NFR STRATEGY AND FUNCTIONAL DESIGN

The development of an NFR risk strategy requires a review of business ambitions, with a focus on developing a robust control framework. NFR teams need to understand how the business functions. A lack of understanding can lead to friction when designing risk control targets. Dedicated control units can help senior management identify and design improvements.

When it comes to organizational design, there is no one-size-fits-all approach, but it is essential that organizations define a consistent set of principles that reflect governance structure, operational complexity, and specific regulatory requirements. These principles need to be flexible enough to guide future adjustments to the organization and operating model. They should clarify the organizational separation of the first and second lines of defense to ensure independent control by second-line areas while permitting them to perform activities as an advisor or servicer. This is culturally important so that second-line areas are seen as vital to an organization's business model.

A principles-based approach must promote a change in the organization’s thinking so that risk management and controls are foremost in the minds of senior management and employees. Balanced scorecards, which measure control effectiveness and review thresholds, and penalties for breaching them, can also help.

BBA recommends that the NFR strategy is based on a sound foundation of risk ownership. The blueprint of organizational design can then be devised by consolidating and aggregating risks by business and type.

INTEGRATED RISK TAXONOMY

If NFR management is to be integrated, all parties must speak the same language. Yet, it is common for second-line functions to use different taxonomies with overlapping types of risk and different definitions of those risks. This creates inconsistencies when applied in different risk assessments and reports or used to assign responsibilities. The number of taxonomies within an institution can easily exceed a dozen and may contain several hundred risk definitions. Consolidation into a single taxonomy can reduce the number of risk types, which can then be assigned to second-line functions. Our principles-based approach to designing the risk taxonomy focuses on proportionality, materiality, and performance.

CONTROL FRAMEWORK

It is important to deal with risk efficiently when it arises. More important still is to prevent risks from materializing in the first place. BBA recommends an end-to-end business view, enabling organizations to review their business complexity in the light of control requirements. Controls might be unnecessary if underlying processes and systems, or product complexities are addressed in ways that improve the robustness of the business model, which would also reduce the cost of control.

BBA recommends two principal ways to develop and improve control frameworks. First, organizations should map risks along entire value chains and processes in order to understand where they might lie and include their interdependencies. Second, wherever possible, controls should be top-down, as opposed to bottom-up.

INTEGRATED & FORWARD-LOOKING RISK AND CONTROL ASSESSMENT

The evidence of audit findings and risk incidents calls into question the comprehensiveness and effectiveness of internal control frameworks. Traditional risk assessment (especially of operational risk) often focuses exclusively on avoiding risks that have led to losses in the past. But it is a reasonably safe bet that many of the risks that will trip up organizations in the future are not yet on their radar.

Using forward-looking scenarios, BBA’s assessments consider emerging risks and monitor developments in other companies and even other industries for clues as to where new risks might arise. BBA's rigorous assessment of the adequacy of controls examines the following elements:

CYBER RISK ASSESSMENT

The digitization of personal and business interactions is dramatically changing the cyber-attack surface. BBA's Cyber Risk Assessment is based on the following key elements:

ESG FACTOR SCORING TO SHOW IMPACT OF ESG ON CREDIT AND OPERATIONAL RISK

In recent years, there has been a growing focus on looking beyond the balance sheet. Investors demand answers to questions, such as:

BBA assists stakeholders in integrating Environmental, Social, and Governance (ESG) risks for each portfolio enterprise to highlight its key ESG challenges and opportunities.

BBA's ESG factor scoring covers all asset classes, with the main focus on non-financial corporates. Using both qualitative and quantitative factors and proprietary algorithms, BBA's ESG approach fills a market gap by developing ESG scores, demonstrating the effect of scores on a company's credit and operational risks. While the number of ESG scoring KPIs may vary by company, depending on the sector and the quality of the company’s ESG management system; however, establishing company-specific ESG scoring KPIs is now considered as a standard in the 100-day post-acquisition plan.

BBA's quantitative ESG management approach helps investee companies prepare in advance of the investment and credit rounds. Other services that we provide, include best practice benchmarking of ESG risks, compliance roadmap, effective risk governance, and quantification.

QUANTIFICATION OF NON-FINANCIAL RISK

Management guru Peter Drucker once said, “what gets measured, gets managed.” BBA offers high-quality quantification of NFR that enables better risk management – at a lower cost.

