Author: Richard Pike, Non Executive Director, Permanent TSB
“Without data you’re just another person with an opinion” W Edwards Deming, Data Scientist
“Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients”
This is a very true statement; however, it can equally be said that too much data with too few opinions is just as ineffectual. Therefore the balance between too much and too little data is a key one in ensuring the good governance of firms. The area of non financial risk is one that presents some of the greatest challenges where this problem is concerned.
In any medium to large financial organisation the amount of data that senior executives have to understand, in order to manage the non financial risk, is becoming a major risk in itself. Hundreds of pages in preparation for meetings are not uncommon and one’s ability to ‘see the wood from the trees’ is greatly impaired.
So your governance of non financial risk needs to be focused on those items that represent the most risk to your firm.
Governance of financial firms has undergone a major upheaval in the last few years.
Countless reports, reviews, guidelines, codes and regulations have been produced and most firms have made large leaps forward in their governance practices.
In the case of non financial risk, senior executives are struggling to understand what is the relevant information at a point in time. This is a key determinant in enabling them to govern effectively.
One of the reasons for the recent emergence of large non financial risk reporting packs is the very reasonable requirement of regulators to be able to ‘look over the shoulders’ of the risk executives. In the past senior executives were guilty of assuming that what they were presented with was correct and not effectively challenging the data. So, when you challenge a one page overview of a risk or opportunity, the non financial risk executive’s gut reaction is often to present you with all of the facts devoid of any summary or conclusion.
There are currently five major problems causing this to be very difficult to achieve in a medium or large financial institution:
- The Goldilocks Problem: Too much or too little information in reports and board packs
- The Basis Problem: Data is often presented in different bases e.g. qualitative (traffic lights, number of issues), quantitative (VaR, days survival, duration)
- The Interdependencies Problem: The recording and visualisation of relationships between different entities and risks is not possible in current systems.
- The Taxonomies Problem: Non financial risk is riddled with too many differing taxonomies (Basel Op Risk Types, Compliance categories, IT Risk categories, etc). These taxonomies are confusing and are often not mutually exclusive.
- The Line Of Sight Problem: Data is not aggregated in a cohesive and structured manner, so hindering line of sight into the business
Senior executives need to push back hard if they see this ‘dumping’ of management data on them. Not only does this create a huge reading and understanding overhead but also more importantly it adds to their personal risk. If you have been presented with the data then the regulator may assume that you have understood the relevance and consequences therein.
So what might a good non-financial risk pack look like?
There are essentially two types of information in a reporting pack:
1. Information concerning the status of ongoing operations, risks and projects within the firm
For the first type of information it is vital that this is placed in context. There is no point in showing the level of ATM uptime as 98.78 if you don’t also explain what the expected value is, what the trend is and what, if any, impact this has had on customers. So what context is relevant? At senior executive level the context must be the strategy and risk appetite of the firm. If a piece of information cannot be put into one of these contexts then it may not deserve to be in a status information pack.
Once the executives have the context for the status updates they can focus on those items that seem to be out of kilter with the expected values and spend time discussing items that show the business is running off course regarding strategy or risk appetite.
2. Information concerning new initiatives that the management wants to undertake or the results of which they want to share with the board
Regarding information about initiatives, the problem is a different one. Too little information risks the ‘have to look over their shoulder’ challenge and too much information makes it nearly impossible to have a structured debate and make a decision. A middle ground is where the risk team is required to present a set of options, and the supporting data, to the executives. The Operational Risk team will indeed have a preferred option but the challenge of providing multiple other reasonable options will present the senior executives with enough information to have a challenging debate.
The field of non financial risk has come a long way in terms of its frameworks and ability to record data. The next serious challenge is to represent that data effectively and to be able to communicate the results of data collection and analysis in a manner that gets the point across so that executives see the benefits that are being delivered for the firm.
In order to ensure the above, non financial reports need to always be set in the context of the risk appetite or the strategic goals and objectives of the firms. Also, where a course of action is presented it needs to be accompanied by other choices so that the senior executives have clear options. Better non financial risk reporting and communication leads to better overall non financial risk at your firm!
You can hear more from Richard Pike at the New Generation Operational Risk: Europe Summit taking place in London 14-15 March 2017, where he will join a speaker line-up of more than 20 senior operational risk professionals. For more details and information on how to register for the operational risk management conference, you can contact email@example.com or call +44 (0) 207 164 6582.