CASE STUDIES

Client Requirement:

To undertake a firm wide review the existing risk management practices and:

• Enhance the existing risk management framework (processes, procedures and policies)
• Review all management risk reporting processes and enhance/optimise where possible to meet best practice and regulatory requirements
• Enhance the firm’s risk management culture and employee buy-in to risk management practices.

GRC Approach:

GRC’s approach was to quickly gain an understating of the firms business model and operational landscape through one on one interviews with a number of key stakeholders in each business unit

• Undertake a high level risk assessment across the business and with some of the company’s portfolio companies (investees)
• Review and gap assess all components of the Company’s risk existing risk management framework, processes, procedures and risk reports
• Make a series of recommendations for improvement, outlining key benefits vs costs and risks
• Seek buying from key internal stakeholder such as COO, CFO, Partners, Head of Compliance, General Counsel (US & UK)
• Develop a project plan to deliver the proposed enhancements throughout each quarter aligned to key benefits that could be tracked when realised.

Results:

After a year of delivery both remotely and at the client’s Mayfair office, GRC had successfully:

• Restructured the company’s risk management framework to meet global best practice and to meet the FCA’s domestic requirements
• Developed and embedded a formal Three Lines of Defence approach to risk management within the company
• Drafted and had approved by the Board formal terms of reference for: Board, Group and Operational Risk, Valuation Committee, Exco Committees
• Developed risk based/structured Operational and Group Risk reports
• Developed risk based MI reports for the Board and key Chaired the Operational Risk Committee
• Restructured the key risk reports and risk MI to ensure accurate reporting to the key stakeholders
• Restructured the company’s three risk registers into a signal Group risk register, that structured around a board approved risk taxonomy
• Designed, developed and had approved a formal risk taxonomy
• Developed a methodology for carrying out ‘deep dive’ risk assessments with business units and aggregating risks into the group register
• Developed a number of key risk related polices including: Risk Management and Critical Outsourcing/Vendor Management
• Developed and delivered a number risk management educational/training/mentoring sessions.

Client Requirement:

Review the banks Operational Risk Management Framework and improve where required in line with best practice in preparation for change in ownership.

GRC Approach:

• Information Gathering: Interviews with key stakeholders
• Data Consolidation and Problem Identification: Review and consolidate data to identify key areas of concern / problems.
• Gap Analysis: Carry out detailed gap analysis of existing framework (structure, processes and procedures) against best practice (COSO2, Basel 2/3, ISO31000).
• Findings Validation: Validate findings with key Stakeholders.
• Delivery Plan Development: Develop project plans to remediate and improve problem areas identified.
• Progress Reporting: Report on progress, problems and successes. Delivery managed within a formal project risk management approach.

Results:

• Identified a number of areas for improvement, particularly in relation to risk and issues data quality – non compliance with current and future regulations (Basel 2/3, ICAAP, IT Risk Management process, BSCB239).
• Gaps in formal process for risk data aggregation and Issue management.
• Lack of integration of IT risk assessment results into Group Operational Risk register.
• Development of consistent risk evaluation and reporting data set (Key Data Elements – KDEs).
• Structuring of risk reporting formats for internal Committees (Op Risk, Board Risk, Exco) and external stakeholders (RBS, regulators).
• Risk identification and awareness workshops.
• Improvement of the risk data capture process.
• Improvement of the RCSA process.
• Enhancement of the GRC data capture tool – to better capture, consolidate and report risk data.
• Development of a formal architecture to meet BCSB239 requirement.

Client Requirement:

• Undertake an assessment of Internal Capital Adequacy, write and submit to the regulator an annual ICAAP submission.
• Develop a process that could be replicated across the Group to complete ICAAP submissions in a consistent way annually.

GRC Approach:

• Background / information gathering: Interviews with key stakeholders, across domestic and international entities.
• Gap analysis: Carry out detailed gap analysis of Dutch and UK regulatory requirements and existing internal processes.
• Process development: Develop ICAAP and adapt to the organisation’s structure.
• Stakeholder analysis: Determine who the key stakeholders were in order to conduct the risk evaluation workshops, and approval of collected data.
• Risk assessments: Conduct detailed risk assessment across all key business units and critical processes (structured interviews).
• Develop Risk Scenarios: Develop a series of risk impact scenarios to help define the potential risk impact probability and cost.
• Data consolidation and exposure calculation: Consolidate the obtained data and model the potential frequency and cost of potential scenarios.
• Organise and run scenario validation workshops: Plan and run a series of scenario validation workshops with identified key stakeholders.
• Findings validation: Validate findings (risk, gaps & improvement actions) with key Stakeholders.
• Regulator discussions and approval: Frequent discussions with local regulator in relation to ICAAP results.
• ICAAP submission drafting: Write formal ICAAP submission using validated workshop findings.
• Formal ICAAP Submission Approval: Seek formal approval of ICCAP data and draft submission document.