Accurate capital quantification is important, especially given the growing levels of risk-weighted assets banks and credit unions are obliged to hold to cover operational risk. In light of regulatory developments (such as the Basel Committee’s proposal to abolish the use of advanced internal models for calculation of Pillar 1 capital requirements for operational risk), DAIR can be used to run a sanity check on capital requirement determined using the standardized approach.

BBA focuses on high priority “tail risks,” i.e. risks that can severely impact the capital position of an organization. By modelling at lower confidence intervals, DAIR can also be used to quantify risk indicators. For example, for high frequency, low severity risks, we can apply DAIR to identify quantifiable risk indicators, such as an acceptance threshold for error rates or earnings shortfall, etc. If selected appropriately, these indicators capture the true drivers of NFR exposure and the quality of controls, in turn providing a more robust foundation for risk assessments, risk-appetite definition, and capital calculations. It is important that the risk indicators have thresholds attached to them that trigger a specific, ideally pre-defined action, which reduces the exposure to this particular risk.

Finally, DAIR reporting consolidates the risks by business unit and type of risk. Customized reporting coverage can be designed to address the demands of various stakeholders. For example,

CYBER RISK QUANTIFICATION USING THE DAIR APPROACH

DAIR uses a three-dimensional approach to capture and size, organizational cyber risk:

Delivered in an easy-to-use, web-based front-end platform, Operational and Business cyber risk modules are included in BBA's ECAPLeader and the Systemic cyber risk module is in our ScenarioFrontier application. Users have the option to either use a cyber-risk specific module or the entire suite.

Download the Distribution Analysis for Information Risk (DAIR) at globalriskinstitute.org.

Next Generation of AML Surveillance System: BBA’s Approach

Financial crime driven by money laundering has reached global and stratospheric proportions. Funds laundered are estimated to run into trillions of dollars annually, estimated to be between two to five per cent of the world’s GDP.

As the quantum of laundered money increases, so do the suspicious transaction reports (STRs), corresponding investigations and prosecutions. Each STR form provides valuable clues about the behavioral aspects of the financial crime and should not be overlooked. Using information about the transaction or the individual, we can identify key discrete factors to rank order STRs from high to low risk. Such analysis can be undertaken using the logit function, thereby, assigning score to each factor as a function of the successful prosecution. Highly predictive factors can then be presented in the form of a multivariate discriminant analysis model. Using receiver operating characteristic (ROC), we can test the predictive power of the behavioral factors shortlisted for the model.

Data-driven STR analysis can help surveillance and monitoring agencies develop a national alert system. Customized alert queries can also be designed, such as, “Create an alert when over the past X days at least Cash deposits were made with an amount between the fixed threshold value($10,000) and X% of that amount”.

AI learning can take place for uncalibrated scenarios, e.g., emerging use of P2P transactions, mules augmented by industry-based intelligence. Such alert queries can generate additional transaction alerts that usually do not get caught in the filter.

To run this analysis, we require aggregate data of the total number of STRs received and successful prosecutions per year. Where prosecution data is unavailable, we use the benchmark case-law from similar jurisdictions.

BankingBook Analytics (BBA) uses accelerators to develop a data and analytics operating model, combined with process-mapping, to assist FIUs with the implementation of the next generation of money laundering analytics and monitoring tools.

BBA’s microservice architecture uses behavioral analytics and ROC accelerators, providing an assurance that each factor included in the model is based on minimum acceptable predictive power, reducing or avoiding false-positive alerts, to avoid expensive administration and investigation efforts. Using technology enablers, such as, Optical Character Recognition (OCR), we can transform STRs into data readable files.

When seeking to upgrade or develop your system’s surveillance capabilities, you should insist on an integrated AML system that has the following capabilities:

Risk-based analysis of suspicious transaction reports can help national Financial Intelligence Units transform from being reactive to proactive regulatory organizations. It is also  one of the highly regarded strategic competencies particularly in anti-money laundering efforts, because meaningful risk assessment must  be almost by-the-minute analysis due to the accelerated pace of changing financial, technology and social realities. Our system comes equipped with a real-time executive dashboard.

Our easily accessible archiving system, vintage risk-record keeping further empowers investigative capabilities to prevent financial crime proactively, while fighting financial crime on an ongoing basis.

Click here to book a discussion today.

KEY METRICS & DELIVERABLES

Software:

Services: