Your Risk Taxonomy should be a subset of your Management Information Taxonomy

“We have 285 risks and over 875 controls within our risk and controls framework...reporting anything sensible and meaningful on a monthly basis is a real struggle. Given the technology we use (spreadsheets and PowerPoint), the effort required to ‘hand crank’ the reporting pack production and the effort required to chase people across the business for data, the executive team receive the monthly report roughly six weeks after the end of the month. As the bank’s IT function, you would think we could do a lot better.”

Sound familiar?

“We are really happy with our management reporting. At the end of day 5 in the month, the executive team receives a monthly executive report with a personalised ‘slice’ of that report based on their accountability with the RACI. This personalised ‘slice’ of the executive report is more detailed than the main pack, highlights current and emerging issues to be discussed, and means everyone turns up to the monthly executive meeting well prepared and ready to go. The days where we spend half the meeting arguing about the numbers and reporting format are gone.”

Does that sound familiar? 

Three Use Cases for External Loss & GRC Benchmarking data

With the launch of the StratexStream Early Adopter Program (EAP), Ascendore is reaching out to Challenger Banks, Building Societies and Asset Managers and asking them to play an active role in the design of the new StratexStream External Loss & GRC Benchmarking service.

Here are three potential use cases for external loss and GRC benchmarking data.

  1. Drive continuous improvement with Operational & Cyber Loss Events data (Hits & Near Misses)
  2. Improve the quality of ICAAP submissions 
  3. Develop better reputational risk insights

Six Potential data sets to be captured within StratexStream

With the launch of the StratexStream Early Adopter Program (EAP), Ascendore is reaching out to Challenger Banks, Building Societies and Asset Managers and asking them to play an active role in the design of the new StratexStream External Loss & GRC Benchmarking service.

Here are six potential data sets that could be captured within StratexStream and delivered to its customers. 

  1. Operational Loss Events data (Hits & Near Misses)
  2. Cyber Loss Events data (Hits & Near Misses)
  3. Breaches data
  4. Risk and Compliance Framework statistics
  5. Senior Management Accountability coverage
  6. Social Media Sentiment data

We need to rethink our approach to risk & regulation

This quote makes it clear that the way we develop and implement regulation has to change. How can it be sensible that we are 100 days out and there is still uncertainty about how to interpret the text of the (MiFID/MiFIR) regulation? Watch this space...we will change this!

"Wholesale banks are used to regulatory change and adept at dealing with uncertainty but there are just 100 days before the changes are to be implemented and the industry is left debating key interpretive issues in the text" - Julian Allen-Ellis, Director of MiFID/MiFIR at AFME

PRESS RELEASE: Ascendore announces StratexStream, an External Loss data service

Ascendore announces StratexStream, an External Loss and GRC Benchmarking data service, with the launch of an early adopter program.

Prompted by customer frustration at the lack of a high-quality External Loss & GRC Benchmarking data service designed for non-Tier 1 Banks, Ascendore is pleased to announce the launch of StratexStream. This service will ‘go live’ in November 2017. To ensure market fit, we are launching an Early Adopter Program (EAP) immediately, to enable collaboration with our customers and other firms in the final design of this new service.

StratexStream is an external loss and GRC benchmarking data service based on anonymised customer data and external sources. It enables firms to access, in real time, industry and peer external loss and GRC benchmarking data and incorporate it into regular and one-off reporting, analysis and capital modelling.

GDPR - One Year to Go. Ready?

On May 25, 2018 the EU's General Data Protection Regulation (GDPR) will come into force and, as outlined this morning by CityAM, it appears we are far from ready.

Some key statistics

  • Research by IPC shows that 25% of European companies are totally unaware of the GDPR and more than half, 52%, are unsure of the impact of the GDPR on their organisation.
  • 42% of European organisations say that GDPR is not a priority for them.
  • 84% of UK SMEs have not heard of GDPR.
  • CAI/Oxford Economics research shows that after a severe breach a firm's share price drops by an average of 1.8% on a permanent basis. After the impact of GDPR, this loss could increase by a factor of 10.

