Packaging risk

August 2013 Security Services & Risk Management

Risk management is a broad category that encompasses a range of security and non-security related topics. Traditionally, risk management was a manual process that required specialised skills, time and, of course, money. Hi-Tech Security Solutions wanted to know what risk management processes have been automated or computerised (or even outsourced) to streamline compliance and give companies the chance to manage their risks in near real time.

Can risk management be packaged? If so, which parts of it and what services and packages are out there? We spoke to two people actively involved in the risk market, although in very different areas. Mariette Barends is a director at IPAC Risk and Steven Ngubane is senior business development manager, risk at SAS Institute.

Hi-Tech Security Solutions: Can risk management solutions be packaged into an application or an outsourced service? How does the end user decide whether a service offered will deliver the goods and assist his/her company in complying with legislation and best practices?

Barends: The field of human risk management has unfortunately been treated too long as an orphan or as that family member which everybody knows, but doesn’t talk about. Human risk mitigation benefits the risk manager but the processes are within the HR domain. However, if the risk manager is not really involved in human risk mitigation strategy, planning and policies, then the best systems, processes or equipment will not assist in the reduction of pilfering, fraud or even dysfunctional behaviour. Security managers cannot distance themselves from human risk mitigation anymore as the human element is indeed not the consistent factor.

International research conducted by Dr Deniz Ones indicated that the best process to augment any company’s risk mitigation strategy is to ensure that employees be subjected to an integrity assessment process which would provide an holistic or integrated view by analysing different focus areas of the individual, such as the verification of all possible tangible information, psychometric instruments measuring integrity, cognitive and personality and, last but not least, manifested behaviour.

Today you can open any newspaper on any day of the week and there will be some articles highlighting human risk behaviour such as fraud, corruption, theft and wrong judgement calls. It is of paramount importance that we as risk officers do not become complacent or accept human risk as a fact of life. All should take responsibility and accountability as the problem can be addressed and the individuals who have a propensity towards negative behaviour could either be kept out of the workplace or at least identified and managed with strict governance.

While there are various companies in the market claiming to mitigate human risk, the end user is not always knowledgeable enough to distinguish between the retriever and professional background screening companies. With the current austerity climate it is also a challenge to get a tick in the box versus costs. With this approach, risk is not mitigated, just postponed.

Ngubane: The answer to this question is yes. This obviously is dependent on the size of the organisation, the type of risk being managed as well as where they are in the risk maturity curve. Some companies may not have the necessary skills or the resources to implement some of the more complex functionality that characterises some of the risk management solutions. In this case it makes perfect sense for an organisation to seek to partner or augment its staff with consultants who are experts in the field during the project implementation to bring about efficiency in the process as well as cost and time savings.

In the current climate where most boards are hypersensitive to costs it is imperative that such projects are able to quickly prove not only the ROI, but the impact to the business and company objectives. Using consultants who are experts in risk management fields may assist an organisation to maximise the success of such projects and therefore prove the ROI and make data more visible to executives. In most companies the value of the risk management function is not immediately visible and so risk managers should seek projects that have a more direct impact on the company strategies and decision making. This is where risk management should add value.

Outsourcing generally is not a bad strategy and it has proven to be effective in most cases, but it brings significant risks that must be recognised and managed. In outsourcing, a company is relying on someone else to run certain business functions. At the basic level the idea behind using risk management practices is to protect businesses from being vulnerable. Once the risks are identified, the risk manager will create a plan to minimise or eliminate the impact of negative events. Risk management should therefore be embedded in every decision making process of an organisation.

Given the above I do not believe that it would be either beneficial or practicable for any business to totally outsource the risk management function to a vendor or third party. Yes, some parts of it such as the same industry models, score cards and risk calculators could be outsourced as these do not necessarily give a competitive advantage and could easily be commoditised, but certainly not the whole risk management function. No business conducts itself in exactly the same manner as its peers and therefore to manage risk efficiently one needs the intimate knowledge about the business of the business.

HSS: What services are currently offered as a package (either as an application or an outsourced service)?

Barends: Although an array of products is provided by IPAC, the solutions are tailored to meet the particular human risk needs of a company and are even scalable to address different risk needs within a company. The service should ultimately be managed as an outsourced function by a company and should augment the HR processes in establishing if the candidate is the right person for the particular job. The benefits will be measurable by both HR and risk measuring with their own metrics, e.g. HR for retention, disciplinary, productivity and risk for the fraud, theft, etc.

