Risk Analytics Driving Performance - MetricStream › ... › case-study-risk-analytics-driving-performance.pdf• Team: The lead senior risk analyst developed and communicated reporting

Risk Analytics Driving PerformanceShelby Stinson, Sr. Risk Analyst, Hancock Whitney Bank

© 2018 GRC Summit All Rights Reserved.

Agenda1. Organization Overview: Vision, Key Facts and Needs

2. GRC Program Governance, Challenges and Community

3. R3: Readiness, Roadmap and Rollout

4. Key Learnings and Best Practices

5. Business Value and Realized Benefits - Before and After

6. BI Reporting with Tableau

7. Audience Questions and Discussion


Hancock Whitney Bank Overview• Risk Management History

• Risk Groups emerged over the years as issues and areas of risk specialization became apparent• Groups worked independently with siloed frameworks processes and technologies• Management and governance committees received disbursed risk and issue reporting

• Management experienced risk assessment fatigue

• Organization’s Risk Convergence Vision • Common Language – Speak the same language when interfacing with risk groups and business units –

what we call things, how we rate things, and how we present results• Shared Information – Easily share / leverage information because it is organized in an agreed upon

manner. Business Units see that information is being leveraged, rework is minimized and experience improved efficiency

• Holistic, Relative Views – Self service one stop shop for viewing and reporting risk information


GRC Program

Governance Model and Decision Making among Stakeholders• The Company’s ERM team owns and administers the MetricStream platform, sets the deployment

strategy, and leads all implementation activities.

• ERM established a Risk Oversight and Alignment Group (ROAG) to develop and carry out our Risk Convergence Mission. ROAG is comprised of senior leaders across our functional risk units.

• The working group co-develops common ways of classify information, describe results, and measure risk to help achieve the best business outcomes -- a common GRC Framework.

Challenges• People – Buy in, resource constraints, willingness to change• Processes – Settling on the right altitude since all groups conduct their work at different granularities,

time spent converting data to the new framework• Systems – Tendency to want to customize the system to fit our current processes, learning curves

associated with a new system


R3: Readiness, Roadmap and Rollout

MetricStream Solution Areas:• Issues Management

• Risk Management

• Metric

• Loss Events

• Compliance

• Vendor Risk Management

• Established Libraries: Risk, Control, Areas of Compliance, Requirements, Functions, Framework

Reference, Financial Accounts, Assets

Roadmap:• M7 Upgrade

• SOX Implementation

• Further extension of BI Reporting with Tableau


R3: Readiness, Roadmap and Rollout

Implementation Rollout Strategy and Tactics:• Strategic Priorities and Governance – Hook to corporate strategies to enable growth and control

costs. Establish governance team to prioritize, ensure ongoing focus and oversee key decisions.

• Think Big, Start Small – Set near, mid-term targets to meet your objectives; GRC is a Journey, not a

project!

• Set Clear Objectives – Spend time on the front end to define clear business objectives and ensure

understanding with MetricStream implementation team.

• Centralized Expertise – Appoint a resident subject matter expert who will gain an advanced level of

expertise within the solution and lead implementation activities.

• Leverage Technology for Change – Obtain agreement that establishing a common framework is a

project requirement, leverage the design of the system and take the opportunity to update your

programs and be creative


Key Learnings and Best Practices

Key Learnings:• Quality and maintained data: Ensure that your data collection processes are sustainable and produce

reliable information.

• Don’t push rope: Unwilling participants can derail the project – focus where you have support from

leadership.

• Onboard AND committed: Success requires time and energy – our prerequisite for an area to be

prioritized for GRC is they must be ready, willing and able.

Best Practices:• Focus on the Foundation: Take your time building the framework – remember to consider how you

want to get the data out.

• Centralized Expertise: Critical to bridging technology with use-case

• Shared Ownership: Leverage your SME’s to take lead on implementations, define processes and

manage shared content.


