As the importance of risk management continues to grow in a volatile risk environment, organizations are seeking to examine risk metrics from their key risk indicators (KRIs) to gain insights into top risks and forecast future risks.
In this episode of AuditTalk, Scott Cronin (Global Head of SOX Compliance & Controls at BNY Mellon), Serhat Khan (VP of Internal Audit at McDermott International), Kevin Rohrbach (Managing Director, IA and Financial Advisory at Protiviti), and Mary Tarchinski (Market Advisor, Risk and Compliance at AuditBoard) discuss emerging risks and how they are managing KRIs today, including:
- Industry risk trend examples: regulatory compliance, digitalization, supply chain, third-party risk.
- KRI challenges and opportunities: siloed data, manual processes, and comparing notes with fellow risk professionals.
Watch the full conversation, and read the can’t-miss highlights below.
Industry Risk Trend Examples: Regulatory Compliance, Digitalization, Supply Chain, Third-Party Risk
Scott Cronin, BNY Mellon: “I think the word ‘key’ is the most important part… you need to quickly hone in to ask what are those key risks and key elements? For myself, and many of you in the financial services or banking industry, there’s an increasing degree of regulation that brings a large degree of regulatory compliance risk… What are our blockers to being compliant with various regulations, whether it’s the U.S. Federal Reserve or regulators around the world — and how do we manage that risk? One of the things that we’ve seen as we’ve explored that topic within my team is that you may start off thinking, ‘We have a risk that we’re not complying with regulations and what do we do about it?’ As you start to investigate that and discuss that with our business partners, we find out there’s a lot of underlying risks that contribute to it. For us, one of the areas — and many large companies deal with this — is risks around our data. What kind of data do we have? How good are we at automating our data flow, our lineage of data from point A to point Z across the company? How do we hone in on that and figure out what are the risks we can accept? What are the risks we want to mitigate? What’s the timeframe that we want to do that under? Broadly, you have to partner with the business and really understand their objectives to figure out what are the key risks that you’d want to mitigate.”
Serhat Khan, McDermott International: “Business has become complicated, and there is a genuine desire from our major stakeholders, the audit committee and executive management, to assist them with a forward-looking view of risk. They want to be able to see the forest for the trees, and they want us to partner more effectively with other second line assurance functions… If I can give an example of McDermott, we are a premier engineering construction company building some of the world’s largest oil, gas, and energy transition projects — just think about the supply chain disruption for our business. To draw a parallel with, say, an airplane, a typical Boeing 777 has three million parts sourced from 30-odd countries. Trying to manage all of that right now in this environment where you’ve got a shortage of chips, supply chain, expediting pressures, and so forth — it’s like herding cats. For us, that problem is magnified at an even larger scale. If we go to our stakeholders and say, ‘hey, we’ve got a situation here where five POs have not signed out of a sample of 30,’ there’s going to be no engagement. They’re just going to say, ‘thank you very much, stop wasting our time.’ Our stakeholders want to know what’s going to move the needle for the company, and they want to know with as much advance notice as possible… We as auditors and risk management associates must take a meaningful approach to articulate the short, medium, and long-term risks in these areas, and present it and support it to business where possible.”
Serhat Khan, McDermott International: “I’ll give more detail to the example from our industry of a typical offshore project and supply chain disruption that I spoke about earlier… what are some of the risks with supply chain disruption? Let’s start with a delay in ordering the material, which leads to material not arriving on time, which leads to fabrication delays. Idle labor leads to delays in marine schedules. Some of our vessels cost hundreds of thousands of dollars a day to operate, so each day that they run idle is significant. These marine delays put pressure on the project where construction activities have to be done offshore instead of in our yards — and trust me, there’s no Home Depot when you’re a hundred miles out in the North Sea, so if you need some material you have to get a speed boat out there, and that costs money. Finally, the delays in the structure installation leave the door open for a client to apply penalties called liquidated damages for the delays, especially if it’s linked to hydrocarbon production. If an auditor says to key stakeholders, ‘Listen, we’ve analyzed that we’ve got a 20% delay trend in placing our POs. This is going to lead to expediting delays, needing to have stuff air freighted instead of sea freighted, fabrication delays and so forth. The total exposure ballpark is X billion dollars.’ If your calculation and logic is sound and practical, there is going to be interest in hearing more. That interest is going to be even further amplified if you can offer this insight as early as possible so that mitigation plans can be considered. This rear view mirror view that we’ve had in the past, it needs to be projecting forward.”
