Institute of Operational Risk
The Cost of Control – Getting the Balance Right
Giles Triffitt
1st November 2013

Institute of Operational Risk - November 2013
The Cost of Control – Getting the Balance Right

The pressures on risk management functions and processes are at an all time high. Demand from shareholders, customers, politicians and regulators is for greater transparency, accountability and governance in the day to day management (and taking) of risk at all levels in the organisation. But are we creating a control and command culture that will mask the true risks for years to come?

This gives rise to conflicting pressures: increasing profitability, improving customer service, strengthening capital position and reducing costs; whilst at the same time strengthening risk management and demonstrating regulatory compliance.

[Figure: Performance and Compliance scale, running from Performance to Compliance: Performance Focused, Performance Biased, Balanced, Compliance Biased, Compliance Focused]

© 2013 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

I believe most organisations are destroying value through their approach to controlling risk. Most large organisations have a significant proportion of controls that are pure waste. Commonly we are over controlling, reducing the effectiveness of operational risk methods and compromising the opportunity for risk teams to add value.

In this session I wish to explore some ideas to counteract this trend.
Understanding the cost of control relative to underlying risk is key

Control effectiveness is also often tested. But not control efficiency. Corporate memory fades as to why many controls are in place. Controls tend to become layered and rarely challenged. This can lead to a process which is too slow and costly to be competitive, and it breeds a dangerously false sense of security.

But are the controls proportionate to the underlying risk and risk appetite?

[Chart: cost of control plotted against inherent risk, annotated with the questions below]
• Is this potential waste?
• Could this cost be reduced by automation?
• Can more risk be accepted?
• Is further investment required?

Are there options we need to consider when designing an appropriate control framework?

When you have sight of ‘cost vs risk’ several strategies become possible

Consolidate, remove, automate.

1. Identify duplicated control activities: duplicate controls within single business units and across end-to-end processes could be consolidated to ensure efficient management of risk.
2. Become more risk efficient: target the symptoms of an inefficient control environment, e.g. over controlling some risks whilst under controlling others.
3. Locate poorly designed controls: leverage technology and automate controls; design optimal controls at the right point within new processes.
The results can be amazing:

• Banking: Reduction of 20% process cost in over 15 projects using a standard risk vs cost challenge method.
• Introducing a mindset that operational risk and control people can contribute to value creation in a business.
• Telcos / oil and gas: Removal of over 80% of controls through automations and re-design.
• Tremendous buy-in to Risk and Control Assessment tools in business units and back office.
• Public sector: A pay back of 7:1 across multiple cost of control programmes.
• Banking: Analysis of control portfolio and simplification of controls results in reduction from 12,000 year one controls to 1,000.
• Greater involvement of risk professionals in strategy, architecture and design decision making.

An example: A path to rationalisation…

Observations and benefits:
• Analysis completed on where it was spending the most in each category of control activity.
• The control environment was heavily focused on manually intensive controls.
• Increased automation has led to increased coverage, less room for human error and quicker adaptation to changes in processes.
• An increase in preventive controls limits time and cost spent correcting errors.

Three strategies were employed in this assignment: redesign / automation / new operating model.

[Chart labels: Efficiency, Automation, Shared service]
Total number of controls and tests:
• 9500: 380 controls in 25 locations
• 6900: 276 controls in 25 locations
• 3300: 150 global controls performed once; 125 local controls in 25 locations
• 1540: 150 global controls performed once; 80 regional controls in 3 locations; 46 local controls in 25 locations

In summary. An approach to challenging the cost of control.

[Diagram stages: Understand process; Assess risks; Build efficient outcomes]

Analyse repetitive high volume, multi-locational processes.

Be empirical before you get radical. Take a close look at a part of the organisation which informed participants believe is over controlled. This can blaze a trail for other projects.

Relate risk to control costs. Just as in an old overhead projector, you need to lay the cost picture over the risk picture end to end to see whether spending is matched to areas of serious risk. Any inverse correlations will then be plain to see.

Develop realistic options. Correctly engineering a process can reduce costs, improve customer service and provide greater transparency over effective risk management and regulatory compliance.

Monitor the effectiveness of the changes you make. Greater transparency of control cost allows a balanced approach to risk management and the knowledge that you are operating within a defined appetite and tolerance for both risk and cost.
Identifying opportunities

[Diagram labels: Understand process; Assess risks; Build efficient outcomes; Diagnose]

• cost reduction; operational efficiency; lean.
• risk appetite; dashboards and reporting.
• data and technology architecture; process redesign.
• risk framework; governance model; control review.

[Chart: cost of control plotted against inherent risk, annotated with the questions below]
• Is this potential waste?
• Could this cost be reduced by automation?
• Can more risk be accepted?
• Is further investment required?

Building a journey towards effectiveness and efficiency

Pre steering committee Division xxx. Sample 3. January 2012. Version 2.11.

The more mature the organisation's ability to manage risk, the more it is able to balance risk against control cost at a defined tolerance or appetite.

Many organisations are targeting effective control while driving down cost through unrelated initiatives. Efficiency doesn’t have to follow effectiveness.

