'Risk Intelligence' in the context of Risk Management & Key Principles of a Risk Intelligence Program
Considering the numerous risk management failures across the global financial services industry, one key theme has emerged: in almost all cases, investigating the root causes and undertaking deep-dive analysis reveals a visible absence of risk management intelligence and a failure of proactive remediation of risk impacts. Institutions can have strategic, reputational and conduct risk frameworks in place as part of an overall risk governance process; however, without the effective support of real risk intelligence, the probability of an adverse risk event causing significant damage, and its resulting impact (i.e., in the form of reputational and financial damage), can be high.
So what is Risk Intelligence?
Risk intelligence is the ability of an organization to gather information that will successfully identify uncertainties in the workplace. Effective risk governance calls for Risk Intelligent governance, an approach that seeks not to discourage appropriate risk-taking, but to embed appropriate risk management procedures into all of an enterprise’s business pursuits.
An important goal of risk intelligence is to help the organization achieve a competitive advantage. Organizations with high risk intelligence tend to make more informed business and security decisions than those with low risk intelligence. Alternatively, risk intelligence can broadly be defined as the ability to optimally utilize data, information and analytics related to an institution's experience of its risk and control environment, based on the evolution of patterns of risk events and the corresponding lessons learnt. It can be seen as an analytics powerhouse for banks and institutions that provides an early warning alert capability, allowing action to be taken well before a risk event has occurred.
Interestingly, banks can be seen to have dedicated departments, such as for Credit, Market and Operational Risk, supported by frameworks and policies for all other risk types; however, in all cases, a dedicated 'risk intelligence' function is not established. It is often assumed that risk intelligence is a shared institutional capability spread across the 3 lines of defense, with no dedicated or centralized function where all risk intelligence data can be collectively analyzed and from which the Board, Executive Management and the Chief Risk Officer can be guided toward effective and proactive decision making, regardless of the type of risk threats an institution is facing.
Principles of a Risk Intelligence Program
3. In a Risk Intelligent Enterprise, key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.
4. In a Risk Intelligent Enterprise, a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
5. In a Risk Intelligent Enterprise, governing bodies (e.g., boards, risk committees, audit committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.
6. In a Risk Intelligent Enterprise, executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.
7. In a Risk Intelligent Enterprise, business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
8. In a Risk Intelligent Enterprise, certain functions (e.g., Finance, Legal, Tax, IT, HR, etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program.
9. In a Risk Intelligent Enterprise, certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management.
A risk intelligent governance process should be strategic in design, promote awareness of the relationship between value and risk, and efficiently and effectively allocate the company’s risk management resources. Effective execution of the process depends on maintaining a disciplined, collaborative approach focused on process design, process monitoring, and accountability.