In Part 1 of our Risk Register series, we looked at operational risk and resilience and the responsibilities of individuals within a firm to manage these. Part 2 took a closer look at building a risk register, specifically, the control framework and how it works to mitigate risks. Part 3 concludes the series by looking at how the data generated from the risk register can be used with the help of technology to provide a more reliable, accurate and efficient risk management programme.
Spreadsheets vs RegTech
A question we are often asked is, why move away from spreadsheets? To answer this fully warrants an exploration into the common risk management problems we have identified when managing risk using spreadsheets at the heart of the framework:
- It is difficult to disseminate responsibility when working from one spreadsheet;
- As a result, risk management often sits in one department and fails to become a firm-wide responsibility;
- Spreadsheets soon become out of date with unreliable and stale date and version control;
- There is no clear ownership of risks or controls;
- There is no clear financial value of risk exposure;
- Evidencing a working risk management system to regulators becomes difficult;
- It is time consuming to prepare good quality reporting to Boards of Directors and their Committies; and
- There is a lack of engagement amongst the business controlers.
In addition to these points there is the challenge of the ever changing regulatory environment and new unkowns, like Covid-19. So it soon becomes apparent that firms with manual risk management processes are unable to remain efficient, causing risk management frameworks to quickly become out of date, or even fail.
Our knowledge and experience within risk management has seen huge value in the efforts made by firms that have moved away from spreadsheets. The time saved from managing laborious manual processes, combined with the reliable and immediate output software can provide means that risk management can be used to drive the growth of the business instead of being seen as a hurdle. This is a key turning point for firms as executives begin to rely on the information presented to them and use the technology to help achieve the firm’s goals.
The benefits we have seen in firms who have transitioned into the world of RegTech are far reaching:
- Clearer ownership and reporting lines;
- Monetary valuations of risks;
- Near-time monitoring of controls;
- Scalability, allowing risk departments to grow with the business;
- Centralised data, even when reporting to multiple regulators;
- Evidencing robust risk management programmes;
- Real-time high level analytics to help informed decision making;
- Compliance with SMCR requirements; and
- Effective reporting of management information to Boards of Directors.
Compliance teams are able to easily identify regulatory risks and controls, track material events and financial losses, using technology to evidence attestations and adherence.
Senior Managers who now have the added increased personal liability burden as set out in the Senior Managers and Certification Regime especially benefit. They can more easily evidence their reasonable steps with regards to the efforts made to prevent incidents from occurring. More importantly, managers have assurance they will be better informed when an incident has occurred allowing them to quickly respond and put in place preventative measures.
The Executive Team and Board of Directors also benefit as the data reported to them is more reliable and up to date as it is generated from a centralised source, prepared by consistent methodology. This allows for more robust and easily auditable governance and oversight, resulting in better high level decision making.
The advantage of using technology for managing risk means the process becomes firm wide with clear ownership and delegated responsibilities whereby the control processes become part of the day-to-day activities of the business rather than one-off reviews.
This change in culture essentially frees up the firm’s finite resources to start looking ahead at emerging risks. Data from past events can be used to analyse trends and identify key risk indicators and Key Performance Indicators. By linking incidents and breaches to risks and controls and then merging them with compliance activities, a user can create a personalised dashboard which makes reporting quick and easy with customised approval workflows and attestations.
Working in an environment where regulatory changes and external factors can have an immediate and detrimental impact on a firm, it is more important than ever to consider automating manual processes, eliminating working in silos and using risk management to drive and not hinder business growth.
Help and advice
If you would like more information on any of the above, please do not hesitate to contact us.