We call it Integrated Assurance. Decision Focus provides all the capabilities needed by the key GRC disciplines of Risk, Compliance, Quality Assurance and Audit, across all three lines of defence. We feel these disciplines should not operate in silos. Decision Focus records all GRC data in a single repository. All the disciplines contribute to, and draw from this single source, rather than each creating its own island of knowledge, within its own ‘point solution’ tool. Each data item is held once, and once only so the opportunity for inconsistency is removed. Furthermore, all the important relationships and dependencies between data can be recognised, bringing the whole together.
Decision Focus supports data sharing between GRC stakeholders, but in a controlled way. One example is: all 2nd and 3rd line users may view a shared register of which controls exist across the entire organisation and their status. Another is: business users cannot review and respond to findings made by the Underwriting Quality Assurance Team until they are approved for disclosure. Communication between GRC stakeholders also happens within our integrated tool, instead of trying to stay in sync via a myriad of emails. Often the communication is about taking action. Decision Focus provides full action tracking support, with clear ownership and prioritisation ensured. Actions can be initiated and tracked by multiple stakeholders (the business, risk, audit, committees, and the Board). Each is provided with real-time status dashboards and ‘due soon’, ‘completed’ and ‘late’ notifications. In short, less overlap, less chasing, and less confusion as to ‘who’ should do ‘what’, ‘when’.
With this integrated approach, holistic, cross-discipline views of risk and compliance status become feasible. These are essential for effective governance-level reporting. Decision Focus automates the generation of Board and committee-ready reports that draw from across the entire, centralised data repository. These reports are truly ready to table with no manual intervention required, providing a clear, one-stop shop for understanding status and driving action. Ours is a ‘big picture’ vision. However, the capabilities required by each GRC discipline can be added in a ‘plug and play’ fashion. There is a clear path to integrated assurance which you can travel at your own speed. As each discipline migrates across, you eliminate the cost and effort of maintaining their current point solution, and the benefits of integration grow.
Here at Decision Focus we have a detailed understanding of the challenges; our Head of GRC Product Strategy has over 12 years’ CRO experience in the Lloyd’s and Company Markets.
We thought hard about how we can help with the real pressure points, and then engineered some novel and powerful capabilities into the Decision Focus toolset. You generally will not find them in other GRC products; certainly not all in one place, interoperating seamlessly, as we provide.
Our solutions are used by over 70,000 professionals across the globe, meeting the needs of Fortune 100 corporations as well as smaller organisations. Within the insurance sector we support both broking and underwriting firms, including Lloyd's Managing Agents. Whatever the context, people find the system highly intuitive to use. Net Promoter Scores of over 50 attest to that.
Let’s look in more detail at the capabilities Decision Focus provides to tackle insurers’ GRC challenges head on.
They address Risk Management, Compliance (including policy management), Regulatory Reporting, Audit Quality and Assurance. For insurers operating a capital model we also have some very specific and powerful support which you will not typically find in a GRC tool. These are described last.
Decision Focus leads you intuitively through the process of identifying risks and assessing their inherent exposure. This allows you to prioritise risk treatment through the design and operation of mitigating controls. With the controls now in operation, the next step is to obtain an objective, evidence-driven assessment of the residual exposure. Decision Focus enables the business to undertake a periodic self-assessment of control effectiveness. It then presents this data, or evidence, to the risk owner. The presence of preventative controls, assessed to be effective in operation, enables the risk owner to justify that the residual likelihood of the risk crystallising is reduced. Similarly, the effective operation of corrective controls drives down the assessment of residual impact.
But this is just one dimension of the assessment, based on a view of how successful we expect controls to be in mitigating risk. Decision Focus also brings risk experience into the assessment, i.e. a view of what is actually happening, despite the presence of controls. It supports the definition and tracking of key risk indicators (KRIs), and the collation of risk events. A KRI might be ‘the number of policy cancellations within the 14-day cooling off period’, and a rise in its value could indicate the risk of mis-selling is greater than anticipated. A risk event records the actual occurrence of a risk (despite preventative controls) and its actual impact. It’s important to bring views of both control assessment and risk experience together. For example, a risk owner cannot argue, based on control evidence alone, that residual likelihood and impact of a risk are low, when risk event data shows that the risk has crystallised three times in the last quarter, with an aggregate operational loss of £350,000. Decision Focus excels at driving a reliable view of risk status by surfacing all the relevant data, via the one integrated platform.