Build on
• Well structured response, strong degree of challenge
• Strong draw on existing data
• Increased focus on data quality in OR systems
• Good linkage between policy, risks and controls

[Chart axis: Relevance to the organisation]
Stage I
• Minimal risk awareness
• Extremely informal
• Inadequate in some aspects
• Possibly ineffective
• Probably non-compliant
• Basic tools employed but add limited value
• Informal risk assessment methodologies

Stage II
• Individual components in place
• Somewhat formalised
• Lack of a joined up approach
• Basic tools provide adequate coverage and refreshed periodically
• Formal risk assessment policies but inconsistent application

Stage III
• Most of the elements are formalised
• High level elements are well integrated, though integration of tools is less so
• Control environment challenged based on past experience
• Full complement of tools in place, though of limited use in day to day decision making
• Consistent risk language and ranking

Stage IV
• Well integrated risk strategy
• Risk appetite clearly defined
• A greater focus towards quantitative aspects
• Consideration given to cost of control
• Controls challenged based on balanced appetite
• Use of risk assessments in decision making

Stage V
• Different elements fully integrated
• Risk appetite well defined and embedded with bottom up tolerances
• Well implemented and value added
• Clear feedback loop between various tools
• Active role in decision making throughout the business lifecycle

Areas for enhancement
• Enhancement of minimum standards around controls testing
• Greater consistency in risk ratings
• Greater consistency in language
• Integrating the finance and risk control reviews

[Chart axis: Value to organisation]
Daily Telegraph – 20 September – page 1

Protect yourself in battlefield of business

Inadequate or cumbersome risk management can be damaging to your business, so how can you find the right balance of control?

Buying a suit of armour was a difficult decision for knights of yore. It had to be strong enough to withstand attacks by anything from a poniard to a battleaxe but light enough for the knight to be able to fight back. Plus, of course, armour was cripplingly expensive and the knight had to leave some money over to pay for his horse, squire and all his retainers.

Today’s corporate warriors are discovering they face the same compromise when it comes to risk management. Failure to invest in adequate processes and systems will result in disaster sooner or later, but install an unnecessarily strong system of checks and the operation may become too slow and costly to be competitive.

It is essential for managers to understand the controls they are imposing on the company’s processes, and the impact each control has on the risk level. It is also important to set the risk level to an acceptable level, says Giles Triffitt, director of risk consulting at KPMG.

“Unless you have a full understanding of the controls, you can’t be sure you are managing the risks,” he says. “You may not be managing the right risks anyway because that transparency just isn’t there.”

[Image caption: Effective process: slash costs and operation times]

The problem is particularly acute in established systems where controls have been added piecemeal over the years. “We have seen – particularly in highly regulated businesses – a layering effect with control on control, which tends to mask whether the risk management is cost efficient,” Triffitt says.
“Unless you know how much you are spending in proportion to the risk you are managing, it could be an extremely inefficient equation.”

Understanding the controls allows you to classify them into essential controls, which are often imposed by regulatory bodies, and nonessential or local controls that are there to provide the company with the level of exposure to risk that it feels comfortable with.

“If you do a proper analysis and understand the risk, some of these local controls can be entirely removed, many downsized,” Triffitt points out. “You can also reduce costs by automating some of the expensive manual controls or changing where they are in the process.”

Analysis of the process flow should expose where the risks are and where the controls are applied, allowing them to be aligned. “Some checks might be done several times in the process – perhaps a thorough, automated check could be done upfront, but done once.”

Once the controls have been placed so they manage risk effectively, the risk level itself can be adjusted with confidence. In many cases, Triffitt has found that risk levels have been set so conservatively that procedures that should be routine are bogged down in checks and counterchecks.

“Staff are often nervous to challenge the value a control might add because of the possible come back days, weeks and months later if a loss occurs on their watch. However it is right to challenge a zero tolerance approach to control when it does not add value.”

Risk management is often seen as a drag on business, but correctly engineering a process can slash costs and create a more efficient operation at the same time, Triffitt believes.
“You can design the controls for maximum effectiveness and to be more cost efficient. It is a process design thing as much as a risk management thing. Bringing together the cost reduction challenge with the risk management challenge leads to great value,” he says.

Many repetitive procedures in the financial sector accrete controls that seemed a good idea at the time but now are either ineffective or outdated, but nobody wants to remove them because ‘they must be there for a purpose’.

“In some of the processes I have looked at, some 40 to 50 per cent of the cost is broadly ‘control’, especially in the operations of financial services. This in itself may not be wrong,” Triffitt says, “but equally I have found a case can be made to remove a large proportion of this cost (often up to half) based on proper analysis”.

Decision making in life is often influenced by prejudices. Risk management is no different. Recent losses often incur a disproportionate control response. Over time these prejudices fade with corporate memory and the decisions can be unpicked and challenged.

Giles Triffitt is a Director in KPMG’s Risk Consulting practice specialising in Risk Efficiency and Operational Risk.

Take a leap.

[Diagram stages: Understand process; Assess risks; Build efficient outcomes]

Pilot: proof of concept

[Chart: cost of control, annotated with the questions below]
• Is this potential waste?
• Could this cost be reduced by automation?
• Can more risk be accepted?
• Is further investment required?
[Chart axis: Inherent risk]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).