CRAMS risk management platform

Why manage risk?

When we started to design a platform for Enterprise Risk Management (ERM), we had to gain a broader knowledge of risk in general, investigate its nature and understand the risk management problem more deeply. The first question we faced was: why should risk be managed at all? The answer was very simple: every business decision, whether right or wrong, is related to risk. Every day, each company has to make many decisions to drive its business forward. Any time you want to use a new opportunity in your business, you face decisions that involve risk. Once you have a risk, it has to be managed somehow; otherwise it can lead to catastrophic consequences. Over the last few decades there have been a number of high-profile corporate failures and disasters that have emphasized the need for improved risk management. A good example of poor risk management is the collapse of Barings Bank, the oldest merchant bank in London. Thanks to the lax attitude of senior management, one trader was given too much control and exploited much riskier opportunities than he was supposed to, which finally led to more than $1 billion of unauthorized trading losses.

What is a risk?

There is no general definition of risk that can be applied in every context. Definitions of the term can differ a lot depending on the type of business and the aspect considered. However, there are three key points common to all risk definitions:

  • there is always an element of uncertainty,
  • risk always has an impact on objectives,
  • impact can be positive (opportunity) or negative (threat).

How is risk managed?

As with the various definitions of risk, a number of risk management frameworks have been developed to help organizations manage risk. The three prominent models are: the UK Standard (risk management standard developed by IRM, AIRMIC, ALARM), the Australian / New Zealand Joint Standard (Risk management AS/NZS 4360:2004), and the USA's COSO Enterprise Risk Management Framework (developed by PriceWaterhouseCoopers). The risk management framework realized in CRAMS is based on the Australian standard. The process is seen as an organization-wide, ongoing process. The principal steps, repeated periodically, are:


 
Establish the context – the organization’s strategic objectives that the process seeks to manage, and the parameters within which the process is conducted, have to be defined. As an example, the objectives of customs can be the collection of customs duties and the interdiction of contraband; on the other hand, we can state that we want to manage only the risk related to goods import procedures. Together these define the context.

During the risk assessment step, risks have to be identified, analyzed and evaluated. In the case of customs, examples of identified risks are the risk of smuggling and the risk of reduced customs duties. During the analysis step we analyze the behavior of the defined risks and their background, and then define a model that will be used to assess and control them. In the next step, the probability of each risk versus its impact on the objectives has to be evaluated (ranked), and on that basis risks can be prioritized for further treatment.

Risk treatment – once risks are evaluated and prioritized, appropriate measures to modify the risk have to be selected and implemented. Risk can be treated before the risky transaction occurs (pre-transaction), as the event occurs (on-transaction), and after the transaction subject to risk assessment has been processed (post-transaction).

Communicate and consult – considers how information on risk is communicated both internally and to external stakeholders.

Monitor and review – risk management is a dynamic process that changes over time as the business develops, so the whole risk management process has to be periodically monitored and reviewed.

It is important to emphasize that risk management is not only a set of policies, rules and procedures: it is a part of the Enterprise CULTURE. For example, the safety of workers on a construction site depends highly on how the work is organized as well as on the behavior of each worker. No doubt, a messy environment on a construction site greatly increases the probability of injury.

Four aspects to risk management

From the organization’s point of view, a source of risk can be internal or external. In addition, managing risk has positive and negative aspects. Traditionally, risk management has been associated with the negative side. For customs, negative risk management means finding fraudulent events and punishing dishonest traders. An example of positive risk management is implementing simplified procedures for trusted traders. Implementing a risk management system is itself positive risk management, because it reduces the human factor in decisions about controlling goods.

What is CRAMS?

CRAMS can be defined in two ways. On the one hand, it is a Comprehensive Risk Assessment and Management Suite (CRAMS) of pre-defined risk assessment models, analytics, reporting and management workflows for effective ERM in selected industries including government, financial services, insurance, telecommunications, etc.

On the other hand, CRAMS is a platform for solving diverse risk problems by the systematic application of management policies, procedures, practices and technology to the tasks of communicating, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risks. Examples of common risk problems include fraud management, credit risk scoring, underwriting risk management, compliance risk management, etc.

CRAMS architecture

The CRAMS architecture is conceptually based on three core components, each of which is a platform from the corresponding class of fundamental enterprise systems:

  • Enterprise Decision Management (EDM)
  • Business Process Management (BPM)
  • Enterprise Content Management (ECM)

The risk assessment process is just another type of decision-making process: it represents the logic of reaching a conclusion by assessing facts that are available from external sources or inferred during process execution. The most effective way to deal with risk assessment is to leverage the advantages of an EDM platform, which consists of two main components: a Business Rules Management System (BRMS), acting as the authoring, management and runtime environment for decision processes, and Analytics.

When a risk is identified, the risk treatment procedure should be applied. Sometimes the treatment process can be fully automated, leaving no room for manual work. In other cases, the corresponding risk treatment workflow is initiated. A BPM platform is the best fit for process automation, whether full or partial with manual steps.

The risk management process is accompanied by many types of information, either gathered directly through investigation or audit procedures or coming indirectly as a result of risk assessment processes. Leveraging the key functions of an ECM platform makes it possible to create a highly efficient, multi-aspect, centralized repository of risk-related information.

It should be emphasized that current ECM offerings, commercial as well as open source, include a BPM component as part of the platform; the role of risk management process automation is therefore assigned to the ECM platform in the rest of this text.

