Enterprise Risk Management: How to Get There

Clients: Fusion Risk Management and Salesforce (Lightning Platform and Einstein).

First Published on TabbForum, September 25, 2019


This post is the third in a series that includes “Operational Risk Management is Exciting!” and “Unified Risk Management Is Absolutely Achievable.” It continues the story with how an organization can go to the next level in developing a proactive enterprise risk management program. It narrates how a solution that was implemented by one risk group can be scaled to others, and it provides an example of how artificial intelligence can be applied.

Eight-year-old Bobby was boasting to his classmates that his mom, an operational risk manager, has the most exciting job ever. Based on the career day presentation she gave last month, his classmates tended to agree, but some were upset that their firefighter, rocket scientist, and rock star parents weren’t getting enough attention. Bobby’s mom explained to him that every parent’s job is important and, although he dialed down the braggadocio, Bobby remains unconvinced.

Bobby should be proud of his mom, especially after she and her team got promoted. The work they did to transition from a reactive operational risk management program to a proactive one got a lot of attention from executive management after they crushed a surprise audit review from their regulator, who then congratulated them for their effective and practical use of artificial intelligence (AI).

Acknowledge the Problem

Soon after, Bobby’s mom was asked to chair a working group with a mandate to establish a unified enterprise-wide risk management program. Her first action was to get the stakeholders to acknowledge that they had a problem. The risk functions across the organization were operating in silos. Some were using legacy vendor platforms, while others were building home-grown systems in isolation. As a result, the knowledge gap and lack of interoperability between risk groups such as business continuity, operational risk, cyber risk, third-party vendor risk, and disaster recovery posed systemic risk across the organization.

A case in point is third-party vendor risk. A few large vendors provide services that are pervasive throughout the organization. Although a failed delivery of service to one group might pose a moderate risk in isolation, diminished quality of service across multiple groups could impact the reputation of the whole organization. Of particular concern was fourth- and fifth-party risk, because an issue with a vendor’s vendor could trigger a chain of events that hinders the organization’s ability to fulfill its client, investor, and regulatory obligations.

Know Who, What, Where, and When

With the images below, Bobby’s mom provided an example of how various components of an enterprise risk management framework would be integrated to maximize the operational understanding of the organization and to action an effective response to the multi-faceted risks that are endemic to multi-party relationships.

Source: Fusion Risk Management


1. Visualize 3rd, 4th, and 5th party relationships to quickly lay bare the services supply chain. Explore each node to determine if duplicative services could be pruned away and gain insight into potential points of failure.

2. Integrate authoritative data sources such as external credit ratings, financial crime indices, news sources, and location data that, together, could surface hidden risks caused by adverse weather effects or geo-political turmoil.

3. Track internal assessment processes to know the certification status of any party, and collaborate with other teams to triage issues as they arise. When all actions are recorded, an archive of “lessons learned” is created that can be referred to later.

4. Drill down to review and validate documents in detail and on demand. The holistic view provided here might unearth gaps within contractual obligations.

1. Back to #1. This is an iterative feedback loop that increases in value over time, building knowledge upon knowledge in a comprehensive way.

Discover, Predict, and Recommend

The above represents the aggregation of a variety of data types (structured [tables] and unstructured [documents]) and the sophisticated analytics and automated workflows needed to create meaningful linkages between them. But what about the AI that Bobby thinks is so cool?

AI is used to put that data to work. To do that in an effective and practical way, frontline managers and analysts need the tools to discover insights, predict outcomes, and recommend next steps without needing a team of PhD data scientists. This is what Bobby’s mom’s team was able to demonstrate to their regulator when they crushed last month’s audit, using Salesforce Einstein.

Working off the data described above, below is an example scenario:

  1. Discover insights: A fourth party was identified (#1 above) and flagged due to its location in a High Intensity Financial Crimes Area (HIFCA). Also, a news report noted that it was under investigation. Business credit data (#2 above) showed that this entity was developing a pattern of non-payment to its vendors.

  2. Predict outcomes: The relationship is flagged with a high-risk rating because the related third party provides correspondent banking services to the organization, an area that gets a lot of regulatory scrutiny. The trigger is that the fourth-party entity is showing signs of financial distress while also providing services from an area known for financial crime. By accepting services from the third-party entity, there is a risk that the organization could indirectly facilitate a money laundering scheme.

  3. Recommend next steps: Einstein can surface best actions based on the history of actions taken around similar scenarios (#3 above) and automatically generate and assign tasks, such as:

    1. Notify the third party of the issue and assess contractual obligations (#4 above).

    2. Evaluate all transactions related to this channel (an alert would be sent to the operations team).

    3. Escalate as per standard procedures (steps would be detailed in the alert).

Unified Enterprise Risk Management

The above seems simple when listed out as bullet points, but keep in mind that this insight is hidden under thousands of overlapping relationships and associated transactions. Unearthing it is only possible with a unified enterprise-wide risk management framework. In this series of stories, we started by moving from a reactive operational risk management program of monitoring spreadsheets to a proactive one that utilized automated workflows, collaboration, and AI with Salesforce Lightning Platform and Einstein. Then, as shown through the Fusion Risk Framework, we scaled up to an enterprise-wide platform that leveraged best-in-class deployments so that you can focus on the features that meet the unique risk objectives of each of your businesses.

Unified enterprise risk management absolutely is achievable, and hopefully these stories simplified the concepts of how to get there.