Written by John O’Dwyer
The story of the city and tower of Babel, or “The city and its tower,” as told in the Book of Genesis 11:1-9, describes a time when everyone on earth spoke the same language. They collectively decided to build a city and a tower in their own honor that would reach to the heavens. They all worked day and night handing up the bricks, laying mortar and working collaboratively. When God began to take notice and viewed what was happening, he confounded their speech and scattered them around the world so nobody could understand one another. Construction of the tower quickly ceased in the face of these communication barriers, and thereafter the city was called Babel.
Today, many of the largest financial organizations have dozens of distinct Lines of Business (LOBs). Depending upon the industry and size of business, that number could stretch to over one hundred distinct LOBs. Some large financial institutions offer products and services ranging from investment banking, wealth management, retail operations, securities sales and trading, card services, consumer lending, mortgage and institutional lending, both domestically and globally. They may offer additional banking and non-banking services as well.
Operating as a company of this scale necessitates proactively driving, or responding to, constant change. This includes activities such as internal realignments, acquisitions, divestitures and spin-offs, lay-offs, competitive responses, regulatory adjustments, and growth opportunities, amongst others.
So, the question becomes “How do large financial organizations effectively communicate internally and respond with agility?”
At the ISACA conference in New Orleans last week, I spoke with dozens of senior executives from IT audit, risk, security and compliance. A recurrent theme was ineffective internal communication. As opposed to being one cohesive entity, many large institutions are cobbled together by merger and still operate in functional silos. This is particularly troubling to internal auditors tasked with identifying risks.
One gentleman shared that they have an area on their corporate intranet dedicated to explaining to one another the oft-used acronyms throughout the organization. This database of terms now totals over 1000. I recognize that the military operates effectively using this type of communication, but military personnel are indoctrinated in the use of “letter-speak” from day one of basic training. Most financial services professionals pick up the acronyms of their discipline, and which ones they know also depends on the history of the companies for which they’ve worked.
Although there are several approaches being implemented to combat this problem, the only true way to communicate effectively is to use a common vernacular or taxonomy. Everyone must speak the same language. In business, we commonly use terms familiar to us that have a very specific meaning. Sometimes we use terms interchangeably that we view as having the same connotation or general application. In my world, I hear terms like “software solution”, “platform”, “tool” or “application” being used to describe the same thing. In risk, we talk about “controls”, “mitigating factors”, “hedges” etc. You get the picture.
A project I’ve been speaking with my clients about involves creating a centralized repository of business processes across the organization. By paring things down all the way to the process level, you identify every operational risk and can implement a shared language. Further, you create a centralized repository of information that can be consumed by various areas of the firm. I appreciate that this is a Herculean task and, depending on the size of the institution, could take months. That aside, having a single taxonomy, risk terminology, control library and repository of process-driven information is a tremendous competitive advantage.
Both the FFIEC and OCC in the United States are looking at this project as paramount to risk mitigation in large institutions. Although regulators are typically non-prescriptive, some guidance is pointing to this project on the horizon for more mid-to-large financial institutions. The Basel III framework also establishes similar guidance:
Per the Bank for International Settlements (BIS), “Basel III” is a comprehensive set of reform measures, developed by the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk management of the banking sector. These measures aim to:
- improve the banking sector’s ability to absorb shocks arising from financial and economic stress, whatever the source
- improve risk management and governance
- strengthen banks’ transparency and disclosures.
Although not explicitly stated, increased internal due diligence and governance is being expected from the financial sector, and eventually this will trickle down to a process-driven view of the organization.
At Continuity Logic, we view the trend in enterprise governance & GRC moving towards the creation of a digital model of the enterprise. We help companies digitally map their people, processes, technology assets, vendors, facilities, policies & procedures as well as controls. These are all dependency-mapped, so a disruption of any kind (cyber, natural disaster, regulatory) can be viewed, as can its associated operational impacts on the business. By providing such a view (especially to the executive management team), better decisions can be made with more information in a shorter period. This is the essence of risk management.
To summarize, communication is paramount to the effective operation of any company, large or small. Breaking down walls and speaking the same common language when describing process and risk is essential. No two companies operate the same way whether that be due to risk appetite, culture, management or any other factor. Defining a taxonomy and applying it to every part of the business and then creating a digital model of the operations, including all business processes and controls that span the enterprise, will be the competitive edge moving forward.