Results:

• Compliance with regulatory requirements.
• Improved understanding of the need for risk management across the group.
• Improved, repeatable ICAAP development process.
• Developed ICAAP data library and use process.
• More confident management.
• More confident regulator as to the robustness and sustainability of the company.

Client Requirement:

Assess and improve the IT Risk Management process to meet best practice and help improve risk management effectiveness within a multi-billion euro change program of work (Run the Bank / Change the Bank).

GRC Approach:

• Background / Information Gathering: Discussions with key stakeholders to identify, what works, what doesn’t, and required improvements.
• Gap Analysis: Conducted formal gap analysis (against regulatory requirements (Basel2/3, COSO2, ITIL, COBIT5).
• Risk Assessments: Conducted a number of risk assessment workshops to understand process and gaps on key projects, locally and internationally.
• Results Consolidation: Consolidated / aggregated results.
• Findings Presentation: Presented findings to key stakeholders and made recommendations for improvements.
• Project Planning: Developed program plan to implement improvement actions.
• Policy Review: Reviewed and gap assessed a number of key policies.

Results:

• Reengineered the IT / Operational risk management processes and risk register data capture investigative question sets. Resulting in more efficient framework processes. More accurate & meaningful data. More effective management reporting.
• Aligned and integrated the IT risk taxonomy with Basel 2 risk types for operational risk classification.
• Improved understanding of risk management use and process.
• Identification of the fact that there were too many similar processes operating at different levels within the Bank and that there was significant data duplication that contributed to the operational risk – poor management, duplicated effort, confusion, inaccurate reporting.
• Delayered & consolidated a number of redundant / duplicated risk management processes.
• More accurately defined IT risks, that clearly articulated the inherent exposure and its impact on the banks operational processes.
• More efficient and effective mitigation actions – to reduce the identified risk exposures.
• Better informed stakeholders and management.

Client Requirement:

Review current operational risk management framework, gap identification, make recommendations for improvement. Key considerations: ensure risk management practices are embedded within the business and management are conforming to risk management practices / culture. Be able to:

• Provide the Board and senior management with an accurate risk profile of the business.
• Provide the Board with assurance that effective risk controls where operating.

GRC Approach:

• Risk Maturity Assessment: Reviewed the maturity of the current risk management framework and process – via stakeholder interviews.
• Gap Analysis (against best practice): Benchmarked the current risk management framework structure and processes against industry best. practice and identified areas for improvement.
• Detailed Risk Assessment: Detailed risk assessment undertaken across entire business with key stakeholders. Data consolidation undertaken, and key risks and controls presented to the board and management.
• Risk Culture Assessment: Carried out assessment of risk culture to determine stakeholder knowledge levels and attitudes to risk ownership’ Recommendations for improvement and delivery plan developed.
• Framework Development: Development of all framework components (processes, procedures & policies), where gaps and improvement actions identified. Including risk appetite and tolerance statements and metrics.
• Framework Documentation: Development / enhancement of all framework documentation (processes, policies & training material).
• Training and Awareness: Developed and delivered formal risk management training for a range of stakeholders (Board members, senior managers, & suppliers).
• Stakeholder Communication: Developed consistent stakeholder communication in relation to the to the rolling out of the framework and ensuring that key partners and stakeholders, understood need to use and complied.
• Risk Profile: Company’s risk profile developed, refined and keys risks communicated to risk owners and management.
• Risk Appetite / Tolerance: Risk Appetite and Tolerance parameters and statements developed and agreed by the Board.

Results:

• Greatly improved risk management processes. Increased understanding of importance of risk management.
• More confident and engaged workforce.

Client Requirement:

Review the existing payments services business in line with PSD2 regulations.

