Agile Risk

New Thinking to Enhance Effectiveness

of All Three Lines of Defense

While Stabilizing or Lowering Costs

22nd Annual Risk Minds International

Amsterdam, The Netherlands

December 9, 2015

© 2015 Protiviti Inc.2

Agenda

Challenges Faced Today 3

Agile Risk Management 6

Risk Management Practices: Target State and Benefits 8

Risk Reporting Innovations 12

© 2015 Protiviti Inc.3

Challenges Faced Today

© 2015 Protiviti Inc.4

Inherent Risk Profile Is Continuing to Increase

IR0 IRF

Baseline inherent risk of retail financial services activities

Customer Growth &

Deepening Relationships

Dramatic Changes in

Processes & Technology

Manual Processes &

Siloed Functions

Dynamic & Changing

Market Landscape

Product & Service

Innovation

Ignoring the enhanced heightened regulatory environment – there are a number of factors

driving inherent risk higher increasing need for agile risk and compliance management

© 2015 Protiviti Inc.5

Sli.do Poll #1 – Challenges

What do you think is the biggest challenge your organization faces

regarding risk management?

Lack of skilled and knowledgeable resources

Stagnant risk and compliance operating budgets

Regulatory scrutiny and enforcement actions

Inefficient risk management processes and limited technology

Majority of time spent fixing problems rather than value-add activities

© 2015 Protiviti Inc.6

Stage One Attributes

• Duplication

• Manual processes

• Bad data

• Ineffective reporting

• Unclear accountability

Stage Two Attributes

• Control functions align

• Technology and data are common and

shared across control functions

• Risk and compliance management is

connected but fragmented

• Solutions fix problems but not root-

cause

Stage Three Attributes

• Consistent, efficient, effective, and

connected processes

• Risk radar

• Risk informed decisions

• Risk addressed in design

• Strong process management

• Clear accountability and

continuous engagement

• Optimized technology

• Customer focus

Risk Management Evolution

Reactive and

Siloed

Business of

the Control

Functions

Customer

Centric

Typical

Current State

Future State:

Synergy / Efficiency

Operational &

Customer Excellence

Internal

Audit

RiskCompliance

Internal

Audit

Risk

Business

Units

Compliance

Customer

Risk

Compliance

Internal

Audit

Business

Units

Business

Units

© 2015 Protiviti Inc.7

Optimized PerformanceFocus on Growth

Agile Risk

Management

Customer

Satisfaction

Operational

Excellence

Aligned

Organization

Agile Risk Management Framework

© 2015 Protiviti Inc.8

Un

ifie

d P

rocess

DefineStrategy Assess

Define Risk

Appetite

Market

Opportunity

Define

Products &

Services

Define

Enterprise

Standards

Identify

Inherent

Risks

Define

Performance

Needs

Design

Process

Ensure Initial

Performance

Achieved

Operate

Ensure

Process

Adherence

Communicate

to

Stakeholders

Identify Risks

Greater Than

Appetite

Identify

Impacted

Processes

Implement

Process

Bu

ild

ing

Blo

cks

1 – Risk Informed

Strategy

3 – Risk

Governance

Framework

2 – Compliance

Requirements

Inventory

5 – Risk

Identification and

Assessment

6 – Risk in Design

7 – Process

Management,

Monitoring and

Testing

4 – Accountability

and Incentives

11 – Integrated Risk Technology

10 – Quality Data and Governance

9 – Aligned Reporting and Actionable Analytics

Perform

Continuous

Improvement

8 – Issue

Management

Target State Operating Model – Agile Risk Management

Implement Sustain

© 2015 Protiviti Inc.9

Time Re-Allocation Benefits

-

20,000

40,000

60,000

80,000

Governance Identify andAssess

Measure Monitor andTest

Report ManageChanges

Admin/Other

Ho

urs

14%13% 17%19% 13%11%14%

23%17% 10%23% 5%13%12%

BEFORE AFTER

Issues

identified

faster

Time spent

on value add

activities

Redeploy or

reduce resources

© 2015 Protiviti Inc.10

Sample FTE Benefits

Asset Size*

FT

E p

er

Billi

on

*

1.36

2.53

1.02

1.85

7.32

2.24

1.38

$100 B $200 B > $300 B

0

.5

1

1

.5

2

2

.5

>

3

.82.87

1.61

*Asset size was based on Bank Holding Company size for applicable Banking benchmarks

Bank

Diversified/

Insurance

Current

State

2.28

Future

State25 Fewer FTE

~$3-5 MM savings

© 2015 Protiviti Inc.11

Sli.do Poll #2 – Risk Reporting

What do you think is the biggest challenge your organization faces

regarding Risk Reporting?

