Operating one integrated Governance, Risk and Compliance system to store, maintain and manage the Society’s risk assessment and assurance data

INDUSTRY
Financial Services

LOCATION
United Kingdom

NUMBER OF EMPLOYEES
c.3000

The Background

Founded in 1864, the Yorkshire Building Society is the third largest building society in the UK, with its headquarters in Bradford, West Yorkshire, England. The Society employs c.3,000 colleagues throughout the UK.

The Challenge

As a mutual organisation, Yorkshire Building Society are answerable to their 3 million members rather than shareholders and maintaining high standards in risk management, compliance and governance is a high priority.

Across the Society, a number of disparate software applications and systems were in use for risk management, compliance, legal, and internal audit activities. To assist in successfully executing the organisation’s strategic risk management priorities, YBS wanted a solution that could be used as a central repository for Society-wide risk data, to enable disconnected data silos to be demised.

The successful solution would have to meet the key component requirements of risk, compliance, legal, and internal audit. At a time of ever-increasing regulatory standards and expectations within the financial services sector, the Society wanted a cloud-based solution that could deliver automatic system updates, thereby easing the burden on the organisation’s IT colleagues.

From initial engagement through to implementation, the Riskonnect team worked alongside us as an extension of our in-house team. From the beginning, we had a trusted relationship with the Riskonnect team that continues today.

Ben Johnston, Senior Manager – Risk Framework and Reporting, Enterprise Risk Management, Yorkshire Building Society

The Solution

Having defined the requirements for each business area, the Society evaluated several solutions in the marketplace through demonstrations and by creating internal scoring matrices. Riskonnect Operational Risk Manager (formerly known as Magique) and Riskonnect Audit Manager (formerly known as Galileo) were selected after scoring highest in the Society’s supplier tender process.

The solution was able to deliver the functionality required by the Society to meet its key principles of:

  • Providing a central record of the internal control and assurance activity undertaken by teams across the three lines of defence model.
  • Enabling the Society to demonstrate adequate and effective risk management to internal stakeholders and external regulators in line with industry standards.
  • Operating one integrated Governance, Risk and Compliance system to store, maintain and manage the Society’s risk assessment and assurance data.

Ben Johnston, Senior Manager, commented that “Feedback from our colleagues in the business confirms our original view that the solution is intuitive and simple to use, delivering a great end-user experience. Through the supplier tender process, we found the solution to be more cost-effective for the Society than other solutions offering similar features.”

Greater visibility delivering a single risk universe view

Riskonnect Operational Risk Manager has made it much easier for the Society’s risk profile to be understood by using it for their Risk Control Self-Assessment (RCSA) process. Previously, RCSA information was MS Excel based using multiple spreadsheets completed by 30 business teams. The Enterprise Risk Team would collate and manually aggregate this information into one spreadsheet, attempting to provide management with an accurate and single view of risk across the organisation. The process was time-consuming due to manual data collation and entry.

Riskonnect Operational Risk Manager has streamlined processes, with colleagues able to access the system via Single Sign-On functionality from the YBS intranet site to attest to the performance of internal controls. All information is stored within the cloud-hosted solution, with dashboards and data reports providing information at the individual department level and a single view of risk across the whole Society. Use of the system provides managers and executives with easier and timely access, greater insight, and a much higher degree of confidence in the risk data and its accuracy.

Automating the RCSA process is helping to embed risk management practices into the organisation’s risk culture and is enabling business teams to assess risk against business objectives.

Greater profiling of risks through risk event management functionality

The Society has created risk event functionality accessible via their intranet system. Any colleague can raise events for investigation and reporting purposes without the need to have their own system user license. The data is submitted directly to the Enterprise Risk Team, who triage and liaise with relevant departments as needed to ensure the event is managed effectively and captured for regulatory reporting purposes.

This automated and streamlined process will be implemented during 2020, with the goal of increasing the timeliness of events being reported and in turn further improving the efficient management of risk events.