Microsoft to buy cyber security firm Hexadite

Microsoft has agreed to acquire cyber security firm Hexadite for $100 million, Israeli financial news website Calcalist reported on Wednesday.

Hexadite, headquartered in Boston with its research and development center in Israel, provides technology to automate responses to cyber attacks that it says increases productivity and reduces costs for businesses.

When to automate and when to enter data manually

When deploying StratexPoint, there are two questions that are often asked (and we often ask our customers to consider). 

  1. How much of our data should we aim to extract automatically and load into StratexPoint from Line of Business (LOB) systems, versus updating it manually?
  2. What data should we automate and what should we enter manually?

The simple answer is that as much data as possible should be extracted automatically from Line of Business and/or Data warehouse repositories and loaded into StratexPoint to minimise the cost and time of periodically updating items within your framework.

However, the real answer is a little more involved.

Whilst the general approach should be to automate as many data extracts and updates as possible, the items that typically have the highest level of data automation are indicators. As a general rule of thumb, you can expect to automate the extraction and load of data for up to 80% of your indicators. Indicators are generally relatively easy to automate because they are often derived from underlying business data which is routinely captured in an existing LOB system or Data warehouse.

When deploying StratexPoint there are always data sets that make up the strategic management and/or risk management framework which are normally only held in ad hoc spreadsheets. Equally, information such as organisational structure and related accountabilities is also often held in spreadsheets or Word documents rather than LOB systems. This framework and accountabilities data must be entered/imported manually and maintained. Typically, StratexPoint becomes the system of record for this type of data.

There are many item types within StratexPoint which are typically manually updated, again because the underlying data is not held within LOB systems. These include risks which are assessed using a qualitative, expert-led risk assessment; controls whose effectiveness is manually assessed or where control testing results are added; and Initiatives, Actions, Audit Actions, Issues and Audit Issues, which all have a % Complete status that is typically manually updated. This is data that often doesn’t reside in any LOB system and, with StratexPoint in place, StratexPoint becomes the system of record for this type of data.

In addition to extracting and automating the load of data into StratexPoint, data can be extracted from StratexPoint and loaded automatically into other systems.  An example from a recent customer project was to use StratexPoint to capture and hold initiative status, initiative risk and control effectiveness data which is periodically extracted and automatically loaded into a corporate project management tool. In this case, StratexPoint provided an integrated suite of management reporting to senior management and the board who wanted to see strategic, operational process and initiative related status, risk and control assessment information within their reporting pack. By sending data back to the corporate project management tool, it also provided initiative status, initiative risk and control effectiveness information back to programme and project managers which enabled them to more effectively execute their individual project plans.

In another project example, StratexPoint was used to capture risk and control assessment data which was then aggregated as business unit level summaries which were automatically sent, at the end of the month, to the corporate data warehouse, enriching the available data for operational reporting.

As a closing recommendation, automate as many data updates as possible, leveraging existing LOB systems and/or data warehouses. For data which is currently captured within ad hoc spreadsheets or other office documents, and not captured within a LOB system, manually capture this data using StratexPoint and make it the system of record for this data going forward. And finally, consider how data captured and generated within StratexPoint can be leveraged to enrich operational data warehouses.

Compliance & Operational Risk Management staff pay to increase by 11.7% in 2017

This morning CityAM reports on a Robert Half salary report that shows Compliance and Operational Risk Management staff salaries are set to increase by up to 11.7% in 2017.

This should prompt firms to look at the effectiveness and efficiency of their current Compliance and Operational Risk Management activities. 

Effectiveness is about doing the right things to complete activities and achieve objectives, whereas efficiency is about doing things in the right or most optimal way, for example the fastest or least expensive way.

3 things to do now to improve accountabilities with your organisation

Openness and accountability matter at every level - Financial Reporting Council, Corporate Culture and the Role of Boards, July 2016

Many firms find it difficult to create a culture of openness and accountability within their firms, as suggested by the Financial Reporting Council in their recent report, Corporate Culture and the Role of Boards, published in July 2016. Below are three things to do today that can improve accountabilities with your organisation.

