One of ORX’s main priorities in 2023 is to create a Reference Risk Indicator Library. This will help organisations in benchmarking their current risk indicators, support enhancements, and accelerate the internal development of risk indicator libraries, which can otherwise be a costly and time-consuming process.
Working with Oliver Wyman and over 60 leading financial institutions, the Reference Risk Indicator Library will be created through the analysis of member data, as well as input from experts in the ORX community.
Following the work already completed on this project with our members in 2022, we published a guidance paper on how to make risk indicator practice more effective. From this we highlighted seven things to think about to streamline your processes.
7 ways to improve your risk indicator practice
1. Increase 1st line of defence (1LOD) management involvement in the risk indicator process
Around 50% of ORX members believe 1LOD management need to be more involved in the risk indicator process. There are a range of views as to what this involvement should be. The greatest variation is around the 1LOD’s role in the identification of risk indicators and threshold setting. In almost all cases, the 1LOD are responsible for taking appropriate management action and therefore need to view the identification and monitoring of risk indicators as value adding. Greater 1LOD involvement in the identification process can potentially help identify and source better quality risk indicators, and breaches are more likely to drive 1LOD action.
2. Standardise the process by developing a risk indicator library
A majority of ORX members are engaged in or planning to standardise their risk indicators. These initiatives follow a similar process to the standardisation of their risk taxonomy and control libraries. Standardisation may include the development of an internal risk indicator library, which is usually co-ordinated by the operational or non-financial risk (ONFR) function and supported by 2LOD risk function specialists (for example. the Global Compliance Team), often with 1LOD collaboration.
3. Identify better quality risk indicators focused on understanding inherent risk and monitoring controls to inform pre-emptive management action
A key focus of ORX members’ risk indicator change programmes includes the identification of better-quality risk indicators which support proactive management action. Some members have been focusing specifically on risk indicators that measure their inherent risks and/or the effectiveness of their controls as this can provide timely warning of a change in risk profile before an event occurs. This presents the advantage of making risk indicators more actionable.
4. Make backward-looking indicators more predictive and comparable by using trend analysis and relative measures
Approximately 75% of risk indicators submitted by members to inform the development of the ORX Risk Indicator Library are considered to be backward-looking or ‘lagging.’ Therefore, in a significant number of cases, risk indicator reporting is telling 1LOD management something they already know. While most members are aiming to address this by prioritising the identification of more forward-looking risk indicators, many are also seeking to maximise their use of lagging indicators, for example by using trend analysis.
5. Identify opportunities for greater automation of risk indicator collection and reporting to improve timeliness and accuracy of data and reduce the manual burden
Increased automation is viewed as a key enabler. More than half (57%) of ORX members are already introducing, or have plans to introduce, greater automation into their risk indicator process. Members have shared that the ideal approach is to establish automatic feeds from source business systems directly into a GRC system and/or reporting systems. This reduces the burden of manual collection, avoiding double keying of data and freeing up time for more value-add activities.
6. Make the main emphasis of risk indicator reporting a clear message focused on what has changed in the risk profile and suggest what action should be taken
A number of ORX members shared how they have moved away from reporting a complete list of risk indicators to the Board and management. Instead, their focus is on exception reporting and providing a supporting narrative that tells a story of how the risk profile has changed. This may be informed by the ONFR function’s consideration of several risk indicators in conjunction with each other. For example, increased staff attrition, increased change activity and new regulations could combine to create an overall picture of a heightened risk profile where action is required.
7. Integrate risk indicators into broader ONFR processes, in particular the RCSA and risk appetite reporting processes
Risk indicators are an important component of an ONFR management framework, supporting the identification, assessment, and monitoring of key risks and controls within an agreed threshold or appetite. However, if a risk indicator is used in isolation, it may provide limited or no insight to management. A recent poll of ORX members showed approximately a third of risk indicators are effectively linked to RCSAs, a third to controls and a third are not linked to anything. Almost half of ORX members are focused on enhancing linkages to other ONFR processes.
How to access the library
ORX members will be able to access the library for free as soon as it is published towards the end of Q2 2023.
Or, if you're not a member, you can sign up to our interest list to receive updates and be the first to know when it is available to purchase.