"Technology is an enabler, it helps in establish ing consistent practices and standards am ong all our risk

d iscip lines“Zach Sokolski, H ancock W hitney

B ank

W atch Zach Sokolski at G RC Sum m it 2016

https://w w w .m etricstream .com /grctv/custom er-talk-zach-

sokolski.htm

B EFO RE

• M ultip le siloed fram ew orks and processes• D isbursed risk and issue reporting• Low coordination betw een risk team s

• Risk assessm ent fatigue by m anagem ent

Hancock Whitney BankA regional midsize banking institution on the Gulf Coast

MetricStream Apps: Integrated GRC including Enterprise and Operational Risk Management, Compliance Management, and Third Party Risk• Enables 100 employees to execute risk processes across three lines of defense• Catalyst for GRC Program that established common risk processes, methods and classifications• Improved risk visibility, accountability, and confidence by leadership and Board• Accelerated risk management maturity and capabilities in first line of defense• Energized coordination among risk teams including planning, teaming, sharing, and leverage• Establishes continuous monitoring through our risk, issue, loss, and KRI processes, • Reduced number of risk issues, severity risk ratings, and improved timeliness to address• Streamlined risk processes and achieved significant efficiency improvements with management

A FTER

• Com m on fram ew ork, standards, and processes• Centralized aggregated risk and issue reporting• H igh coordination and leverage by risk team s

• B ecom ing recognized as efficient by m anagem ent

Business Value and Realized Benefits

https://www.metricstream.com/grctv/customer-talk-zach-sokolski.htm




GRC Reporting with TableauGRC Reporting with Tableau


GRC Reporting with Tableau

Tableau - Business Intelligence Reporting tool with strong analytical capabilities that helps you create visually-appealing reports, charts, graphs and dashboards using your data. The reports are interactive and can be easily shared with anyone.

• Tableau software is connected to MetricStream as the data source and installed on Authoring User’s desktop.

• The Authoring User has the ability to build and publish reports with MetricStream data for consumption by the business users.

• Business Users access the reports through the Tableau Server URL. User access is granted on a licensing basis.

Tableau empowers business users to explore and develop actionable insights from their

GRC data to drive business performance.



• Tableau Implementation Strategy• Scope: GRC Libraries, Risk Management, Issues Management, Loss Events, Metrics• Team: The lead senior risk analyst developed and communicated reporting requirements to

implementation team, attended training and led UAT activities.

• Training Approach: Lead analyst attended two 2-day in person training sessions hosted by Tableau–

Fundamentals (pre-UAT) & Intermediate (post-UAT)

• Timing: UAT testing took approximately 1 month. Signed off in 2Q17 and went Live with first report

in 3Q17. • Proof of Concept: Recreate current single- dimension Excel reports in Tableau for quick efficiency

wins.



• Risk Reporting Strategy Phase 1 (Pre-Tableau)• Raw data was downloaded from MetricStream on a periodic basis and published to SharePoint for

risk partner visibility – Issue list report, Risk Register, Internal Loss Event List Report, Metric Data Entry Report

• ERM used raw data to create single dimension dashboards in Excel for risk committee reporting - Ex: Quarterly issue report, RCSA summary report, etc.

• Challenges:• Analysts spent weeks refreshing and analyzing GRC reports each quarter

• Dashboard reports were at a point in time basis (as of each month end)• Difficult for managers to draw quick insights from raw data



• Risk Reporting Strategy Phase 2: • Leverage Tableau to provide our partners across the 3 lines of defense with a single tool

to view, analyze and communicate risk information - and in real-time.

• Develop integrated reports that combine data from multiple solutions into a single dashboard in an interactive format. Drive adoption through our first line of defense and

risk subject matter experts

• Layer dashboards into periodic risk management discussions as a consistent baseline



• Realized Benefits• Reduced time spent on manual report production by building one-time report templates

with automatic and/or scheduled updates. • Business users spend less time analyzing data to draw insights for their own report

production.• Tableau features and techniques make it easier to effectively communicate and identify

areas of concern. • Real time self-service reporting means risk groups spend less time filling requests for

information• Provides an easy mechanism to compare and calibrate data


Tableau Report Examples – Quarterly Issue Report

**The data presented above was created for illustrative purposes and is not reflective of Hancock Whitney’s issue landscape.


Tableau Report Example - Operating Unit Dashboard

**The data presented above was created for illustrative purposes and is not reflective of Hancock Whitney’s risk landscape.


Tableau Report Example – Risk Category Dashboard

**The data presented above was created for illustrative purposes and is not reflective of Hancock Whitney’s risk landscape.


Tableau Server – Analyzing your data







Q&A

Thank YouContinue the conversation on #GRCSummit

Documents

Risk Analytics Driving Performance - MetricStream › ... › case-study-risk-analytics-driving-performance.pdf• Team: The lead senior risk analyst developed and communicated reporting