Helen: Hello and welcome to the ORX Podcast. My name is Helen L’Abbate and I'm hosting today's podcast. And in this episode, we'll cover some of the main findings from our recent publication, looking at practical ways in which firms are currently uplifting and rethinking their approaches to controls. Joining me today in this discussion are two of my colleagues who have been involved in this recent work. Hi, Emilie.
Emilie: Hello.
Helen: And hi, Abi.
Abi: Hello.
Helen: Emilie's our senior research manager and Abi is our assistant research manager on the team. So let's get straight into some of those findings. So from the recent research, I think it's fair to say that firms have put in a lot of work to improve their control data to lay a solid foundation. So Emilie, can you talk a bit more about that?
Emilie: Yeah, no, that's definitely fair to say. So about, coming up to a year ago now, we initiated the study that we're discussing today and we started off with a bit of a group discussion. And what became quite clear quite early on in those discussions was that before the sort of more forward-looking aspirations can be achieved and explored, there are some fundamental things that need to come together and happen first. So again, I think it's fair to say firms have been on a bit of a journey over the last couple of years, bringing all of our controls data together at a group or central sort of level. From different business areas or business lines or inventories, and then bringing that together and then standardising the data, rationalising it, removing duplicates or non-controls or controls that aren't no longer being operated or required.
So ultimately, that journey I just described has been a bit of a data cleansing exercise, and many firms said that they've used AI to help that sanitisation process, but also to help refine the controls descriptions and drive that consistency. But ultimately a journey to standardised and rationalised data.
Helen: Great. And it's fair to say that that's coming together in control libraries?
Emilie: Yes, definitely it is now. So, one of the big findings from our report was that almost all firms that we asked now actually either have set up and developed a central control library, or they're in the process of developing one, or they plan to do that in the near future.
And that is a significant development in just under maybe five years, I would say. So we did a study back in 21, 22 when we published our control library. And at that time, it was only around a third of firms that were doing that.
So control libraries provide that structured and central place to bring together controls, to offer greater visibility of the control environment, to drive a better understanding in the business of controls and how they're prioritised, and potentially also for better governance around controls.
Helen: Great. And Abi, are there any other really fundamental areas firms have been working on?
Abi: Yes, definitely. So one area which comes to mind is around definitions. So around driving a more common understanding of what a control actually is, and maybe importantly, what it is not. And again, it speaks to the point Emilie was making around standardising controls. And a lot of work has been done to drive a better understanding and discipline in language around control descriptions.
Helen: And presumably that extends to the age-old terminology of key controls.
Abi: Yes. So another really important development is a greater focus on control prioritisation. Again, gaining a common understanding of what the firm considers a key or material control is a vital first step, but setting out a clear understanding of how those controls should then be prioritised or treated differently in terms of oversight, monitoring and testing is crucial to the wider effectiveness of risk management.
And firms have different ways of tiering their controls. So in some cases, that is driven partly by regulatory requirements or expectations. Some have multiple tiers of relative importance, while others have simpler structures in place. But there isn't an industry standard of what important looks like or means. But generally, progress is being made within individual firms in terms of setting out what those most important controls are and why.
Helen: Thank you both. So now let's talk about what comes next after those building blocks have been put in place. Emilie, I know there's a real aspiration to become more dynamic and real time in terms of how controls are monitored and analysed. Could you cover that a bit more?
Emilie: Yeah, of course. No, that's definitely that aspiration you just listed there to make monitoring less static and less periodic. So around 70% of firms told us they're working on enhancing their capability around real-time control monitoring. A lot of that comes down to having access to good quality data and then having the tools to monitor it.
But in the past and still today, there's a lot of focus on identifying or enhancing control indicators and then monitoring them on an ongoing basis using things like dashboards or other live reporting tools. But I think it's also fair to say we're starting to see a bit of a shift, a bit more experimentation around real-time monitoring, so leveraging AI and automation a bit more. So some of the examples that we've heard are real-time monitoring via data from automated controls or automated control testing, or even developing AI agents that can support with live monitoring.
Helen: Brilliant. And Abi, our recent report also talks about a broader focus on how controlled data is leveraged for insights. Could you expand on that?
Abi: Yes, so there's a big push to leverage data for greater insights beyond the RCSA. So we've seen an ongoing trend of mapping controls along horizontal, end-to-end processes, services, or value chains.
And often this is initially performed as part of operational resilience activities, but in many cases, it is being brought together with horizontal risk and control data for a more complete picture of the risk profile and a closer integration between risk and resilience.
And we are also starting to see control data be connected to or mapped to regulatory obligations, risk causes, internal guidelines and procedures, and external risk event data. And this is sometimes being done using AI as an accelerator of speed, an enabler of greater quality linkages, and to reduce manual efforts. And the full paper talks a bit more about some of the specific benefits and insights this is driving. But overall, there is an aspiration to drive more informed decisions, better foresight, and ultimately greater resilience.
Helen: Great, thank you. So, let's look ahead a bit more now and in terms of where we see things going. Emilie, do you have any thoughts on this?
Emilie: I do. I would say the direction of travel is towards more real-time monitoring. So, we already talked about that and also more real-time management of controls. So, as I said, I think the industry has been on a bit of a journey and I think that journey is continuing. So, it is a lot more of the same of what we've already discussed.
So, a journey of uplifting controls practices in terms of having a central well-governed library of controls than having greater capability around being able to track and monitor how those controls are performing on a real-time basis. But I also think there's a point here about the wider context beyond controls, and Abi just touched on it. There's generally a push for greater connectivity between data across risk framework and beyond the risk framework too.
So, including also things like bringing in more external data. And that's certainly true for controls too. So, those examples Abi just gave are really good ones. And I think we'll continue to see more of that data connection going forward for an even more data-driven approach. And as Abi said, better decision making.
Helen: Great. Thank you. I'm going to try and attempt to summarise all of that, but obviously really important things for our members and our listeners, given that controls are clearly articulated as a clear priority for many in terms of the conversations that we have on a regular basis, the forums that we've been holding recently, where controls has really been highlighted as a key priority.
So, to summarise, I think the key first step is getting the foundations and building blocks in place. standardising and rationalising control information. And then I think it's about ensuring controls are clearly prioritised and that it is reflected in how they are therefore being treated. There's definitely a move to more real-time monitoring of controls and also connecting control data with other risk data for more greater insights, better decision making and resilience.
So, the paper we published goes into more detail on some of the practical considerations on how technology is starting to be used to explore some of these aspirations in even more detail. And it also features a section on control automation, looking at where firms are starting to realise those significant efficiencies from reducing their reliance on manual effort.
And finally, it talks quite a lot about control libraries and the progress that has been made with developing these. which feels like a good point for me to announce that we are also refreshing our control library this year. So, that work has started. We're asking our members to share their control libraries with us. And we'll go through a similar process that we went through when we created the original control library, where we leverage all of the insight and data that our members share their own control libraries and create an industry best practice reference standard for you all to use.
So, look out on our website for more details on that.
That leaves me to thank you all for listening to this episode of the ORX podcast. If you'd like to explore and access the report we've referenced today or any of our research and resources, you can do so at orx.org. And as always, thanks for joining us.
Abi: Thank you.
Emilie: Thank you. Bye.
