CASE STUDIES

Examples of some of GRC's current and previous clients. GRC has successfully delivered projects across a range of sectors and industries.

OPERATIONAL RISK MANAGEMENT

Client Requirement:

To undertake a firm-wide review of the existing risk management practices and:

  • Enhance the existing risk management framework (processes, procedures and policies)
  • Review all management risk reporting processes and enhance/optimise where possible to meet best practice and regulatory requirements
  • Enhance the firm’s risk management culture and employee buy-in to risk management practices.

GRC Approach:

GRC’s approach was to quickly gain an understanding of the firm’s business model and operational landscape through one-on-one interviews with a number of key stakeholders in each business unit, and then to:

  • Undertake a high level risk assessment across the business and with some of the company’s portfolio companies (investees)
  • Review and gap assess all components of the Company’s existing risk management framework, processes, procedures and risk reports
  • Make a series of recommendations for improvement, outlining key benefits vs costs and risks
  • Seek buy-in from key internal stakeholders such as COO, CFO, Partners, Head of Compliance, General Counsel (US & UK)
  • Develop a project plan to deliver the proposed enhancements throughout each quarter aligned to key benefits that could be tracked when realised.

Results:

After a year of delivery both remotely and at the client’s Mayfair office, GRC had successfully:

  • Restructured the company’s risk management framework to meet global best practice and to meet the FCA’s domestic requirements
  • Developed and embedded a formal Three Lines of Defence approach to risk management within the company
  • Drafted and had approved by the Board formal terms of reference for: Board, Group and Operational Risk, Valuation Committee, Exco Committees
  • Developed risk based/structured Operational and Group Risk reports
  • Developed risk based MI reports for the Board; chaired the Operational Risk Committee
  • Restructured the key risk reports and risk MI to ensure accurate reporting to the key stakeholders
  • Restructured the company’s three risk registers into a single Group risk register, structured around a Board-approved risk taxonomy
  • Designed, developed and had approved a formal risk taxonomy
  • Developed a methodology for carrying out ‘deep dive’ risk assessments with business units and aggregating risks into the group register
  • Developed a number of key risk related policies including: Risk Management and Critical Outsourcing/Vendor Management
  • Developed and delivered a number of risk management educational/training/mentoring sessions.

Client Requirement:

Review the bank’s Operational Risk Management Framework and improve where required in line with best practice in preparation for a change in ownership.

GRC Approach:

  • Information Gathering: Interviews with key stakeholders
  • Data Consolidation and Problem Identification: Review and consolidate data to identify key areas of concern / problems.
  • Gap Analysis: Carry out detailed gap analysis of existing framework (structure, processes and procedures) against best practice (COSO2, Basel 2/3, ISO31000).
  • Findings Validation: Validate findings with key Stakeholders.
  • Delivery Plan Development: Develop project plans to remediate and improve problem areas identified.
  • Progress Reporting: Report on progress, problems and successes. Delivery managed within a formal project risk management approach.

Results:

  • Identified a number of areas for improvement, particularly in relation to risk and issues data quality – non-compliance with current and future regulations (Basel 2/3, ICAAP, IT Risk Management process, BCBS 239).
  • Gaps in formal process for risk data aggregation and Issue management.
  • Lack of integration of IT risk assessment results into Group Operational Risk register.
  • Development of consistent risk evaluation and reporting data set (Key Data Elements – KDEs).
  • Structuring of risk reporting formats for internal Committees (Op Risk, Board Risk, Exco) and external stakeholders (RBS, regulators).
  • Risk identification and awareness workshops.
  • Improvement of the risk data capture process.
  • Improvement of the RCSA process.
  • Enhancement of the GRC data capture tool – to better capture, consolidate and report risk data.
  • Development of a formal architecture to meet BCBS 239 requirements.

Client Requirement:

  • Undertake an assessment of Internal Capital Adequacy, write and submit to the regulator an annual ICAAP submission.
  • Develop a process that could be replicated across the Group to complete ICAAP submissions in a consistent way annually.