Seamless integration delivering excellent user experience

Riskonnect Operational Risk Manager fully integrates with Riskonnect Audit Manager, providing a risk-based internal audit and compliance solution that enables data from the Society’s risk register to be used in planning activity.

YBS view the solution as being intuitive and easy to use, delivering an excellent user experience whilst minimising the time spent on training colleagues. The Society has enabled fast and secure access to the solution application through the Single Sign-On functionality.

Consistent processes across risk management and compliance

The Compliance team have adopted the risk event reporting functionality to enable any colleague to submit regulatory breach incidents via the intranet. Similar to the risk events process, regulatory breaches are sent directly to the Compliance team for triage.

When this is implemented during 2020, YBS anticipate this automation will reduce the administrative burden associated with this activity and ensure any regulatory breaches are dealt with efficiently, enabling timely internal and external reporting.

Second Line of Defence Monitoring and Assurance Reviews

The Compliance, Prudential Risk and Enterprise Risk Teams use the solution to conduct Monitoring and Assurance Reviews in line with their Board-approved annual review plans. All key information relating to the review, such as Terms of Reference, Working Papers, Draft and Final Reports, and Management Actions, will be stored within the solution.

When an action associated with a review is assigned to a manager in the business, an e-mail can be generated by the system. The e-mail includes a URL link which takes the business colleague directly to the action within the system. The manager can review, update and complete the action themselves. This functionality will help to ensure there is full management oversight of actions at all times.

Strategic planning

The Society regularly undertakes ‘Regulatory Horizon Scanning’, looking at the future regulatory developments that will require action or implementation. The Compliance team will record this within the system and share with management, enabling the Society to strategically plan with regulatory changes in mind, create business awareness and launch new internal initiatives as applicable.

Functionality used by the Legal Team

Yorkshire Building Society has identified how the solution can be adapted to benefit their legal team. Matters can now be logged within the solution and a workflow process is in place to triage and assign new cases amongst the individual legal team colleagues. This will replace the long-standing use of spreadsheets and shared folders, which did not provide any form of automated Management Information.

Service Level Agreements are tracked and the feature-rich reporting functionality ensures granular visibility on the status of each case. Reports can be produced showing the number of live cases and the current status. This will result in a greater level of visibility on active cases and allow for proactive management of time and resources within the department.

“In just the first 12 months of using Riskonnect Operational Risk Manager, we have increased the visibility of the benefits of the RCSA and risk management activities across the Society. We are confident of our data integrity due to our new automated and streamlined processes. The Riskonnect team has been a true partner throughout this project and we are genuinely excited to see what more can be achieved going forward.”

Ben Johnston, Senior Manager – Risk Framework and Reporting, Enterprise Risk Management, Yorkshire Building Society

Business Benefits

Riskonnect Operational Risk Manager and Audit Manager are enabling Yorkshire Building Society to increase its operating efficiencies by automating processes, maximising resources and eliminating data silos. The business benefits being seen include:

  • A reduction in the time spent on risk management administration activities through the automation of data sourcing, aggregation and reporting.
  • Reduced direct and indirect system costs by leveraging common architecture.
  • Improved decision making through access to richer and more consistent risk data that is easily accessible for reporting and analysis.
  • Embedding risk awareness and management practices into the culture through increased visibility of accountability and responsibility.
  • Providing risk management information visibility and clarity that enables the Society to review and improve processes, controls and resource management.
  • The cloud-based solution is easing the burden on the IT department as agreed system updates are applied directly by Riskonnect with no operational disruption. A small number of system administrators manage local configuration changes.

Ben Johnston concluded that, “We have reduced labour intensive risk data collation, analysis and reporting activities through using the software, freeing up resources for additional value-adding activities which overall helps to reduce our operating costs. We now have Internal Audit reviews being completed on the system and with the Compliance, Prudential Risk and Enterprise Risk teams gearing up to complete their Monitoring and Assurance reviews on it, by the end of 2020 we will be seeing and feeling the broader range of benefits we set out to achieve.”