JOnline: The Value in Using IT-directed Investor Relationship Management 

The International Organization for Standardization’s ISO 31000:2009 standard[1] reconceptualised the term ‘risk’ for all operations concerned with risk management. In this standard, risk is no longer defined as chance or probability of loss but as ‘the effect of uncertainty on objectives.’ Consistently, Basel III[2] and Capital Requirements Directive (CRD) IV,[3] the European Union’s Solvency II Directive 2009/138/EC,[4] the International Accounting Standards Board (IASB) and the US Financial Accounting Standards Board (FASB) have all recommended the expected loss (EL) approach (amongst others) for risk capitalisation.

Many decision-making techniques based on statistics and probability or stochastic processes are available to help companies to better serve their customers and, hence, are particularly beneficial to customer relationship management (CRM). However, employers and internal auditors have fewer options of structured decision making based on the EL approach. Implemented using an IT-directed investor relationship management (IRM) system, the EL approach regulates the practices of value creation through interaction. This is to rationalise the structured decision making and to utilise real-time operational risk data that are based on the exploitation of the data of losses stored in data warehouses. The scope is to schedule performance on the basis of the deposit of potentially recoverable losses (a source of cost savings) and to process in real time the indicators of productivity.

IT-directed IRM adds value to risk management by strengthening internal controls and audit processes.

Reducing Uncertainty and Creating Value

An information system that focuses solely on the nominal layout and structure of the functions available is disconnected from risk management and corporate governance. This is more or less typical of the current situation whereby IT is indiscriminately dedicated to every function. The requirement of Basel III and the recent progress on CRD IV in the European Union (EU) for operational risk highlight the urgency to solve this problem in order to ensure financial stability. The specific objective of Basel III is to take into account the impact of operating risk management on value creation capacity, thereby allowing enterprises to anticipate and cover counterparty risk (i.e., the risk when the counterparty of a transaction fails to meet its obligations or when it might be incapable of meeting the obligations before the fulfilment of a transaction).

To avoid providing false estimations to meet minimum solvency capital and liquidity requirements, financial reporting should be based on the interaction of two poles of data processing. On the one hand, counterparty credit risk (CCR) data should help reduce uncertainty on the value creation objectives of the enterprise’s business model. This is in conformance with ISO 31000:2009 (risk management); International Accounting Standard (IAS) 7;[5] and the US Statement of Financial Accounting Standards (SFAS) 95, 102 and 104 (cash flow statement), thereby enabling the business to acquire or maintain its credit lines. On the other hand, investment companies, banks, insurance companies and financial analysts need to provide justification to prudential regulators of the origin and traceability of their CCR management data and, consequently, the reliability of their calculations for credit value adjustment (CVA) and forward-looking funding ratios (i.e., probability of default, CCR coverage and stress test of capital adequacy).

The IT-directed IRM supplies applications for executing cost savings through organisational dynamics or synergy by articulating different functions in the internal control system, including finance, human resources, operations management and managerial accounting. These functions can contribute to the piloting of an enterprise risk management (ERM) system by setting up periodic value-creation objectives on a three-year plan.

Understanding Basel III’s Relationship Risk Management

To achieve the objectives of Basel III, it is imperative to understand risk management in relation to both corporate governance and financial reporting.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) initiated a project in 2001 aimed at developing a framework for management to evaluate and improve organisations’ ERM through internal control systems—Enterprise Risk Management—Integrated Framework. All entities face uncertainty, and the major challenge for management is to determine how much uncertainty to accept as the organisation strives to seek growth in stakeholder value. Management has to set the strategy and should strive to strike an optimal balance between growth and returns goals and related risk. Additionally, resources need to be deployed efficiently and effectively in order to maximise value.

COSO adopted an accounting concept of EL in the 2004-published ERM framework, whereby risk can be solved through avoidance, acceptance, and reduction or sharing. Management is required to elaborate on a set of measures to determine the organisation’s risk-tolerance threshold and risk appetite. This is in contrast to unexpected loss (UL) revealed by the incidents or dysfunctions registered by the internal databases (risk cartographies) installed under Basel II. ELs are known losses because they are revealed in every exercise by the analysis of distances from income statements (profit and loss accounts) published by the entity. Hence, ELs are either accepted or tolerated losses.

The scope of the EL approach is to enable all strategic, managerial and operational tasks of an organisation throughout projects, functions and processes to align with a common set of risk management objectives. However, under the approach, much of the necessary information is not available from financial accounting reports.

