Risk & Regulatory reporting must support better management reporting
We have 285 risks and over 875 controls within our risk and controls framework…reporting anything sensible and meaningful on a monthly basis is a real struggle. Given the technology we use (spreadsheets and PowerPoint), the effort required to ‘hand crank’ the reporting pack production and the effort required to chase people across the business for data, the executive team receive the monthly report roughly six weeks after the end of the month. As the bank’s IT function, you would think we could do a lot better.
We are really happy with our management reporting. At the end of day 5 in the month, the executive team receives a monthly executive report with a personalised ‘slice’ of that report based on their accountability with the RACI. This personalised ‘slice’ of the executive report is more detailed than the main pack, highlights current and emerging issues to be discussed, and means everyone turns up to the monthly executive meeting well prepared and ready to go. The days where we spend half the meeting arguing about the numbers and reporting format are gone.
The process is so slick with execution team reporting, it has driven a complete change in reporting, meeting and decision-making culture across IT. Amazingly, we now have our entire business plan captured in our ‘risk and controls framework’ — we have more risks, controls, indicators and actions, but the data is organised and we are able to use this data properly, to generate insights that support decision making. Almost as a side issue, we are now able to more effectively engage with other stakeholders, such as the wider business and our various regulators.
Does that sound familiar?
What is the difference between these two scenarios? Approximately nine months and some hard work!
The two statements above reflect the change executed within the IT division of a global investment bank, spread over 40-plus locations globally, with an executive leadership team of 12 people and more than 700 employees.
So, what was the key factor that drove this transformation?
If there was one thing that was critical, it was the decision to stop organising risk and controls data around a Basel-style risk taxonomy, an approach that had been pursued for almost two years with little real progress. Instead, IT performance, risk and controls data would be organised around a management information taxonomy, designed around the management information and decision-making needs of IT management at all levels rather than to tick regulatory boxes.