Enterprise Risk Management – Traditional and Emerging Components

1. RISK
FRAMEWORK

2. Enterprise Risk Management – Traditional and Emerging Components
Today’s ERM is composed of both traditional and emerging risks – both being key considerations for risk frameworks.
ERM
TRADITIONAL RISK
EMERGING RISK
Cyber – Data Privacy, Terrorism,
Cyber Threats
Disruptive Innovation – FinTech,
Digital Profiles, Technologies (AI,
Blockchain..) & Social Media
Other…
Conduct and Culture – Ethics,
Behaviour and MI Reporting
CRO – Operational, Regulatory and
Compliance Risk
CIO – Data, Analytics and Security
CTO – Systems and Technology
Infrastructure
Progressive,
integrated, and
thematic
Hierarchal, siloed
and aligned to ‘three-
lines of defence’
model

3. Enterprise Risk Framework – Integrated Risk Framework
Cyber
Disruptive
Innovation
Conduct and
Culture
Metrics and Reporting
Investigation Management and Financial Intelligence Unit
Case Management
Analytics
Data Management
Data Storage
• KPIs/KRIs
• Operational MI
• Visualisation
• Data aggregation
• Model performance
• Risk assessment
• Holistic customer risk
• Cross Function investigation
• Case management analytics
• Document management
• Work flow
• Consolidation & scoring
• Case analytics
• Holistic data view
• Model optimisation
• Model management
• Anomaly /Pattern analysis
• Predictive analytics
• Peer analysis
• Data policy & governance
• Data integrity
• Data Compliance & Protection
• Data validation
• Data interfaces
• List management
• Internal data
• External data
• Relational data
• Unstructured data
• SLA management including third parties
Common KPIs, metrics or functional accountabilities /
capabilities (Industry wise & Country wise)
Emerging Risks
Framework aligns closely with business units and technology groups to enhance risk capabilities, focusing on developing more adequate
models for addressing the emerging risks.
Traditional
Risks
DISCOVER
with insight
DESCRIBE
with impact
CO-CREATE
with agility
SUSTAIN
with improvement
SCALE
with excellence

4. Infringement of the EU GDPR can result in administrative fines of up to 4% of annual global
turnover or €20 million – whichever is greater.
CCPA (California Consumer Privacy Act) penalties in the law can include up to $7,500 per
violation. Effective from Jan 1st 2020
Erwin’s 2018 state of Data Governance Report states that only 6% of the companies are
prepared for Data Compliance & Protection regulations.
Brazil’s version of GDPR going live in February 2020, followed by 104 more countries who are
in process of drafting their own Data Compliance & Protection regulations.
Challenge -> Opportunity
Upcoming Challenges leading to huge opportunities
Note: In this case considered Data Compliance & Protection Risk Opportunity
From Burden… ..to Opportunity…
…to Strategic Market
Differentiation…
Target Audience: Across all Industries, Mid level Enterprises in respective countries where DCP law is applicable.

5. Risk Based
Decision Making
Digital Experience
Agile Enterprise
Enterprise Risk Framework Capability
Customer
Digital Experience
Enables the office of the CRO to drive digital
capabilities and minimize brand and reputational
risk through digital technologies. Includes:
• Upskill capabilities and improves risk culture
• Mitigate loss to customers and shareholders
• Value Realization
• Customer security and experience
Risk Based Decision Making and Profitable Growth
Uses a single-source of data and predictive analytics to measure and
assess value creation opportunities across the enterprise. Includes:
• Business risk analysis
• Integrated Risk Investment decisions
• Quantification of risk impacts
• Reduced risk capital allocation
• Risk based pricing and scenario analysis
Cost to Serve
Agile Enterprise
Helps clients strategise and design new digital risk
operating models that integrate front to middle
and back office activities across multiple
processes risks focused on achieving business
outcomes. Includes:
• Multi functional and empowered workforce
• Scalable and adaptable
• Influence and span of control
• Speed to consumer (both business and end
customer
Strategic Cost and Risk Reduction
Reduce cost of control and cost to serve through rationalization
of control measures and long term operation cost benefit of
improved technologies. Includes:
• Lower yearly rate of internal audit risk services
• Lower cost to serve
• Reduce regulatory cost
What value can be gained across the Organization ?
Enterprise Risk Framework – Value Proposition