1. Cut through complex organisational structures by embedding RACI within your organisational culture.

Too often, the organisational structure gets in the way of embedding openness and accountability within organisational cultures. This is particularly true of matrix organisations or where the structure has evolved over time (reflecting the political and power structures at the time). One of the best tools to cut through this ‘organisational complexity’ is the RACI model (known by various other names including Responsibility Assignment Matrix - https://en.wikipedia.org/wiki/Responsibility_assignment_matrix). Experience shows that implementing the RACI model either on its own or as part of an organisational change project can significantly improve clarity around organisational decision-making and action-taking. Additionally, as many people are in roles where they have multiple reporting lines, the RACI model not only provides clarity but is also a great tool for managing up and down.

2. Stop measuring indicators (KPIs, KRIs and KCIs) using RAG – use RAGAR instead

The mantra “Measure what matters” is often preached but less often practised. The quality of indicators in use in many firms is poor, with typical problems including (but not limited to) lack of balance between financial and non-financial indicators, lack of balance between leading and lagging indicators, and poor overall definition of indicators. This lack of quality results in poor management conversations focused on a small number of easy-to-measure, often financial, measures, which promotes, encourages and rewards short-term target chasing with an emphasis on getting all indicators on the dashboard green. Measuring using a RAG (Red, Amber, Green) approach is part of the problem. Instead use a RAGAR (Red, Amber, Green, Amber, Red) approach as per http://tinyurl.com/j27embg

This type of measurement is slightly more challenging to define but the resulting improvement in management conversations, decision-making and action-taking means the investment is worth it. RAGAR reduces ‘target chasing’ and promotes a culture where people operate within known and clear boundaries.

3. Use Action Registers and Checklists

One of the often neglected aspects of embedding a culture of accountabilities is managing the actual doing and follow-through. Re-designing an organisational chart with names in each box is relatively simple and can improve decision-making but doesn’t fully address the follow-through: making sure that when people are busy day-to-day, agreed actions are completed on a timely basis. For regular, recurring actions that are designed to ‘run the firm’, checklists can be a powerful tool for ensuring that the recurring actions are completed in the right sequence. For ‘one-off’ actions, those that are designed to ‘change the firm’, Action registers with due dates are powerful drivers of change, and contribute to improving the quality of management conversation and accountabilities within the firm. Of course, further improvement comes from overlaying the RACI model onto your Action Registers and Checklists to ensure everyone knows what they should be doing and by when, and from using a RAGAR-based dashboard to visualise them.

We have moved!!

Our new address is 

33 Cannon Street, London EC4M

StratexPoint User Group - 15 September

The next StratexPoint User Group meeting will be held at 15:00, 15 September, 2016 and is being kindly hosted by Artemis Asset Management Limited.

The meeting will start at 15:00,  15 September, 2016.

Press Release: Ascendore: the new name for StratexSystems

1 AUGUST, 2016 – FOR IMMEDIATE RELEASE

Ascendore: the new name for StratexSystems

It's an exciting time for the provider of Integrated GRC software as the company embarks on a new chapter in its history

StratexSystems is rebranding. As of today the Governance, Risk and Compliance (GRC) software provider will be known as Ascendore.

PRESS RELEASE. StratexSystems unveils new R&D centre in Seville

1 June 2016 – FOR IMMEDIATE RELEASE

StratexSystems unveils new R&D centre in Seville

Nearshore operation will complement the work of London team and bring benefits in cost and time to market for provider of SharePoint-based Enterprise Governance, Risk and Compliance (GRC) software

StratexSystems today announces the opening of a branch office in Seville, Spain. A major new initiative, it will operate primarily as a research and development facility, and support a wide range of activity across the company's global customer base.

Connecting culture

How would you define culture? Many definitions include the words: attitudes, customs, beliefs, goals, values or behaviours, particular to a group of people or a community.

In the context of a firm, culture often gets segmented into different aspects depending on the topic in hand, e.g. ‘customer service culture’, ‘quality culture’, ‘risk culture’, ‘reward culture’, ‘change culture’, ‘empowerment culture’… the list goes on.
