Interview with Marsha Hopwood, Director, Operational Risk Management and Risk Governance, Allianz Life
New rules and regulations have proliferated across the financial sector, with no end in sight. Together with fast-paced technology change that stirs more competitive pressure than ever, this makes it essential for banks and financial institutions to instill sound management that properly oversees and controls heightened risks.
Marsha Hopwood, Director, Operational Risk Management and Risk Governance at Allianz Life, recently shared with marcus evans how to establish an integrated risk assessment and control framework:
How does an integrated and streamlined risk assessment approach affect control testing?
MH: We have integrated and streamlined our risk assessment and control testing activities across the organization, especially with the 2nd and 3rd lines of defense, including Risk Management, Compliance, Business Continuity, and Internal Audit. We established one risk assessment methodology and control testing approach that is primarily used by the 2nd line of defense. The integration has enabled management to improve productivity by reducing duplication of effort and minimizing disruption to the 1st line of defense (or front line management) since we perform risk and control activities in a more coordinated fashion.
Additionally, we are able to leverage work performed by various assessor groups, such as Compliance, Risk Management, Business Continuity, and Internal Audit, since we all perform these activities similarly across the organization. Overall, by integrating and streamlining risk and control activities, we are able to increase productivity, better prioritize and allocate resources accordingly, and focus on more value-added activities.
What are the difficulties with aligning risk and control activities to an industry conceptual framework?
MH: There are several industry frameworks that are used to assist in managing risk and control activities, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO), International Organization for Standardization (ISO), and Control Objectives for Information and Related Technology (COBIT). For our risk and control self-assessment activities, we enhanced our alignment to the COSO Framework given some recent regulatory requirements, and we believe the framework is comprehensive in assisting effective management of risks within our organization. Compliance with the framework is an ongoing process requiring resources to maintain and enhance a strong risk and control culture and educate key stakeholders.
Some of the adjustments we made to better align to the framework were ensuring transparency with how the risk and control activities assisted in achieving various business objectives (e.g. improve profitability, promote operational excellence, protect the reputation of the company, etc.) and establishing one common organizational view of the company to determine coverage of such activities. The most significant challenges of the project were to gain buy-in from key stakeholders on our overall approach and to secure funding for acquiring a GRC tool to automate and streamline the process.
What GRC tools are available to companies to help build cross-departmental transparency?
MH: This is a great question since there are many options available for management to choose from within the marketplace. GRC tools have similar functionalities, but some may be very robust while others are more flexible and streamlined. Therefore, it is important to select the right tool for your business.
We categorized the tools into three buckets: (1) Fully loaded tools (or the “Cadillac” options), (2) Mid-range tools, and (3) the Lite tools. The three buckets also significantly vary in price, ranging from $30K to >$1M. A great source to research GRC tools is the Gartner website. Gartner is a leading information technology research and advisory company that provides GRC analysis periodically. Some popular GRC tools that are considered the “Cadillac” option are IBM Open Pages and RSA Archer. We had an appetite for the mid-range tools and, therefore, selected an in-house enterprise platform that also had a GRC module. We primarily selected the tool since it is flexible and has customizable functionalities that would adapt and adjust to our evolving integrated approach.
What strategies have you used for developing a Risk Appetite Framework?
MH: We define the Risk Appetite from both a quantitative and qualitative perspective for the company. The quantitative risk appetite is primarily focused on capital ratios, credit limits, financial limits, and market limits. Breaches to the set ratios and/or limits require specific actions by management to execute business transactions within the established risk appetite. The Risk Committee establishes the qualitative risk appetite by assigning all top risks for the company a target risk rating of low, medium or high. Therefore, the actual risk rating is compared to the target risk rating and if greater, then management develops action plans to align actual risk rating to the target risk rating. Within the RCSA program, a risk response of “accept”, “mitigate”, “avoid”, or “transfer” is identified for each risk assessment.
How do you go about scoring risk and developing metrics to test against your Risk Appetite Statement?
MH: We score risks by using frequency times impact severity (we select the higher score between financial and reputational impact scores). The actual risk score is then compared to the target risk rating (or the qualitative risk appetite). If the actual risk score is greater than the target risk score, then management will need to develop actions to bring the actual risk score down to the target risk score.
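The scoring rule described above, worked through as an added example (not Allianz Life's tooling or the interviewee's code). The 1-5 scales, the low/medium/high band thresholds and the sample risk register are constructed assumptions, since the interview does not give them:

```python
# Added illustration of the RCSA scoring described in the interview.
# Assumptions: frequency and each impact are scored 1-5 (product 1-25);
# band thresholds and the sample register are constructed, not real data.
from dataclasses import dataclass

RATING_BANDS = [(8, "low"), (15, "medium"), (25, "high")]  # assumed upper bounds
RANK = {"low": 0, "medium": 1, "high": 2}
RESPONSES = {"accept", "mitigate", "avoid", "transfer"}    # from the interview


@dataclass
class RiskAssessment:
    name: str
    frequency: int
    financial_impact: int
    reputational_impact: int
    target_rating: str  # qualitative appetite set by the Risk Committee
    response: str       # risk response chosen in the RCSA program

    def __post_init__(self):
        if self.response not in RESPONSES or self.target_rating not in RANK:
            raise ValueError(f"invalid response/target for {self.name}")


def risk_score(a):
    # frequency times the higher of the financial and reputational impacts
    return a.frequency * max(a.financial_impact, a.reputational_impact)


def rating_for(score):
    # map the numeric score onto the low/medium/high scale used for targets
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside assumed 1-25 scale")


def needs_action(a):
    # an action plan is required only when actual exceeds target
    return RANK[rating_for(risk_score(a))] > RANK[a.target_rating]


def action_plan_report(assessments):
    # (name, actual rating, target rating, response) for every breach
    return [(a.name, rating_for(risk_score(a)), a.target_rating, a.response)
            for a in assessments if needs_action(a)]


# Constructed sample register (not real Allianz Life data)
SAMPLE_REGISTER = [
    RiskAssessment("Payment processing outage", 3, 4, 5, "low", "mitigate"),
    RiskAssessment("Vendor data handling", 2, 2, 3, "medium", "transfer"),
    RiskAssessment("Model input error", 4, 5, 3, "high", "accept"),
]

if __name__ == "__main__":
    for row in action_plan_report(SAMPLE_REGISTER):
        print(row)
```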
Join Marsha at the 2nd Annual Operational & Information Risk Management for Banks & Financial Services Conference, September 21-22, 2016 in New York, NY. View the conference agenda to check out Marsha’s case study topic. For more information, please contact Tyler Kelch, Digital Marketing Manager, marcus evans at 312.894.6310 or Tylerke@marcusevansch.com.
About marcus evans
marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche-focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.