6. REGULATORY CHALLENGE
Increasing demand from multiple regulators in
multiple jurisdictions
TALENT CHALLENGE
Shortage of skills in new and
emerging technologies
Shortage of core risk management
talent and skills
TECHNOLOGY CHALLENGE
Increased velocity, variety and
volume of data
Legacy technologies within the risk function
INTEGRATION CHALLENGE
Lack of integration with other business
functions, e.g. front office, operations, finance
OVERALL RETAIL COMMERCIAL
Sample Research Reports
High
Medium
High
High
High
Medium
How advanced is your institution’s use of the
following technologies?
What technologies enable your risk function to
address cost pressures?
Priority risk management capabilities to strengthen
Lack of integration with other business functions
was a challenge that impeded the effectiveness of
the risk function
Questions to C-Suite
Medium High Medium
High High High
Sample View of Banking Risk Assessment Heatmap
Research Insights across each Industry on Annual basis region-wise can be provided providing heatmaps of Regulatory Challenge, Talent
Challenge, Technology Challenge and Integration Challenge.
78% 81% 75%
78% 78% 78%

7. APPENDIX

8. Cyber & Disruptive Innovation – How to assess and report
Cyber threats are increasing and as the world becomes digitised and sensitive data resides in the cloud, on mobile devices and across the Internet, organizations
need to take an integrated view of their operational risk and cyber security. Disruptive innovations and digital technologies are sweeping across each Industry,
forcing a change in business and operating models. In the digital world, reputation and brand can quickly erode.
1
The Problem?
2
What can Risk do?
3
What is the Value?
Intensified customer power and
behaviour with new competition
appearing overnight
New commercial environment
creates new and unknown metrics
Integrate digital risk operating
model with integrated real time
KPIs/KRIs
Overlay reputational risk
management solutions such as
Social Media Monitoring
Customer Risk Analytics improve
returns and business decisioning (fraud,
marketing, customer, pricing, product)
Employ dedicated resources to sufficiently
understand digital risk and issues
Better devices and better connectivity
improve user experience, but create
an entry point for business risks
Increased knowledge understanding and
capital creates a proactive organisation
Real-time KPI/KRI help make strategic
decisions more rapidly and effectively
minimising cost and loss
Cyber attacks are a matter of
“when” not “if”
Cyber threats are growing and under
increasing scrutiny from regulators
Institutions must build resilience
into their business
Embrace a digital Ecosystem; robust
digital capabilities and technologies
outside the enterprise.
Manage digitally; requires real-
time orchestration of myriad
internal and external services.
Institutionalize resilience; ingrained at the
outset into objectives, strategies, processes,
technologies—and even culture.
Reduce potential business impact by
having robust crisis and continuity data
breach procedure
Proactive detection to identify, assess
and correct weak and vulnerable
operations within your business
Prevent reputational damage and mitigate
potential harm to customers and shareholders

9. Across the three common categories of data governance, vendors are on average very mature with over 66% of companies at growth stage of
development.
Data Privacy and Protection Vendor Sources
DATA CLASSIFICATION
(Few Examples)
ENCRYPTION
(Few Examples)
DATA LOSS PREVENTION (DLP)
(Few Examples)
Other Indicative Data Sources for Proposed Framework
 Assessment & Gap Analysis based on Industry and how big the organization volume of data
 Roadmap Design & Execution - Identify tactical remediation for prioritized areas to ensure key mandatory requirements
 Data Discovery & Knowledge Graphs - Identifying critical data on systems and records of data processing/ storage with data
subjects, legal basis, etc. through machine-learning driven data discovery.
 Continuous Monitoring & Tracking - Execution of tactical remediation recommended from roadmap through changes in processes,
policies and procedures.
 Risk to Advantage – Converting risk into a competitive advantage
Source: DLP, Encryption, Data Classification Individual Website sources and Owler