Managing risk to a defined appetite
With this objective assessment of the residual exposure made, the obvious question is: are you comfortable with this exposure? Decision Focus provides both qualitative and quantitative ways to answer the question.
Risk owners can define a target exposure for a risk using the same qualitative scales they used to assess the risk’s inherent and residual exposures. For example, the current residual exposure might be ‘medium-high’, but the target is ‘medium-low’. Decision Focus also supports the definition of quantitative risk appetite statements and monitoring of risk status against them. Each statement has numerical target and early warning thresholds. The current value of the relevant metric is compared to these thresholds in real time. RAG reporting lets you see immediately if and where you are ‘outside appetite’. Decision Focus distinguishes between statements which represent formal (e.g. Board level) appetite, and those which are simply operational limits.
Whichever the approach, if a risk lies outside your comfort zone, remedial action is required to enhance the risk’s mitigation. Decision Focus provides comprehensive support for action tracking. Clear ownership and prioritisation are ensured and real-time status reported. Actions can be initiated and tracked by multiple stakeholders (the business, risk, audit, committees, and the Board). Each is provided with real-time status dashboards and ‘due soon’, ‘completed’ and ‘late’ notifications.
Adjustable assessment criteria
Decision Focus automatically derives the residual exposure based on the owner’s assessment of residual likelihood and impact. The scoring scheme used to assess the risk and the logic used to derive the residual exposure are entirely configurable, so they are as you want them to be. We make no imposition. Furthermore, Decision Focus permits controlled variation in the schemes used to assess and report on risks. For example, the residual exposure RAG thresholds employed locally may differ from those at group level. Whilst a risk may be assessed and reported as ‘high’ locally, it may be regarded and reported as ‘low’ (or even disregarded) at group level, where materiality is judged using higher severity thresholds. Decision Focus takes care of this translation for you.
The Risk library
Decision Focus supports the creation of a Risk Library where a master set of reference risks is held. These may then be ‘cloned’ as necessary to form localised risk registers, tailored to the nature of that part of the business and the trading and regulatory environment in which it operates. In this way the local definition of risk is consistent with the group framework, but it leads its own operational life and will be assessed accordingly. Central ‘landscape’ views show the status (e.g. residual exposure) of all cloned risks, across the entire organisation, in a single, graphical view.
Tools for managing specific risks
Beyond this broad support for your risk management framework, Decision Focus also provides technical capabilities for managing some specific risks. These include Operational Resilience (including Business Continuity Management), IT security (including ISO 27001 compliance), Data Privacy and Vendor Management.
The first question is: comply with what? Whilst Regulatory compliance is dominant for insurers, there are also legal requirements such as Privacy, Sanctions, Anti-Bribery and SOX.
Additionally, there are internationally recognised quality standards which are often mandated by trading partners, covering topics like IT security, business continuity and social responsibility. Finally, there are self-imposed requirements which must be met, such as underwriting and claims handling standards.
Decision Focus manages compliance by enabling the authorship of appropriate policies that drive operational activity in a way that ensures the legal, regulatory and other imperatives are satisfied. It recognises the individual mandates contained within a policy and maps from these to specific operational requirements contained in underlying Business Standards. For example, a Board policy for Financial Crime may mandate that no trade sanctions shall be breached, and this may be mapped to several specific screening requirements, specified in an underlying Sanctions Screening Business Standard. Each requirement in a Business Standard is then mapped to the controls operated within the business to ensure the requirement is satisfied. These are interlinked within the tool as depicted on the next page.
This structure enables top-down and bottom-up analyses. Top-down, if there is a change at Policy level, an impact assessment can be readily made via the mapping. This identifies all requirements in underlying Business Standards, and in turn all the operational controls, which may need to be adjusted or enhanced to accommodate the policy change.
Bottom-up, if all the controls relating to a requirement in a Business Standard are effective, then the requirement is satisfied. In turn, if all the requirements relating to a mandate in a Board Policy are satisfied, then the business is complying with the mandate. Requirements and mandates can be accorded a weighting factor and simple roll-up arithmetic can provide a ‘percentage compliant’ score at both the Standard and Policy level.
