Continuous Risk Management for Financial Institutions
CRM (Continuous Risk Management) is a discipline that runs through a step-by-step cycle of ‘Identify, Analyze, Plan, Track, Control’ and then back to Identify, at all times preparing to communicate and share results to document the process.
The first step is Risk Identification: writing risk statements for those risks, discussing mitigation strategies, and selecting those strategies that are deemed to be the most efficacious. Risks should be measured both qualitatively and quantitatively so that a discussion can be had about the “Likelihood of the risk” (X) and “The severity of the Risk” (Y), and a risk-weighted answer can be derived.
Key is the identification of risks early in the game to enable more efficient use of resources. To do this one MUST involve personnel from ALL levels within the organization as well as from key suppliers and customers. There are information trade-offs based upon priorities and assessments – but these are part of finding and addressing these issues early and increasing the chances of a given project’s success.
Identify – The purpose is to locate risks before they become surprises. It is part of the process of transforming uncertainties about a project into distinct (tangible) risks that are both described and able to be measured.
Analyze – The purpose is to convert risk data into choice-making tools. The process is the examination of the risks in detail in order to determine the extent of the risks, how they relate to each other, and which risks are deemed to be significant.
Plan – This is translating the risk information into decision making and mitigating tools and to implement those actions. Choosing what should and should not be done about risks and then doing it is key to implementation.
Track – Monitoring your chosen risk indicia and the mitigation, transference or acceptance plans tied to those risks is a must. The data collected from tracking is your feedback on how well you planned and whether the plan needs to be revisited or adjusted.
Control – This is about making timely and informed choices on your risk management plans, and reporting to all of the stakeholders involved.
Communication – The feedback from those who are monitoring the plan to the stakeholders is key both to dealing with the risks you have identified and to surfacing new risks, risks that have not been considered, or even a risk that needs to have its weighting re-assessed.
92% of those polled who use CRM said it was helpful to very helpful in understanding how a project was moving forward and their place in working on the project.
CRM reduces “surprise fires” and plans for contingencies, so that a risk is identified before it manifests itself. It also formalizes the analysis and documentation of the risks and how the risks are to be addressed.
CRM is mentioned as most of the regulatory failures, and subsequent fire drills and fines, that we have seen from the inside have all come from financial institutions that did not have, use or even understand CRM. One claimed to have CRM – but it was a top-down directive that was not to be shared. So it was not CRM.
CRM for a financial institution is not just about the regulators. Think of the investments, the officers and directors, the advisors, the products, the “Enterprise Solutions” which are often neither enterprise-wide nor a solution, whose risks could have been addressed so long ago, but remained nothing but the larvae of fire drills and fires just waiting for the wrong time to erupt.
Please do consider CRM as well as a very broad and decentralized approach to risk management. It might be amazing what you will learn and what you can do.