GRC Approach:

  • Background / information gathering: Interviews with key stakeholders, across domestic and international entities.
  • Gap analysis: Carry out detailed gap analysis of Dutch and UK regulatory requirements and existing internal processes.
  • Process development: Develop ICAAP and adapt to the organisation’s structure.
  • Stakeholder analysis: Determine who the key stakeholders were in order to conduct the risk evaluation workshops and to approve the collected data.
  • Risk assessments: Conduct detailed risk assessment across all key business units and critical processes (structured interviews).
  • Develop Risk Scenarios: Develop a series of risk impact scenarios to help define the potential risk impact probability and cost.
  • Data consolidation and exposure calculation: Consolidate the obtained data and model the potential frequency and cost of potential scenarios.
  • Organise and run scenario validation workshops: Plan and run a series of scenario validation workshops with identified key stakeholders.
  • Findings validation: Validate findings (risk, gaps & improvement actions) with key Stakeholders.
  • Regulator discussions and approval: Frequent discussions with local regulator in relation to ICAAP results.
  • ICAAP submission drafting: Write formal ICAAP submission using validated workshop findings.
  • Formal ICAAP Submission Approval: Seek formal approval of ICAAP data and draft submission document.

Results:

  • Compliance with regulatory requirements.
  • Improved understanding of the need for risk management across the group.
  • Improved, repeatable ICAAP development process.
  • Developed ICAAP data library and use process.
  • More confident management.
  • More confident regulator as to the robustness and sustainability of the company.

Client Requirement:

Assess and improve the IT Risk Management process to meet best practice and help improve risk management effectiveness within a multi-billion euro change program of work (Run the Bank / Change the Bank).

GRC Approach:

  • Background / Information Gathering: Discussions with key stakeholders to identify what works, what doesn’t, and required improvements.
  • Gap Analysis: Conducted formal gap analysis against regulatory requirements and best practice frameworks (Basel 2/3, COSO2, ITIL, COBIT5).
  • Risk Assessments: Conducted a number of risk assessment workshops to understand process and gaps on key projects, locally and internationally.
  • Results Consolidation: Consolidated / aggregated results.
  • Findings Presentation: Presented findings to key stakeholders and made recommendations for improvements.
  • Project Planning: Developed program plan to implement improvement actions.
  • Policy Review: Reviewed and gap assessed a number of key policies.

Results:

  • Reengineered the IT / Operational risk management processes and risk register data capture investigative question sets, resulting in more efficient framework processes, more accurate and meaningful data, and more effective management reporting.
  • Aligned and integrated the IT risk taxonomy with Basel 2 risk types for operational risk classification.
  • Improved understanding of risk management use and process.
  • Identified that there were too many similar processes operating at different levels within the Bank and that there was significant data duplication that contributed to the operational risk – poor management, duplicated effort, confusion, inaccurate reporting.
  • Delayered & consolidated a number of redundant / duplicated risk management processes.
  • More accurately defined IT risks that clearly articulated the inherent exposure and its impact on the bank’s operational processes.
  • More efficient and effective mitigation actions – to reduce the identified risk exposures.
  • Better informed stakeholders and management.

Client Requirement:

Review current operational risk management framework, gap identification, make recommendations for improvement. Key considerations: ensure risk management practices are embedded within the business and management are conforming to risk management practices / culture. Be able to:

  • Provide the Board and senior management with an accurate risk profile of the business.
  • Provide the Board with assurance that effective risk controls were operating.

GRC Approach:

