into a riskdimension drawn from one or many sources in theorganisation’s risk and control landscape.

Navigation – it is the risk community that benefit fromthe data. The risk management executive and thecontrol owners all work together to manage theoperational risks.

The Risk Cockpit provides the information necessary to dothat job effectively across the management hierarchiesand at every level as a virtual team. People need contextrelevant views to allow them to do this and also thehigher level or common shared views so that they can be

effective both in their own role and work effectively intheir risk management hierarchy.

Correlation – whilst navigation indicates to the userwhat else relates to them in the risk dimension underinspection this will not provide ripple change asindividual matrix KPIs or KRIs change.

It is the correlation effect that can be effective inalerting a risk management hierarchy enmasse to respondto an emerging situation.

Attestation – Operational Risk Management whilsthaving benefits in its own right in managing risk andreducing exposure and loss is not the only reason it ison the agenda of organisations.

Regulation and Compliance have brought ORM to the foreand therefore the auditability of an organisation’s ORMpractices and their effectiveness are vital. This isessentially policy driven and must show an auditedprocess of plandocheckact in the effective managementof risk.

Review

Maintain& Manage

Assess& Attest

Risk Cockpit(Group View)

Risk Cockpit(LOB View)

RiskManagementLifecycle

Review

Maintain& Manage

Assess& Attest

Risk Cockpit(Group View)

Risk Cockpit(LOB View)

RiskManagementLifecycle

This creates new possibilities and the characteristics ofthe risk agile organisation will be:

A common language and understanding of risk,consistently applied through out the organisationunderpinned by an aggregated and correlated riskmodel.

A culture of risk management with everyone aware ofhis or her contribution to risk management and risktaking.

An organisation with a culture of risk ownershipdevolved to the most effective point of managementwith centralised oversight. Responsibility forcompliance, effectiveness and performance ofcontrols can now rest with the control owners withthe Risk Cockpit providing the means to achievecontinuous compliance.

An organisation with the burden of compliance reducedand automated releasing internal audit to add greatervalue through themed risk and performance basedaudits driving focused investment and action.

An organisation that understands both its capacity forrisk and its appetite for risk across its operations andcan relate these to its corporate objectives.

An organisation that understands their costs ofmanaging and treating risks and can make informeddecisions on the right levels of investment yieldingthe best possible returns.

An organisation that can target both its risks andcontrols towards a desired level of performance.

An organisation that has understood its internal andexternal environment and can use forward lookingtechniques to make better strategy decisions, adaptor indeed preempt changes in these environmentsand leverage this for competitive advantage.

An organisation that can articulate clearly to supplierswhat they require to manage risks effectively interms of supply chain and managed or outsourcedservices.

The Emerging Risk Agile SupplierOrganisations now more than ever run on information andthis information is in motion or at rest in the integratednetworked IT infrastructure. This infrastructure is thecirculatory and nervous system for the body of mostorganisations.

The networked IT environment on which this depends hasbecome ever more complex and IT systems risk is a majorrecognised area of operational risk. In light of this,regulation and compliance frameworks aroundinformation and security have come into play to ensurethat organisations take these risks seriously and put inplace the right set of controls.

“90% of IT security will be outsourced by2010 due to the complexity of risk &compliance ... the managed service forsecurity market is forecast to grow to$3.7bn by 2008 in US”

Matthew KovarVP Security Solutions, Yankee Group

The levels of complexity and therefore the levels of skillsand investment needed to sustain the right levels ofcontrol against risk and compliance mean that for manyaspects of networked IT this has gone beyond the corecompetence of the organisation’s own IT department. Inany event, this is often not the core business of theorganisation.

The best way to gain and sustain the expertise is to go toa supplier organisation whose business it is not just toprovide this networked IT, but who can also deliver theservices in such a way that reliably deals with theoperational and enterprise risk. This is certainly critical

for the emerging risk agile organisation described in theprevious section.

“Successful outsourcing is built on soundrisk management because customers andvendors are entrusting each other to beable to jointly managetransition/transformation, deliveryoperations, and financial risks. Whenthings do go wrong, it’s usually because ofmismatched expectations, and these canoften be traced back to a strategy decisionmade earlier.”Paul Roehrig – “How To Manage Enterprise Risk In an

Outsourcing Deal”April 2006, Forrester Research, Inc.

Organisations should seek out suppliers willing to engageand support the ORM framework described in this paper.As they are a supplier of risk treatments, they should beable to articulate their services in this context andprovide the necessary performance indicators for theorganisation to continue to manage their risks effectivelyand efficiently.

The supplier should show they use these techniques aspart of managing their own operations and have theappropriate evidence and accreditations to prove it.

The age of the commodity supplier is ending and theage of the risk aware and agile supplier is dawning.

Managed services and outsourcing are an effective meansto control costs in operations whilst maintaining quality ofservice. This is of poor longterm value if it exposes theorganisation to greater risk, volatility and unpredictabilityand for the risk agile organisation, this will become thelimiting factor in driving operational risk for performanceand competitive advantage.

Where to Begin?The journey to achieving the levels of risk understandingand management proposed by this paper cannot beachieved overnight. It will require a sustained and coordinated effort to bring together the procedural,technological and cultural changes necessary.

