
Making the business case for C4RISK database-based Operational Risk Management software


Academic year: 2021


A robust Risk Management and Control process is an integral part of the business infrastructure to enable the Board to create, develop and sustain a successful business. Given the importance of this process, any justification of a new system to the CEO/MD/FD needs to be rigorous.

Armstrong Consultants Ltd has published an excellent paper detailing the process for justifying software systems (http://www.emedia.co.uk/FM/GetFile.aspx?id=69392). We have followed the principles in that paper to show how C4Risk can be presented in a persuasive manner. Although the detail of this paper is aimed at the replacement of spreadsheets by a new database-based system, the principles are also likely to apply to replacement of an existing database system.

There are seven sections to this paper:

1. Is the current way of doing things “fit for purpose”?

2. If you do not change what is the impact on the Company?

3. Benefits and Spin-offs

4. How do I quantify the ROI?

5. Who benefits?

6. Objections

7. Summary.

1. Is the current way of doing things “fit for purpose”?

What is the purpose?

• To manage and minimise as far as commercially sensible the Operational Risks [1] to the profitability of the business, thereby helping to ensure its long-term viability.

• To show that this is being done, to regulators, auditors and other interested parties, and to provide relevant Risk-related information when required.

How is the job done now?

Typically, you are using spreadsheets, perhaps a simple set of linked sheets in a workbook or perhaps a more complex spreadsheet system created over a period of time. You record the basic details of your company’s risks and the controls applied to each of those risks, with the individuals responsible and a “score” for the net or residual risk in each case. A Risk Committee may be in place, giving its approval.

• The process may in effect be a manual one, transcribing the data from the traditional clipboard to a spreadsheet

• You may be using multiple means of storing data – perhaps the “event” data such as actual losses or near-misses is stored separately? Some data – in respect of some Key Risk Indicators for example – may not be stored at all

• Different versions of the spreadsheets may be in existence. The data for different Business Units may be kept separately

• Management Reporting is a time-consuming process. The supply of Risk Capital data to a regulator (if relevant) may be a totally separate, additional, manual exercise.

Positives of the current approach

It works, and however much of a devil it may be, the devil you know may be better than the one you don’t:

• The spreadsheets are independent and under your control, held on the network and fully backed up every night

• There are probably no issues with data volumes, at least at present

• You can change these spreadsheets yourself when you need to, and thereby deal with change to the business requirements as they arrive. You are not “working for the system”

• It looks cheap, even free, as the company has already paid for the spreadsheet software

• The staff that do use the spreadsheets are familiar with them and understand them.

[1] Operational Risks being those risks which arise from business activity, irrespective of the nature of the business. The standard definition for financial institutions is “the risk of loss resulting from failed or inadequate internal processes, people or systems, or from external events”.

Negatives of the current approach

These will vary, depending on individual corporate circumstances, but may include:

• Limited involvement of your colleagues in the Risk Management process. A manual approach is probably too time-consuming to involve a lot of people

• Staff do not fully buy into Risk Management. It may be regarded as a chore that has to be dealt with once in six months or once a year as opposed to a natural part of doing business

• Less information may be collected than you would want, with less objectivity than you would like to see in the assessment of risk

• Verification that controls are really working (or will work if/when the time comes) is not as objective and transparent as it should be

• Reporting from period to period to show improvement (or deterioration) is complex and gets more so as time goes by, particularly if separate business units use separate spreadsheets

• Often the “soft” elements are not recorded – the “qualitative” as opposed to “quantitative” elements of Risk Management; the comments that your staff make can be as useful as their views on a score for a particular risk, and yet in a manual process it is expensive to get to talk to everyone and time-consuming to record everything

• Typically in spreadsheet records, Controls are added independently to each risk, making it harder to identify which controls are important

• Dependencies between risks are harder to identify

• With the growth in the use of Key Risk Indicators it is more complicated to link the relevant related data to each risk. If there really are no issues with data volumes it is probably because you have not yet had to go into depth in respect of Key Risk Indicator requirements.

The negatives may well outweigh the “Devil you know” viewpoint.

2. If you do not change what is the impact on the Company?

As the job gets more difficult, so it will get more expensive.

• The Risk Department spends more time playing spreadsheets than managing Risk

• Unless you add more and more people to the Risk Department, even limited in-depth analysis of risk and control is difficult across departments.