The logical architecture of the CRAMS platform is presented in the following picture.


 
The core of CRAMS is the Operational Risk Management (ORM) component. It helps to identify risk problems and assess how to treat them properly. Applying pre-defined or custom risk analysis models and various analysis and evaluation tools, the component processes the operational data fully or semi-automatically, evaluates risk, makes decisions and generates instructions for risk treatment. Risk assessment results are then either presented to the end user for further processing in the tactical risk management component, or corrective actions are applied automatically through interaction with the corresponding systems.

The ORM component is backed by analytical and decision optimization tools. Analytical tools are used to create analytical models that greatly improve the precision of risk assessment processes. Commonly used analytical models developed with these tools include score cards, decision trees, neural networks, etc. Optimization tools help to make constant adjustments to risk assessment models, based on information extracted from operational data as well as feedback from tactical risk management or other data sources, in order to maximize the efficiency of risk management.

ORM itself consists of three logical components representing different aspects of risk assessment based on timing of risk exposure: On-Fact, Post-Fact and Pre-Fact.

The On-Fact risk assessment service is usually invoked in real time at the point of exposure to a risky fact, e.g. a risky business transaction. On-Fact risk is usually evaluated by applying a pre-defined risk assessment model to the fact data and to available external information, e.g. from third-party data services. Depending on the business type, the nature of the risk and the way it is treated, different analytical models and risk analysis tools are used to construct the on-fact risk assessment model. Real-time risk assessment is widely used in financial services (e.g. for credit card transactions), government (e.g. for the customs clearance process), telecommunications (e.g. for call fraud management), insurance (e.g. for online auto insurance services), etc.

Post-Fact risk assessment is done at some point after the activities or transactions under risk have been completed. It is usually performed in two scopes: local and global. The local scope helps to assess the risks of individual objects, whereas risk assessment performed in the global scope helps to identify risks in the context of the whole data population. The global scope is a powerful technique for identifying risks that are invisible when a single object is analyzed.

Pre-Fact risk assessment is usually part of positive risk management, which is frequently applied to compliance risk management. For example, a service provider could offer a simplified procedure or better financial conditions to its loyal customers. Privileges of this kind are usually backed by an agreement specifying a set of requirements the customer must comply with. The pre-fact risk assessment component automatically monitors those agreements and creates a risk exposure notification whenever non-compliance is detected.

The Tactical Risk Management (TRM) component plays several roles in the CRAMS architecture. It supplies the whole risk management chain with feedback on risk treatment results, which is used to monitor the efficiency of the working risk assessment model and to improve it constantly. It is the main environment for risk operators, who handle risk events directly and can quickly take the required tactical actions in response to detected risks, as well as gather loss data. TRM works as an e-Case Management System (CMS), where the user can quickly find all the information needed about a risk subject, analyze it and take the final decision on treatment actions.


 
The Strategic Risk Management (SRM) component helps to define strategic areas of risk management and risk minimization goals aligned with the business plan. Once risk areas and goals have been established, it is important to define risk area context rules, set up objectives and their quantitative parameters, and link them with risk minimization goals for ongoing monitoring and control. It is possible to have several strategies for a given risk area at the same time, applied in parallel using the champion-challenger method.

The data warehouse holds most of the information about risk objects that is needed for risk assessment. It also supplies the data for the reporting system (usually implemented using Business Intelligence (BI) products), which is used to create analytical and statistical reports on the analyzed data, risk assessment results and risk treatment activities.

When we talk about risk management, we are basically referring to some kind of activity that is related to risk. If we treat such an activity as a business transaction, then we have some Online Transaction Processing (OLTP) system that needs to perform a risk assessment at some point during the transaction's execution. This system actually lies outside the CRAMS architecture, but for the sake of completeness, and because the OLTP system plays a very important role in ERM and often stands as the starting point of the risk management process, it is included in the CRAMS architecture picture.

Summary

Every business decision is related to risk, resulting in a positive or negative impact on enterprise performance. Risks taken can help to gain additional margin if they are assessed and managed properly.

There are four aspects to risk management, falling into two groups that reflect the source of risks (external / internal) and the risk treatment strategy (negative / positive). External risks represent threats and opportunities outside the organization, whereas internal risks are those inside the organization. Timing is a very important aspect of the risk assessment process and reflects when assessment activities are carried out: in real time during the risky activity (on-fact), after the activity or transaction has been completed (post-fact), or in advance of the risky activity or transaction (pre-fact). The first two reflect a negative risk treatment strategy, whereas the last is usually used in a positive risk management strategy.

No matter which aspect of risk management is applied, the core element of dealing with risk effectively is risk assessment that is as precise as possible. Because risk assessment is just another type of decision-making process, the same principles of EDM apply. A systematic approach to decision management driven by EDM helps to assess risks more accurately, resulting in more effective resource allocation and business process management. Once the risk assessment model has been designed and deployed, it should continue to evolve over time because of the ever-changing business environment. Enhancing risk management processes is a continuous activity based on a closed-loop understand-prepare-model-evaluate-deploy evolution of the decision strategy.

CRAMS is designed as a risk assessment and management platform for solving diverse risk problems across the enterprise. The CRAMS architecture makes it possible to leverage the advantages of EDM components to maximize the quality of risk assessment models, and to benefit from the ECM platform in implementing effective risk management processes.
