Anonymous: ‘Bank A’
£0.75bn in assets and
Bank A has been a registered bank since 2016, but began operating in 2004, initially as a specialist mortgage provider. It recently expanded its offering to include retail banking and currently has more than £0.75bn in assets and 150+ employees at its London headquarters. In 2019, the bank secured a £60m investment from a leading global alternative investment firm. RiskBusiness has been working with the firm since 2016, when it was in the process of applying for its banking licence.
Manager A is Head of Operational Risk at the firm and sees herself as the custodian of the RiskIntelliSet system, primarily using the Incident Management and RCSA modules. She works in the second line of defence and so needs the system for regular reporting to the board and senior executives.
A crucial feature of the RiskIntelliSet for Manager A is its flexibility, allowing her to extract as much vital management information from the data as possible and to present it in a format that is most relevant to the target individual. “We use the RiskIntelliSet as a central repository and then management tool off the back of that,” she explains. “I need to collate all of the information and aggregate the data, and what the system allows us to do is build that infrastructure internally to mirror what our company’s design and organisational charts look like.
Each business unit has the ability to go and look at their own reporting, load their own incidents, their own risks and their own controls. The system allows me to work within those functionality elements to suit my business.
It works well for me because I can isolate [the data] to anything that I would like…I can do it by business unit, I can do it by date stamp etc – so the system allows me to cut and slice the information I need, so that it suits the business, or suits that particular audience.”
As a growing financial institution, the ability to make these adaptations in-house is particularly advantageous, says Manager A. “We’ve changed our risk matrix recently, so we’ve been able to modify that category. I’ve got new business units and I’ve been able to modify that. So it definitely is reactive to us as a new bank, growing in size and scale. I like that we can change and modify things without having to ask RiskBusiness to do it from their side.”
Every module within the RiskIntelliSet has been created with regulatory compliance challenges in mind. For a bank that is rapidly adding new business lines and expanding its offering, having a central repository and a permanent record of all data and relevant activities is vital, from both an internal and external compliance perspective. “It allows us to analyse the data that we have in place and do root cause analysis, so it definitely helps us internally,” explains Manager A. “Also, it keeps a history of what we’ve done, so when we need to reflect or go back, I can look at what’s been done in the past because we keep that information. Also, if we were audited externally as a bank, I can retrieve the information and provide it to auditors.”
When selecting the right GRC solution, a key decision is whether to enlist a third party, or build a solution from scratch in-house. For this bank, having access to a ready built, tried-and-tested system was essential. “Because of the size and scale of our bank, we don’t have the internal knowhow; that technical ability to do it in-house,” explains Manager A. Having access to a team of experts has allowed the bank to focus on their risk management objectives, rather than tackling technical issues. “When we do reach out, RiskBusiness is very quick to return messages or come back to us,” she says. The benefit of working with an independent supplier, rather than a large-scale corporation, has also been apparent. “I definitely appreciate that, because if I went to a massive third-party supplier, I wouldn’t be at the top of their priority list.”
Managing costs can also be much easier when using a third-party, particularly for small and medium-sized institutions. Hours allocated by in-house IT teams can easily spiral, making the scope and budget of a project difficult to curtail. With a third-party like RiskBusiness, costs of enhancements and other services are quoted for beforehand, allowing you to keep a closer eye on precious resources. “What RiskBusiness offers in terms of functionality and the cost associated suits our size of bank,” confirms Manager A.
Having a dedicated risk-management system in place from an expert supplier has helped raised the profile of operational risk at Bank A, with sophisticated reports and data aggregation allowing for better communication of potential threats throughout the organisation. “I think it helps us professionalise ourselves in terms of risk management,” says Manager A. “It forms part of our induction training for all colleagues when they start at the bank. I also refer to it in my actual operational risk policies as a standalone item and have created a new Incident Event and Reporting Policy, which is all designed around colleagues knowing about the RiskIntelliSet system. It’s definitely a critical service that RiskBusiness provides to us as a bank, allowing us to manage risk controls and reporting internally.”