It will become harder to be confident that you (and therefore the CEO and Board) have a complete view of the inherent and residual risks affecting the organisation and the cost/effectiveness of their respective controls:

• Nobody can be sure that every risk has been covered. If your company is of any size you may have your work cut out to obtain all relevant staff views when seeking such assurance

• Can you keep fully up to date?

• Management reporting becomes a lengthy and expensive task to do, potentially resulting in a lack of confidence in reporting

• It is harder to pick out the important controls and to ensure that all follow-ups are completed and all issues dealt with

• It may be harder to correctly cost-justify the amounts being spent on individual controls.

If you are looking after a group of companies, or even a single company with multiple departments that need to or like to report separately:

• It may be difficult (or at least time-consuming) to get a Group picture of Risk

• It may even be difficult to get a group approach to risk if the separate spreadsheets are hard to control

• If different areas are actually being reported separately it is much harder to ensure that different parts of a Group benefit fully from the experience of other areas.

Regulators like to see that you have everything under control:

• If you do have a specific regulatory requirement like the demonstration of adequate Risk Capital, it may be more expensive to comply when gathering the data from multiple sources.

• It may be harder to provide justification for the data that you do provide to your regulator.

3. Benefits and Spin-offs

If you do change what are the benefits? Are there spin-offs beyond Risk Management?

Some benefits are generic to a data-based system, while some are specific to the features available in different systems:

• Use of a database-based system should remove the data “issues” that can result from the existence of multiple copies of spreadsheets.

• Reporting progress is much easier, even in a single unit business. In a more complex entity, it should become far easier to report at any level in a company separately, as well as at group level.

• C4Risk includes collaborative risk and control scoring, making it much easier and cheaper to involve more and more people directly in the risk process. Assuming that your own people know their business, the effects are that:

  o your staff become more risk-aware, and the risk process becomes part of the normal way of doing things

  o identification of risks not yet recognised is facilitated

  o greater objectivity in assessment of Risks and much more transparency is achieved

• With C4Risk, you should be able to satisfy all interested parties – the Board, shareholders, auditors, regulators and rating agencies if relevant – more easily and cheaply.

There can be other benefits beyond the technicalities of risk management.

A good database-based risk system should include other features such as a task manager, which can be used to automate the follow-up on issues raised on specific risks or controls. Once you have that task manager it follows that you may be able to use it for other things – for example the periodic tasks that have to be done for compliance purposes, or any other tasks in other departments that have to happen but are controlled manually or in spreadsheets. As well as gaining a company-wide task manager you may be controlling tasks that constitute a risk in themselves if not completed on time.

4. How do I quantify the ROI?

For many companies, justifying the ROI [2] may appear difficult as the whole concept of Operational Risk is to look at risk that you hope will never happen. If you fail to identify risks, what is the likely cost to the company in terms of lost sales, damaged reputation and perhaps regulatory censure? However, there are some obvious areas to look at – the direct cost of wasted time and external cost that could be saved:

• Staff costs – how much time is now wasted? For example in

  o Amending the spreadsheets

  o Copying and pasting data from sheet to sheet

  o Creating reports that could be run at the touch of a key; this could be a particularly extensive cost element if your company is complex in structure.

• If your business is expanding, extrapolate your staff cost figures to allow for the expansion. A small cost now may become a large cost for a relatively small expansion

• External costs – do your external auditors or consultants do part of the Risk Assessment job? Are you paying unnecessary fees as a result?

• C4Risk for example can be used to produce an Expected Loss per annum for each Operational Risk and an aggregate figure. By promoting effective risk and control management where the cost of control is less than the Expected Loss, any reduction in the Expected Loss represents a cash benefit

• Capital calculation – if your business is covered by certain aspects of the UK FSA’s regulations or by Solvency II you may have a requirement to supply data to justify capital requirements. Can you save money if the data comes straight out of a new Risk system?

If numbers can be generated from these considerations, the resultant Business Case can look compelling. A small reduction in Expected Loss, allied with potential capital support savings, can produce rapid payback. As there is little or no direct front-end cost of C4Risk (apart from the Licence Fee), the IRR calculation, if undertaken on an annual basis, may not have a meaningful result as we would expect year 1 cash flow to be positive. NPV calculations will also be supportive.

In addition, the intangible benefits of C4Risk add to the case for adoption. C4Risk provides risk information in an efficient, flexible, transparent, customisable and scalable manner. Staff buy-in and risk awareness are promoted, thus improving overall control in the organisation.