  • Risk Maturity Assessment: Reviewed the maturity of the current risk management framework and process – via stakeholder interviews.
  • Gap Analysis (against best practice): Benchmarked the current risk management framework structure and processes against industry best practice and identified areas for improvement.
  • Detailed Risk Assessment: Detailed risk assessment undertaken across entire business with key stakeholders. Data consolidation undertaken, and key risks and controls presented to the board and management.
  • Risk Culture Assessment: Carried out assessment of risk culture to determine stakeholder knowledge levels and attitudes to risk ownership. Recommendations for improvement and delivery plan developed.
  • Framework Development: Development of all framework components (processes, procedures & policies), where gaps and improvement actions identified. Including risk appetite and tolerance statements and metrics.
  • Framework Documentation: Development / enhancement of all framework documentation (processes, policies & training material).
  • Training and Awareness: Developed and delivered formal risk management training for a range of stakeholders (Board members, senior managers, & suppliers).
  • Stakeholder Communication: Developed consistent stakeholder communication in relation to the roll-out of the framework, ensuring that key partners and stakeholders understood the need to use it and complied.
  • Risk Profile: Company’s risk profile developed, refined and key risks communicated to risk owners and management.
  • Risk Appetite / Tolerance: Risk Appetite and Tolerance parameters and statements developed and agreed by the Board.

Results:

  • Greatly improved risk management processes. Increased understanding of importance of risk management.
  • More confident and engaged workforce.

Client Requirement:

Review the existing payments services business in line with PSD2 regulations.

GRC Approach:

  • Annual assessment of the adequacy and effectiveness of policies and procedures in place
  • Implemented appropriate procedures to mitigate the internal and external financial crime risk trends
  • Developed new risk scoring based on the Wolfsberg principles for the AML controls
  • Reviewed the reporting and escalation procedure for significant financial crime risk issues and exceptions
  • Supported the AML teams’ reviews across the business and confirmed all risks were dealt with appropriately
  • Managed the monitoring of FCC indicators

Results:

  • Audit Framework: Establishment of the framework for annual assessment of financial crime compliance policies and procedures
  • Wolfsberg principles adopted, and associated controls implemented
  • Audit maturity level: Complemented with a maturity matrix showcasing the maturity level of Financial Crime Compliance
  • Compliance monitoring streamlined and put to effective operation
  • Financial crime risk trends: Instances of internal collusion eradicated, KRIs reported against the baseline. Procedures and controls put in place to identify and manage external financial crime risk trends

Client Requirement:

Review the existing payments services business in line with PSD2 regulations

GRC Approach:

  • Responsible for developing the PSD2 gap assessment report
  • Evaluated the existing policies, procedures and systems/controls to advise appropriate action plans to comply with PSD2
  • Suggested the complaints handling procedure changes per the regulatory standards
  • Risk assessed the two factor authentication requirements to identify the system level changes required
  • Detailed the new reporting requirements
  • Articulated the key requirements in business continuity and disaster recovery policies, procedures, systems and controls

Results:

  • Business Impact Assessment: Detailed report on as-is versus expected practices in all the PSD2 required disciplines. Rapidly adaptable, proven recommendations that address the gaps identified to become PSD2 compliant
  • Policies, Procedures, Systems and Controls: 360-degree assessment that helped the client to see their current position in existing policies, procedures and systems/controls, and advised appropriate action plans for the required improvements
  • Complaints Handling: Design strategy and planning to implement the necessary changes in complaints handling procedures and associated operational changes
  • Strong Authentication: Recommendations on system level changes towards implementing strong authentication and dynamic linking of the payment transactions
  • BCP and DR: Plausible scenarios identified, and appropriate mitigation strategies and planning put in place to address the BC/DR situation should the need arise. Witnessed the implementation of the required changes in BCP & DR policies, procedures, systems and controls
  • New reporting and Notification requirements: Articulated the new reporting obligations and assisted the client to formulate required procedures and controls to implement them
  • Operational and Security Risks: Assisted the client in establishing a robust risk management framework that focuses on security measures to mitigate the operational and security risks. The framework covered everything from governance arrangements to the identification and assessment of risks, data protection, detection of risks and, subsequently, business continuity arrangements.

Client Requirement:

Assist with the FCA application submission process to register as an API for performing Payment Initiation Services.