Manual processes in aggregating and creating

Limited data to support reporting quality or ideal metrics

Inconsistent risk reporting across business units and/or geographies

Reporting does not drive action

Content overload when providing to Executives and Board Members

© 2015 Protiviti Inc.12

Elements of Effective Risk Reporting

Effective

Risk

Reporting

Accuracy

Targeted

Graphical

Consistency

Clarity

Completeness

Actionable Meaningful

Comparative

Clarity

Reports have defined elements, are clearly

labeled, and easy to interpret

Actionable

Reports prompt informed

decision-making

Graphical

Data is depicted pictorially

where possible

Completeness

Reports provide an aggregate

view of risk

Comparative

Risk information is easy to compare

across business units

Consistency

Format and content are consistent across

all reporting

Targeted

Length and granularity are

tailored to target audience

Accuracy

Data is complete and precise

across all reports

Meaningful

Reports contain historical and

forecasted results as well as

environmental analysis

© 2015 Protiviti Inc.13

The Protiviti Risk Index

• Protiviti’s conversations with Board members and executives of leading financial services firms

across the globe have frequently come back to three simple questions:

The Protiviti Risk Index is a powerful solution to focus attention on highest priority items in

an intuitive and straightforward manner. It is designed to capture, calculate and evaluate a

large volume of complex risk data and reduce it to a single-number snapshot of

organizational risk.

Review shifts in performance of underlying factors.

Create a Risk Index that consists of time-oriented measures (past, present, future); Extrapolate future-oriented risk measures.

Am I Going into a

Riskier Time?

What are the

Underlying

Causes?

Generate Risk Index Score based on changes in risk factors’ outcomes.Am I Riskier Today

than I was

Yesterday?

The Protiviti Risk Index is a tool that aims to strengthen the overall well-being of the company’s

risk management capabilities.

© 2015 Protiviti Inc.14

The Basel Committee on Banking Supervision:

Risk Data Aggregation

Protiviti Risk Index

Meet Standard?

Risk Index Directly

Meets Principle

Risk Index Indirectly

Meets Principle

Risk Index Could be

Designed to Meet

Principle

Outside the Scope

of the Risk Index

# BCBS Principle

1 Governance

2 Data Architecture and IT Infrastructure

3 Accuracy and Integrity

4 Completeness

5 Timeliness

6 Adaptability

# BCBS Principle

7 Accuracy

8 Comprehensiveness

9 Clarity and Usefulness

10 Frequency

11 Distribution

• The BCBS Risk Data Aggregation guidance against Protiviti’s Risk Index shows that the index

meets the principles outlined for risk data aggregation practices. Principles beyond the scope of

Protiviti’s Risk Index heavily rely on existing governance, IT and risk infrastructure, and data

accuracy.

Supervisors expect that data and IT infrastructures will be enhanced in the

coming years to ensure that their risk data aggregation capabilities and risk

reporting practices are sufficiently robust and flexible to address all potential

needs through the normal course of business and during time of stress /

crisis.

In January 2013, the Basel Committee on Banking Supervision (BCBS) issued a guidance titled,

“Principles for Effective Risk Data Aggregation and Risk Reporting.”

© 2015 Protiviti Inc.15

Chief Risk Officer View

• CRO view is built to show the enterprise risk index score, the risk outlook of the organization,

trends by geography and line of business, positions of the material risk categories, notable risk

movers, and key matters requiring attention

• Encompasses the CRO span of control in a single, concise dashboard

© 2015 Protiviti Inc.16

Strategic Risk Homepage

• A drill down into one of the material risk categories – strategic risk – moves the user to the strategic

risk homepage

• Illustrates the strategic risk score compared to the prior period score, maintaining a similar look and

feel to the risk index homepage

© 2015 Protiviti Inc.17

0.00

1.00

2.00

3.00

4.00

5.00

6.00

7.00

8.00

Risk Rating Collateral Type Product Type Credit Rating OutstandingBalance

Loss GivenDefault Rating

Charge OffAmount

Data

Qu

ality

Sco

re

Key Data Elements (KDEs)

Protiviti Risk Index Example: Data Quality

6.02Lower

Limit: 5.7

6.69

3.82

5.80 6.22 6.18

Upper

Limit: 6.6

4.03

© 2015 Protiviti Inc.18

Risk Score

9

High8

7

6

Medium5

4

3

Low2

1

Model 1 Model 2 Model 3Individual

Models

Assumptions Source #3 Source #4 Source #5Data Collection

and Quality

Governance

Sources of Model Risk

Risk #5Risk #4 Risk #6Credit Risk #3

Principal Risks

Model Risk

Score

Protiviti Risk Index Example: Model Risk

© 2015 Protiviti Inc.19

Closing Thoughts

Working towards being more agile in risk and compliance management can

begin today – foundations are important.

Risk management enables the business and can support the organization in

achieving operational excellence.

Risk management needs to be a partner – proactive collaboration and

engagement establish credibility.

Efficiency gains can be had without negatively impacting effectiveness.

© 2015 Protiviti Inc.20