“We have 285 risks and over 875 controls within our risk and controls framework...reporting anything sensible and meaningful on a monthly basis is a real struggle. Given the technology we use (spreadsheets and PowerPoint), the effort required to ‘hand crank’ the reporting pack production and the effort required to chase people across the business for data, the executive team receive the monthly report roughly six weeks after the end of the month. As the bank’s IT function, you would think we could do a lot better.”

Sound familiar?

“We are really happy with our management reporting. At the end of day 5 in the month, the executive team receives a monthly executive report with a personalised ‘slice’ of that report based on their accountability with the RACI. This personalised ‘slice’ of the executive report is more detailed than the main pack, highlights current and emerging issues to be discussed, and means everyone turns up to the monthly executive meeting well prepared and ready to go. The days where we spend half the meeting arguing about the numbers and reporting format are gone. 

The process is so slick with executive team reporting that it has driven a complete change in reporting, meeting and decision-making culture across IT. Amazingly, we now have our entire business plan captured in our ‘risk and controls framework’ - we have more risks, controls, indicators and actions, but the data is organised and we are able to use this data properly, to generate insights that support decision making. Almost as a side issue, we are now able to engage more effectively with other stakeholders, such as the wider business and our various regulators.”

Does that sound familiar?

What is the difference between these two scenarios? Approximately nine months and some hard work!

The two statements above reflect the change executed within the IT Division of a global Investment Bank spread over 40-plus locations worldwide, with an executive leadership team of 12 people and more than 700 employees.

So, what was the key factor that drove this transformation?

If one thing was critical, it was the decision that, rather than organising risk and controls data around a Basel-style risk taxonomy (an approach that had been pursued for almost two years with little real progress), IT performance, risk and controls data would be organised around a management information taxonomy: one designed around the management information and decision-making needs of IT management at all levels, rather than designed to tick regulatory boxes.

However, because the IT division is part of a regulated firm, it was noted that organising data around a risk taxonomy was regarded as best practice and as a minimum requirement by various regulators. The management information taxonomy was therefore designed so that a Basel II-style risk taxonomy became simply a subset of the overall management information taxonomy.

Using this management information taxonomy, a ‘golden source’ of IT-related management data, covering performance, risk, compliance, quality and accountability data, was created, supported by simple processes and technology for the ongoing updating and maintenance of both the taxonomy and the golden source itself.

With a clear management information taxonomy (with the risk taxonomy as a subset) and a golden source of data in place, the data could be ‘sliced’ to meet the information needs of the various stakeholders: primarily the IT executive team and the other management teams within IT, and secondarily ‘external’ stakeholders such as the corporate management board and the various global regulators.

By making the risk taxonomy a subset of an overall management information taxonomy, and supporting it with common information standards, a common framework and common technology, this firm was able to execute a management information reporting and IT risk and controls transformation that was delivered quickly, created buy-in at all levels of the IT division and externally, and created significant value for both the IT division and its external stakeholders, specifically the corporate management board and the various global regulators.