GRC Approach:

  • Responsible for guiding and supporting with the application submission process
  • Assisted with the business and marketing plan
  • Conducted workshops to identify and articulate how the firm is structurally organised, what governance arrangements and internal control mechanisms are in place, and how the firm manages and reports fraud and security related customer complaints
  • Interpreted the requirements on how the firm intends to protect sensitive payment data, and its business continuity and disaster recovery arrangements
  • Reviewed the security policy document to confirm it demonstrates the operational and security risk management framework in place
  • Reviewed the anti-money laundering and terrorist financing policy that articulates the detailed risk assessment, the associated systems and controls, and the officer responsible for reporting suspicious activities to the National Crime Agency
  • Provided guidance to calculate the required amount for professional indemnity insurance

Results:

  • Governance arrangements and internal control mechanisms: Risks identified and mapped for all the business units and at the corporate level. Appropriate governance arrangements witnessed incorporating various committees for approval of capital, strategy, design and execution.
  • Fraud and security related customer complaints: Helped the client to distinguish between the customer complaints raised for security incidents and other customer complaints. Articulated how the existing framework can be utilised for fraud scenarios by creating a subset of risks relevant to security and vulnerability to fraud.
  • BCP and DR: Assisted the client to articulate various plausible scenarios that could disrupt the business, with appropriate mitigation strategies and planning put in place to address the BC/DR situation should the need arise. Assisted the client to incorporate the required changes in BCP & DR policies, procedures, systems and controls
  • Security policy: Assisted the client in establishing a robust operational and security risk management framework that focuses on security measures to mitigate the operational and security risks. The framework covered everything from governance arrangements to the identification and assessment of risks, data protection, detection of risks and, subsequently, business continuity arrangements
  • Anti-money laundering and terrorist financing policy: Enabled the firm to deter and detect financial crime; incorporated changes to the policy, with risks assessed in relation to the firm’s customer base, products & services provided, distribution channels used and the geographic areas of operation. Evaluated the risk mitigation strategies and helped the client with planning and subsequently implementing the required controls.
  • PSR and EBA obligations on firms from 13 January 2018: Complemented the application submission with a document on the firm’s obligations under the PSD2 regulations.

IT RISK MANAGEMENT

Client Requirement:

Design, develop and implement a best practice and globally compliant IT risk management framework.

GRC Approach:

  • Background / information gathering: Gather information via investigative questionnaires re key process, products, people, ways of working.
  • Best practice gap analysis: Assessed the current international best practices for IT risk management including COBIT, ITIL, ISO27001.
  • Detailed risk assessment: Carried out program of detailed risk assessments (interviews and workshops) across key business units / functions.
  • Risk culture assessment: Carried out assessment of risk culture to determine stakeholder knowledge levels and attitudes to risk ownership.
  • Framework development: Development of all framework components (processes, procedures & policies).
  • Framework testing: Full testing of all framework components and processes within Insurer locally and with key 3rd party suppliers.
  • Framework documentation: Development of documentation relating to all components of the framework (policies, processes & procedures).
  • Rollout planning & delivery: Developed rollout plan for Europe and US businesses. Fully approved by Exco. Fully delivered.
  • Training and awareness: Developed and delivered formal risk management training for a range of stakeholders (CISOs, Account Managers, senior managers, board level executives & suppliers), in a number of countries.
  • Stakeholder communication: Developed consistent stakeholder communication in relation to the roll-out of the framework.

Results:

  • Successfully developed and implemented an innovative and regulatory compliant IT Risk management framework that was classed as ‘Best of Breed’ by PwC’s external auditors.
  • Rolled out framework and training internationally to all of Insurer’s main offices in each country (US, Switzerland, EU and UK).
  • Established and trained a team of 8 internal staff internationally to be competent IT / Operational risk managers.
  • Successfully trained all key stakeholders (internally and externally, domestically and internationally).
  • Identified numerous key risks, resulting in re-engineered business processes, replaced a number of suppliers, created new projects.
  • Improved senior management reporting and board level communication in relation to risk.
  • Implemented formal risk culture monitoring and measurement approach.
  • Enhanced business / IT resilience capability.
  • Significant cost savings.

Client Requirement:

  • Design, develop and implement an Enterprise Risk Management (ERM) framework that is IT centric to help reduce the potential for failure of this flagship multi-billion pound project.
  • Develop a risk management culture that embraces risk management ‘ways of working’ in everything that is done.
  • Establish effective risk management reporting to enable senior management to report effectively to government sponsors and key stakeholders.

