On May 25, 2018 the EU's General Data Protection Regulation (GDPR) will come into force and, as outlined this morning by CityAM, it appears we are far from ready.
Some key statistics
- Research by IPC shows that 25% of European companies are totally unaware of the GDPR and more than half, 52%, are unsure of the impact of the GDPR on their organisation.
- 42% of European organisations say that GDPR is not a priority for them.
- 84% of UK SMEs have not heard of GDPR.
- CAI/Oxford Economics research shows that after a severe breach a firm's share price drops by an average of 1.8% on a permanent basis. After the impact of GDPR, this loss could increase by a factor of 10.
Microsoft has agreed to acquire cyber security firm Hexadite for $100 million, Israeli financial news website Calcalist reported on Wednesday.
Hexadite, headquartered in Boston with its research and development center in Israel, provides technology to automate responses to cyber attacks that it says increases productivity and reduces costs for businesses.
When deploying StratexPoint, there are two questions that are often asked (and we often ask our customers to consider).
- How much of our data should we aim to automatically extract and load into StratexPoint from Line of Business (LOB) systems, versus manually updating data?
- Which data should we automate, and which should we enter manually?
The simple answer is that as much data as possible should be extracted automatically from Line of Business and/or data warehouse repositories and loaded into StratexPoint, to minimise the cost and time of periodically updating items within your framework.
However, the real answer is a little more involved.
Whilst the general approach should be to automate as many data extracts and updates as possible, the items with the highest level of data automation are typically indicators: as a general rule of thumb, you can expect to automate the extraction and loading of up to 80% of your indicators. Indicators are relatively easy to automate because they are often derived from underlying business data that is routinely captured in an existing LOB system or data warehouse.
When deploying StratexPoint there are always data sets making up the strategic management and/or risk management framework which are normally only held in ad hoc spreadsheets. Equally, information such as organisational structure and related accountabilities is often held in spreadsheets or Word documents rather than LOB systems. This framework and accountabilities data must be entered or imported manually and then maintained. Typically, StratexPoint becomes the system of record for this type of data.
There are many item types within StratexPoint which are typically updated manually, again because the underlying data is not held within LOB systems. These include risks, which are assessed using a qualitative, expert-led risk assessment; controls, whose effectiveness is manually assessed or where control testing results are added; and Initiatives, Actions, Audit Actions, Issues and Audit Issues, which all have a % Complete status that is typically updated manually. This data often does not reside in any LOB system, and with StratexPoint in place, StratexPoint becomes the system of record for it.
In addition to extracting and automating the load of data into StratexPoint, data can be extracted from StratexPoint and loaded automatically into other systems. An example from a recent customer project was to use StratexPoint to capture and hold initiative status, initiative risk and control effectiveness data which is periodically extracted and automatically loaded into a corporate project management tool. In this case, StratexPoint provided an integrated suite of management reporting to senior management and the board who wanted to see strategic, operational process and initiative related status, risk and control assessment information within their reporting pack. By sending data back to the corporate project management tool, it also provided initiative status, initiative risk and control effectiveness information back to programme and project managers which enabled them to more effectively execute their individual project plans.
In another project example, StratexPoint was used to capture risk and control assessment data which was then aggregated as business unit level summaries which were automatically sent, at the end of the month, to the corporate data warehouse, enriching the available data for operational reporting.
As a closing recommendation, automate as many data updates as possible, leveraging existing LOB systems and/or data warehouses. For data which is currently captured in ad hoc spreadsheets or other office documents, and not in a LOB system, capture this data manually in StratexPoint and make it the system of record for this data going forward. And finally, consider how data captured and generated within StratexPoint can be leveraged to enrich operational data warehouses.
This should prompt firms to look at the effectiveness and efficiency of their current Compliance and Operational Risk Management activities.
Effectiveness is about doing the right things to complete activities and achieve objectives, whereas efficiency is about doing things in the right or most optimal way, for example the fastest or least expensive way.
