ISACA Journal
Volume 3, 2,016 


Strengthening Value and Risk Culture Using a Real-time Logical Tool 

Simon Grima, Ph.D., Robert W. Klein, Ph.D., Ronald Zhao, Ph.D., Frank Bezzina, Ph.D. and Pascal Lélé, Ph.D. 

While many lessons were learned from the 2007 global financial crisis, the Basel Committee on Banking Supervision identifies as one of the most significant the fact that the IT and data architectures used by banks were inadequate to support comprehensive management of financial risk. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines or between legal entities. Some banks were unable to manage risk properly because of weak risk data aggregation capabilities and risk reporting practices. These weaknesses had severe consequences for banks and for the stability of the financial system as a whole.

For their part, insurers (the US National Association of Insurance Commissioners [NAIC], also known as US Solvency, and the EU Solvency II Directive [Solvency II]) repositioned the problem at the heart of enterprise risk management (ERM) with the Own Risk and Solvency Assessment (ORSA) requirement and, later, the Forward Looking Assessment of Own Risk (FLAOR). ORSA and FLAOR have two primary goals:

  1. To foster an effective level of ERM at all insurers, through which each insurer identifies, assesses, monitors, prioritizes and reports on its material and relevant risk, identified by using techniques that are appropriate to support risk and capital decisions
  2. To provide a group-level perspective on risk and capital as a supplement to the existing legal entity view. FLAOR is also forward looking, assessing risk on the budgetary figures based on the future strategy and objectives.

Large and medium-sized US insurance groups and/or insurers are required to conduct a FLAOR by 2016, and the guidelines for the internal model for Solvency II came into effect in April 2015.1

ORSA and FLAOR require the insurance company to describe the accounting or valuation basis for the measurement of risk capital requirements and/or available capital. Information Technology-Investor Relationship Management (IT-IRM) is used to implement the economic approach based on expected losses (EL). This cost-accounting approach is commonly accepted by the requirements of Basel III, Solvency II and NAIC.

Custom configurable, the IT-IRM is designed to meet common challenges posed by ORSA and FLAOR in insurance firms as part of ERM. Although specific to insurance firms, the ORSA and FLAOR calculations can be used by other similar firms to capitalize risk and calculate the economic capital required via calculation of the value at risk (VaR) and risk appetite threshold, performance programming, mobilization of human resources (HR), evaluation and real-time control of potentially recoverable losses, thus reducing uncertainty in value creation.

The IT-IRM is a unique internal model (intranet) of cost accounting, articulating the internal control functions (finance, HR and cash generating units [CGU] of the operations management function) to calculate the economic capital by the formula of the absolute VaR (EL + UL). The absolute VaR is different from the relative VaR (VaR = UL) by which the stochastic tools calculate regulatory capital. The IT-IRM application is in line with expectations of ORSA and FLAOR globally.

The need for cost-accounting applications articulating all internal control functions follows the new regulatory requirements that place chief financial officers (CFOs) in the first line of value creation. Previously, CFOs were almost exclusively preoccupied with raising and controlling capital movements. These new financial services regulations, including Basel III, US Solvency and Solvency II, require CFOs to interrelate strategy with the CGUs (typically defined as the smallest identifiable group of assets that generates entrances of cash widely independent from entrances of cash generated by other assets or groups of assets) and with the risk appetite and tolerance threshold of the board of directors (BoD) on behalf of the shareholders. This makes CFOs also responsible for monitoring the employment and profitability of HR and IT systems as a means of value creation and integrated reporting (IR).

This article focuses on what US Solvency and Solvency II have in common rather than on what differentiates them and considers the questions: What are the specific risk and opportunities that affect the ability of the organization to create value in the short, medium and long term? How will the organization capitalize on these to obtain a competitive advantage?

