Quantivate Blog Archives

Monthly Archives:

March 2017

Can Weak & Ineffective Controls Save You Money?

by William Hord

March 10, 2017 10:03 am

I was honored to speak last month at NAFCU’s Strategic Growth Conference about “Transforming Your ERM Program from Enterprise Risk to Enterprise Opportunities.” The topics covered were Risk Appetite Opportunity, Weak & Ineffective Control Opportunity and Effective Key Risk Indicators for Opportunity.

After the presentation, I appreciated the level of questions and comments that came from those in attendance. It was great having discussions across all three topics, but it seemed most of the questions were focused on the second topic, Weak & Ineffective Control Opportunity.

So, with that in mind, I thought it might be good to share with you some of the highlights related to that topic.

Got Controls?

First off, what is a Control in the context of Enterprise Risk Management (ERM)? In the simplest of terms, it is a business process mitigation activity designed to reduce or eliminate one or more risks.

As a business, you obviously have hundreds or possibly thousands of controls across your organization within every department. When those controls were first designed and put into place, they were very likely strong and highly effective. However, as the business changes over time, process changes are introduced, and with them potentially new risks. If new controls aren’t introduced or existing ones aren’t properly evaluated, those controls may no longer produce the risk mitigation they were originally designed to provide.

When evaluating process risk and controls, I can’t tell you how many times I have heard the responses “I don’t know” or “We’ve always done it that way” when I’ve asked the question, “Why do you do it that way?” Which brings me to my first point: if the employees responsible for completing a control or set of controls to mitigate risk don’t understand why they do it, its effectiveness is going to be less than ideal. Additionally, in the absence of a control assessment, how would risk management even begin to know that the employee can’t articulate the control’s intended mitigation, and therefore recognize its perceived deficiency?

However, you generally only find out the answer to that question and others by sitting down and assessing the controls within your organization. My second point is how often are you really evaluating your controls to determine which ones are weak and ineffective to the point that they potentially elevate your process residual risk to levels outside your established risk appetite and tolerances?

Impacting Your Bottom Line

When you begin to effectively evaluate your controls and determine which ones are weak and ineffective, you can truly begin to have a positive impact on your organization’s bottom line. This can be accomplished in a couple of ways:

1. Can the control be automated? If a control is still relevant to reducing risk and the deficiency is tied to lack of understanding or lapses on the part of the employees performing it, can it be automated?

You could train and counsel the employee(s), but that takes additional time and other resources to maintain and/or improve the control’s effectiveness. If the control can be automated, a quick cost-benefit analysis can be performed to show how automating the control may not only improve its effectiveness but also save the organization resources and money over time.

2. Should the control be removed? If a control is still relevant to reducing risk and can’t be automated, or the cost-benefit analysis shows the ROI isn’t optimal, then can it be removed?

A quick cost-benefit analysis here can possibly show that the time it takes to complete the control and continually monitor and train to maintain its effectiveness far exceeds the benefit derived from the control. In this case, risk management can make the sound recommendation to remove the control and document its reasoning.

The Starting Line!

Several conference attendees asked me, “Where is the best place to start?” Well, without a full understanding of your organization, its risk management practices and other factors, it’s tough to say. However, a baseline place to start would be as follows:

1. Review your existing Control Library;
2. Sort your Weak and Ineffective Controls;
3. From those Controls start with the processes that have the highest level of Residual Risk;
4. Ask the employees responsible for those Controls:
   a. “Why do you do it that way?”;
   b. “Do you have ideas on how we can improve it?”;
5. Begin your analysis;
6. Train;
7. Enhance;
8. Automate and/or;
9. Remove.

One of the last questions I got before leaving the conference was “Do you really believe that Weak and Ineffective Controls Save You Money?”

Of course they do, but only if you are effectively assessing them on a periodic basis. Otherwise, the money, time and resources you waste are never truly realized and your perceived risk mitigation is simply that… a perception. When was the last time you evaluated your Controls?


Pacific Coast Banking School selects William Hord of Quantivate

March 09, 2017 08:03 am

Pacific Coast Banking School selects William C. Hord of Quantivate to Lead its Enterprise Risk Management Core Curriculum

Woodinville, WA, March 07, 2017 – The Premier National Graduate School of Banking, Pacific Coast Banking School (PCBS), has formally chosen William C. Hord, Vice President of Enterprise Risk Management (ERM) Services for Quantivate, to be part of its world-class faculty to lead and create new ERM core curriculum. PCBS provides graduate-level banking and leadership education for executives in the financial services industry. Since 1938, the school has provided its students with a solid grounding in the leadership, economics and banking principles necessary for them to anticipate and respond to the ever-changing business, risk, and regulatory environment of the financial services industry.

The new ERM core curriculum, developed by Mr. Hord, will focus on the concepts necessary to develop and integrate an effective ERM program linked to an institution’s strategic objectives and risk categories. The class will utilize theory, practice, discussion, individual and group exercises. Students will leave the class with the ability to create a solid ERM program for their institutions.

“I am honored to be part of such a rich tradition and team of experts providing relevant banking education to financial professionals from all over the country,” said William Hord. “Being able to enhance PCBS’s Enterprise Risk Management core curriculum to help augment other core and elective curriculum is exciting and I look forward to the challenge.”

Mr. Hord and the new ERM curriculum will enhance PCBS’s mission to develop leaders for the diverse financial services industry by offering outstanding graduate-level banking and leadership education, delivered by a world-class faculty, teaching a highly relevant and innovative curriculum.

“As the overall risk environment for the financial industry intensifies, a solid grounding in Enterprise Risk Management is critical for today’s and tomorrow’s financial leaders,” said William Hord. “I look forward to working with the students and staff of PCBS to enhance their ERM understanding by providing tangible results for both the school and its students.”


Dan Banning
SVP of Marketing

About Pacific Coast Banking School
Pacific Coast Banking School, in partnership with the Foster School of Business at the University of Washington, offers a unique combination of world class faculty, cutting-edge curriculum, and highly qualified participants that defines it as The Premier National Graduate School of Banking™. Now in its 80th year, this prestigious school boasts over 11,000 alumni, with hundreds serving as leaders of financial institutions. PCBS utilizes its vast industry resources to provide tactics and strategies to deal with today’s most pressing banking issues. For more information please visit: www.thepcbs.org.

About Quantivate
Quantivate is an industry-leading provider of SaaS Governance, Risk, and Compliance (GRC) software solutions. Founded in 2005 with the release of its Business Continuity Software, the company has grown to feature a fully integrated risk management suite of modules including Business Continuity, Vendor Risk Management, Enterprise Risk Management, IT GRC, Internal Audit, Regulatory Compliance, and Complaint Management. Organizations, both large and small, use Quantivate’s suite of GRC modules to tear down data silos, manage risk, and efficiently manage the cost of their GRC initiatives across the enterprise. For more information please visit: www.quantivate.com.