Scott Cronin, BNY Mellon: “I think third-party risk becomes an emerging area that we all need to focus on almost regardless of what industry we’re in. When we talk with business partners, it can take a little bit of time for them to appreciate the concept that you’re outsourcing part of what you do, but you’re not entirely outsourcing the risk. How does that tie into your metrics? How does it tie into your overall risk management approach? How does it tie into your relationships with vendors and what’s acceptable and not acceptable to vendors? I think third-party risk, as well as all the things Serhat just mentioned has become an emerging area of focus.”
Mary Tarchinski, AuditBoard: “One common theme here is understanding what is key to your organization. The industries that you’re in — Serhat, you were talking about supply chain risk that is imperative for your business to continue to grow, and Scott, the regulatory frameworks and compliance that’s huge in the banking industry — that understanding of your industry and your objectives is really important for getting everyone on board with making risk a front-of-mind topic and getting the business partners on the same page.”
KRIs: Challenges and Opportunities
Scott Cronin, BNY Mellon: “How do we understand what our core risks are as a business, how do we track that, and how do we get real-time data? I think that’s emerging in most organizations, including mine. In many places KRIs tend to be this manual production where there’s a team of folks tasked with trying to cobble together data. It comes together in a PowerPoint, and by the time it’s presented up to management it almost becomes somewhat stale. How do you move the needle on that? It’s going to be an investment in automation.”
Kevin Rohrbach, Protiviti: “What I’m seeing more organizations strive for now is — as opposed to understanding what our risks are and maybe evaluating those once or at best twice a year — how can we move into more digitalization to understand what’s happening with our risks on a real-time basis as much as we can? Scott mentioned data, how can we start tapping into the data that we have as an organization?… The world is shrinking. Things are moving faster and we’re not keeping up when it comes to understanding what our risk landscape is doing, how it can affect our business, and what opportunities may be out there for us to engage in that we may be missing out on.”
Kevin Rohrbach, Protiviti: “Something that I’ve seen clients struggle with around KRIs is that when you start digging in, you quickly learn: We have a lot of disparate data. We have a lack of control around our data, a lack of governance. I think you have to go in with eyes wide open, thinking about: How well do we do as an organization, you managing the data that we have? I worked with a client recently that was working to build out KRIs and a Power BI dashboard to be able to monitor these things. What they quickly realized is that they knew the organization operated in a very siloed fashion, but what they didn’t realize is that data was also very siloed. There were a lot of sub organizations, business units within this company that had their own Power BI dashboards, they had their own data sets. They were doing their own things with their own tools and their own technology, and no one in the organization had a full grasp of what was happening. That really caused challenges for them. How do we put together this all-encompassing, organization-wide risk dashboard when we’re not even sure where this information’s coming from. How good the data is? Can we rely on it? They had to take a step back a little bit and think about broader data governance and data control concerns that they needed to address first.”
Scott Cronin, BNY Mellon: “Your own peers or competitors in your specific industry can be a great wealth of knowledge. I speak to folks around financial services quite regularly, for example, I see there’s a number of folks from State Street on this webcast who frankly are our biggest competitors. I talk to my peers all the time and we compare notes. Yes, we work for competitors, but we’re not going to run them out of business or vice versa by sharing best practices on risk. I learn a heck of a lot from my counterparts at some selected companies. I think building that network and those relationships is helpful just to compare notes. I’d encourage folks, where possible, to talk to folks in your industry — whether it’s former colleagues or just reaching out to people at similar companies to yours — they’re likely dealing with very similar, if not the exact same pain points as you might be.”