By Dave Hannon
While there's certainly be a lot of talk about damaging weather here in the US lately, if you still think enterprise risk management means preparing for the next weather event, then you've got some catching up to do.
Today, the enterprise risks that have the C-suite losing sleep include things like increased regulatory pressure, market slowdowns, and government pressure to reduce spending. For example, according to a recent KPMG survey, 59% of C-suite executives at financial services companies and 53% of those in the energy and natural resources executives identified regulation as their top threat. And executives across all industries said regulatory risk is a bigger concern than reputational, credit, supply chain or those security risks that grab all the headlines.
"We found that risk management is not advancing fast enough at most companies in the face of an array of threats in an increasingly complex global economy," said Mike Nolan, KPMG International's Global Leader for Risk Consulting. "But companies can transform these challenges into a competitive advantage. All of their competitors are in the same boat, but very few are going to take advantage of the regulatory onslaught to become more competitive. The companies that do will be in a strong position to turn regulatory risk into an advantage."
So the question becomes "how." How do you turn these issues from ulcer-causing concerns to something that gives you a leg up over your competition? While I might not have the exact answer to that very big question, I'm convinced that the answer should include the terms "aggregated data" and "integrated IT platform" in it somewhere.
At a very high, global, "avoid another major economic meltdown" level, the Basel Committee on Banking Supervision in January released guidance for central banks "intended to strengthen banks' risk data aggregation capabilities and internal risk reporting practices." While there is a lot to take in here one of the recommendations includes: "A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles...A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors."
In fact the Basel guidlines provide 15 points and various sub-points on risk data aggregation for banks. While they all make sense, in a blog post on the Basel guidelines, Steve Culp, leader of Accenture’s Risk Management practice globally, pointed out that might not be as easy as it sounds for these megabanks. "The enhancement of banks’ IT and infrastructure capabilities, including upstream and risk systems, risk data and reporting, will most likely require significant investment and change management. This is especially challenging as banks implement other change programs and align these efforts to other regulatory changes."
Why all this talk about global banks' risk management practices? Well I figured if I started you off by thinking about the challenges THEY face, then the challenges you face in your organization to aggregate risk data might not seem quite so daunting. (Did it work?) For SAP customers, it's still a big challenge, but there's a more direct path to aggregating risk data and defining responses to certain risks for those seeking these answers.
According to a report insiderRESEARCH compiled earlier this year polling SAP customers about their risk data, we found "there are pockets of information being collected at the local level that can be used to identify risks that could affect the entire enterprise. The information simply needs to be housed in a central repository and exposed to the right people in the right format...currently, this is not happening. More than half (55%) of the professionals surveyed say that their organizations are using Microsoft Excel or Word to manage their risk programs locally, while another 39% use homegrown systems that have varying levels of integration and automation."
For SAP users the data is available. A suite of integrated solutions is available. They just need, what -- more convincing of the benefits of integrated solutions and aggregating data? Try this: In a recent interview, Werner van Haelst Joint Managing Director of Integrc and I discussed the benefits of an integrated platform for SAP GRC suite users, including the integration of the SAP GRC Risk Management solution. For example, sharing data between organizations and between the various solutions in the GRC suite can bolster that data's value.
"For example, SAP GRC Risk Management can use existing SAP Process Controls as a risk response," he told me. "If Risk Management defines a certain risk and you want to have a certain risk response you can use those in Process Control."
If you need more convincing, don't take it from me. At the GRC 2013 conference next month you can hear from companies like GlaxoSmithKline, Exxaro, and Ericsson as well as see demos and hear solution-specific details from SAP and its partners.
Lastly, just to end off with some fear factor, I'll leave you with this extended quote from the Basel Committee report:
"One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities. Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices. This had severe consequences to the banks themselves and to the stability of the financial system as a whole."