Executive Summary

Managing Risk

Risk is the effect of uncertainty on the outcomes of an organization’s objectives.

Just in the last 20 years, there have been several risk-related events that have impacted individual organizations, an entire industry, and the entire world – Enron (2001), WorldCom (2002), Financial crisis (2008-09), Madoff (2008), Fukushima (2011), UBS/JP Morgan trading (2011-12), Libor-fixing (2012), Volkswagen diesel (2015), Wells Fargo (2016), COVID-19 (2019-).

Almost every week, there is a news story about the failure of risk management and the resulting impact, both financial and non-financial. Some of these are operational failures – cyber breaches, regulatory issues, fraud; others are strategic – strategic goals not achieved, reputational damage to the brand, etc. In many cases, there may have been ignored warning signs – and in some instances, the risk events were unanticipated.

Effective risk management is how organizations can 1) become more proactive in identifying and managing key risks and 2) get more resilient if risk events, known or unanticipated, impact them.

What makes risk management crucial?

– Just like high-performing automobiles, high-performing businesses require reliable brakes. They enable the driver to slow down the vehicle and stop it safely. They also inspire the motorist to drive faster, which is as crucial.
– The adverse effects of poor risk management are very costly and may lead to a company’s bankruptcy. Pay now or pay later—and paying now is typically less expensive—by investing in risk management.

Service Methodology

Theoretical risk frameworks, such as from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO), are typically industry-agnostic. Based on 20+ years of track record of implementation of such frameworks in different industries and organizations, two critical elements stand out:

– Effectiveness of risk management framework: Understanding the different categories of risks that impact business objectives, implementing appropriate process/control mechanisms, and ensuring adequate resources and accountability to manage/oversee risks.
– Strength of risk culture: Various elements such as values and belief systems, rules and boundaries, psychological safety, escalation, and governance play a role in strong risk culture.

There is no “one size fits all” approach. Risk management will be most effective when it matches the inherent nature and controllability of the organization’s different types of risk. There are three broad risk categories: “Category I/preventable,” “Category 2/strategic,” and “Category 3/external” – each has a different source, a different degree of controllability, and a different approach for identification, mitigation, and management.

The right risk program and leader should be able to execute risk transformations tailored to the maturity and needs of the organization and with the least disruption to the organization possible.

Approach to assessing and improving the state of ERM:

Service Options

Companies can elect whether they just require Appleton Greene for advice and support with the Bronze Client Service, for research and performance analysis with the Silver Client Service, for facilitating departmental workshops with the Gold Client Service, or for complete process planning, development, implementation, management and review, with the Platinum Client Service. Ultimately, there is a service to suit every situation and every budget and clients can elect to either upgrade or downgrade from one service to another as and when required, providing complete flexibility in order to ensure that the right level of support is available over a sustainable period of time, enabling the organization to compensate for any prescriptive or emergent changes relating to: Customer Service; E-business; Finance; Globalization; Human Resources; Information Technology; Legal; Management; Marketing; or Production.

Service Mission

I aspire to help organizations achieve best-in-class risk management suitable for their present circumstances and anticipated future needs. By doing this, I aim to safeguard and increase the value organizations can offer their shareholders and stakeholders.

Proactive risk management (“Avoiding big surprises”), Business partnerships (“Being on speed dial”), and Reduced bureaucracy (“Agile and Efficient”) are three outcomes that I have used to gauge success.

---

Service Objectives

The following list represents the Key Service Objectives (KSO) for the Appleton Greene Managing Risk service.

Objective 1: Risk Diagnostic

Want to assess how your risk program stacks up against the finest in the business?

A typical risk program includes several crucial elements, including:

– Identification of the critical risks and an understanding of risk appetite and tolerance
– Effective handling of significant risks
– Controls
– Governance and Resources
– Reporting and Metrics
– Ongoing improvement, etc.

Different frameworks (such as COSO and ISO – see below) have attempted to define standards for enterprise risk management.



While these are helpful, they do not get into nuances that must be addressed while implementing risk management frameworks. Supplementing these theoretical frameworks with insights from successful practical applications at several leading organizations over 20+ years gives a better assessment methodology.

The organization can choose the targets and subsequent actions for the various program components based on this assessment and what is best for the organization’s requirements.