Ngubane: For banking: SAS offers a solution called SAS Risk Management for Banking. This solution provides a complete, integrated and firm-wide solution for risk management in the banking sector. It covers the whole process from data management, business analytics, risk modelling and reporting. The solution is comprised of four integrated risk applications that can be used either together, individually or in any combination. This enables the customer to start in one area, e.g., market risk and then expand usage to other areas such as credit risk, ALM and firm-wide risk. It is an end-to-end solution with an integrated data model, data management, advanced analytics and reporting.

For insurance: In this space SAS offers a solution called SAS Risk Management for Insurance (RMFi). It is a solution for performing risk analysis and risk based capital calculation for insurers. Our solution enables Life and Property and Casualty (P&C) insurance companies to implement the Solvency II standard model approach for calculation of risk-based capital. The solution’s framework approach enables insurers to extend the functionality to support the internal model approach for risk analysis.

HSS: Describe your service/application and the benefits it provides customers?

Barends: IPAC is a professional background profiling company, with emphasis on applying an holistic process and thereby mitigating human risk in a company’s integrity, as well as competency. Profiling is not negotiable when appointing any new employee.

By applying a process such as what IPAC delivers to market, any company or organisation will be able to:

* Proactively prevent human risk.

* Mitigate corruption, fraud, and theft.

* Keep unwanted people out of your organisation.

* Make an informed decision to hire the right people the first time.

* Add to the bottom line.

Ngubane: As described above for banking our risk management solution is comprised of four risk applications as follows:

* SAS Asset and Liability Management for Banking: This solution allows analysts to calculate cashflows, measure funding gaps, and analyse funds transfer pricing.

* SAS Credit Risk for Banking: This solution allows analysts to calculate credit portfolio analytics, counter party exposure analytics, and optimisation.

* SAS Firmwide Risk for Banking: This solution provides users with advanced risk aggregation and performance metrics.

* SAS Market Risk for Banking: This solution allows risk analysts to configure and calculate market value of financial instruments and assets.

Our Insurance solution provides the following:

* Enterprise risk data management.

* Market-consistent valuation of assets and liabilities.

* Stress testing analysis.

* Aggregation of risk capital charges.

* Calculation of Solvency Capital Requirements (SCR) and Minimum Capital Requirements (MCR).

* Regulatory and internal risk reporting.

HSS: Why would customers opt for your service/application instead of an in-house solution?

Barends: Today there are so many facets on the HR and risk officers’ plates because they have to understand business and they have to be on top of their game. Not having a human risk assessment process in-house has the following benefits:

* Dealing with a professional human risk organisation. The focus is placed on the fit of the candidate from a risk view and not all staff have the knowledge or the time to specialise in the field of human risk mitigation.

* IPAC specialises in collecting and analysing data for clients with industry specific risk profiling.

* Integrate all possible risk behaviours.

* IPAC is viewed as a direct extension of the client’s risk or HR departments.

Ngubane: This is an old debate of the build vs. buy. One can build a car themselves, it just would take that much longer to do so. There is then the issue of the product maintenance afterwards. It makes sense to use experts to build the software and let them be the ones to worry about upgrades and maintenance while you focus on running your business.

HSS: What are the key areas a customer should be aware of or take note of when considering using a third party to provide a service/application in the governance, risk and compliance (GRC) arena?

Barends: Although the wording and paraphrasing of a variety of companies that claim to conduct background screening and are mitigating risk could look the same at face value, they are not. The danger is that companies will engage with a process in order to obtain assurance that risk mitigation was done, but the real risk was not addressed. Organisations should not look at price when selecting a company to outsource their human risk processes to, but at what is delivered, how comprehensive the service is, is it modular or scalable, does the company have a proven track record, etc.?

Customers should be aware of the fact that in the field of background screening, there is a difference between retrievers (of information) and professional background screening companies. The latter integrate all the information to predict behaviour and integrity in the future.

Ngubane: I would say they need to look for a vendor who is able to provide them with a solution that converges all their GRC environments in a single environment and therefore provide them with a single version of the truth for risk management, audit and governance and compliance. They need to make sure that the system they choose provides them with full auditability and is transparent and flexible enough to be adapted to their future business needs.
