Enterprise Risk Management

Requirements for introducing a risk management system often come from company owners rather than the regulating authorities. The proper setup of the sub-processes of this system is a necessary prerequisite for its correct and efficient operation. The outputs of an effective risk management system can be used in key decisions on the strategic direction of the particular institution.

However, it is important to bear in mind that the implementation and maintenance of the risk management system is often required by regulations (e.g. Basel II / III or Solvency II), and standards (e.g. ISO 31000). ARM offers its services in the area of introducing or revising the risk management system for all companies interested in managing their risks.

Services Offered:

• Set up of risk management system processes
• Methodologies for identification, valuation, and risk management
• RCSA – method for an effective risk management system
• Creation of a risk catalogue (map)
• Set up of incident collection
• Set up of key risk indicators and internal limit system for continuous internal management
• Set up of Risk Appetite
• Set up of internal reporting

The Processes in a Risk Management System

• Design of the key processes necessary for effective operation of the risk management system with regard to:
  
  • Company management requirements and goals
  • Size and complexity of the relevant institution
  • Relevant regulatory requirements and related standards
  • Ability of the system to respond flexibly to changes
• Ensuring interconnection with other institution processes (e.g. supplier evaluation process, evaluation of suitability of future projects, business relations risk analysis, etc.)
• Definition of target organizational arrangements and clarification of the individual roles in the risk management system.
• Integration of the risk management system into the strategic management of the institution:
  
  • Definition of powers and responsibilities
  • Risk management system operation schedule with regard to the related processes
• Risk management strategy creation/revision, with the output of the above-stated areas taken into account

Methodology for Risk Identification, Evaluation and Management

• Design of rules for risk identification:
  
  • Appropriate method selection
  • Description of the principles of the selected method
• Design of principles and rules for:
  • Assessment/measurement of impact of identified risks
  • Assessment/measurement of frequency of identified risks
  • Determination of the overall severity of risks
  • Incident (event) collection
• Design of risk management rules:
  
  • Taking into account the overall severity of risks in the development of the risk management procedures
  • Principles for creating corrective measures, approval, interconnection with business/financial plans and related controls
  • Monitoring methods for the implementation of the proposed measures
• Creation/revision of methodology (or internal guidelines) for the risk management system taking into account the outputs of the above-stated areas.
• Provision of training and workshops on the risk management system in the individual departments of the institution:
  • Introduction of the created methodology to the company management (summary of the main principles and the direction in future periods)
  • Preparation of training materials for the departments involved (based on the principles of the prepared methodology)
  • Presentation of the training materials (this can be left to the relevant institution risk manager upon agreement)

RCSA Method for an Effective Risk Management System

• Creation of a template for recording:
  • Identified risks, including their valuation/measurement in terms of impact and frequency
  • Currently performed controls and implemented corrective measures with regard to individual risks
  • Newly defined controls and corrective measures, the person responsible for its approval and implementation
• Definition of impact assessment scales with regard to the business area, size and complexity of the institution (e.g. financial impact, reputational impact, impact on end customers, legislative impact, etc.)
• Definition of the frequency valuation scale with regard to the type of institution and the duration of its business (taking into account the competitive environment)

Risk Catalogue (Map)

• Assistance in identifying and assessing risks or verification of the proper operation of this process
• Creation of a risk catalogue framework with regard to the established risk management system or the RCSA template
• Set of rules to maintain the current risk catalogue
• Database incident analysis to identify the parts of the institution that are more exposed to risks, including analysis of the reason for this greater exposure 

Incident (Event) Collection

• Assessing an existing (or creating a new) system for incident collection to:
  • Capture all relevant information on operational risk incidents
  • Ensure the comprehensibility of the system for individual users
  • Eliminate errors in the input information
• Assessing whether users are well acquainted with the collection system (including the possibility of training users - for example, designing an electronic wizard to guide the user through the process of entering an incident)
• Set up of an incentive program to motivate system users to enter information on incidents that have occurred
• Designing or implementing a system for collecting incidents in case a system of this type does not exist in the institution

Key Risk Indicators and Internal Limit System for Continuous Internal Management

• Assistance with identification and creation of indicators for significant risks of the institution
• Setting of indicator limit values, which, if exceeded, will indicate an increased level of the relevant type of risk
• Creating escalation mechanisms and follow-up steps in case of set limit values being exceeded
• Designing or implementing a system for regular monitoring of indicators
• Establishment of a methodological procedure for the revision of indicators and a related system of limits 

Risk Appetite

• Designing company Risk Appetite and ensuring its interconnection with:
  • The institution strategy
  • The business plan
• Setting rules for Risk Appetite revision in the event of a change in input assumptions (e.g. when introducing a new product or a change in the external legislative environment, etc.)
• Defining rules for Risk Appetite evaluation:
  • Evaluation frequency
  • Escalation mechanisms
  • Incorporating the evaluation into the internal reporting

Internal Reporting

• Creation of internal reporting rules in relation to the risk management system, incident collection and internal limit system:
  • Provision of an information framework and level of detail with regard to various managerial levels (line management vs. senior management vs. board of directors)
  • Reporting frequency
  • Information flows
• Assistance with creating a relevant company risk report (basis for regular meetings of the board of directors, the supervisory board)