GRC Approach:

• Annual assessment of the adequacy and effectiveness of policies and procedures in place
• Implemented appropriate procedures to mitigate the internal and external financial crime risk trends
• Developed new risk scoring based on the Wolfsburg principles for the AML controls
• Reviewed the reporting and escalation procedure of the significant financial crime risk issues and exceptions
• Supported the AML teams’ reviews across the business and confirming all risks are dealt with appropriately
• Managed the monitoring of FCC indicators
  

Results:

• Audit Framework: Establishment of the framework for annual assessment of financial crime compliance policies and procedures
• Wolfsburg principles adopted, and associated controls implemented
• Audit maturity level: Complimented with the maturity matrix showcasing the maturity level of the Financial Crime Compliance
• Compliance monitoring streamlined and put to effective operation
• Financial crime risk trends: Instances of internal collusion eradicated, KRIs reported against the baseline. Procedures and controls put in place to identify and manage external financial crime risk trends

Client Requirement:

Review the existing payments services business in line with PSD2 regulations

GRC Approach:

• Responsible for developing the PSD2 gap assessment report
• Evaluated the existing policies, procedures and systems/controls to advise appropriate action plans to comply to PSD2
• Suggested the complaints handling procedure changes per the regulatory standards
• Risk assessed the two factor authentication requirements to identify the system level changes required
• Detailed the new reporting requirements
• Articulated the key requirements in business continuity and disaster recovery policies, procedures, systems and controls

Results:

• Business Impact Assessment: Detailed report on as-is to expected practices in all the PSD2 required disciplines. Rapidly adaptable proven recommendations that addresses the gaps identified to become PSD2 compliant
• Policies, Procedures, Systems and Controls: 360-degree assessment that helped the client to see their current position in existing policies, procedures and systems/controls, and advising appropriate action plans for the required improvements
• Complaints Handling: Design strategy and planning to implement the necessary changes in complaints handling procedures and associated operational changes
• Strong Authentication: Recommendations on system level changes towards implementing strong authentication and dynamic linking of the payment transactions
• BCP and DR: Plausible scenarios identified, and appropriate mitigation strategies and planning put in place to address the BC/DR situation should the need arise. Witnessed the implementation of the required changes in BCP & DR policies, procedures, systems and controls
• New reporting and Notification requirements: Articulated the new reporting obligations and assisted the client to formulate required procedures and controls to implement them
• Operational and Security Risks: Assisted the client for establishing a robust risk management framework that focusses on security measures to mitigate the operational and security risks. The framework addressed right from the governance arrangements to identification of risks and their assessment, to data protection and detection of the risks and subsequently addressing the business continuity arrangements.

Client Requirement:

Assist with the FCA application submission process to register as an API for performing Payment Initiation Service

GRC Approach:

• Responsible for guiding and supporting with the application submission process
• Assisted with the business and marketing plan
• Conducted workshops to identify and articulate how the firm is structurally organised, what are the governance arrangements and internal control mechanisms in place, how the firm manage and report fraud and security related customer complaints
• Interpreted the requirements on how the firm intend to protect sensitive payment data, business continuity and disaster recovery arrangements
• Reviewed the security policy document to confirm it demonstrates the operational and security risk management framework in place
• Reviewed the anti-money laundering and terrorist financing policy that articulates the detailed risk assessment, with associated systems and controls, the officer responsible for reporting suspicious activities to national crime agency
• Provided guidance to calculate the required amount for professional indemnity insurance
  

Results:

• Governance arrangements and internal control mechanisms: Risks identified and mapped for all the business units and at the corporate level. Appropriate governance arrangements witnessed incorporating various committees for approval of capital, strategy, design and execution.
• Fraud and security related customer complaints: Helped the client to distinguish between the customer complaints raised for security incidents and other customer complaints. Articulated how the existing framework can be utilised for fraud scenarios by creating a subset of risks relevant to security and vulnerability to fraud.
• BCP and DR: Assisted the client to articulate various plausible scenarios that can disrupt the business and appropriate mitigation strategies and planning put in place to address the BC/DR situation should the need arise. Assisted the client to incorporate the required changes in BCP & DR policies, procedures, systems and controls
• Security policy: Assisted the client for establishing a robust operational and security risk management framework that focusses on security measures to mitigate the operational and security risks. The framework addressed right from the governance arrangements to identification of risks and their assessment, to data protection and detection of the risks and subsequently addressing the business continuity arrangements
• Anti-money laundering and terrorist financing policy: Enabled the firm to deter and detect financial crime, incorporated changes to the policy, risks assessed in relation to firm’s customer base, products & services provided, distribution channels used and the geographic areas of operation. Evaluated the risk mitigation strategies and helped the client with planning and subsequently implementing the required controls.
• PSR and EBA obligations on firms from 13 January 2018: Complimented the application submission with the document on firm’s obligations towards PSD2 regulations.