GRC Approach:

  • Background / information gathering: Gather information via investigative questionnaires re key process, products, people, ways of working.
  • Risk maturity assessment: Reviewed current risk management framework and process, via stakeholder interviews.
  • Gap analysis (against best practice): Benchmarked the current risk management framework structure and processes against industry best practice and identified areas for improvement.
  • Detailed risk assessment: Detailed risk assessment undertaken across entire business with key stakeholders. Data consolidated, and key risks and controls presented to the board and management.
  • Risk culture assessment: Carried out assessment of risk culture to determine stakeholder knowledge levels and attitudes to risk ownership. Recommendations for improvement and delivery plan for execution developed.

Results:

  • Developed and implemented all framework components (processes, procedures & policies), where gaps and improvement actions identified.
  • Developed all framework documentation (processes, policies & training material).
  • Developed and delivered formal risk management training for a range of stakeholders (Board members, senior managers, & suppliers). This included 36 senior project managers.
  • Developed consistent stakeholder communication process in relation to the rolling out of the framework and ensuring that key partners and stakeholders.
  • Department’s risk profile developed, refined and key risks communicated to risk owners and management.
  • As a result of identifying, evaluating and pricing risk exposures and required mitigation actions, and agreeing correct risk ownership of these with key stakeholders, a total of £85 Million of project costs were removed from the various project contracts with key suppliers.
  • More confident senior management and workforce.
  • More efficiently delivered projects, reduced operational costs.

Client Requirement:

Design, develop and implement a best practice enterprise Risk Management (ERM) Framework that can be sustained over the long term to protect and enhance the business’s profitability.

GRC Approach:

  • Background / information gathering: Gather information via investigative questionnaires re key process, products, people, ways of working.
  • Risk maturity assessment: Reviewed current risk management framework and process, via stakeholder interviews.
  • Gap Analysis (against best practice): Benchmarked the current risk management framework structure and processes against industry best practice and identified areas for improvement.
  • Risk assessments: Detailed risk assessment undertaken across entire business with key stakeholders. Data consolidated, and key risks and controls presented to the board and management.
  • Risk culture assessment: Carried out assessment of risk culture to determine stakeholder knowledge levels and attitudes to risk ownership. Recommendations for improvement and delivery plan developed.

Results:

  • Developed all framework components (processes, procedures & policies), where gaps and improvement actions identified.
  • Developed all framework documentation (processes, policies & training material).
  • Developed and delivered formal risk management training for a range of stakeholders (board members, senior managers, & suppliers). Developed consistent stakeholder communication in relation to the roll-out of the framework, ensuring that key partners and stakeholders understood the need to use it and complied.
  • Department’s risk profile developed, refined and key risks communicated to risk owners and management.
  • Developed comprehensive stakeholder management map / engagement plan to ensure that all stakeholders understood the benefits of risk management and the risks of not doing risk management well. This extended to Trade Unions, government departments, operational partners, shipping companies, rail companies, transport companies, oil companies, and the military.
  • Optimised business continuity plan.
  • Improved operational processes.
  • Optimised Insurance program.
  • More confident board and stakeholders (decision making).

ENTERPRISE RISK MANAGEMENT

Client Requirement:

  • Develop, design and implement an Enterprise Risk Management (ERM) framework to assist with the successful management of the UK government’s Public Sector Agreement targets (PSAs).
  • Develop risk management culture: enhance awareness of risk management requirements across the department. Encourage proactive risk ownership throughout senior management and wider organisation.

GRC Approach:

  • Background / information gathering: Gather information via investigative questionnaires re key process, products, people, ways of working.
  • Gap analysis & maturity review: Carried out detailed benchmark of department’s current risk management practices against recommended best practices (COSO, ISO31000, ISO27001).
  • Risk assessments: Conducted detailed risk assessment across the core business units and functions.
  • Findings consolidation: Reviewed findings and consolidated them to produce a consistent / common set of agreed risks across the business.
  • Results communication: Communication of key risks, risk ownership and mitigation processes to key stakeholders within government.

