Advisory Risk management and the transition of projects to business as usual Financial Services kpmg.com
2 Risk Management and the Transition of Projects to Business as Usual Introduction Today s banks, insurance companies, and other financial organizations must address a growing number of change management issues, including Basel III compliance and the adoption of new enterprise-level technology. Sound project management practices have been used by these organizations to mitigate change-driven operational risk. However, another area of risk one that is often overlooked or underestimated is the transition phase from project mode to the business as usual (BAU) state. This risk can lead to financial loss, service disruption, or reputational damage. To identify and help mitigate BAU transition risk, organizations can develop risk management frameworks that support the critical and complex transition to BAU. More often than not, introducing change to a financial organization leads to operational risk. This risk can manifest itself through the following categories: People, involving staffing levels, subject matter expertise, training, supervision, key-person dependencies, or overall control culture Process, including issues such as adherence to policies and procedures, integration of controls with daily processes, availability and quality of management information (MI), ongoing deal maintenance, new product documentation, and documentation for complex, customized, or long-dated transactions Organizational factors or external events, such as management structure, external threats/hazards, volume and market volatility, support for new clients, complexity of product line complexity, adverse changes in regulatory environment and vendor disruptions Technical infrastructure, including factors such as performance, stability, contingency, systems functionality, volume capacity, straight-through processing (STP) capability of complex transactions, dependency on end-user computing spreadsheets, manual intervention due to system constraints, single point of failure of hardware and software, or unauthorized access to systems. Risk and BAU transition Change-driven operational risk generally originates from five categories of projects: strategy and reengineering, Six Sigma/ efficiency, new business, department-specific, and regulatory compliance such as Basel III or Regulatory Reform. A critical dimension of operational risk is the institution s exposure to poor change management during the transition period from project mode to the BAU state. When closing out a project, the drive to the finish line can naturally lead to overlooking critical controls designed to ensure that end-user needs and business cases are met. BAU transition failure is frequently the result of poorly executed implementation plans rather than inadequate project management methodologies. Organizations need to ensure that when introducing a new process or product to their user community, they take the necessary steps to get it right the first time. For example, as banks progress through their parallel run for the Basel II Advanced Measurement Approach (AMA) and prepare for the forthcoming Basel III guidance, project performance may be measured with greater scrutiny, especially if it is tied to capital requirements. Execution of a robust change management plan can be a powerful component to ensure an efficient transition to BAU. This plan should include: Adequate risk identification and impact A strong relationship between project benefits and BAU transition planning
Risk Management and the Transition of Projects Section to Business or Brochure as Usual name 3 Adequate project staffing and management of project risk vs. process risk. We can gain a better understanding of these three elements by looking at each one in greater detail. Adequate risk identification and impact The effectiveness of a bank s risk and control self-assessment (RCSA) process is fundamental to the success of an AMAbased operational risk program. The RCSA process should be inclusive of all production, infrastructure, and governance divisions. It should also be focused on prioritizing outstanding issues pertinent to the entire organization. A substantive portion of the RCSA output will arise from key control deficiencies, some of which will be attributed to risks tied to projects aimed at organizational change. Stakeholders, including the board of directors and management committees, should understand the connection between their organization s risk profile and status indicators from critical projects. Project proposals and implementation planning should include measures to ensure adequate mitigation of operational risks during a project transition to BAU. These measures can be introduced through the following actions: Disaggregate and detail the risks inherent to the project. Establish specific categories of underlying risk that the business will undertake and outline a strategy for managing or mitigating the risk. This can include dynamically managing open risks while microhedging risks that are undesirable or not readily manageable. Establish relevant risk limits with respect to the proposed initiative. Include as appropriate credit limits, Value at Risk (VaR), and stop-loss. Describe any reputational risk factors requiring consideration when assessing the proposed initiative. Where specific reputational risks are present, describe how the risk will be mitigated to acceptable levels. Describe key operational risks associated with the proposed initiative. With tools such as key risk indicators (KRIs), define how these risks will be monitored and mitigated where appropriate. Account for regulatory considerations impacting the proposed initiative, including required licenses and/or new product approval. Define the project s value proposition. Detail opportunities to pursue and identify key drivers for success. Define potential pitfalls and a mitigation strategy to minimize their risk impact. Establish a desired end state, with an outline of recommended steps to attain it.
