Industry and internally developed standards are centered on driving adoption of best practices to reduce operational risk, increase compliance with internal policies and regulations, and increase the effectiveness of operating models.
The three lines of defense from the IIA, regulations such as BCBS 195 for sound operational risk management, and BCBS 239 for robust data management, best practice models such as DCAM and DMMSM or internal policies for data retention and privacy each play an important part in that.
Overall, these standards provide a solid framework for structures, processes and capabilities for target operating models of business lines and independent corporate risk functions, such as compliance, data management, operational risk management, etc.
As the implementations of these standards are long running and highly complex initiatives, the importance of consistently measuring your level of adherence to policies, standards, principles, and best practices in line with deadlines is critical to ensure successful execution.
On the contrary, large time gaps in the measurement of adherence introduces operational and execution risks, which prevents timely and cost-effective remediation of inadequacies.
As Peter Drucker is often quoted:
“You can’t manage what you can’t measure”.
In this context that would mean:
“You can’t govern when adherence can’t be measured”.
Institutions and authorities agree, that frequently performed qualitative assessments across the enterprise or relevant business units will enable identification of inadequacies and issues just-in-time.
To clarify, in the context of measurement of adherence, a qualitative assessment is a judgement-based analysis. Individual opinions on adherence to policies, standards, principles and capabilities are collected in a quantitative format through meetings, observations, workshops, surveys, and interviews from a group of relevant participants.
With an early issue detection system like this in place, institutions are able to react in a timely manner, and also prioritize their budgets and resources for the most pressing items. Enacting an early issue detection system would enable managers to keep their implementation of policies and standards across the enterprise on track – They would manage what they can measure.
But institutions have failed so far to implement comprehensive measurement of adherence, because they cannot leverage the power of qualitative assessments to their full extent – mainly because of the following challenges:
|Recurring assessments must be performed on a weekly, monthly, or quarterly basis.|
|Real-time information on state, progress and gaps for adherence must be available just-in-time.|
|All relevant organizational units (often the whole enterprise with all departments and geographic areas) must be included into assessment cycles.|
|Models of any complexity (multi-hierarchical) must be supported.|
|Model Backward Compatibility|
|Trend analysis and forecasting, regardless of changes in the model or framework, must be feasible.|
|Results must be comparable with industry benchmarks, peers, previous assessments, and across organizational units.|
|Granularity and Aggregation|
|Analysis of results from multiple perspectives – enterprise, organizational unit, and dynamic filter – must be performed just-in-time.|
The lack of support of qualitative assessments in existing GRC (Governance, Risk, and Compliance) technologies forces firms to still use spreadsheets, inadequate surveying tools, and manual processes to capture the feedback they need.
This approach is prone to errors and requires significant resources, which pushes companies to reduce the number of participating organizational units or rely on less frequent assessments just to maintain any level of measurement.
It is obvious that operational risk can only be mitigated on a proportionally small basis and that leaves the whole institution exposed to monetary losses resulting from inadequate or failed internal processes, people, and systems.
Institutions must therefore enhance their current GRC platform with complementing technologies that provide capabilities for the measurement of adherence and maturity with qualitative assessments.
A trusted choice to close this gap, is Pellustro, which enables on-time, high frequency, formal, and global qualitative assessments of adherence to policies, standards, principles and best practices and can be integrated with your existing GRC platform.
To learn more about Pellustro, and how leading institutions established global, enterprise wide measurements of adherence and maturity, visit www.pellustro.com.
A market commentary provided by
The opinions expressed are as of May 2017 and may change as subsequent conditions vary