CFO Piloting System

The system of management accounting (cost accounting and business accounting) used by CFOs is called the internal model, which is defined by the International Association of Insurance Supervisors (IAIS) as a risk measurement system developed by an insurer to analyze the overall position risk, quantify the risk and determine the economic capital required for such risk.2

Technological progress in IT-IRM is based on solving the problem of interaction of internal control functions (finance, HR management and operations management) for structured decision making based on processed data of operational risk losses by human capital on the front line, in real time. That is, IT-IRM automatically measures the value created in real time on each of the five indicators noted in figure 3 (factors or root causes of operating losses) at all workstations by gap analysis—resulting in value-creation levers on which each staff member can act.

IT-IRM provides custom dashboards configurable by organizations in all sectors to build an internal model (Intranet) to automate interactive processing of cost savings covering operational risk. The dashboard allows for storing data to be considered for IR content, including risk and opportunities, performance, and outlook (risk, opportunities and results).

Without changing anything in the existing IT configuration, three types of applications can be articulated in the following order to set up the custom-made configurable internal model:

  • Applications for the interaction of the finance function:
    • Module IT-IRM M1—Plan of performance
    • Module IT-IRM M6—Feedback dashboards for integrated reporting

      The CFO intervenes once a year. The first year to enter the data of the three-year plan performance targets (operational risk event data recorded over the last five years), then again one year later and thereafter to capture updates.
  • Applications for the HR management (HRM) interaction (HR motivation and mobilization by the corporate dialogue/decentralized in real time at the work stations):
    • Module IT-IRM M2—Employee satisfaction
    • Module IT-IRMI M5—Psychosocial risk
  • Applications for the interaction of the operations management (OM) function (business lines):
    • Module IT-IRM M3—Cost savings (measurement of the value created in real time by the gap analysis)
    • Module IT-IRM M4—Performance bulletins (Codes are assigned to each member of staff to monitor performance indexed to the operational risk indicators—the levers on which the employee can act in real time.)

The scheme illustrated in figure 1 is the IT system by which one can automatically coordinate and report on IR elements of value creation:

  1. The interaction of internal control functions in real time
  2. The interaction of each internal control function (Software as a Service [SaaS] client) with the server of the Online Analytical Processing Center (OLAP)

Impact of HR on Risk and Operating Income

Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events. It is about human error, failures of information systems, problems related to personnel management, commercial disputes, accidents, fires, floods, etc. These events cause losses that differ from EL. They can also include other classes of risk, such as fraud, security, privacy protection, legal risk, and physical (e.g., infrastructure shutdown) or environmental risk.

ORSA and FLAOR assist insurers in analyzing all reasonably foreseeable and relevant material risk (i.e., underwriting, credit, market, operational, liquidity risk) that could have an impact on an insurer’s ability to meet its policyholder obligations. ORSA/FLAOR is not a one-off exercise; it is a continuously evolving process and should be a component of an insurer’s ERM framework.3

Losses related to operational risk are overloads of management accounts, leading to unrealized income. The operational risk losses have a clear impact on product cost, capital, competitiveness, income statement and counterparty risk, and HR has a dominant effect on this area of risk. Therefore, operational risk affect the risk of each entity:

  • For the insurer, operational risk has an impact on counterparty risk, market risk, life-underwriting risk, nonlife-underwriting risk, health underwriting, etc.
  • For the bank, operational risk has an impact on market risk, credit risk or counterparty risk, liquidity risk, interest rate risk, country risk, etc.
  • For industry and services, operational risk has an impact on market risk, credit risk or counterparty risk, liquidity risk, interest rate risk, currency risk, etc.

IT-IRM incorporates the concept of “risk interdependence”—the recognition of risk diversification during the aggregation process—required by US Solvency and Solvency II for ORSA and FLAOR. This depends on the ability of companies in all sectors to develop the risk management tools to implement the internal model. IT-IRM shows this development in figure 2. The risk register (or risk mapping) and the actuarial calculation and modeling tools (statistics and probability) are the upstream of the IT-IRM system of risk treatment.

IT-IRM allows for interactions between machines (interconnectivity: interactions within systems). This innovation enables companies to perform integrated risk management or manage their performance based on EL. This interaction of machines through IT-IRM allows compliance with expectations, including ORSA and FLAOR.