Authorship and Maintenance
Decision Focus supports the authorship and approval of Board Policies and their supporting Business Standards. All such documents are held centrally within the Decision Focus repository. The ability to create, approve, publish, modify, and re-approve policies can be restricted to selected individuals. Workflow logic will control progression (e.g. a policy cannot be published until it has been approved) and co-ordinate participants (e.g. approvers will be notified when approval is needed). The Decision Focus notification engine can schedule the periodic review, update, and re-approval of these documents to ensure they remain fit for purpose. Different review frequencies can be set for each document and all participants (authors, reviewers, approvers) will be notified of the action required by them at the appropriate time. Decision Focus maintains an audit trail of all document creation, editing, approval and versioning actions. Date, time, user and ‘from – to’ data are all captured.
Dissemination & Attestation
Decision Focus enables selected users to publish newly created or updated Policies and Business Standards to defined readership groups. Workflow ensures only approved documents may be published. The Decision Focus notification engine can automatically inform the relevant readership groups when a document has been published.
Some policies require that staff attest that they have ‘read, understood and will comply’. The Decision Focus notification engine can seek this attestation from members of readership groups via system generated emails.
Decision Focus supports the allocation of Policies and Business Standards to different parts of the organisation. In the case of functional areas, this may be subject matter driven. In the case of countries, regions or regulated entities, Decision Focus supports variant documents which can contain both standardised, group-wide requirements along with locally specific requirements. For example, documents relating to Conduct of Business need to be tailored to local, country-specific rules.
Whilst some Policies simply require attestation, others require compliance to be measured and evidenced. For this reason, Decision Focus maps from the requirements set out in Business Standards to the operational controls designed and operated to ensure those requirements are satisfied. Authorised users can either create and link new controls, or map to existing controls.
Decision Focus then uses control assessment and testing evidence to determine the degree of compliance with Business Standard requirements, and in turn Policies. The tool schedules periodic self-assessment of the controls by the first line. Participants are automatically notified by email; assessment progress can be tracked and reminders sent. Assessments of both design adequacy and operational effectiveness are supported. Control attestations requiring responses to defined question sets are also supported, as well as independent assessment (e.g. by compliance monitoring) of the controls, using the same mechanism as the first line.
Finally, formal control testing is also supported (e.g. as undertaken by Internal Audit). This capability includes definition of test samples and scripts, and the collation of test results. These second and third line reviews can be planned, executed, and reported on using Decision Focus’s independent assurance capabilities. Remedial actions to close Policy and Business Standard compliance gaps can be initiated and tracked to completion by first, second and third line users. Where necessary, Decision Focus can mandate that an action owner’s assertion that an action is complete must be confirmed by the second or third line party that initiated the action.
Compliance and the Individual
Regulators are placing an ever-increasing focus on individual accountability for responsible conduct. Using the UK’s Senior Managers and Certification Regime as an example, Function Holders must be pre-approved by the regulator and a Statement of Responsibility must be produced for each, identifying the specific Prescribed Responsibilities they have. Collectively these form the Management Responsibilities Map for the firm. The regulator describes these statements and maps as required documentation, but Decision Focus captures them as structured data, and from this data automates the generation of the documents for submission to the regulator.
Decision Focus’s data approach enables firms to go beyond documented clarity about who is responsible for what, to help individuals understand the status of those specific risks, controls, policies and business standards relevant to their allocated Functions. Individuals are provided with status dashboards tailored just for them, and the action initiation and tracking capability they need to take timely and effective action and drive it to completion.
Regulatory Reporting Workflow
Regulators require numerous submissions from the entities they regulate. Submissions are also required by various legal and statutory stakeholders, reinsurance pools, and trade bureaus such as the MIB. For example, the Lloyd’s Business Timetable alone cites around 250 potential submissions.
Whilst some submissions will be annual, others are required at higher frequencies, such as quarterly. Furthermore, most submissions must be made separately for each entity within a trading group. Internationally active groups also face submission requirements from multiple regulatory jurisdictions around the globe. The burden can readily amount to 100s of submissions within a year for such groups. There are two basic expectations: the submission is made on time and its contents are reliable. Submissions often require complex data transformation, and several functions may need to collaborate, making ‘on time and right’ far from simple.
Decision Focus have developed a novel solution to ensure you meet the challenge. At its heart is the ability to define reference submissions. These are essentially an instruction set for actual submissions. For example, a reference submission might say ‘We must make submission X for these three entities in the group, quarterly’. You can then define a workflow for the submission preparation tasks required, each allocated to the appropriate function (e.g. risk, actuarial and finance) and to the named individuals within each function who will be responsible. Task durations and sequence are also defined.