"Openness and accountability matter at every level" - Financial Reporting Council, Corporate Culture and the Role of Boards, July 2016
Many firms find it difficult to create a culture of openness and accountability, as suggested by the Financial Reporting Council in their recent report, Corporate Culture and the Role of Boards, published in July 2016. Below are three things to do today that can improve accountabilities within your organisation:
1. Cut through complex organisational structures by embedding RACI within your organisational culture.
Too often, the organisational structure gets in the way of embedding openness and accountability within organisational cultures; this is particularly true of matrix organisations or where the structure has evolved over time (reflecting the political and power structures at the time). One of the best tools to cut through this ‘organisational complexity’ is the RACI model (known by various other names, including Responsibility Assignment Matrix - https://en.wikipedia.org/wiki/Responsibility_assignment_matrix). Experience shows that implementing the RACI model, either on its own or as part of an organisational change project, can significantly improve clarity around organisational decision-making and action-taking. Additionally, as many people are in roles with multiple reporting lines, the RACI model not only provides clarity but is also a great tool for managing up and down.
2. Stop measuring indicators (KPIs, KRIs and KCIs) using RAG – use RAGAR instead
The mantra “Measure what matters” is often preached but less often practised. The quality of indicators in use in many firms is poor, with typical problems including (but not limited to) a lack of balance between financial and non-financial indicators, a lack of balance between leading and lagging indicators, and poor overall definition of indicators. This lack of quality results in poor management conversations focused on a small number of easy-to-measure, often financial, measures, which promotes, encourages and rewards short-term target chasing with an emphasis on getting all indicators on the dashboard green. Measuring using a RAG (Red, Amber, Green) approach is part of the problem. Instead, use a RAGAR (Red, Amber, Green, Amber, Red) approach, as per http://tinyurl.com/j27embg
This type of measurement is slightly more challenging to define, but the resulting improvement in management conversations, decision-making and action-taking means the investment is worth it. RAGAR reduces ‘target chasing’ and promotes a culture where people operate within known and clear boundaries.
3. Use Action Registers and Checklists
One of the often neglected aspects of embedding a culture of accountability is managing the actual doing and follow-through. Re-designing an organisational chart with names in each box is relatively simple and can improve decision-making, but it doesn’t fully address the follow-through – making sure that when people are busy day-to-day, agreed actions are completed on a timely basis. For regular, recurring actions that are designed to ‘run the firm’, checklists can be a powerful tool for ensuring that the recurring actions are completed in the right sequence. For ‘one-off’ actions, those that are designed to ‘change the firm’, action registers with due dates are powerful drivers of change, and contribute to improving the quality of management conversations and accountabilities within the firm. Further improvement comes from overlaying the RACI model onto your action registers and checklists, to ensure everyone knows what they should be doing and by when, and from using a RAGAR-based dashboard to visualise them.
"Risk taking is a fundamental part of growing a successful business and companies should not seek to eliminate risk. They [Boards] should be ensuring that their approach to risk taking – their risk appetite – is aligned to their values and an intrinsic part of their culture." - Financial Reporting Council, Corporate Culture and the Role of Boards, July 2016
Our new address is
33 Cannon Street, London EC4M
Understanding the Copy & Move webpart
This presentation is part of the StratexPoint How-to series to help customers, partners and prospects to understand the StratexPoint Integrated GRC solution.
The next StratexPoint User Group meeting will be held at 15:00 on 15 September 2016 and is being kindly hosted by Artemis Asset Management Limited.
The meeting will start at 15:00 on 15 September 2016.
1 AUGUST, 2016 – FOR IMMEDIATE RELEASE
Ascendore: the new name for StratexSystems
It's an exciting time for the provider of Integrated GRC software as the company embarks on a new chapter in its history
StratexSystems is rebranding. As of today the Governance, Risk and Compliance (GRC) software provider will be known as Ascendore.
There’s one question everyone asks us: “Why did you build your GRC application on SharePoint?”
It’s a great question and one of my pet subjects. I love answering it.
We’ve even produced a white paper on the topic. But if digesting white papers is not your thing, read on…
1 June 2016 – FOR IMMEDIATE RELEASE
StratexSystems unveils new R&D centre in Seville
Nearshore operation will complement the work of the London team and bring benefits in cost and time to market for the provider of SharePoint-based Enterprise Governance, Risk and Compliance (GRC) software
StratexSystems today announces the opening of a branch office in Seville, Spain. A major new initiative, it will operate primarily as a research and development facility, and support a wide range of activity across the company's global customer base.
How would you define culture? Many definitions include the words: attitudes, customs, beliefs, goals, values or behaviours, particular to a group of people or a community.
In the context of a firm, culture often gets segmented into different aspects depending on the topic in hand, e.g. ‘customer service culture’, ‘quality culture’, ‘risk culture’, ‘reward culture’, ‘change culture’, ‘empowerment culture’… the list goes on.