Automation of Corporate Dialog (HRM System)

Work teams’ cohesion and consensus on the organization’s objectives are the determinants of their efficiency and competitiveness. IT-IRMM2 is pertinent to this, as it is the module of control mobilizing all company employees—regardless of the number, nationality or location—on the cost-saving and capital-optimization plan. With a few clicks on the confidential IT-IRM interface, the operational risk data required for each employee (e.g., employee satisfaction, opinion, performance) can be collected and measured in real time by the dynamic dashboards of the M3 module (cost saving) of the OM function.

The M2 module provides a satisfaction/dissatisfaction report to evaluate the adherence of all categories of employees. These data allow organizations to automatically schedule the mobilization of employees to take immediate and effective action to address risk on the basis of six key domains of socioeconomic improvement:

  1. Working conditions
  2. Organization of work
  3. Consultation, communication, coordination (3C)
  4. Integrated training
  5. Working time management
  6. Strategic implementation

As illustrated in figure 3, certain risk conditions can arise in each of these six areas on which every employee can act to reduce losses and contribute to favorable working conditions. The weighting rates are provided by the M2 module of the HRM that calculates the median position for priority actions and evaluates performance and variable compensation.

Interaction Between the OM Function and the Finance Function

The events that could impact operational risk are known to the CFO, but deploying the recommendations made in various regulations calls for special treatment and poses a strong requirement on the CGUs of HRM to be in-line with company strategy. Among the areas of special treatment are:

  • Bases to estimate the VaR and potentially recoverable losses (PRL) before the calculations used for programming the OM
  • The calculations of the capital buffer (capital required) by regulations (mentioned previously) for operational risk taken by the financial services industry

These are based on a standard formula determined by using the data of operational losses (sectoral average losses) that have been collected for more than 40 years from socioeconomic analyses in 32 countries on five continents (figure 4). The impact of operational risk losses on performance was confirmed by the data collected by the Risk Management Group of the Basel Committee4 and on assessment of risk not already identified in the standard formula. Therefore, one would need to understand the calculation of the standard formula before addressing the assessment of risk, including:

  • Projected management of the operational performance is based on the interaction of the finance function with the management of operations relative to the CGUs, whose managers or team leaders are equipped with dynamic dashboards (tables with capacity of gap analysis by their SaaS connection with the OLAP server).

    To ensure alignment of real-time operations of each workstation on the cost-savings objectives:
    • The OM function is configured to measure up to eight lines of business by the finance function at the time of opening the intranet IT-IRM software as a service (SaaS) account of the company
    • The OM function delegates the performance management to team leaders who coordinate the activity of employees (a maximum of 20 employees for each team leader)
    • Each team leader registers the list of employees under his/her responsibility on his/her IT-IRM account and accesses the registration forms of daily data to be processed by the server to measure performance on absenteeism, quality defects, work accidents, direct productivity gaps (overtime and additional costs of operations) and gaps of know-how (skills gaps including lack of versatility).
  • Dynamic dashboards of CGUs. The dashboards of the team leaders automatically measure the value created in real time on each of the indicators (factors or cause at the origin of operating losses) in all the posts via their connection with the OLAP server. The process is based on the well-known principles of cost accounting:
    • A gap that is difficult to identify is hardly usable.
    • Employees and persons in charge must be motivated to reduce their costs.
    • Employees must have the means to act to reduce the costs that are allocated to them.
    • Any gap must be connected with a socioeconomic indicator—the lever on which every employee can act.
  • Reporting of projected management of the performance. IT-IRM supplies two types of processed data:
    • For concise, integrated reporting, it supplies two dashboards that provide a synthesis of data relating to: (1) the cost savings of the company and (2) the performance of the company on every indicator of control of the value creation (factors or causes of operational risk).
    • For transparency, it supplies the dashboard of performance by line of activity, team and employee (online bulletin of performance).

