Iceberg Visioning & Alignment Workshops: start the journey to a complete view of Enterprise Operational Risk.
Learn how Iceberg recently helped a Chief Operational Risk Officer at a large U.S. Financial Services company begin the journey to achieve a complete view of enterprise operational risk.
This Chicago, Illinois based Financial Services Company provides multiple financial products and services to corporations, institutional investors, and high net worth individuals. It has offices throughout the U.S., Canada, Europe, the Middle East and the Asia-Pacific region.
As the integration of digital technology into all areas of the business grew more complex, it fundamentally changed how it needed to operate and deliver value to all stakeholders. As a result, the organization had a need to mature their processes around operational risk management. They had invested in different GRC and operational risk solutions in certain pockets across the organization, and leveraged Microsoft Office (Excel, SharePoint, etc.) in many others. To further complicate things, different business units were operating in resource and data silos. The ability to access risk data from across the organization in the different business units was an extreme challenge, resulting in a lack of confidence in the ability to present and report on their operational risk posture.
The Chief Operational Risk Officer put it succinctly, “I need to provide a more complete and transparent view of operational risk to the Executives across the global organization.”
The teams under his purview were tracking and reporting their work using disparate systems and worksheets, with no consolidated view of the organization’s risk posture. Understanding where the systems of record were maintained was also a challenge.
To top that off, the key stakeholders were struggling to understand whether they had the right GRC software tool in place to provide an aggregated view of risk, and where they would begin in pulling the various groups and activities together.
The firm engaged Iceberg to facilitate and conduct a Visioning and Alignment workshop for their senior risk management executives. The goal was to build a program to move them towards an end-state of a trusted, transparent and aggregated view of operational risk. Prior to the formal executive workshop, Iceberg senior GRC Management Consultants conducted short discovery calls, approximately 30-60 minutes in length, with 10 different executive stakeholders to understand their requirements for a successful and effective risk management program. Iceberg also explored existing roadblocks to breaking down the organizational silos and solicited suggestions for how these challenges could be overcome.
Participants at the Executive workshop included operational risk, business stakeholders and the technical owners of the GRC programs. In Iceberg’s view, these groups often operate in separate streams, but we’ve found that having a constant dialogue between them is a critical success factor.
After the initial discovery, Iceberg GRC Management Consultants conducted a five (5) hour on-site workshop based on the information gathered in the discovery interviews. The first part of the workshop was a summary of what was heard during the interviews, the common themes and goals across the program, observations on areas that were non-functional, areas and opportunities to improve, and finally a summary of the most important success criteria for each stakeholder.
The rest of the workshop had Iceberg’s Management Consultants lead hands-on sessions where participants moved to identify common goals and requirements and how these goals would translate into a common business information architecture. For example, everyone agreed a common repository of business processes, applications, assets, risks and controls was needed but taxonomy became a debate. Iceberg’s lead consultant facilitated a conversation helping the group arrive at a consensus on a common taxonomy for this repository.
With that in place, the group developed a plan to link programs to repositories and common control libraries and identify early targets to build within these libraries.
The overall goal of the workshop was to position Iceberg’s GRC Management Consultants with the right (and enough) information to develop an enterprise operational risk management roadmap from an executive-level point of view. This deliverable would help build the business case to rejuvenate the GRC solutions and work towards achieving a complete and transparent picture of risk over the next 3 years.
Iceberg’s GRC roadmap and executive report gave the organization the ability to prioritize the work required to put the firm on the path for long-term risk management success. It also identified quick wins that would help gain executive buy-in to keep the project moving forward.
By bringing both the technical and business teams together, everyone developed an understanding that a GRC program was not just a tactical IT project. They started to see how the program could become a strategic tool to deliver significant value to the organization. To that end, more than one executive member commented at the end how refreshing and energizing it was to see the executive team illustrate their desire to take risk seriously as a coordinated team effort.
Breaking down the silos and bringing teams together for strategic alignment provided many tangible results for the organization. As one participant told us, “I didn’t actually know what some of these people were doing. I didn’t understand their functions or their focus and goals. Everybody walked out with a better understanding of what was important for their peers, and how they could do a better job integrating work between different groups.” These sessions identified several areas where there were overlapping responsibilities and the opportunity to reduce duplication or drive greater working efficiencies.
The group also gained an understanding of the potential capabilities of the GRC platform through a targeted vendor-agnostic presentation by the Iceberg team. They realized that some of their frustrations with the platform weren’t due to the software itself, but in fact mostly due to some gaps and lack of maturity in the underlying processes and policies. Part of the roadmap that Iceberg developed included the foundational work required to get the full value out of their GRC software investment.
Moving forward, Iceberg also recommended that the organization develop a much more comprehensive operational risk management business architecture. If the firm is truly going to move towards operational resilience (a key goal for many Chief Risk Officers today), they would need to truly understand where their systems of “truth” are, and how best to integrate and aggregate the data to get the complete, transparent picture. Once this is completed, the firm can then start to evaluate what GRC tool is best for what task, where the central repository should sit, and the ways in which they can best drive integration between systems, to truly achieve an accurate, aggregated view of the risk data.