There is a danger that with such a large and farreachingoverall programme the benefits realisation may become“lost in time”. This would not be a failure of the riskmanagement proposed in this paper but rather a failure inthe manner in which it is being implemented.

The best way to implement the programme is to break itdown into manageable, benefits driven investmentsaligned to the corporate goals of the organisation. The

paper has demonstrated that the ORM Framework can beapplied at any level in the organisation as it utilises astandard set of principals.

The framework will ensure that the right level ofinvestment is made in the risk capture, monitoring andmitigation through control.

Not all parts of the organisation or all operational riskswill require the same levels or rigour of capture,monitoring and treatments. This is a risk decisionreflecting the risk appetite of the organisation and theframework ensures the right decision is made based onthe right information.

Where to begin? This paper has emphasised that riskmanagement and mitigation is an investment that must bealigned with corporate objective for performance,stability and effectiveness.

A Model for the Modern OrganisationIt is worth then stepping back to consider a model for themodern organisation that helps frame the strategy asillustrated below.

At its core is the fundamental operation of theorganisation with is made up of People, Process andTechnology. A featureless three layered landscape but thecore ecosystem of where the enterprise operates. Abovethe ground, the organisation is answerable to stakeholders– board, shareholders, regulators, auditors, customers andother businesses. These dictate the features needed onthe landscape for a wellgoverned and compliantenterprise that profitably delivers the key businessoutputs and provides the key business functions requiredof it by its supply chain.

The People and Processes are dependent on the provisionof integrated Technology solutions across all the Locationswhere the organisation operates. That technology, in itsability to support the operations against a background ofrisk and compliance, is dependent on the subterraneanpillars that provide the networked IT infrastructure andsolutions required.

Typically then, there are three main views of anorganisation depending on where one is situated but allare impacted by compliance and risk. Historically the

difficulty has been in establishing the full picture acrossthe organisation from a common set of information suchthat these people can act as a team with commonobjectives. This is the drive behind the Risk Cockpit forthe enterprise.

As clearly shown in the model modern organisations arereliant on their networked IT services to operate and it ison these that an organisation’s people and processes rely.It is here then that proper risk and control needs to beapplied with the expertise of risk agile suppliers ofnetworked IT services.

Setting the GoalsIf the goal is to establish the principals of the ORMFramework as a seed for wider deployment, then an areaof risk and control that is understood and manageableshould be chosen to effectively demonstrate thoseprincipals in action for the organisation as an exemplar.

If the goal is to bring areas of unacceptable risk underproper control and monitoring (either for risk exposure orcompliance reasons) then these areas should be analysedand prioritised for implementation in the Risk Cockpit,with a set of benefits led business performance cases forthe implementation.

As the nature of risk is to change over time thispaper contends that implementation of risk,compliance or control areas should be scoped andtime boxed into 90 day implementation cycles basedon a 1020 day capture, analysis and prototypingphase. This ensures focus is achieved from theoutset as well as establishing an unwavering questfor benefits realisation i.e. driving risk forperformance and competitive advantage.

Executing the TransformationOver the period of transformation it must be recognisedand accepted that two modes of operation will exist inthe organisation – the “asis” and the “tobe”. Thetransformation process is governed by the selection of theareas of focus for transition and these should be selectedbased on the criteria above.

ORM Transformation

““AsAsIsIs””

““ToToBeBe””

PlanDo

CheckAct

Plan

DoCheck

Act

Business Performance

Business Performance

& Compliance Objectives

& Compliance Objectives

IndependentIndependentRisk Processes

Risk Processes

DisconnectedDisconnectedAudit & RiskAudit & RiskRegistersRegisters

DisparateDisparateRisk TreatmentsRisk Treatments

InformalInformalRiskRisk

StrategyStrategy

FormalFormalRisk StrategyRisk Strategy

Risk CockpitRisk Cockpit

InstrumentedInstrumentedRiskRisk

TreatmentsTreatments

RiskRiskManagementManagement

LifecycleLifecycle

This will safeguard the investment and ensure theprogramme remains rooted in its founding principles.

The programme should not be approached likesurgery – i.e. the patient is put to sleep, a team ofexperts perform some wizardry, the patient wakesup a little sore but very soon realises the benefits ofthe procedure without any understanding of whattook place.

The programme must engage with the organisation,receive the proper and sustained senior stakeholdersupport and leadership, remained owned by theorganisation but utilise a team of experts skilled in theORM Framework, approach, toolkit and cockpit to make iteffective and sustained. It is a partnership with the“surgical team” promoting sustained wellbeing andagility for the organisation.

Steve Benton,Senior ORM Consultant, BT Global Services.

About the AuthorSteve Benton is a senior ORM consultant in BT’s BusinessContinuity, Security and Governance Practice. He has over10 years experience, working with global clients, advisingon operational risk management strategy and services.

For more information visitwww.bt.com/globalservicesor contact your BT account manager.

http://www.bt.com/globalservices

Offices worldwide

The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

© British Telecommunications plc 2006Registered office: 81 Newgate Street, London. EC1A 7AJRegistered in England No. 1800000.

All Rights Reserved. Reproduction and distribution of this publicationin part or whole, in any form, without prior written permission is forbidden.

creating€and€sustaining€risk€agility€and compliance€with...

Documents