If you are a Senior Manager in a bank you now have the added incentive of the Senior Managers Regime (SMR) to make sure your decisions are the best they can be.
In October last year the FCA changed its approach regarding the contentious ‘burden of proof’, but the new criminal offence relating to ‘a decision causing a financial institution to fail’ still became law.
In the last 12-18 months, in the lead-up to the introduction of the Senior Managers and Certification Regime, one of the most talked-about topics has been individual accountability. Creating clarity of accountabilities is critical for the success of any organisation.
In light of the SMR and an industry-wide focus on individual accountability, I wonder if now is the right time to propose that as an industry (Financial Services) and as a profession (Risk Management) we agree to kill off the artificial construct that is the Three Lines of Defence model.
On Monday 7 March 2016 the Senior Managers Regime (SMR) and Certification Regime (CR) came into force. The first swathe of firms in the regime have invested time and effort into meeting the new regulation, but in the eyes of the public, what has changed? At the moment, very little, as the consequences of SMR will be realised over the coming months and years as we see how the regulators enforce the regime.
Just days ahead of the introduction of the Senior Managers' Regime (SMR) and Certification Regime (CR), Standard Chartered appear to be as focused on Individual Accountability as the PRA & FCA.
On the back of a poor set of results at the tail end of an aggressive growth strategy by its former CEO, Peter Sands, the FT reports that “accountability reviews” have been established “to investigate if bonuses can be recouped from any people found to be responsible for compliance and risk-management breaches”.
Within a few short weeks the UK Financial Services industry will see a new era of individual accountability and responsibility unfold with the Senior Managers Regime coming into effect on 7 March 2016.
Developed in the wake of the 2008 credit crisis on the recommendation of the independent Parliamentary Commission on Banking Standards (PCBS), the Senior Managers' Regime (SMR) and Certification Regime (CR) is
Citi was in the headlines this weekend for taking a stance on the ‘tough new banker accountability rules’. The FT reported that Jim Cowles, Citi’s EMEA chief executive, believes that the Senior Managers Regime should be applied to the individuals that specifically run European or EMEA business functions, not necessarily the global heads even though they may be based in London.
The details of Citi’s stance are not public, but it is important to notice the distinction made by Mr Cowles and in the FT’s lead, i.e. his specific reference to the Senior Managers Regime rather than the broader individual accountability regime, which also includes the Certification Regime and Code of Conduct (COCON).
In short, you are in the Senior Managers Regime if you perform a Senior Management Function; therefore it appears that Citi’s aim is to avoid placing global heads in Senior Management Functions, even though SMF6 (Head of key business area) and SMF18 (Other Overall Responsibility) might be considered appropriate.
From a macro perspective, the banking business can be described as managing risk to an acceptable level in order to achieve the strategic business goals. The goals are typically profit and growth, often wrapped up with lots of words about customer service and ethical operations. Citi give some insight into their strategy on their Citi at a Glance webpage, where they say:
‘Citi and its management team continue to make steady progress toward the successful execution of its strategy, which is to
- Enhance its position as a leading global bank for both institutions and individuals, by building on its unique global network, deep emerging markets expertise, client relationships and product expertise;
- Position Citi to seize the opportunities provided by current trends (globalization, digitization and urbanization) for the benefit of clients;
- Further its commitment to responsible finance;
- Strengthen Citi's performance, including gaining market share with clients, making Citi more efficient and productive, and building upon its history of innovation; and
- Wind down Citi Holdings as soon as practicable, in an economically rational manner.’
Clearly, strategy is set at a global level, presumably with input from global heads. There is little doubt that these strategic goals will cascade down and become more specific objectives for the individuals that manage the risk day to day.
The question is: once these objectives are set, do those global heads allow executive autonomy on risk decisions at regional level?
This is a question that the regulators must be considering before approving Citi’s Senior Management Functions. The onus will sit with Citi to demonstrate at which level decision-making takes place and by whom, creating an even greater need to accurately capture and record the details that will satisfy the regulators now and in the future.
If the regulator does allow Citi to proceed with their approach, it doesn’t mean global heads are off the hook, as the Code of Conduct extends to all employees, and those people who manage individuals within the Certification Regime are also considered to be within the Certification Regime.
If you have a subscription to the FT, the full article ‘Citi’s top bankers could avoid UK rules’ can be found here.