A personal account of managing risk, through the eyes of our CEO


Steven Marshall, CEO





For over 20 years, I ran various trading desks at several large regulated financial institutions. During that time I had to contribute to, review, and act upon risk assessments carried out on the businesses I ran. While I managed the financial and market risks of those desks on a day-to-day (sometimes minute-to-minute!) basis, things like operational, compliance, and regulatory risk were reviewed on a much slower cadence, measured in months rather than hours.

While trading heads tend to focus on market risk, the reality is that if you’re covered by the FCA’s Senior Manager’s Regime as an ‘SMF’ or by internal responsibilities as ‘desk head’, then there are a lot more risks you’re required to be fully aware of, and take responsibility for. Since the financial crisis, it’s no longer acceptable to assume that things like trade reporting, client onboarding, and regulatory compliance is solely “someone else’s” responsibility; it’s yours, so you’d better be aware of what is going on – and that’s where a good risk assessment comes in.

That means the quality of risk assessments is critical. And too often the process looks like this;

A visit from the relevant risk or compliance officer, with a printout of a spreadsheet with text which needs a magnifying glass to read and twenty appendices in order to understand what everything means.

No easy way to look back to see why some control was previously ranked as “inadequate”, or who changed it, and when? And what changed as a result of the incident that occurred with a failed payment four months ago? It’s just a view of a static point in time.

“Want to make a change?” Scribble on the sheet of paper and hope the changes are reflected in the huge grid that will come back for you to review via email at some point in the future.

“Oh yes, we have 4 ongoing remediation plans now, we’re moving to a better place… How will the risk assessment grid look then?” Ah, no. Can’t do that.

And while we’re at it, why do I have to look at everything in an unreadable grid? Can’t I just rank the residual risks and see where the high ones are? Don’t worry – you can hunt out the red ones – or maybe dark grey if we don’t have the colour print out, like a corporate version of “Where’s Wally?”

I think you get my point. Suffice to say, most risk assessments try to carry out the process, but they don’t help with the real problem – which is creating a clear and actionable outcome for how to easily identify, manage and control your high residual risks.

That’s why we built RISKGRID the way we did.

An easy-to-access online web-based platform with lots of ability to filter and view the data in a modern and easy-to-digest format.

The ability to look historically at changes that have been made. Who made them, when, and why? Update your risk assessment directly as a result of risk incidents rather than months post-event.

Drill into your risk assessment, view it how you want to, and update it in real-time, attributing relevant comments to the changes so that everything can easily be reviewed in the future by yourself or auditors.

Put in place remediation plans, link them to your risk assessment, and see the future outcome on your risk assessment now.

All of this with multi-user role-based access controls, and a huge step forward from managing the process on spreadsheets and SharePoint.

The outcome is a system that you can rely on; one that gives you a real-time overview of your risk assessment and a view into the future; something that gives you control and confidence, and the ability to take real action and responsibility for risk.

You could say it reduces the risk of your risk assessment process. Which is exactly what we set out to do.