Basel III has subscribed to this approach and requires real-time operational data in conformance with IAS/IFRS 39 and IAS/IFRS 7. Basel III provides a global regulatory standard on bank capital adequacy, stress testing and market liquidity risk. Basel III is scheduled to be in place between 2013 and 2018. The following have been issued in order to raise the quality, consistency and transparency of institutions’ capital base and to strengthen the risk coverage of the capital framework for the banking industry:

  • The European Parliament has issued a set of rules (CRD IV-CRR/Regulation and Directive) to put in place a comprehensive and risk-sensitive framework and foster enhanced risk management for credit institutions and investment firms.
  • The US has passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (July 2010)[6] to increase risk management for investor protection by raising capital levels, improving risk management practices and focusing on allowable activities for banks.
  • In Canada, the Office of the Superintendent of Financial Institutions (OSFI)[7] has issued an updated Capital Adequacy Requirements Guideline to implement Basel III capital rules in Canada for the first quarter of fiscal year 2013.

However, from the point of view of the investor, risk is defined as the value expected from return on investment (ROI) at an indicated threshold, reducing the uncertainty on the objectives of value creation of the CCR business model. There is concern that investors will become hesitant to put money into industries that lack evidence-based IT-directed IRM.

According to COSO, ERM is an on-going and living process in an entity, is applicable across all levels and units of the enterprise, takes an entity-level portfolio view of risk, and can identify potential events that might affect the entity. Risk needs to be managed within the entity’s risk appetite. The entity should be able to provide reasonable assurance to management and the board of directors (corporate governance), and it should be geared towards achieving objectives in one or more separate but overlapping categories.

IT-Directed IRM Added Value to Corporate Risk Management

The value in using IT-directed IRM rests on:

  • The interactions of the stakeholders in financial reporting
  • The mutual actions of stakeholders to operational risk data processing
  • The modifying behaviour of stakeholders in structured decision making concerning corporate risk management and investor risk management

IT-directed IRM applications treat the data stored in the data warehouses in a systematic manner. They calculate the recoverable potential on every reporting date (i.e., the data of operational risk cost saving). This enables a more accurate value to CCR. Every CCR becomes capable of articulating the functions of structured decision making, which occur at three stages of operational management:

  1. Finance function—The IRM modules give the finance function the capacity to execute tasks related to the planning of value creation:
    • Recovery of the historical data of losses stored in the data warehouse, calculation of the value at risk (VaR) (i.e., maximum potential loss) and the potential of recoverable losses
    • Distribution of the objectives of cost saving and forecasts of the variable compensation indexed to the performance over the next three years, for every line of activity and for every employee
    • Planning of the objectives of cost saving according to six key domains of socioeconomic improvement for the global control of the piloting of the company: the working conditions; the organisation of the work; the communication, coordination and dialogue (CCD); the working time management; the integrated training; and the strategic implementation
    • Cost saving forecasts made from five control indicators: absenteeism, quality defects, accidents at the workplace, additional costs resulting from direct production (e.g., overtime, additional operational costs) and additional costs resulting from skills gaps (including training and lack of versatility of workers). With this information available through IRM, every wage earner can act in real time to improve output, resulting in direct or indirect cash flow to the firm.
  2. Human resources management (HRM) function—The IRM modules provide the HRM function with the capacity to execute tasks of consultation and of employee motivation. This is achieved through the following:
    • Mobilisation of staff with the objectives of improving on the working conditions
    • Calculation of the level of support of employees for the improvement of key domains
    • Calculation of the median position for the improvement of key domains
    • Joint plan of improvement of the working conditions in line with the objectives of cost saving by key domains
    • Mobilisation of staff with the objective of improving stress management at the workplace (psychosocial risk)
    • Analysis of the level of stress across every line of activity
    • Management of stress levels by using stress indicators[8]
  3. Operational management function—The IRM modules provide the operational management function with the capacity to execute the task of managerial accounting for lines endowed with dynamic dashboards. This provides the capacity to compute:
    • Weekly calculations of cost savings realised by every line of activity
    • Weekly calculations of cost savings realised by every employee
    • Weekly calculations of the overall cost savings realised. This concerns the application of the IRM modules, giving the HRM function the capacity to execute tasks of consultation and motivating all employees across key domains, including working conditions, organisation of the work, CCD, working time management, integrated training and strategic implementation.
    • Weekly calculations of cost savings realised by every performance indicator, including cost savings related to absenteeism, quality defects, occupational accidents, direct productivity (overtime and additional costs of operations) and skills gaps (including training and lack of versatility of workers)

IT-Directed IRM Added Value for Investor Risk Management

The aim of IT-directed IRM is to feed the information system on which the internal controls of a firm rely in order to analyse financial risk with richer financial management data.