Simulation Models of Operational Risk

The pursuit of accounting analysis helps the company make evidence-based decisions. Stochastic5 methods are used to make future data predictions. Some examples include:

  • Using a risk register to record data that are not usually collected. ERM requires the use of a risk register to record data that are not usually collected, are impossible to collect, and are required for the standard formula proposed in the regulations and measured by the standard formula.

    It is important to note that cost accounting and simulation models are complementary tools. Cost accounting and management accounting are the systems on which the business operates, collects and processes UL from daily operational risk data. Without cost accounting UL of indicator data, the simulation method yields poor outcomes because it is purely random and includes margins of error that can be particularly harmful to the business, banking, insurance and financial system, as in the case of subprimes. In fact, the stress tests the banks carried out were inaccurate in most cases, hence the recommendation of ISO 31000: 2009 to abandon the traditional view that risk is the combination of event probability and its consequences for a view driven by the relationship between risk and organizational objectives, i.e., risk is the effect of uncertainty on objectives.6
  • The Basel Committee’s decision to impose a minimum capital operational risk. In December 2015, the Basel Committee eliminated the use of banks’ internal models in calculating minimum capital for operational risk. Banks worried that such a move would discourage investment in operational risk modeling and make the world a riskier place.7

    Most banks have continued to use simulation methods with which they are familiar for determining the capital requirement for operational risk. Because IT-IRM is a new concept, it will take time to be accepted and its benefits noticed in the banking industry. IT-IRM automates processes widely used in management consulting for managing operational risk indicators—a topic that has been a focus of the banking sector since Basel II.

    In 2012, the Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS) began to encourage insurance companies to opt for the internal model by making the standard approach that consumes most of the company equity as a cushion base for taking risk.8 This required the internal model to be based only on accounting estimates, not on expert opinions. Expert opinions become valid only if they are incorporated in a process based on evidence of accounting data.

    In 2010, the Basel Committee recommended the accounting approach of EL, an approach that captures actual losses more transparently and is less procyclical than the current incurred-loss approach.9 Five years later, the Basel Committee in charge of monitoring the implementation of the Basel III agreement and recommending corrections as necessary found that many banks continued to utilize simulation models used before the subprime crisis.
  • Why does the Basel Committee regulation require calculating of UL? The data that are normally registered in business accounting are data related to sales invoices. The accounting rules require that the losses recognized in a financial year must be absorbed in the next exercise. They are EL, as they are revealed by the gap analysis of the management accounts. The history of cumulative gaps also shows that companies do not always absorb EL. Moreover, management of many listed companies does not publish prospective data.10

    From this comes the recommendation (since Basel II) to calculate the VaR by the formula EL + UL.11 The data that are not usually collected are related to malfunctions that generate hidden costs (costs that financial accounting cannot take into account because there are no invoices or material evidences). These are UL. Socioeconomic analysis teaches how to collect these data, particularly in industries and services.12

    Since Basel II, banks, insurance companies and major organizations engaged in industry and services, including governments, have set up databases, cartographies or registers of events of UL of operational risk. As soon as these data are known and their costs accepted or tolerated, they are no longer UL, but EL. They are related to tolerance malfunctions or appetite for risk and must be addressed in the economic capital, which is the amount of capital the company should have to accommodate the risk it takes. Risk measurement must be translated into capital requirements according to the quality of the measurement system and management accounting.

    Operational risk is a substantial risk that must be covered by an equity cushion.13 It is, therefore, important that companies strive to collect data in the risk register (elements that are unknown or, rather, uncollected) and extract risk data that are not usually taken into account.


The requirements in recent regulation and the ORSA and FLAOR related to IR have made it very important for companies to ensure processing of UL data by cost accounting or management accounting. Using stochastic simulation alone gives a false value of risk, which if calculated only on the basis of relative operational risk (OpRisk) (VaR = UL), can prove to be more aggravating for financial firms since few organizations have the capacity to absorb the EL pursuant to this accounting requirement. When calculating operational risk values, one cannot just look at UL alone.