---

Objective 2: Risk Deep-Dive

Need help figuring out where to start in identifying and managing key risks for your organization? Have specific concerns on risk topics like culture, crisis management, risk committee effectiveness, etc.?

Risk management is most effective when it matches the inherent nature and controllability of an organization’s different types of risk. Each of an organization’s three typical risk categories — “preventable,” “strategic,” and “external”— has a different source, a different degree of controllability, and a different approach for identification, mitigation, and management.

Different frameworks (such as from COSO and ISO – see below) have attempted to define standards for enterprise risk management.



However, such frameworks do not make distinctions in the approach to managing different risk categories under various degrees of uncertainty. The standard risk management approach of “Identify – Assess – Prioritize – Manage” only works when there is a higher degree of certainty about likelihood and impact – for “known knowns” and maybe some “known unknowns.” But this approach does not usually work for “unknown unknowns” (recent examples include COVID-19 and the extended financial crisis in 2008-09).

Supplementing these theoretical frameworks with insights from successful practical applications at several leading organizations over 20+ years gives a better approach for identifying, assessing, and managing significant risks that can impact the achievement of the organization’s strategy.

Based on an assessment of how specific risks are and should be managed, the organization can decide the appropriate targets and next steps for the organization’s needs.

---

Objective 3: Risk Accountability

Does your organization have the proper ownership and governance over key risks?

Having the proper accountability and governance for critical risks is essential for an effective risk management program.

A typical organization has an operating structure and reporting lines to provide clear roles and responsibilities across the three lines of defense for identifying, managing, and overseeing risks.

Sample operating structure for risk management



The level of formality depends on the organization’s maturity; however, some structure is necessary, even for smaller organizations such as start-ups. In addition, adjusting the operating structure based on insights from successful practical applications at several leading organizations over 20+ years provides a more effective solution.

Based on an assessment of how the current operating structure works, the organization can decide the appropriate targets and next steps for the organization’s needs.

---

Objective 4: Fractional Leadership

Have an immediate need for a senior risk executive to step in to bridge the gap to something more permanent?

Sometimes, an organization may have concerns with the current risk environment but may need more resources to invest in a full-time risk leader/organization.

This situation requires a risk leader:

– who has worked in different environments – small and large organizations, various industries, and across geographies – so they can better understand and appreciate the nuances of clients;
– who can hit the ground running to address urgent risk matters while at the same time strengthening the foundation;
– who is well-connected in the risk profession to identify a permanent risk leader; and
– can impact the risk culture in the organization through soft skills such as executive presence, influencing, active listening, and coaching are as important.

Based on the short-term actions and longer-term proposals of the temporary risk leader and discussions with senior leadership, the organization can decide the appropriate targets and next steps for the organization’s needs.

---

Achievements

Experian

In 6 years of leading risk and compliance programs, Mr. Chari has several success stories across the consulting services he will provide.

A few of these that Mr. Chari has been recognized for (by his direct manager as well as other senior leaders):

– Improving the maturity of the risk and compliance programs, as validated by internal and external benchmarking.

– Building a cohesive three lines of defense by bringing together leaders and teams from across governance functions to serve a common broader objective for the organization.

– Authoring a data breach response plan tailored to the unique needs of Experian and based on lessons learned from external breaches.

– Implementing a risk-based approach to different enterprise risks, including third-party risk.

– Simplifying enterprise governance policies.

---

PIMCO

In 3 years of starting and leading the enterprise risk program, Mr. Chari has several success stories across the consulting services he will provide.

A few of these that Mr. Chari has been recognized for (by his direct manager as well as other senior leaders):

– Developed Enterprise Risk framework and implemented various components such as risk assessments and key risk indicators.

– Coordinated the agenda and activities of the Global Risk Committee.

– Influenced senior management and embedded functional risk representatives to ensure consistent implementation of all aspects of the Risk Framework.

– Promoted risk awareness through training and newsletters.

– Led various governance forums such as vendor oversight and business continuity.

---

AllianceBernstein

In 9 years in various roles, including leading the operational risk program, Mr. Chari has had several success stories across the consulting services he will provide.

A few of these that Mr. Chari has been recognized for (by his direct manager as well as other senior leaders):

– Chaired various governance committees, such as Operational Risk Oversight, Error Review, Outsourcing Oversight/Vendor Risk, and Operations Risk Council.

– Contributed to various other committees, such as New Product Initiative and Investment Risk Oversight.