The pricing of assets is known to be a major difficulty for investors (banks, insurance firms and financial markets). In the absence of operational risk data, the prudent financial analysis model that prevails is one with weak effectiveness. This concept characterises information emerging from the observation of past income statements or of past stock market prices. An examination of the past asset profits is useful in planning future profitability. The utilisation of EL data and of cost savings, bound with the CCR’s appetite for operational risk, allows the financial analysts to treat the assets in line with the International Financial Reporting Standards (IFRS) and US Generally Accepted Accounting Principles (GAAP)—elements on which firms depend for future economic and competitive advantages.

IT-directed IRM provides three reports that enable investors to reach this objective. In particular, it supplies in mathematical modelling tools (of financial modelling and economic modelling) the data of endogenous interaction of operational risk associated with the CCR for the calculation of the ratios of generalisation or for the macroeconomic projections of long-term provisions. The data provided by the following reports are particularly useful for updating the risk, especially when the financial and social quality of the CCR is deteriorating:

  1. The financial report on realised cost savings (foundation of economic parameters)
  2. The social report on the improvement of working conditions (foundation of social measurements 1)
  3. The social report on the state of psychosocial risk (social metric foundation of data 2)

The financial report on realised cost savings dates back to 1772 when Josiah Wedgwood (the famous English pottery manufacturer) devised an accounting system that valued the cost of each product in monetary terms. The most recent guidelines are those of the regulations transposing the Basel III agreement (e.g., US Dodd-Frank Act, EU CRD IV-CCR, Canada’s OSFI Act), aimed at improving the usefulness and relevance of financial reporting for stakeholders. Article 371-3/CRD/2006 of Basel II had already set an objective of 80 percent cost saving on operational risk over a three-year period, with the risk appetite or the threshold of tolerance (i.e., thresholds of wasting, dysfunctions or carelessness) being set at 20 percent. In the US, the requirement of cost savings is integrated into budget management rules.[9, 10]

The last two reports mentioned concern social accounting as required by social audit regulations, as well as IFRS 7, ISO 31000:2009 and ISO 26000:2010.

The articulation of the financial reporting (economic metrics database) in social reporting (social metrics database 1 and 2) allows all the entities to translate in their practices the fact that the economy is a social science. In the US, this concern has been registered since 1990 in the missions of the Office of Federal Financial Management (OFFM) and of the Office of Performance and Personnel Management (OPPM). OPPM coordinates the administration’s goal-setting and performance-review process for the agencies’ high-priority performance goals and guides agency strategic and annual planning, performance reviews and performance reporting. OPPM works closely with the US Office of Personnel Management (OPM) to implement effective personnel policies and practices across the US federal government.

The value in use rests on data processing spread over the following two levels:

  1. Data processing of employee and customer satisfaction— Any business sector or government department will become capable of systematically taking into account data of operational risk cost savings to improve decision-making processes. On the one hand, this concerns employees’ satisfaction, particularly the variable compensation; on the other hand, this concerns CRM, notably customer benefits, competitiveness and growth plans.
  2. Data processing strengthening investor capital and liquidity requirements—The aim is to satisfy investors’ needs regarding the resiliency, particularly strengthening the capital framework and creating a stronger liquidity base reinforced by the IRM processes. This can be achieved by conducting:
    • A systematic review that takes into account the data of operational risk cost savings that are associated with CCR in the stress testing of the assessment of capital adequacy for CCR and in the credit policy (e.g., banks for the modelling of the credits considering the risk profile of the counterparty; insurance companies for the calculation of the insurance premium according to Solvency II-2009 and the Omnibus II Directive)
    • A systematic review that takes into account the data of operational risk cost savings of the establishment in stress testing of capital adequacy, notably the minimum capital requirements for operational risk
    • A systematic review that takes into account the data of operational risk cost savings that strengthen the cash flow of the CCR and the data of operational risk cost savings of the establishment. The purpose is to reduce the capital to be mobilised for the liquidity coverage requirement.