Results:

  • Designed, developed and implemented all framework components, process, policies and procedures.
  • Identified and agreed appropriate mitigation actions with all risk owners.
  • Defined key government and European regulatory requirements and processes to ensure compliance.
  • Developed and implemented a formal risk committee with Terms of Reference to agree major risks and mitigation actions.
  • Ensured that the National Audit Office (NAO) played a key role in reviewing (auditing) and approving the proposed risk management and governance processes and infrastructure.
  • Ensured that risk management and governance processes were incorporated into the formal project management process.
  • Developed key metrics for benefits realisation measurement – of key initiatives, major projects and high value spends.
  • Development and implementation of a formal risk reporting framework and process, for Risk Management Committee.
  • Department’s business objectives were more clearly defined, allowing the resources and commitment required to achieve these to be better understood.
  • Improved understanding of the need to use risk management to drive performance and deliver results.
  • More confident & engaged workforce.

Client Requirement:

Design, develop and implement a best practice enterprise Risk Management Framework (ERM) that can be sustained over the long term to protect and enhance the business’s profitability.

GRC Approach:

  • Background / information gathering: Gather information via investigative questionnaires re key process, products, people, ways of working.
  • Risk maturity assessment: Reviewed current risk management framework and process, via stakeholder interviews.
  • Gap analysis (against best practice): Benchmarked the current risk management framework structure and processes against industry best practice and identified areas for improvement.
  • Risk assessment: Detailed risk assessment undertaken across entire business with key stakeholders. Data consolidation undertaken, and key risks and controls presented to the board and management.
  • Risk culture assessment: Carried out assessment of risk culture to determine stakeholder knowledge levels and attitudes to risk ownership. Recommendations for improvement and delivery plan developed.
  • Findings consolidation: Findings consolidated to produce a consistent / common set of agreed and prioritised risks across the business.

Results:

  • Developed all framework components (processes, procedures & policies), where gaps and improvement actions identified.
  • Developed and delivered formal risk management training for a range of stakeholders (board members, senior managers, & suppliers). Developed consistent stakeholder communication in relation to the roll-out of the framework, ensuring that key partners and stakeholders understood the need to use it and complied.
  • Developed company’s risk profile, refined it and communicated key risks to risk owners (management, partners, suppliers).
  • Developed comprehensive stakeholder management map / engagement plan to ensure that all stakeholders understood the benefits of risk management and the risks of not doing risk management well. This extended to Trade Unions, government departments, operational partners, shipping companies, rail companies, transport companies, oil companies, and the military.
  • Optimised business continuity plan.
  • Improved operational processes.
  • Optimised insurance program.
  • More confident board and stakeholders (decision making).

Client Requirement:

Design, develop, implement and embed, a comprehensive Enterprise Risk Management (ERM) Framework.

GRC Approach:

  • Information gathering: Undertook a series of investigative / consultative discussions (interviews) across the business with a range of different stakeholders (business units and functions).
  • Stakeholder analysis: To determine who the most important stakeholders were and why (internal & external).
  • Gap analysis & maturity review: Carried out detailed benchmark of department’s current risk management practices against recommended best practices (COSO, ISO31000, ISO27001).
  • Risk assessment: Undertook detailed risk review across all group’s operations, business units and functions.
  • Governance & reporting requirements: Establish a formal risk committee with Terms of Reference (ToRs) to agree major risks and mitigation actions. Ensured that risk management and governance processes were incorporated into the formal project management process.
  • Risk culture review: Undertook risk culture review across key stakeholders, to determine level of risk understanding and attitude toward risk management.
  • Findings consolidation: Findings consolidated to produce a consistent / common set of agreed and prioritised risks across the business.