From these reference submissions Decision Focus will automatically generate a register of the actual submissions which need to be made over the year. In the example above 12 actual submissions will be added to the register, three per quarter (one for each of the three entities), with appropriate start dates and due dates. The total set of actual submissions for the group forms a business timetable, viewed via an Outlook-style calendar. What’s more, the workflow tasks for each submission in the register will also be automatically generated, all with the required start and end dates and allocated to the person responsible. These are visible as a project Gantt chart.
Now it’s a simple matter of getting those tasks done. Decision Focus excels here with comprehensive progress tracking via live dashboards and automated ‘start soon’, ‘due soon’, ‘ready for approval’, ‘approved’ and ‘submitted’ notifications to the right individuals.
Nothing stands still, least of all the submission requirements for regulators. With our approach, when the regulator adds, removes, or retimes submissions you simply need to edit the reference submissions. You can then generate the business timetable for next year with a single button push. This brings a massive effort reduction and guaranteed consistency.
That deals with being sure you are organised about getting your submissions out on time, but what about the quality of their content? We have developed a straightforward data quality management capability to tackle this. The base datasets on which each submission relies are identified and data quality criteria defined for each. Each criterion is mapped to the data quality controls you operate to ensure the criteria are met, and these are subjected to assessment and testing. Full deficiency analysis, remediation and reporting is provided. Decision Focus provides comprehensive support for both the timeliness and the quality of your regulatory submissions.
Audit and Quality Assurance
Decision Focus provides complete support for the entire Internal Audit process. This starts with the automated, multi-metric prioritisation of the audit universe to drive audit planning. Based on metrics of your choosing, the tool will propose the scope for the annual audit plan, which you can then adjust if necessary and then commit to.
With the plan in place, our support for audit execution includes allocation of audit resources and the capture of audit findings, recommendations and supporting evidence. Dashboards are provided for each auditor showing status for just their audits. Management dashboards show status across the whole audit plan.
Decision Focus frees you from the need to execute audits via a multitude of disparate workpapers and replaces these with real-time, value-add auditing data collected in one repository. All dialogue relating to findings, report approval and action progress can be undertaken within the tool, rather than via numerous separate emails. A complete record of the dialogue and any resulting adjustment to findings and actions is captured. Decision Focus supports this conversation both within the audit team, and between the audit team and the business.
Decision Focus has the unique capability to automatically generate your audit report in the background while you are doing your audit work. As audit findings are captured and remedial actions prescribed, the audit report is automatically built as you go along. Decision Focus can also generate the Terms of Reference document for each audit. Since all data relating to all audits are held in Decision Focus's central repository, it can even auto-generate your summary reports to the audit committee.
Finally, there is comprehensive support for action tracking. This is where audit teams spend much of their time, and getting complete closure is a challenge. Decision Focus enables an interactive dialogue with action owners via the tool, live progress reporting and action status dashboards for both audit and the business.
Underwriting and claims quality assurance teams follow a similar ‘plan, execute, report and track’ process. Their audit process is typically questionnaire driven, with the questions directed to individual underwriting or claims files. Decision Focus supports the creation and maintenance of template question sets for each line of business. A variety of response types are supported, such as: yes/no, multiple choice, numerical input and free text. Questions can also be conditional, i.e. whether they are asked or not depends on the response to a previous question. These question sets can then be posed, and responses captured, within the audit execution process described above. All the planning, reporting, and tracking capabilities described above are not just for internal audit; they are also available to the QA teams.
In Decision Focus you set your model scope directly from the risk register. Each risk is assessed for model inclusion using user-adjustable criteria, such as materiality or capital relevance, and marked for inclusion where appropriate.
The rationale for excluding risks from the model is also captured. This is the first step in model documentation. Decision Focus helps you develop this further by explicitly linking each modelled risk in the register to the model components, model inputs, methodologies, assumptions, expert judgements and limitations relevant to its quantification. These are also captured in the tool. Model documentation becomes an ordered data structure within Decision Focus, rather than just prose on paper. The advantage over prose is that data can be queried and used, notably for model validation which is discussed later.