– Maintained “Top Operational Risks” scorecard.

– Worked with senior management to ensure consistent implementation of all aspects of the Operational Risk framework.

– Key Risk liaison for various activities such as SSAE16 and SOX.

---

Louis Hornick

In 11 years in various roles, including leading the quality assurance program, Mr. Chari has had several success stories across the consulting services he will provide.

A few of these that Mr. Chari has been recognized for (by his direct manager as well as other senior leaders):

– A vital member of the executive steering committee that worked on setting and monitoring goals on labor costs, budgets, and process improvements. Typical savings of $1Millon+ annually.

– Championed culture change for the company using Six Sigma and Lean principles. This resulted in proactively identifying issues and improved process capabilities by more than 25%.

More detailed achievements, references and testimonials are confidentially available to clients upon request.

---

Industries

This service is primarily available to the following industry sectors:

Banking & Financial Services

The financial services sector affects almost everyone, whether directly or indirectly, through employment, personal or business clientele. The worldwide financial services industry is thought to account for around 20 trillion dollars, or about one-fourth, of the global economy. Despite the COVID-19 pandemic, the sector has kept expanding at a healthy rate and is projected to continue through 2025 at a CAGR of 5-6%.

The inherent risks in the sector have increased because of the rise of cryptocurrencies, fintech, and other start-ups in recent years. As more customers become accustomed to digital assets, digital technology—including those utilized in payments—will continue to advance.

As one of the most heavily regulated sectors, internal and external stakeholders have high expectations for effective risk management (including compliance). Despite these expectations, there is a wide range in risk management performance. Risk management is essential because failures and fines have occurred even in banks, which are typically subject to the most intense monitoring.

While the overall risk management process (identification, assessment, management, reporting, and governance) is industry-agnostic, each industry has unique characteristics that should be considered.

Financial services entities may be influenced by any or all of the following external factors:

• Regulatory scrutiny and heightened expectations of staff conduct, lending, and sales practices, and the effectiveness of enterprise risk management programs.

• The local economy’s health is typically strongly correlated to the ability to increase deposits and lending activity and is affected by financial downturns.

• Economic implications from the distribution of wealth and institutions financing new opportunities and businesses.

• Disruptions to the traditional banking models as new technology becomes available (e.g., e-banking).

• Significant capital and liquidity requirements imposed by regulators to solidify financial institutions’ financial foundations and resilience.

• Social expectations of corporate philanthropy and support of community causes.

They may also be influenced by internal factors:

• The need to manage new and increased capital requirements imposed by regulators.

• Competition for talented employees in new areas such as e-banking, model development, and credit risk management to support initiatives and respond to changes in the market.

• Stable, long-standing relationships centered on understanding customers’ businesses, risk profiles, and capacity to meet their financial obligations.

• A relationship-based approach to lending that relies increasingly on qualitative information from customers, given the availability of audited financial statements, tax returns, or other verifiable information.

It is essential to determine the current areas of weaknesses, pick the right opportunities to address them, and embrace a culture of continuous improvement.

---

Consultancy

The estimated size of the worldwide consulting market is between $200-300 billion. The largest consulting markets are in North America and Europe, while Asia offers promising growth prospects. The highest market share belongs to the Big 4 accounting and management consulting firms, including McKinsey and Boston Consulting Group. The value supplied by consultants (such as strategic industry knowledge, management expertise, and understanding of new trends) should continue to sustain the growth of this market, notwithstanding a slowdown during COVID-19 and subsequent spending reductions because of economic uncertainties.

Recent internal failures in the consulting sector, such as insider trading and “poor advice” (the impact of their services on their clients/end users), have drawn intense regulatory and political scrutiny. Although consulting firms have become experts at offering a range of services to their clients, internal risk management at these firms has occasionally been lacking.

While the overall risk management process (identification, assessment, management, reporting, and governance) is industry-agnostic, each industry has unique characteristics that should be considered.

In the case of consulting entities, external factors (such as economic uncertainty, regulatory scrutiny, political pressure, and social expectations) and internal factors (such as talent shortage, sales practices, ethics, and culture of compliance) can influence risk management.

It is essential to determine the current areas of weaknesses, pick the right opportunities to address them, and embrace a culture of continuous improvement.

---

Technology

The worldwide IT market is valued at more than $5 trillion, with North America accounting for 35%, Asia for 32%, and Europe for 22% of