For many companies the perceived tipping point may be the bonus aspects of a data-based system where something else can be added easily to a risk system to streamline another function at the same time. The close links between Risk, Audit and Compliance and the potential for shared information provide an obvious area for cost savings. Risk-based audit requires good risk information. Regulatory and financial Compliance requires regular monitoring of risk information.

[2] What do we mean by ROI?

When putting together a case for investment – or at least, having some influence over the decision to purchase – it is essential that the benefits can be articulated in financially recognised terms. Finance teams traditionally use three measures to assess what makes a good return on investment:

• Payback – How long will it be before the original investment is repaid through reduced costs or increased revenues?

• IRR (Internal Rate of Return) – The percentage rate of return on the incremental spend, over a selected time period, comparing all the benefits with the original cost (if the IRR is much better than the bank interest rate, this is a good investment)

• NPV (Net Present Value) – A £’s profit measure in today’s terms, comparing costs out, savings in, and an annual cost of money.

5. Who benefits?

Who do you need to buy in to this proposal? Which stakeholders will benefit?

• The CEO – whether or not you are on the Board, the CEO no doubt takes personal responsibility for many areas of business risk, and relies on you to provide accurate data. The CEO would also like ideas for positive opportunities – are you able to pick these up in the current approach? If you are subject to external rating agency review or even review by your clients, can you help increase sales by improving Risk Management?

• The FD – your FD will have a natural instinct to improve risk management but also a natural instinct to avoid unnecessary expenditure. However, he or she may want to see the increased access to reporting of potential problems in advance that a database-based system should provide, and may welcome a tasking system that could control any manual processes, and even be used by Finance.

• The Board – everyone has an interest. The non-executive directors these days have particular interest in Risk, so much so that the UK’s Financial Services Authority produced a specific “Guide for Non-executive Directors” to their Risk-based approach to regulation.

• Senior Managers – show them that they can get benefit from this too. If you can, make it easier for them to identify issues that may directly affect their own area before those issues cause them problems.

• Compliance – if you have a specific Compliance team you will no doubt be working closely with them already. Can you help them on the task-management side?

• Internal Audit – does the system have additional facilities that would make the life of an internal auditor easier?

• Risk – from the Risk Department’s point of view, if the mundane tasks can be automated and a greater depth of data generated, how much will you improve the job satisfaction of the Risk staff? How much will you be able to improve the company’s Risk status and even bottom line if you are subject to Risk Capital requirements?

• External Audit, Regulators, Rating Agencies – these may not all apply to your company but they are examples of entities to which you may need to show evidence of a Risk process and justification for the statements made about residual risk, for example in your company’s annual report. They all have an interest in the transparency of your risk control systems.

[2] (continued) With a combination of all three measures, it is possible to deliver a full ROI-based business case for review by the stakeholders who will be making the investment decision. It is worth considering that the stakeholders may also be reviewing other cases for investment, and your case needs to be stronger in order to ensure signoff.

6. Objections

Some possible objections (with responses specific to C4Risk) are below:

1. “Have we got to do an expensive parallel run?” – It will be your call as to when to start using C4Risk, and you can drop the “free” spreadsheets as soon as you are comfortable with the new system.

2. “We have spent enough time getting our staff to understand the current way of doing it” – C4Risk is flexible so that at least the words on the screen will be familiar. If you want to call it “MyCoRMS” rather than Cognitix 360 you can do so.

3. “I don’t want to put the staff through yet another system training programme” – C4Risk is easy to use, particularly for casual or occasional users. We support all Licensees to ensure that staff are able to use C4Risk to full effect.

4. “We do not need a “Big Bang” change in Risk Management – that will only increase our risk” – C4Risk allows you to start small and grow at your pace.

5. “This is yet another database” – true, but it is a database built by risk managers for risk managers.

7. Summary

Making the case for investment in Risk and Control Management is not straightforward, as it is not always easy to identify clear revenues and costs that are associated with the project. Reducing the impact – at a cost – of something that “doesn’t happen to us”, with the savings that only might arise, could challenge a creative accountant. However, in Cognitix360, we believe that the C4Risk software can stand up to close scrutiny when all considerations, financial and otherwise, are taken into account.

“Do nothing” becomes a decreasingly tenable strategy as the amount of risk data increases and the wide-ranging capabilities of C4Risk become more valuable.