4 Risk Management and the Transition of Projects to Business as Usual A strong relationship between project benefits and BAU transition planning Project management is a continuous process for banks and financial organizations, with management often assessing value from the cost and benefit perspectives. However, formal plans for project transition into BAU are often absent from even the most mature project management methodologies. Adequate controls and levels of ownership designed to transition projects to BAU mode can increase business value and encourage management to invest in future processes with potential for positive impact on the organization. It is important to highlight that the stronger a project s business case is in terms of realizable benefits, the more effective a BAU transition plan becomes from the internal stakeholder perspective and in some cases from the perspective of regulators. More often than not, a strong business case is the result of a strong project management methodology that includes discipline in tracing requirements throughout the project s life cycle. Adequate project staffing and management of project risk vs. process risk Significant financial losses can result from a lack of clear understanding of project requirements by key stakeholders. Furthermore, projects inadequately staffed with poor subject matter expertise are likely to produce weak business cases, unrealized benefits, and a negative impact to existing day-today operations. Executive sponsorship is another aspect of project management that should not be overlooked. Strong executive sponsorship drives senior management support for the project and promotes a culture where project managers don t hesitate to raise critical issues in a timely fashion. Being a strong sponsor is not simply a matter of approving scope and signing the checks; it means developing awareness for issues and risks critical to reach project success. From the regulatory perspective, strong project sponsorship is a key driver in ensuring that changes or updates to regulations are adequately incorporated into a project s life cycle while maintaining acceptable spending levels. A successful transition from project mode to BAU requires sponsors and management teams to apply mitigation strategies aimed at process risk rather than project risk the latter being more in line with the responsibilities of the project manager. In exercising process risk management, sponsors and senior managers should ensure that: Key process risks are identified and documented. Risk controls meet strong standards and policies and adequately mitigate the risk in accordance with the organization s risk profile. Controls are adequately implemented and performed in the production environment. Internal Audit can also play a critical role in a project s BAU transition. Audit should strive to provide an assessment of level risk to the organization s project portfolio and determine
Risk Management and the Transition of Projects to Business as Usual 5 whether a project s BAU transition process adequately manages operational and reputational risks. This involvement can enable Audit to target other auditable areas of coverage based on risks and/or deficiencies identified in this process. A transparent project management methodology coupled with strong controls to ensure an efficient transition to BAU facilitates mitigation and remediation of risks and deficiencies associated with people, process, and technology. Risk and issue tracking should utilize appropriate operational risk escalation channels to include steering, audit, and risk management committees as well as the board of directors. Managing risk in line with project governance Over the past decade, the financial industry has witnessed development of risk management frameworks closely tied to project management and governance. While differences exist, a common set of traits has transformed some of these frameworks into highly effective mechanisms to manage risk: Understanding of business processes closely tied to operational risk by project teams and sponsors. Understanding the organization s tolerance for change. Alignment of business cases to sponsor requirements. Early identification of potential risks, issues, or problem areas. Prioritization of risks using indicators for probability and impact. Transparency in risk reporting. Prioritization of risk mitigation after project close-out and transition into BAU. Tracking and monitoring of risk mitigation effectiveness by performing pre- and post-implementation quality assurance reviews. Documentation and cyclical incorporation of lessons learned as part of a project s life cycle. Continuous process improvement reflecting market trends and the organization s strategic goals. Conclusion Successful projects require organizational support, ranging from the board of directors and executive management to project teams. The biggest challenges faced by organizations in maximizing the value of their projects are often derived from poor execution of change management plans during transition to BAU state. To summarize, an effective project transition to BAU state can be supported by three drivers: Business value of projects tied to operational and reputational risks and managed in accordance with the organization s risk profile Adequate stakeholder involvement and subject matter expertise used to maximize project benefits and attain a positive business value Risks managed responsibly and aggressively between project close-out and transition into BAU
6 Risk Management and the Transition of Projects to Business as Usual Appendix: Risk and project management In many ways, risk management for BAU transition is supported by the effective management of the project life cycle. Project management offices (PMOs) and steering committees are responsible for ensuring that all critical risks are considered and mitigated as part of project delivery. As part of efforts to mitigate critical risks, management should target specific focus areas at the junction between deployment and project closeout. These focus areas include: Clarity of roles and responsibilities and transparency in project reporting Rigor of formal project governance processes Consideration for on-going BAU state during the project, including knowledge transfer processes and mechanisms Sustainability and operational readiness assessment and confirmation Development of a formal process to track issues, risks, deficiencies and, decision-making Clear definition of roles and responsibilities for closure, including a process for assumption and transfer of authority and accountability. In each of these areas, risks across the project life cycle need to be properly managed by project managers and stakeholders with a strong influence on funding and results.
Risk Management and the Transition of Projects to Business as Usual 7 Risk management for the project life cycle Category Success factor Impact of failure Measurement Strong project sponsorship Key project sponsors identified and buy-in secured Strong communication planning including levels of support and influence from sponsors and stakeholders Diminished priority of key deliverables due to conflicting sponsor or stakeholder needs Negative impact of project deliverables toward expected benefits The establishment of formal mechanisms for continued feedback from sponsors and stakeholders throughout a project Termination of project Management buy-in Management team agrees with project scope and anticipated benefits Reduced project support and low team morale resulting in negative impact against quality of deliverables Continuous communication with teams having an influence on project success and the user community Communication should provide opportunities for ongoing feedback and discussion of concerns. Project roles and responsibilities Agreement on cross-functional roles and responsibilities to manage overlap and reduce duplication of work PMO s role and project control mechanisms are undermined Budget overruns caused by work duplication A formal cross-functional project communication plan outlining roles and responsibilities and level of influence of stakeholders Since a stakeholder s level of influence is likely to change along a project s life cycle, this plan should be adjusted accordingly at each major phase or key decision. Project management Strong project management to ensure optimal project execution and communication based on stakeholder needs and level of influence Negative impact against scope, schedule, budget, and quality of project deliverables Increased potential for unrealized benefits Failure to meet regulatory standards and expectations Quantified metrics measuring project benefits and performance against scope, schedule, budget and quality standards.reports developed by project managers and Internal Audit to determine the level of compliance against regulatory requirements. Client buy-in Client understands objectives and works in partnership with project manager Lack of engagement at detailed levels, resulting in superficial review of deliverables and poor project quality Incorporation of client feedback at detailed levels to understand whether or not expectations are being met Differentiation between project risk management and process risk management Project managers understand the difference between processfocused and product-focused clients. This understanding is developed from both client and project execution perspectives. Negative client feedback and inefficient management of stakeholder needs Continuous client feedback and development of an adequate project management transition to the BAU state
Contact us For more information about KPMG Financial Risk Management services, contact your local KPMG representative or visit www.kpmg.com. Jitendra Sharma Partner Advisory and Global Leader, Financial Risk Management Services T: 212-872-7604 E: jitendrasharma@kpmg.com Josè A. Baraybar Director Advisory T: 617-834-2551 E: jbaraybar@kpmg.com Michael Dempsey Manager Advisory T: 919-664-7157 E: mtdempsey@kpmg.com kpmg.com independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are