The model can only quantify those risks where sufficient historical data is available. For other risks, notably operational risks, another approach is needed. Decision Focus uses a scenario-based technique for quantifying these risks outside the model and then feeding them into the model as a model input. For each such risk several scenarios can be defined and their impact quantified. Each scenario represents a point on that risk’s frequency/severity curve, so for example might represent the impact of the risk at the 1 in 5, 10, 20, 50, 100 and 200 year return periods.
Bespoke curves are provided for each entity exposed to the risk. The full description of each scenario with its quantification rationale and its result are captured and resulting curves are automatically plotted for use in reporting. The feed to the model can be automated via our open API or undertaken via Excel export/import. Our interface with capital models can be two-way, so quantification data produced by the model can be loaded into the risk register and included in committee and Board reports produced from Decision Focus.
Model Risk Management
Of all Solvency II requirements, this has proven to be one of the most challenging and burdensome. Given its pivotal role, the model rightly requires very careful use, maintenance, and validation. Guarding against failures here has given birth to the modern discipline of model risk management. Decision Focus brings help and assurance in several ways.
It is critical that model users understand its limitations to ensure model outputs are interpreted safely. After all, strategic decisions can be informed by what the model is saying. Decision Focus provides a formal limitations log, used to capture all deficiencies and their source e.g. observation through use, validation testing, or regulator inspection. It also captures the impact of the limitation e.g. uncertainty regarding the one-year capital requirement, the to-ultimate capital requirement or technical provision sufficiency. Importantly, Decision Focus supports action initiation and progress tracking to remediate limitations where feasible. Finally, sharing limitations with users and formal limitation reporting as part of model validation are supported.
The model must be used by the business, rather than constructed for purely regulatory purposes, and this must be evidenced. Decision Focus incorporates a model use log where all use occasions are recorded, and the objectives and benefits of the use are documented. The log can be drawn upon by Decision Focus’s automated validation reporting.
Model Change Control
The model must be stable to be reliable in use. However, changes in the business model and strategic plans will necessitate change, as will addressing model deficiencies. Decision Focus manages the entire workflow for model change: recording proposed changes, capturing rationale, impact analysis, internal approval, external approval (for material changes), reporting to change Boards and the regulator.
Model Validation Testing
Decision Focus supports a validation test library; a list of all the tests you might make of the model, at some point in time. The test type (e.g. profit & loss attribution, reverse stress test, back-test), methodology and pass/fail criteria are defined for each test. Importantly, the degree of independence required for each test is specified. You may then nominate which tests you will run in each test cycle. These may then be scheduled in time to form a test plan for the cycle.
Decision Focus also helps prioritise which tests to include in each validation cycle. It accords each test an importance factor based on multiple assessment criteria, which you can adjust. These might be one-year model outcome sensitivity or business model change. Decision Focus also provides test aging analysis and will prompt you to include tests which have not been run for a while.
Test tasks are allocated to individual testers and validation forums, such as the Reserving Committee. Decision Focus then checks that the required degrees of independence are satisfied. Testers are provided with specific views of the scope and progress of their test work. Test managers are provided with oversight views. All test outcomes are documented directly in Decision Focus. Supporting evidence of test outcomes can be uploaded into the tool. The entire test execution process is supported, and its data held in one place, explicitly linked to the model components under test. This enables model test coverage analysis.
This is the infamous ‘garbage in – garbage out’ requirement, and it is onerous. Decision Focus has a dedicated data quality management capability. The data sets on which each model input relies are identified with the tool along with completeness, appropriateness, and accuracy criteria for each. Each criterion is mapped to the data quality controls designed and operated to ensure the quality criterion is met. These are held in Decision Focus’s control register. Control assessments and testing evidence can then be used to determine whether the criteria are met, and in turn provide an objective conclusion whether each dataset is reliable for model use. All of this can be readily evidenced when you are challenged.
Testing will uncover model deficiencies. Decision Focus supports the initiation and tracking of remedial action and retesting. Retests can be scheduled for the current cycle or deferred to a later cycle. Intuitive action status dashboards are provided along with helpful email notifications to testers and managers. Through this approach a strong validation loop is evidenced as documented model improvements are tracked through the system.
Decision Focus supports flexible reporting to the validation forums you operate. Reporting is fully automated; no manual intervention is required. Insurers will recognise the high effort required to do this manually. Decision Focus removes this burden and ensures reporting integrity.
What’s next? It’s your move...