IT-IRM uses an absolute OpRisk formula (VaR = EL + UL) to calculate the economic capital. This allows simulation tools to be based on more realistic operational risk values and reduces the uncertainty produced by stochastic calculations. (i.e., complementing stochastic calculus tools with IT-IRM).

The cost accounting process of value creation, coordinated by the CFO, should lead to forward-looking provisioning scenarios. Models are used to predict the capital buffers that the organization needs to cover its own operational risk. The CFO is assisted in this activity by financial analysts or actuaries who use stochastic analysis, a technical indicator normally used in the stock market, to represent the distribution of chance and manage uncertainty. The analyst is responsible for calculations and not for approval.

Contrary to market risk, operational risk management is, therefore, not based, as was believed until the subprime crisis, on the decision-making tool or stochastic calculus used by the actuary. A decision-making system does not replace the operational systems that are in daily use by the company, in particular, in management accounting, cost accounting or business accounting. A decision-making platform is the key element for the analysis, the simulation and the optimization of the performance of the company. But its efficiency and the reduction of its margin of error depend on the capacity of the cost-accounting tool to feed in the forward-looking analysis using the current and historic real data of operational risk of the company.14

It would be particularly difficult or unrealistic to try to ensure the projected enhancement of value creation without having the technical capacity to control the threshold of the real-time risk appetite required and focus all the employees on the objectives of the business strategy. IT-IRM is the technology that provides the CFOs with the synchronization tool that was previously lacking.


1 The Financial Stability Board, Overview of Progress in the Implementation of the G20 Recommendations for Strengthening Financial Stability, 14 November 2014,
2 International Actuarial Association (IAIS), Note on the Use of Internal Models for Risk and Capital Management Purposes by Insurers, November 2010,
3 National Association of Insurance Commissioners, NAIC Own Risk and Solvency Assessment (ORSA) Guidance Manual, July 2014,
4 The Basel Committee on Banking Supervision, The New Basel Accord, April 2003,
5 Gregoriou, G.; Operational Risk Toward Basel III: Best Practices and Issues in Modeling, Management and Regulation, John Wiley & Sons, USA, 2009
6 International Organization for Standardization, ISO 31000:2009, Risk management—Principles and guidelines, 15 November 2009,
7, “Adios AMA: Basel Proposal to Bin Op Risk Models Worries Banks,” 28 October 2015,
8 Egoshina, T; et al.; 2013 Embedded Value Results: Generating Value, Milliman, June 2014,
9 Basel Committee on Banking Supervision, Basel III: A Global Regulatory Framework for More Resilient Banks and Banking Systems, 2010, revised in 2011,
10 Ibid.
11 McAleer, M.; “Has the Basel Accord Improved Risk Management During the Global Financial Crisis?,” revised October 2012,
12 Savall, H.; V. Zardet; M. Bonnet; ISEOR Socio-Economic Institute of Firms and Organizations, ISEOR Research Library, 2015,
13 European Union, Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on Prudential Requirements for Credit Institutions and Investment Firms and Amending Regulation (EU) No. 648/2012 (1), paragraph 52,
14 Biesdorf, S.; D. Court; P. Willmott; “Big Data: What’s Your Plan?,” McKinsey Quarterly, March 2013,

Simon Grima, Ph.D.
Is head of the insurance department at the University of Malta, responsible for the degree in insurance and risk management.

Robert W. Klein, Ph.D.
Is an associate professor and director of the Center for Risk Management and Insurance Research in the J. Mack Robinson College of Business at Georgia State University (USA). He can be reached at

Ronald Zhao, Ph.D.
Is an associate professor of accounting at Leon Hess Business School, Monmouth University (New Jersey, USA). He can be reached at

Frank Bezzina, Ph.D.
Is head of the department of management and deputy dean of the Faculty of Economics, Management and Accountancy at the University of Malta. He can be reached at

Pascal Lélé, Ph.D.
Is the research and development director at Riskosoft Corporation. He can be reached at


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.