Risk Association With IT-Directed IRM

IT-directed IRM does not contain specific risk. Figure 1 illustrates the architecture of the decision-making IT-directed IRM, which is based on the transparency and traceability of data processing. It works on the classic online transactional-processing bound information in the states generator of decision-making processes. A states generator serves to present the result of the analysis to the end users or the decision makers in the form of business states. To guarantee the traceability of the analysis, the IT-directed IRM states generator uses Microsoft Excel spreadsheets.

Figure 1

Innovation in Processes/Procedures for IT-Directed IRM

The ‘CCR decision makers’ aspect in the architecture illustrated in figure 1 is the point at which the suggested IT-directed IRM innovation lies. The difference with the existing processes or procedures is that decision making was limited to the application of stochastic methods within the finance function. To calculate cash flows expected from an asset, all the hypotheses of the realisation of cash flow are envisaged and each hypothesis is associated with a probability of realisation; the expected value is a mathematical probability of flows updated based on historical data.

Figure 2

The plan in figure 2 details the intranet interactive processes of articulation of the functions of internal control—these are necessary to guarantee the execution of the CCR business model of value creation and to reduce uncertainty. The ERM device recommended by COSO’s Enterprise Risk Management—Integrated Framework and specified by ISO 31000:2009 to strengthen the usefulness of financial reporting is binding from 2013 onwards for stakeholder compliance with the new prudent regulations (i.e., Basel III/CRD IV [EU], OSFI Act [Canada], Dodd-Frank Act [USA], Omnibus II Directive [EU-US], IASB, FASB).


Without modifying the existing IT systems/structure, IT-directed IRM introduces modules that allow every function of internal control to execute the tasks of interaction, to measure the performance adjusted for risk, to generate the data for corporate risk management and investor risk management. IT-directed IRM automatically measures the value created in real time based on indicators (factors or causes at the origin of the operational losses) in all work posts through gap analysis. The process is based on the following principles of cost accounting:

  • A gap that is difficult to identify is hardly usable.
  • Employees and persons in charge must be motivated to reduce their costs.
  • Employees must have the means to act to reduce the amount that is imputed to them.
  • Any gap must be connected with a socioeconomic indicator—the lever on which every employee can act.

IT-directed IRM has significant value for risk management as it strengthens internal control and the audit processes of productivity, competitiveness and growth. In line with the objectives of Basel III, IT-directed IRM emerges as a useful tool for businesses and investors in mitigating financial risk.


[1] International Organization for Standardization, ISO 31000:2009
[2] Bank for International Settlements
[3] European Commission, ‘Regulatory Capital’
[4] Directive 2009/138/EC of the European Parliament and of the Council
[5] International Accounting Standards Board (IASB), International Financial Reporting Standards
[6] Federal Reserve Bank of St. Louis, ‘Dodd-Frank Regulatory Reform Rules’
[7] Canadian OSFI Act
[8] France Ministry of Labour, Employment and Health, ‘Mesurer les facteurs psychosociaux de risque au travail pour les maîtriser: Rapport du Collège d’expertise sur le suivi des risques psychosociaux au travail’ (‘Measuring and Controlling Psychosocial Risks at Work: Report of the Board of Experts on Monitoring Psychosocial Risks at Work’), France, April 2011
[9] The Report of Realized Cost Savings of the State of Oklahoma for the period of 1 July 2010 through 30 June 2011
[10] Cost saving of US President Barack Obama budget proposal for the 2014 fiscal year

Frank Bezzina, Ph.D., is the deputy dean of the Faculty of Economics, Management and Accountancy at the University of Malta. He can be reached at

Pascal Lélé, Ph.D., is the research and development director at Riskosoft Corporation. He can be reached at pascallele@

Ronald Zhao, Ph.D., is associate professor at Leon Hess Business School, Monmouth University (New Jersey, USA). He can be reached at

Simon Grima, Ph.D., is a lecturer of banking and finance at the University of Malta and the president of the Malta Association of Risk Management (MARM). He can be reached at

Robert W. Klein, Ph.D., is associate professor and director of the Center for Risk Management and Insurance Research in the J. Mack Robinson College of Business at Georgia State University (USA). He can be reached at

Martin Hellmich, Ph.D., is professor of financial risk management at the Frankfurt School of Finance & Management (Frankfurt, Germany). He can be reached at

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

© 2013 ISACA. All rights reserved.