Results:

  • Identified and agreed appropriate mitigation actions with all risk owners.
  • Developed corporate risk profile and communicated to key stakeholders.
  • Developed company’s risk profile, refined and key risks communicated to risk owners (management, partners, suppliers).
  • Designed, developed and implemented all risk management and BCP framework components (process, policies and procedures).
  • Designed risk culture enhancement / management framework and achieved management buy-in.
  • Reviewed corporate strategy and linked to key risks and business objectives.
  • Reviewed the company’s physical security plan, identified gaps and outlined areas for improvement.
  • More cost effective insurance program, clearly linked to key risk exposures.
  • Improved understanding of the need to use risk management to drive performance and deliver results.
  • More confident & engaged workforce.
  • Developed and implemented a formal risk reporting framework and process, for Risk Management Committee.
  • Enhanced confidence of key suppliers of company’s performance, sustainability and robustness.

Client Requirement:

Design, develop and implement / embed a comprehensive Enterprise Risk Management (ERM) Framework.

GRC Approach:

  • Background / information gathering: Undertook a series of investigative / consultative discussions with a range of different stakeholders across the department – business units / functions.
  • Stakeholder analysis: Carried out detailed stakeholder analysis to determine who the key stakeholders were (internally & externally).
  • Gap analysis & maturity review: Carried out detailed benchmark of department’s current risk management practices against recommended best practices (COSO, ISO31000, ISO27001) and local regulatory requirements. Improvement actions defined.
  • Regulatory requirement assessment: Defined key local and regional government and regulatory requirements (MAS, SFC). Recommended improvement actions to close gaps to compliance.
  • Risk assessments: Undertook detailed risk assessments (structured interviews), with all key stakeholders, key departments and functions.
  • Critical process definition: Defined (mapped and prioritised) the business’s critical business processes.
  • Findings consolidation: Findings consolidated to produce a consistent / common set of agreed risks across the business.

Results:

  • Designed, developed and implemented comprehensive risk management framework (components, process, policies and procedures).
  • Developed company’s risk profile, agreed all risks with defined risk owners (internally and externally).
  • Identified and agreed appropriate mitigation actions with all risk owners and identified mitigation owners (if different).
  • Key operational processes definition and optimisation (process mapping, streamlining and prioritisation).
  • Identified and agreed individual process owners.
  • Established a formal risk committee with Terms of Reference (ToR) to agree major risks and mitigation actions for reporting to the board.
  • Ensured that risk management and governance processes were incorporated into the formal project management process.
  • Development and implementation of a formal risk reporting framework and process, for Risk Management Committee (RMC).
  • Improved understanding of the need to use risk management to drive performance and deliver results.
  • More confident partners and suppliers.
  • More confident & engaged workforce.

Client Requirement:

To develop a market proposition (based on the concepts of ERM and TCoR) with the aim of stimulating the cross-selling of existing products and new consultancy-linked capabilities. Products are to be based on a client-centric view of risk as opposed to insurance classes. This is needed to meet the growing demand to insure intangible risk.

GRC Approach:

Reviewed the company’s existing business to evaluate what opportunities existed to develop an Enterprise Risk Management (ERM) consultancy capability as a market differentiator to enhance business development opportunities.

Conducted three gap analyses (Product, Competitive, Opportunity):

  1. Product Gap – assessed 74 insurance policy products to determine the extent to which they were effective at mitigating known market risks.
  2. Competitive Gap – assessed a set of 10 brokers, direct insurers and general insurers for their product and service offerings / ERM capabilities.
  3. Opportunity Gap – Assessed market trends, reviewed results of 1&2, assessed costs vs benefit of product extension.

Output:

The proposed initial product structure (5 ERM-orientated products: cyber risk, enterprise/strategic risk, reputation risk, Non-Damage Business Interruption (NDBI)), to be used as a conduit through which Enterprise Risk Management (ERM) & Total Cost of Risk (TCoR) products and services could be offered to clients, thereby creating the opportunity for product extension and to ‘bolt on’ insurance products (to transfer risk exposure to the insurance market) as required.

Benefits:

Enhanced: profitability, long term viability, customer relevance / trust, protection of market share.

Business Case:

Developed a cost-benefit positive business case to demonstrate how the use of the proposed product suite would increase profit.

Result:

The client’s Executive Committee approved the development of the proposed products and their integration into the company’s business development strategy. The proposed pricing (business case) and ‘go to market’ strategy were also agreed.

To see how we can help your organisation, please