The Situation
- Relying on a 75-worksheet Excel spreadsheet, updated quarterly, creating friction and inefficiency.
- Overlap between Operational Risk and Enterprise Risk assessments led to redundant information requests, causing staff frustration.
- Reporting took weeks and generated few meaningful insights, resulting in delayed action plans and changes.
In the summer of 2018, Farm Credit Canada’s (FCC) Manager of Risk Information, Paulette Beauchesne, came back from vacation to find a huge project on her plate. As a major federal lending body for farmers and agricultural enterprises in Canada, FCC had 75 Risk and Control Self-Assessments (RCSAs) tracked in a 75-worksheet Excel spreadsheet, which they updated quarterly for the Board. This sheet created an inefficient and manual process that poorly served their needs — and was not positioned to add value locally and downstream.
“Every quarter, we would ask people to attest to the effectiveness of the controls in their shop. We would post that spreadsheet via SharePoint so everybody can access it simultaneously.” Beauchesne’s team chased people down via email, asked them to log into SharePoint, and then figured out which of the 75 worksheets was theirs to review. “Scroll down, then there’d be the list of all the controls, and then click a ‘yes’ or ‘no’ to the right, and if it was a ‘no,’ then put in an explanation and close the spreadsheet.”
While Beauchesne’s team focused on Operational Risk, the Enterprise Risk team approached many of the same staff a short while later. “For lots of people, there’s overlap,” explains Beauchesne. Risks identified as strategic to the organization are almost always included in RCSAs from an operational standpoint.
“So Operational Risk would send out this spreadsheet to get an update on the detailed, tactical activities associated with the risk,” Beauchesne describes. “And then, lo and behold, two weeks later, somebody from the Enterprise Risk team would send out an email with a different link asking for an update on the same risk category asking for a higher-level enterprise-wide update on a particular risk. And then, shortly after the end of a quarter, someone from the Strategy team sends out a third email saying, ‘Provide a very high-level update on the risk that we can include to the risk committee of the board of directors.'”
Despite the fact that those three questions looked at risk from different angles, Beauchesne says, “To the individuals responsible for reporting on controls, it felt like the same question coming from three people in a one-month span. That was a big pain point.” Between chasing down information, duplicating work, and needing more definitive oversight over problem ownership and accountability, the process wanted to be thorough but felt cumbersome and inefficient.
Reporting took teams a few days to several weeks every quarter and generated few meaningful insights for leadership beyond control failure. When a risk owner identified a control inadequacy, there were often significant lags before an action plan was put into place and change occurred.