Integrating ERM with Other Risk and Assurance Functions
Elona Ruka-Wright, Chief Risk and Compliance Officer at Finastra, shares with Mark Beasley, Alan T. Dickson Distinguished Professor and Director of the ERM Initiative, her experiences of integrating ERM with other risk and assurance functions at Finastra.
Finding Efficiencies from Aligning ERM with Other Risk Functions
One of the challenges ERM leaders sometimes face is helping business leaders understand ERM’s role and focus relative to other risk and assurance roles within an organization, such as compliance and internal audit. Sometimes business leaders perceive there to be overlapping duties and unnecessary duplication of effort across the various risk and assurance roles that may exist. Elona Ruka-Wright talks about how Finastra has designed an integrated approach to ERM, global risk management, internal audit, operational risk, compliance, and resiliency.
Separate But Aligned Risk Functions
Aligning the various risk and assurance functions doesn’t mean the functions have been consolidated or eliminated. Instead, it allows greater visibility into the various roles, responsibilities, initiatives and different processes. At Finastra, the various risk and assurance functions continue to have separate leaders and separate teams, which helps protect the objectivity and independence needed in the entity’s highly regulated environment. Integrating them under a common umbrella helps the organization align each function’s key goals and priorities to pinpoint opportunities for efficiencies. That includes specifying key areas of risk and compliance responsibilities, coordinating methodologies used across the various risk and assurance functions, and leveraging common metrics and tools for use across the various functions.
Use Three Lines Model to Align Risk and Assurance Functions
Finastra’s approach to risk and governance uses a traditional three-lines model. The company tries to be proactive in meeting regulatory expectations, and it uses that understanding to work backward to what each of the risk and assurance functions needs to do to fulfill its specific role in the three lines model and meet external expectations. That helps the company schedule the different assessment activities in a logical order and see how they fit within the three lines model.
Education on the Importance of Risk and Assurance Roles
While the “tone at the top” regarding the importance of risk and assurance is important, an often overlooked aspect of culture is the “tone in the middle.” Helping those in the “middle” (middle management and the business function leaders) understand the importance of the various risk and assurance functions to the business also helps them better understand the unique roles those functions play.
Coordinate Versus Centralize Risk and Assurance
Lots of things don’t have to be centralized, but they can be coordinated. Business risk champions embedded in the business become the “culture carriers” who help many across the business better understand the importance and role of ERM and other risk and assurance roles. The goal is to leverage as much information as possible to eliminate any unneeded duplication. Risk and control information is coordinated into a common risk terminology and control libraries, and mapped to the various industry frameworks.