.png)
How many ERM softwares do you have, if any at all? To use an analogy: the larger the organisation, the bigger the "spaghetti plate."
Governance, Risk, and Compliance (GRC) systems and data are hot topics in many organisations. From fragmented data and limited visibility to inefficient processes and compliance issues, the lack of a cohesive data and system architecture strategy and target blueprint can severely hinder an organisation's ability to manage risk effectively. It can also turn out to be extremely expensive to maintain.
This article explores these challenges and highlights how technology, particularly Enterprise Risk Management (ERM) and GRC systems, can significantly enhance risk management processes and outcomes. For this article, ERM and GRC will be used interchangeably.
Why do you need a ERM software and data architecture blueprint?
ERM frameworks can generate massive amount of data and for certain functions like stress-testing might also require significant computing power.
Moreover, and especially for smaller organisations, it can be really tempted to go full-blown unstructured Microsoft XLS or Access or equivalent. Without clarity on what you need and what you can realistically afford, you are likely to face several potentially costly challenges:
Issues do not get escalated to the right person promptly. Occasionally, an executive informs a subordinate about an incident in their area, catching them off-guard. In other situations, many people request updates, resulting in material overwork for the affected team.
You receive conflicting and duplicative risk reports and insights. As a result, you do not know what decision to make.
Your team cannot provide you with a data-backed, holistic risk profile. Fragmented systems make it difficult to aggregate risk data comprehensively, impeding a holistic view across your organisation.
You don’t know if your risk, compliance, and business frameworks adhere to regulatory requirements.
Nothing gets documented. If you operate in a non-regulated sector, that might be okay. However, in regulated sectors like financial services, charity, and healthcare, undocumented information is non-existent. It is unlikely you can sustain any in-depth regulatory review.
The cost of your risk and compliance architecture is substantial. Maintaining multiple disparate and legacy systems is often more costly than a centralised solution.
Your teams fix the same problems in multiple ways resulting in inconsistent application of risk controls and potential oversight of significant risks.
You did not see a major market shift coming, as you lack the capabilities to identify and respond to emerging risks promptly.
This list is by no means exhaustive. But if you are facing any of these situations, you would benefit from urgently reviewing your ERM data and system architecture.
Need some help? Don’t hesitate to reach out to Aevitium LTD and we will help you to disentangle the “spaghetti plan” and transform ERM system and data architecture.
What is the business case for an ERM system?
Naturally, implementing an enterprise risk management system is a strategic investment that can significantly enhance an organisation's ability to manage risks, improve decision-making, and ensure regulatory compliance.
So, when considering such an investment, set the boundaries of what it does in relation to your existing business architecture and the interoperability of the various environments.
For example, a small organisation might decide to use something as simple as the platform GOAT. It has the bare minimum of functionality, it is very cheap and intuitive to use. It can also scale up. This will keep your environment manageable while addressing some of the pain points listed above.
You can also opt for a combination of systems, such as Murex for your trading activities and market risks, ServiceNow or CoreStream for your non-financial risks and audits, Nagomi Security to your Cyber monitoring, etc. These platforms, either individually or in combination, might be necessary for large and complex organisations.
Ultimately, it starts with framing the problem(s) you need to fix and aligning the system and data architecture to your needs. You want to create a proactive, resilient, strategically aligned environment that can grow with you. Equally important, it's crucial to avoid or remove existing duplications, where possible, which can cause significant harm and is unfortunately a common practice in large financial institutions.
Want to learn more about Enterprise Risk Management? Discover our detailed resource page covering all the key ERM components.
What are the core components of an ERM system and its data architecture?
Depending on what your organisation does and its size and complexity, you might need to factor in a multi-layered approach to cater for many different risk types. Or a single system might suffice. Despite the practicality of managing different types of risks, you should consider the following core components, which we co-created with Chat-GPT.
1. Risk Identification and Assessment / Measurement
Risk Register: A centralised repository for all identified risks, including detailed descriptions, potential impact, likelihood, and risk owners.
Risk Assessment Tools: Tools and methodologies for assessing and quantifying risks, such as risk matrices, heat maps, and risk scoring models (Value-at-Risk VaR models, credit scoring, liquidity stress testing, PESTLE analysis, etc.)
2. Risk Monitoring and Reporting
Dashboards and Visualisation: Interactive dashboards that provide real-time visualisation of risk data, enabling quick insights and decision-making.
Automated Reporting: Scheduled and ad-hoc reporting capabilities that generate comprehensive risk reports for different stakeholders.
3. Risk Mitigation and Control
Control Framework: A structured framework for implementing and monitoring risk controls, including preventive, detective, and corrective controls.
Action Plans: Detailed action plans for mitigating identified risks (e.g. hedging strategies, standard operating procedures or SOPs), including assigned responsibilities and timelines.
4. Incident Management
Incident Reporting: Tools for reporting and logging incidents as they occur, including detailed incident descriptions and impact assessments.
Incident Response Plans: Predefined plans for responding to different types of incidents, including communication protocols and recovery steps.
5. Compliance Management
Regulatory Database: A repository of relevant regulations and compliance requirements specific to the organisation’s industry and geography.
Compliance Tracking: Tools for tracking compliance activities, including audits, assessments, and remediation efforts.
6. Data Integration and Management
Data Repository: A centralised data warehouse for storing all risk-related data, as well as an ETL (extract, transform, load) tool to ensure data consistency and accessibility.
Data Integration Tools: Tools for integrating data from various sources, including internal systems, external databases, real-time data feeds (e.g., Reuters or Bloomberg market risk data), and third-party services.
Data Quality Management: Processes and tools for ensuring data accuracy, completeness, and timeliness.
7. Advanced Analytics and Reporting
Predictive Analytics: Advanced analytics capabilities, including machine learning and AI, to predict potential risks based on historical data and trends.
Scenario Analysis and Stress Testing: Tools for conducting scenario analysis and stress testing to evaluate the impact of different risk scenarios on the organisation.
8. User Access and Security
Access Controls: Role-based access controls ensure that users have appropriate permissions based on their roles and responsibilities.
Security Measures: To protect sensitive risk data, robust security measures such as encryption, authentication, and intrusion detection are required.
9. Integration with Other Systems
APIs and Connectors: Application programming interfaces (APIs) and connectors for seamless integration with other enterprise systems, such as ERP, CRM, and HR systems.
Interoperability Standards: Adherence to industry standards for data exchange and system interoperability.
10. Continuous Improvement and Feedback
Performance Metrics: To monitor the effectiveness of the ERM system.
Feedback Mechanisms: Channels for users to provide feedback and suggest improvements to the system.
Regular Updates: Processes for regularly updating the system to incorporate new features, address emerging risks, and adapt to changing business needs.
What is an ERM System and Data Architecture Blueprint?
An Enterprise Risk Management (ERM) system and data architecture blueprint is a comprehensive framework that outlines how your organisation will manage its risks through integrated systems and structured data management.
This blueprint functions as a strategic roadmap for the effective implementation of an ERM system, guaranteeing the alignment of all risk management processes with the organisation's objectives and the efficient collection, processing, and utilisation of data.
Here are the key components of your architectural blueprint:
Vision and Objectives: Define the ERM system's overarching purpose and objectives in alignment with your organisation's strategic goals and risk strategy. This includes what the organisation aims to achieve, such as enhanced risk visibility, improved decision-making, regulatory compliance, and operational efficiency.
Scope and Boundaries: Specify the types of risks that the ERM architecture will address, such as operational, financial, strategic, and compliance risks. Furthermore, it's crucial to pinpoint the departments and processes that the ERM system will incorporate, including stress testing, liquidity management, and risk measurement. To prevent scope creep, you need to clearly define what the ERM system will and will not cover.
Risk Management Framework: Outline methods and tools for managing through the cycle, including risk identification, risk assessment, risk mitigation and management, and risk monitoring.
Data Management: Identify sources of risk data and methods for collecting and validating it. Next, contemplate the integration of data from diverse sources into a centralised data repository, like a data lake. Establishing standards and processes for ensuring data accuracy, completeness, and timeliness is crucial, particularly for financial purposes in the context of BCBS 239 on Risk Data Aggregation. Finally, your data needs to be secured, and you will have to implement role-based access controls and data security measures to protect sensitive information.
Technology and Tools: Select the ERM software and tools you will be using for risk management, including the features and capabilities required. Gartner and/or specialist risk consulting can provide an overview of the best platforms available. Then, to complete your architecture, you will have to describe the tools and technologies needed to integrate the ERM system with existing enterprise systems (e.g., ERP, CRM, and APIs). Finally, and crucially, given the multitude of tools out there and the inherent weaknesses of many GRC solutions, your team will need to outline the use of predictive analytics, machine learning, and other advanced tools for enhanced risk analysis.
Governance and Oversight: A robust risk governance structure, which defines the roles and responsibilities of individuals and committees involved in risk management, must support your risk management. Governance also includes policies and procedures governing risk management activities. Finally, you will have to establish mechanisms for ensuring compliance with regulatory requirements and conducting internal audits.
You have now defined your blueprint, and you need to implement it. The execution could typically form part of a larger risk transformation programme, depending on the breadth of changes considered. As for any transformation or change initiative, you will develop a phased implementation plan, preferably starting with a pilot phase and gradually rolling out the ERM system across the organisation. Your employees will need to be educated and trained, as well as supported before, during, and after the rollout of the target blueprint.
Addressing the “spaghetti plate” is difficult and, at times, can feel like just managing a series of issues. But ultimately, a well-thought-out ERM system and data architecture are vital for overcoming the challenges of fragmented data, limited visibility, and inefficient processes in risk management. By simplifying and potentially centralising risk data, enhancing analytics, improving communication, and ensuring compliance, such an integrated blueprint can significantly improve the efficiency and effectiveness of risk management processes and materially contribute to your bottom line.