Compliance, changing technology, new customer expectations and an ever-worsening cyberthreat landscape are just a few of the modern challenges facing risk managers. But many banks and credit unions have the added burden of cumbersome processes for overseeing and orchestrating risk management cycles.
For example, proprietary tools, spreadsheets, offline communication and poorly integrated project management solutions can convolute an already complex process. In addition to giving risk managers a migraine, hiccups in these cycles increase the likelihood of oversights that could compromise the integrity of an institution's operations.
To avoid unfavorable outcomes, and to improve the overall flow of a risk management cycle, we recommend the following:
1. Curate task management through a central interface
Financial institutions can no longer afford to assign and manage tasks using primitive task managers such as spreadsheets, word-processing documents placed in a file folder or even email.
For example, spreadsheets in a shared drive might not supply automatic updates when changes are made, or they may fail at providing all the necessary fields to track a task. Such shortcoming may result in assignments based on old information, which can cause duplicate efforts on a single task. That's time and money that could have gone toward other risk management priorities. And, given that there's only so much time in a day, risk managers should spend it managing tasks and projects, not chasing down assignees or fact-checking data and documentation to prevent extraneous work.
To alleviate this burden, we recommend leveraging a highly visible user interface that tracks the status of tasks in real time. This type of central interface would sensibly lay out up-to-date information pertaining to each individual task. Risk managers can then ask the right questions consistently and get the answers they need the first time around.
2. Assess data integrity
"Data integrity assessments essentially act as a risk management safety net."
Another problem with spreadsheets, text-based documents and other productivity tools for risk management is that these documents aren't always well-designed. If a poorly formatted spreadsheet is used to process vital information, the data can easily be misinterpreted. The result is compromised data integrity, which can lead to misrepresentations, such as risk ratings that are based on inaccurate or outdated information.
The causes of low-quality data can be as simple as inputting placeholder values into spreadsheets, or copying and pasting templates without clearing certain data fields. According to Arkady Maydanchik in his book "Data Quality Assessment," another source of misleading data includes the failure to update data values to reflect changes in the physical asset it represents. He also cites poor database consolidation, processing and exporting data at the wrong time (i.e. before the value fields have been updated with the correct data sets) and bad initial data conversions, among other causes of poor data quality.
"In an ideal fantasy world, data entry is as easy to the user as possible: fields are labeled and organized clearly, data entry repetitions are eliminated, and data is not required when it is not yet available or is already forgotten," Maydanchik wrote.
While it may not always be possible to avoid data-quality degradation, risk managers can catch it early if they have a way to assess data integrity. This will help avoid discrepancies in risk managers' and auditors' risk ratings. In other words, data integrity assessments essentially act as a risk management safety net.
3. Consider collaborative project management
Part of what makes risk management so difficult is the need to report information quickly and efficiently. If a risk manager identifies a problem in how a certain policy is enforced, that manager might assign remediation of that control to a specific individual. From here, it's important that the progress of that project is tracked. One way to do this is for the stakeholders to communicate offline, or at least beyond the confines of the task manager.
But a more collaborative alternative is to give assignees limited access to the central management tool. Employee can then update a task's progress without requiring an extra layer of communication or an external project management tool.
Likewise, auditors' efforts can be tracked in real time, assuming they too are given limited access to that single project manager. This would add yet a fourth layer to "asset, risk and control," which is audit. The results of these audits can circle back into the actual risk rating of the asset, which then allows the risk manager to assign a remediation task if necessary based on the feedback of the auditor.
And so, the cycle continues. Only in this case, the greater level of involvement, and the fact that everyone's role has context within the risk management tool, breeds a risk culture within that institution. Not all organizations will necessarily benefit from this way of doing things. Nevertheless it may eliminate the need for certain additional steps, such as manually tracking down task progress, for some risk managers.
Apply the three tips referenced above to your risk management cycle, and you will facilitate a smoother overall process for all parties involved.
Supernal Software has helped thousands of risk managers at banks and credit unions track risk lifecycles in real time. By aligning products, services and vendors with their respective risks and controls in a single web-based interface, Scout risk management software helps ensure that the right risk management questions are being asked and answered. Scout can also be used to foster risk culture, thanks to its collaborative project management capabilities. Other key features include vendor management, compliance, GLBA and FFIEC risk assessments, and enterprise risk management.
To learn more about how Scout can facilitate a smooth risk management cycle, contact Supernal Software today.