Chapter 5 Operational Risk Tools PDF
The Institute of Risk Management
Summary
This chapter from a book discusses operational risk tools and risk and control self-assessments. It covers the nature, benefits, and role of self-assessments in managing operational risk. It also details approaches, methods, and reporting.
7/29/24, 10:04 AM Chapter 5 Back Up Book for Printing
https://www.irmvle.org/mod/book/tool/print/index.php?id=4163&chapterid=2322

Chapter 5: Operational Risk Tools – Risk and Control Self-Assessment

Learning outcomes and assessment criteria

5. Understand the nature and role of risk and control self-assessments in the assessment and management of operational risk.
5.1 Examine the nature of risk and control self-assessments in the management of operational risk.
5.2 Describe the benefits of risk and control self-assessments.
5.3 Explain the role of risk and control self-assessments in identifying operational risk.
5.4 Consider the advantages and disadvantages of different methods for undertaking risk and control self-assessments.
5.5 Explain the concepts of likelihood and impact in assessing operational risk and controls.
5.6 Examine the nature and role of controls.
5.7 Explain the roles and relationships between risk owners and control owners.
5.8 Describe common methods of reporting risk and control self-assessments.

Key themes

The key themes of this chapter are as follows:
- The benefits and uses of risk and control self-assessment (RCSA).
- Approaches to RCSA.
- Identifying operational risk.
- Assessing operational risks and controls.
- Taking action and monitoring.
- Reporting operational risk and control information.

Introduction to Chapter 5

Risk and Control Self-Assessment (RCSA) is one of the most important tools in a firm’s operational risk management and control framework. The purpose of RCSA is to enable a firm to manage the key risks it faces to avoid these adversely impacting on the business line's or broader organisation’s objectives.
This involves identifying, assessing, monitoring and reporting both new or emerging risks and existing risks, together with related controls.

Figure 5: Components of risk assessment

5.1 Examine the nature of risk and control self-assessments in the management of operational risk

RCSA is the process of identifying, recording and assessing potential risks and related controls. The process also identifies and assesses the effectiveness of controls in reducing risks. RCSA can be undertaken at various levels in a firm, for example ‘top-down’ aggregate risk and control reviews performed on behalf of the governing body and senior management, or ‘bottom-up’ reviews performed in business entities and central functions. It is common practice for RCSA to be performed at each level of significant decision-making within the firm (for example by business line) and also to be applied to end-to-end processes (for example, in financial firms, from trade inception through to booking, valuation, risk and back office processes). In the case of multinational organisations RCSA may also be scoped to address specific geographical locations.

RCSA is more effective when it is an integrated part of an operational risk framework. Clear risk governance and the engagement of senior management are the most important factors behind an effective approach to RCSA. Executive and senior management support in the form of sponsorship and participation is essential in clarifying ownership of the risks and controls to be managed.
5.2 Describe the benefits of risk and control self-assessments

Before addressing the ‘what’ and ‘how’ of RCSA it is useful to understand the ‘why’ – the reasons organisations do RCSA in an integrated way involving both their risk process and their business processes. What are the benefits and uses of RCSA? The basic answer is to enable strong control support for the environment in which businesses and functions operate, so that risks can be proactively managed and timely actions taken to address unacceptable levels of exposure. By demonstrating that this is indeed the case, regulatory requirements are also fulfilled.

When carefully designed, planned and executed, RCSAs can be expected to provide a range of potential benefits and uses, including the following:

Cultural:
- Cultural change, helping operational risk management to become embedded at all levels of the firm, with respect to both day-to-day activities and longer term business decision making.
- A focus on proactive management of risk (as opposed to a simple reaction to events).
- A practical way of applying and informing people about the firm’s risk appetite and tolerance.

Alignment to strategic direction:
- A documented way to align business strategy and objectives with risk management processes, providing a means of establishing a link between risk and performance.

Interaction & consensus:
- Open discussion of risk and control matters amongst staff and management, leading to better transparency and understanding of risk and its implications across the firm, and the design and effectiveness of related controls.

Ownership & accountability:
- Clear and specific ownership of action plans.
- Responsibilities assigned to individuals for delivering and monitoring action plans.

Record capture (auditable & evidence based):
- A mechanism to record and rank the priority of risks that exist within a firm.
- A common language and set of values across the firm.
- Supports a ‘top down’ and ‘bottom up’ view allowing for material risks identified at executive level to be cascaded down the firm, with appropriate actions being captured in lower level RCSA outputs.
- Risks identified at lower level RCSA workshops should have an escalation route up to senior management in order to provide visibility of potential newly emerging threats that may require executive consideration.
- Providing evidence of analysis and remedial action to external stakeholders.

Driving efficiencies:
- Improved efficiency in business processes and operations and thus customer outcomes.
- Where an ‘end to end’ view is taken, it promotes a holistic view considering critical processes or specific business lines, capturing key controls that should operate across different areas of the organisation.

Workplace reflection
Check whether, and if so how, your organisation uses the outputs of RCSA exercises to support management and business decisions.

5.3 Explain the role of risk and control self-assessments in identifying operational risk

Identification of risk is an important function of the RCSA. Failure to identify risks and related required controls may result in financial loss and adverse consequences for the firm that could have been anticipated and avoided.
If you fail to identify a risk you won’t understand its potential likelihood or impact. To enable a firm to assess its risks and respond appropriately, it must first identify the risks it faces.

5.3.1 Role of RCSA in the operational risk framework

The diagram below demonstrates the role of the RCSA process in the broader operational risk framework, including interactions between framework components.

Figure 5.3.1: RCSA in the operational risk framework

Workplace reflection
Explore how the RCSA in your organisation interacts with other parts of the operational risk framework.

5.3.2 Identifying operational risk framework sources

Different components of the operational risk framework generate information that can assist the identification of new or emerging risks.
- Risk categorisation: The firm’s recognised risk categories (see Chapter 4) can be reviewed for risks that may be relevant currently even if they weren’t considered previously, due to changes in the internal or external operating environment.
- Internal loss events: Actual events may provide details of ‘new’ risks not already captured by previous RCSA exercises. If a risk has been identified by a previous RCSA, actual events can help to validate previous estimates of impact and likelihood.
- External loss events: Actual events that have materialised in other organisations should prompt the question ‘could it happen here?’ and, if so, may provide details of ‘new’ risks obtained from loss data consortia.
- Risk indicators: In the case of ‘leading’ indicators (see Chapter 6), adverse trends in underlying causes may suggest the possibility of an ‘emerging’ risk or could prompt a re-assessment of an existing risk.

5.3.3 Other sources

Apart from the operational risk framework, a firm will usually have additional sources of information that can help identify new or emerging risks, including the following:
- Business line or wider firm’s objectives: Identify what the firm is looking to achieve (its objectives) and consider what could go wrong and prevent it from achieving these objectives (i.e. risks). Further consideration of what absolutely must go right to deliver the objective can assist in identifying key risks.
- Customer complaints: Feedback from customer satisfaction surveys can identify flaws in customer-facing processes and approaches.
- Outputs from business planning processes, e.g. ‘PESTLE’ (Political, Economic, Social, Technological, Legal, Environmental) or ‘SWOT’ (Strengths, Weaknesses, Opportunities, Threats) analysis.
- Business performance management information. Failures to meet performance targets may point to inherent risk or control failures.
- Details of planned change and transformation. Any change in process, products or strategy should be taken as an opportunity to review potential operational risks.
- Loss or event analysis reports.
- Internal audit reports.

Workplace reflection
Find out how your organisation identifies operational risks and whether you can add any sources of information to the above list.
Learning activity
Consider whether a firm’s risk categorisation scheme should be used as (a) the starting point for risk identification; or alternatively (b) as a means of validation, to ensure that all relevant risks have been identified by other means.

5.4 Consider the advantages and disadvantages of different methods for undertaking risk and control self-assessments

There are three main approaches that can be applied when performing an RCSA. Each firm should consider which approach or combination is best suited to its governance, culture, operating environment, size, complexity, structure and geographical dispersion.

Workshop approach

A workshop approach to RCSA provides interaction and enables guidance to be provided during the RCSA process. Workshops can either be held internally or seek the support of the Risk function or internal audit to facilitate these. The approach entails getting a small number of key representatives together (usually 6-8, no more than 12). Although time-consuming, a workshop approach to RCSA often produces appropriate and relevant data. The objective of a workshop approach is to get people engaged in talking about their risks, and to gain consensus in the identification and assessment of risks, controls and required improvements. It can also bring experience of loss events into focus and can be run in conjunction with business process checklists and procedural reviews.

Questionnaire approach

Some firms have established comprehensive standardised questionnaires, with questions allocated to respondents based on their respective responsibilities.
Others have developed questionnaire-based RCSAs, with each central function setting its own questions and a centralised operational risk oversight function ensuring the completeness, consistency and quality level of the questionnaires and responses. A questionnaire-based RCSA approach can be used as a desktop review, as a structure for interviews with subject matter experts (SMEs) or risk and control owners (face to face, by telephone or otherwise), or as a combination of the two. The structure of an RCSA questionnaire should ensure complete coverage of a firm’s operational risks by being aligned to its established risk categorisation scheme.

Hybrid approach

It is possible to use a range of techniques in combination including not just workshops and questionnaires but also interviews or reviews by third parties. This is termed the hybrid approach. It tends to consist of an initial workshop, facilitated either internally or externally, followed later by a questionnaire or interview process to update the initial findings. This is less time-intensive compared to recurring workshops. It helps to keep the information generated current and relevant without becoming too cumbersome for participants. Alternatively, a top-down workshop involving senior management could be held to identify significant risks to the firm, alongside a questionnaire approach to provide the bottom-up perspective.

When considering which RCSA approach to use, an organisation needs to consider the respective advantages and disadvantages of each. The relative merits of each approach are discussed below.

Advantages and disadvantages by RCSA approach

Workshop approach, advantages:
- Opportunity to have the right people with the right knowledge and experience in the room.
- Ability to maintain open dialogue with all members of the group, so everyone has the chance to have their say; gains buy-in from attendees.
- Platform for open, honest discussion, with various perspectives and good interaction promoting a holistic view.
- Outputs are a consolidated view achieved by group consensus.
- Cross reference to the organisation’s risk categorisation scheme ensures that ‘missing’ risks are identified.
- Ability to include process flow analysis and statistical analysis through discussion.
- Opportunity to clearly define roles & responsibilities.
- Ability to raise awareness and check understanding by asking questions.
- Facilitation ensures balanced input; facilitator can act as ‘devil’s advocate’ to challenge inputs and help mitigate estimation bias in the data.
- Provides an opportunity for transfer of risk management skills across the firm.

Workshop approach, disadvantages:
- Time intensive - can inhibit attendance of appropriate contributors/SMEs.
- Inappropriate attendees could result in a less than optimal data outcome.
- Potential logistical challenges (e.g. geographical).
- Inadequate facilitation skills may result in the workshop being dominated by particular attendees or senior managers, leading to poor or unbalanced outcomes.
- Requires an understanding of the operational risk roles and responsibilities of each area of the organisation.

Questionnaire approach, advantages:
- Less time intensive than a workshop.
- Allows individual focus and contribution.
- Flexible: can be done as a desktop review or face-to-face interview.
- Can be done remotely or facilitated.
- Consistent structure to questions promotes better read across and easier aggregation.
- Can involve a larger number of participants than a workshop.
- Provides a physical record of contributions (providing evidence for subsequent reference).

Questionnaire approach, disadvantages:
- Failure to set the ‘right’ questions or correctly interpret the answers will compromise the quality of outputs.
- Limited if any discussion – thus reliance on interpretation of the questions.
- Can result in differing views and opinions – may not be possible to achieve consensus without additional consultation.
- Scope of assessment may not be clear.
- Responses can be biased by individuals’ experience.
- Terminology used can be misinterpreted.

Workplace reflection
In relation to the approach(es) used in your own organisation, can you identify any advantages or disadvantages to add to the above table?

Learning activity
What skills are required to achieve effective facilitation of RCSA workshops? What training and development would be appropriate?

5.5 Explain the concepts of likelihood and impact in assessing operational risk and controls

RCSA involves the assessment of risks and controls, but note the use of the term ‘assessment’ in preference to ‘measurement’, which implies more precise quantification. Although some aspects of operational risk can be measured with a reasonable degree of accuracy, others can only be estimated. Starting with the assessment of risks, this involves consideration of two key questions:
- What are the chances of the risk materialising and how often? (i.e. the concept of likelihood outlined below)
- What are the expected consequences if the risk does materialise? (i.e. the concept of impact outlined below)

5.5.1 Understand the concept of likelihood

Likelihood is defined as the possibility of something happening. It can be expressed in a number of ways, but is commonly conveyed by ranges of values representing a low, medium or high likelihood of occurrence, e.g. low likelihood: less than 1 in 10 years; medium likelihood: 1 in 1-10 years; high likelihood: 1 in a 12-month period.

Likelihood and probability are often used synonymously but have subtly different uses. Probability refers to chance rather than possibility, i.e. the calculated chance of something occurring based on quantitative parameters, data or a mathematical process. Likelihood on the other hand is more judgmental, based on inference and observation rather than mathematical processes. Typically in RCSA we refer to likelihood rather than probability.

5.5.2 Understand the concept of impact

The consequences of an operational risk materialising are generally described as the severity of the risk outcome or impact. This impact can be direct or indirect, and financial or non-financial.

Direct and indirect impacts

Direct impacts are directly attributable to the event and in financial terms would represent incremental costs, e.g. a fine, penalty or overtime payments. Indirect impacts are consequential rather than directly attributable to the event. In financial terms they could include a loss of market share or loss of sales. An important source of indirect impact is increased regulatory oversight, scrutiny or on-site presence, which has in recent years become the most costly indirect impact for many firms. Indirect impacts are also often influenced by other factors and not always solely attributable to the materialisation of the risk in question. They can also arise over a period of time after the event.

Financial and non-financial impacts

The financial impact of an operational risk represents a possible outflow of funds from the firm, and accordingly can often be quantified with a high degree of confidence.
If such impacts are quantified, the basis for the quantification should be stated alongside the estimate; for example if some kind of scaling has been used. Examples of non-financial impacts include reputational damage, and loss of goodwill or customer confidence. Such impacts can be assessed using a defined range, e.g. Low-Medium-High, calibrated to a measure such as the number of customers involved and the duration of the loss of service. In addition to the consequences for the firm, consideration needs to be given to the impact on customers and the markets in which the firm operates. Operational risks will often have both prudential and conduct implications from a regulatory perspective and these should be recognised in the assessment.

Furthermore, there can be situations in which a financial impact will give rise to a non-financial impact, and vice versa. For example:
- A high value fraud (financial impact) may well be widely reported in the media with adverse implications for the firm’s reputation/brand (non-financial impact).
- Significant IT system outages depriving customers of services (non-financial) may result in redress in recognition of unfavourable customer outcomes and fines from regulators (financial).

In the case of both financial and non-financial impacts, estimates can be informed or validated by reference to data sources within the organisation and externally. The following table illustrates how various impacts, both financial and non-financial, can be combined. This involves using a common rating (in this example, High, Medium and Low) and clear definitions. It is worth noting that whilst use of such an approach is common practice, the thresholds may vary from firm to firm to reflect the appropriate level of materiality for that specific firm.
Figure 5.5.2: Types of impact

If a particular operational risk is considered to have a number of different impacts, the impact assessed as being the highest should drive the nature and urgency of an expected response.

It is worth noting that determination of both likelihood and impact is subjective. Scales such as those described above can provide guidance and drive some degree of consistency in assessments. However, this will be subject to biases which we will consider further in section 8.7. Chapters 7 and 8 provide further discussion as to how risk indicators and risk events respectively can be used to validate these assessments.

5.5.3 Assessment of risk exposure

The assessment of operational risk comprises the two dimensions of likelihood and impact. When combined, these provide an indication of an organisation’s relative vulnerability or exposure to various risks. A likelihood and impact matrix is used to combine the respective scores, with the intersection of likelihood and impact on the matrix providing the overall risk assessment. As discussed in section 3.1.2 this can be used to express operational risk appetite. However, it can also be used to understand the relative ranking of different exposures as illustrated in the table below.

Figure 5.5.3(a): Risk exposure

In this example, six risks have been assessed, all with different combinations of likelihood and impact. Risk 4 is considered to be most likely to occur and also to involve a high impact.
Using the risk matrix above it would be rated as a “Red” exposure, and at this stage, represents the greatest risk exposure compared with the remainder which are rated “Amber” or “Green”.

Workplace reflection
Different organisations use a variety of calibrations of risk exposure, using a matrix of, for example, 3 by 3 as above or 4 x 4, 5 x 5 etc. For your own organisation, investigate:
1. How the risk exposure matrix is constructed. How many ratings are there for likelihood and impact and what are they?
2. The calibration of impacts. What is the rationale behind the values?

So far, the assessment has been considered without taking into account the benefits of any controls that may be in place. In operational risk management, risks are generally assessed on both an inherent and residual basis. (These are sometimes referred to as ‘gross’ and ‘net’ respectively.) Inherent risk is an assessment of the level of untreated risk; that is the natural level of risk without controls to reduce the likelihood or impact. For example, consider the risk of a building burning down without any controls e.g. sprinklers, smoke alarms or fire extinguishers. Inherent risk is useful for understanding how bad the exposure could be and thus the value and effectiveness of implemented controls.

Figure 5.5.3(b): Gross/inherent and net/residual exposures

The next step in the RCSA process is the application and assessment of controls, to arrive at a ‘residual’ risk assessment i.e. the level of risk remaining after the effect of existing controls has been taken into consideration.

5.5.4 Assessing the controls

A control can be defined as any action taken by the firm to reduce the likelihood of the risk occurring or the impact if it does.
The capture of ‘key’ controls in the RCSA is critical in defining and understanding which controls a firm can rely upon for effective operational risk management, ‘key’ controls being those which provide the most defence against a particular risk. There are three aspects of control assessment to be considered:
- The types of controls involved;
- The effectiveness of each control; and
- The implications for the assessment of the related risks.
These are discussed further in the next section.

5.6 Examine the nature and role of controls

There are various types of controls that can be applied to the management of risks and they are generally used in one of two ways – either before or after the event materialises – as illustrated in the below representation of the bow-tie model which was introduced earlier in this Workbook, in Chapter 1 and Chapter 4.

Figure 5.6: Controls before/after the event

Controls are categorised as ‘preventative’, ‘detective’, ‘corrective’ or ‘directive’.

5.6.1 Preventative controls

Controls that are designed to ‘prevent’ or deter the risk are important because they seek to address the underlying causes of risks. If they succeed, the event will not arise and there will be no adverse consequences to deal with. In effect, such controls mitigate the likelihood of the risk materialising. For example, in the case of the risk of fire, controls to address the underlying causes could include regular inspections of electrical equipment or a ban on smoking on the firm’s premises.

5.6.2 Detective controls

Once the event has materialised, the first type of control is ‘detection’ – that is, to identify the fact that the event has occurred. A smoke alarm would fulfil this function in the example of a fire. Early detection enables appropriate corrective action to be taken on a timely basis.
Such controls therefore assist in mitigation of the impact of the risk once it has materialised.

5.6.3 Corrective controls

‘Corrective’ controls are also concerned with damage limitation – that is to mitigate the impacts of the event. In the example of a fire, recovery controls could include sprinklers, fire extinguishers, fire evacuation procedures and fire exits. Specific details of risk events may be difficult to anticipate or the underlying causes may be external to the firm. In these cases, we rely on generic controls such as business continuity/recovery/resilience planning and crisis management procedures. These kinds of corrective controls are designed to enable an organisation to react quickly and appropriately when an event occurs, minimising the impacts of the event.

5.6.4 Directive controls

A number of organisations use an additional category of controls, described as ‘directive’. These are usually exemplified by policies that serve to ‘direct’ how controls are to be applied in processes and procedures. They are not included in the ‘before/after the event’ illustration above because they could be relevant either before or after the event, depending on the subject of the policy. For example, a policy dealing with information or data security is likely to focus on controls to avoid or prevent such a breach i.e. before the event. On the other hand, a business continuity or resumption policy will focus on damage limitation measures i.e. after an event has occurred.

Learning activity
Of those additional or replacement controls introduced in response to recent RCSAs, establish what proportion were designed to mitigate underlying causes of the risks as opposed to the potential impacts. Consider whether this has achieved an optimum balance in mitigating the risk exposure.
Within these four main categories of control, further aspects should be considered:
- The nature of the control (i.e. whether it is manual or automated). Manual controls involve human intervention, for example a four-eye check or dual authorisation of payments. They can be subject to intermittent failure depending on the operator. Automated controls involve computerisation, for example access rights on a payments system which prevent an operator processing a payment above their agreed mandate. Automated controls are generally deemed to be stronger than manual.
- Frequency of operation. Depending on the control, it can operate daily, weekly, monthly, quarterly or less frequently. It is important that the frequency of control operation aligns with the pace at which the risk materialises.

Workplace reflection
Consider what proportion of controls on RCSAs within your organisation are manual versus automated.

5.6.5 Control effectiveness

To ensure RCSA is robust it is essential that controls are assessed to ensure their effectiveness. The effectiveness of controls can be assessed in two ways – by considering whether they are fit for purpose in terms of design, and the extent to which they are being operated in practice (referred to as ‘performance’). An assessment of design or fitness for purpose involves considering whether controls – individually and collectively – adequately address the causes and impacts of risks they are intended to mitigate. Reviewing all controls associated with a particular risk helps to identify whether some potential mitigation may be missing. Whilst controls may be appropriate in design they may not operate as intended in practice. It is the combination of these which tells us whether a control is effective overall.
Figure 5.6.5: Control effectiveness

If either the design, or the operation, or both are ineffective, the control will be ineffective overall. There is no benefit in correctly operating a control that is not fit for purpose, and a control that is not operated correctly will not provide the intended benefit. It is only if both the design and operation are effective that the control can be assessed as effective. Risks assessed as insufficiently controlled should be subject to mitigating actions to bring the residual risk exposure to more tolerable levels. In providing its assessment, the firm should consider:

- Design: Will the controls realistically reduce the risk they are managing? Do they achieve completeness of coverage?
- Performance: Is the control operating as designed? Are there adequate resources to perform it? Is the control automated or manual? Does the control operate effectively on every occasion?

Firms will generally be expected to perform testing of controls and provide validating evidence for their assessment. This is generally done through one of the following means:

- Formal testing programme: A series of tests are designed to validate and evidence the effectiveness of the control. This can include inspection of evidence, re-performance of the control, and/or observation of the control in action. Testing is undertaken on a sample basis by someone independent of the person performing the original control.
- Attestation: A declaration by management confirming that their controls are in operation, or noting any exceptions.

Learning activity
What testing of controls is done in your organisation? Can you demonstrate that it provides sufficient evidence of control effectiveness?
5.6.6 Assessment of net/residual risk exposure

Taking into account the effectiveness of controls, the assessment of inherent risk exposure illustrated above can now be revisited to arrive at a net/residual risk exposure. Taking three of those risks as examples:

Figure 5.6.6: Residual risk exposure

The controls associated with Risk 4 are mainly preventative and are assessed as being effective. This will result in a reduction in the net risk exposure by virtue of a lower likelihood of the risk materialising. However, the impact is still high and demonstrates the expected outcome if the controls failed. This assessment suggests a significant reliance on the controls, so one response to the assessment should be rigorous and frequent monitoring and testing of the associated controls, to ensure they continue to be effective.

Risk 6 has a medium likelihood of occurring, and medium impact. Impact trumps likelihood and so, despite its medium likelihood, additional detective controls are needed to bring it to a low impact and so within risk appetite.

In the case of Risk 3 the controls are judged to be ineffective in reducing the inherent risk assessment, and therefore the likelihood continues to be assessed as ‘low’ and the impact as ‘medium’. The assessment suggests the response should be to investigate improving or replacing the existing controls.

Risk 6 has mainly recovery controls which are assessed as being effective. This results in a reduction of the net risk exposure by virtue of lower impact if the risk materialises. In this case a response could be either to accept that the recovery controls are adequate or, if management’s risk appetite dictates that a medium likelihood assessment is too great for this risk, to consider additional/enhanced preventative controls.
This example illustrates how assessing the risk exposure from both an inherent and a residual risk perspective helps to identify appropriate responses in the management of the risks. The target level of the risk is the level at which no additional mitigation is required to align it to the governing body’s risk appetite (as set out in Chapter 3). Decisions regarding appropriate controls to be introduced should always be tempered by sound economics. For example, if it has been ascertained that a given risk can be fully mitigated by the implementation of a control costing £500k, but the maximum residual risk exposure is quantified as £100k, alternative control measures to mitigate that risk should be evaluated instead.

5.7 Explain the roles and relationships between risk owners and control owners

It is common practice for the accountability and responsibility for risks and controls to be assigned to specific roles in a firm’s senior management or executive structure. While ultimate responsibility for the management of a specific risk may rest with a particular executive as the ‘risk owner’, controls that are relied on to mitigate that risk may be ‘owned’ in a different part of the firm.

The ‘risk owner’ is responsible for the management of risks, i.e. the identification, assessment, monitoring and reporting of risks within the agreed risk appetite/tolerance. Typically it is the business line, the first line of defence, which runs and owns the risks.

The ‘control owner’ is expected to be responsible for the design and execution of appropriate controls and to have processes in place to monitor and assess control effectiveness. As necessary, the control owner will also be responsible for identifying and implementing required enhancements. In some cases, specific (i.e. more formal) parameters of responsibility between control owner and risk owner may be established. Clearly, in any event, close and regular communication is necessary between risk and control owners to ensure that the level of mitigation is necessary, appropriate, and provided as required.

5.7.1 Recording the RCSA results

The results of the RCSA must be recorded for future reference in what is often described as a ‘risk log’ or ‘risk register’. This can be achieved in a formal database which encourages consistency in the way information is recorded and reported. The following list is illustrative, rather than comprehensive, but provides an indication of the type of data that needs to be captured in this database:

- Unique risk reference (system or manually generated).
- Risk description (including the event, its causes and impacts).
- Risk event category.
- Risk owner.
- Assessment of inherent likelihood.
- Assessment of inherent impacts (financial and non-financial).
- Gross/inherent risk exposure.
- Summary of controls and frequency of operation.
- Control owners.
- Assessment of control effectiveness.
- Net/residual risk exposure.
- Response decision based on appetite/tolerance.
- Actions, detailing what will be done, by whom and by when.
- Action status.
- Target/expected risk exposure following completion of actions.

5.7.2 Responding to risk exposures

Following the identification and assessment of risks and controls, consideration should be given to how to respond to any risk exposures which exceed the firm’s risk appetite or for which a response is otherwise deemed necessary. Any actions so identified need to be documented and tracked.
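To make the assessment logic of the preceding sections concrete, here is an added example (not code from the IRM workbook) of a toy risk register that applies the control-effectiveness rule of Figure 5.6.5 (design AND operation), derives a net/residual rating from the inherent rating as in 5.6.6, and applies the accept/reduce decision rules of this section. The one-level-per-effective-control scoring, the heat-map banding and the sample risks are assumptions constructed for illustration.

```python
# Added example: toy RCSA register. Scoring rules and sample data are constructed.
from dataclasses import dataclass, field
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Control:
    name: str
    owner: str                  # control owner (section 5.7)
    kind: str                   # "preventative", "detective" or "corrective"
    design_effective: bool      # fit for purpose?
    operation_effective: bool   # operated as designed in practice?

    def is_effective(self) -> bool:
        # Figure 5.6.5: effective overall only if BOTH design and operation are.
        return self.design_effective and self.operation_effective


@dataclass
class Risk:
    ref: str
    description: str
    owner: str                  # risk owner (section 5.7)
    inherent_likelihood: Rating
    inherent_impact: Rating
    controls: list = field(default_factory=list)


def step_down(rating: Rating) -> Rating:
    """Lower a rating by one level, never below LOW."""
    return Rating(max(int(Rating.LOW), int(rating) - 1))


def residual_exposure(risk: Risk) -> tuple:
    """Assumed rule: each effective preventative control lowers likelihood one
    level; each effective detective/corrective control lowers impact one level.
    A control failing either leg leaves the inherent rating unchanged."""
    likelihood, impact = risk.inherent_likelihood, risk.inherent_impact
    for control in risk.controls:
        if not control.is_effective():
            continue
        if control.kind == "preventative":
            likelihood = step_down(likelihood)
        else:
            impact = step_down(impact)
    return likelihood, impact


def rag_status(likelihood: Rating, impact: Rating) -> str:
    """Constructed heat-map banding on the likelihood x impact product."""
    score = int(likelihood) * int(impact)
    return "RED" if score >= 6 else "AMBER" if score >= 3 else "GREEN"


def response(risk: Risk, appetite: tuple, mitigation_cost: float, exposure_value: float) -> str:
    """5.7.2 rules: accept within appetite, or when mitigating costs more than the
    net exposure (then look for cheaper controls, as in the 500k vs 100k example);
    otherwise reduce through additional or enhanced controls."""
    likelihood, impact = residual_exposure(risk)
    if likelihood <= appetite[0] and impact <= appetite[1]:
        return "accept: within appetite; review within 12 months"
    if mitigation_cost > exposure_value:
        return "accept for now: mitigation cost exceeds exposure; evaluate alternative controls"
    return "reduce: introduce additional or enhanced controls"


def sample_register() -> dict:
    """Constructed entries loosely mirroring Figure 5.6.6 (not the workbook's data)."""
    r4 = Risk("R4", "Payment processed above operator mandate", "Head of Payments",
              Rating.HIGH, Rating.HIGH,
              [Control("System mandate limits", "IT Ops", "preventative", True, True)])
    r3 = Risk("R3", "Client record data entry error", "Head of Client Services",
              Rating.LOW, Rating.MEDIUM,
              [Control("Monthly reconciliation", "Finance", "detective", True, False)])
    return {"R4": r4, "R3": r3}
```

For R4 the effective preventative control lowers likelihood but leaves impact HIGH (the reliance on controls that 5.6.6 describes); for R3 the control fails on operation, so its inherent rating carries through unchanged.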
There are four recognised alternative responses to identified risks, and any one or a combination of the following options may be utilised by an organisation as appropriate to the risk exposure.

Action: Risk acceptance
It may be appropriate for risks to be accepted at the net/residual level due to:

- The net/residual exposure being within appetite/tolerance.
- The cost of mitigating the risk exceeding the net/residual exposure.

If a risk is being accepted, analysis will be needed to support the cost-benefit justification and to allow an individual or committee within the firm’s governance structure to make the appropriate decision as to whether or not a risk acceptance is appropriate. Any such acceptance decision and its rationale should always be documented. It is recommended that any risk acceptance does not exceed a 12-month period, at which point a review will be required to determine whether any of the underlying assumptions (likelihood, impact, control effectiveness or risk appetite) have changed.

Action: Risk reduction through additional controls
The introduction of new or additional controls, or enhancements to existing controls, can reduce the impact if the risk does materialise, or reduce the likelihood of the risk materialising in the first place.

Action: Risk transfer
For some types of operational risks (e.g. relating to loss/damage/theft of physical assets) the purchase of an insurance policy acts as a risk transfer mechanism. A claim on an insurance policy will result from a risk materialising within the firm, and will mitigate the financial loss involved (apart from the policy ‘excess’ and any amount above the value insured). It must be noted that mitigation by insurance can never be fully guaranteed, e.g. if policy terms/conditions are not met or the risk cause is excluded from cover.

Action: Risk avoidance
Risk avoidance is achieved by identifying and removing the root cause of a risk before it materialises.
Examples of ways to avoid risk include:

- Deciding not to enter a particular market.
- Not offering a particular product or service.
- Not implementing proposed changes to systems or processes.

5.7.3 Monitoring

After any mitigating actions are taken, the risks that have been mitigated should be re-evaluated to assess any reduction in likelihood, impact or both. A re-assessment of the risks and controls may be driven by:

- A change in the likelihood of a risk materialising.
- A change in the impacts, financial and/or non-financial.

The most common approaches to monitoring are explained below.

Business as usual (BAU)
Building the RCSA into BAU management oversight, decision-making and business reviews can help to establish it as an ongoing management tool. For example, in terms of oversight, incorporating RCSA as an agenda item at governance committees, executive committees or operations committees supports management buy-in to the RCSA process. These committees can use RCSA to monitor the firm’s risk profile by reviewing the current status of existing risks while also considering and recognising any new or emerging risks.

Risk and Control Indicators (“RIs” and “CIs”)
Having identified the key risks during the RCSA process, relevant indicators can be established to monitor changes to the likelihood, impact or control ratings. For further information on Risk Indicators and Control Indicators please refer to Chapter 6.
Business change
If there are changes to the environment (external or internal) in which a firm operates, a new strategy is implemented, or new products, processes or systems are introduced, the assumptions underlying the RCSA will need to be revisited.

Internal audit
RCSA output can be a key input to the audit cycle, for example suggesting a focus on those risks where there is a wide gap between the gross/inherent and the net/residual exposures. In these cases management is heavily dependent on the controls that are in place, and should one of these controls fail the firm could be exposed to a material risk event.

5.7.4 RCSA timing and triggers

Most organisations will have an RCSA programme that requires a review and update on a regular basis, e.g. annually or every six months, perhaps aligned to business planning cycles or external reporting requirements. That regular timing may be appropriate if all the assumptions underlying the RCSA continue to be valid. However, a firm must also be able to identify and respond to potential changes in its risk profile by performing an ad hoc RCSA whenever appropriate, i.e. if particular triggers occur. The following list of possible triggers is intended to be illustrative rather than comprehensive:

- Change in the organisation’s risk appetite.
- Organisational restructure.
- New or changed product.
- New regulatory or legislative requirement.
- Significant operational risk event within the organisation or externally.
- Adverse trend in Risk Indicators.
- Control testing findings.
- Internal audit review findings.
- External audit or supervisory review findings.

Workplace reflection
Check how often your organisation requires RCSAs to be reviewed and updated, then whether there are any examples of updates in between review cycles. If so, why was this?
5.8 Describe common methods of reporting risk and control self-assessments

There are various types of RCSA reporting, and a combination of formats is usually required to communicate key messages and achieve awareness and understanding. As a guide, a good RCSA report:

- Is relevant to the audience to which it is being presented.
- Guides the reader and clearly articulates any action or decisions required.
- Is timely and includes the most up-to-date information available.
- Continuously evolves to meet the requirements of the organisation.
- Translates RCSA data into information by giving context and interpretative analysis and commentary.

RCSA reports may involve a number of different audiences, e.g. business line management to assist decisions and actions, second line of defence teams to consider aggregate risk exposures and generic control solutions, and governance committees for oversight. In each case the level of detail may vary, but the essential contents will be the same, as outlined below.

5.8.1 Executive summary

This should provide a concise overview of the RCSA outcome, with the focus on interpretive information rather than detailed data, and a clear guide as to the expected response, e.g. for information only or for approval of proposed responses.

5.8.2 Scope

There should be a clear description of the RCSA’s scope in terms of the subject and extent of the exercise, for example:

- Coverage in terms of the business area or central function, geographical location, process, product or service concerned.
- Coverage of the types of risk included or excluded (with rationale); how the exercise was conducted and who was involved.
5.8.3 Changes in risk profile

This should consider any notable movements in the risk profile assessment since the previous report, in particular providing an analysis of their root cause, for example:

- Improving and deteriorating aspects of previously identified risks.
- Newly identified/emerging risks.
- Control vulnerabilities.

5.8.4 Residual risk and control assessment results

The key data provided by the RCSA exercise should be presented. This is likely to include:

- A description of each risk and possibly a reference to the firm’s risk data categorisation scheme.
- Identification of each risk owner.
- The assessed likelihood and impact.
- Descriptions of related controls.
- Identification of each control owner.
- The assessed design and operational effectiveness of each control.

5.8.5 Action plans

Proposed responses to the reported risk exposures, detailing what will be done, by whom, and by when. See the preceding sections 5.7.2, Responding to risk exposures, and 5.7.3, Monitoring, for further details.

5.8.6 Heat maps

Heat maps are a visual presentation of the risk profile of an organisation and are a common form of reporting, allowing management to quickly identify priorities for attention and compare different risks against the organisation’s risk appetite. Risks are plotted on the map using the risk and control assessments by combining the likelihood and impact ratings.

Figure 5.8.6: Heat map

A heat map can display risks either in residual terms only or also including their inherent status, to highlight the reliance on controls.
The heat map can also be used to illustrate movement over time, e.g. residual exposure in the current reporting period compared with the previous reporting period. Heat maps provide a visual summary and are useful to focus management attention. However, in isolation (without the benefit of supporting detail) they are not sufficient. Recipients of high-level reporting such as heat maps need to be fully conversant with the parameters determining the Red, Amber or Green status, to avoid confusion and to ensure that appropriate management and staff time is devoted to both reporting and follow-up action.

5.8.7 Plain English vs jargon

Reporting is an essential aspect of the RCSA process, and the information presented must be complete, accurate and timely to provide the basis for management decisions and actions. Reports of any kind should always be prepared with the target audience in mind. Some messages are conveyed more clearly by presenting data, and others by providing text descriptions, or a combination of both. In general, it is better to use ‘plain English’ or business terminology rather than risk jargon, and abbreviations should always be articulated in full at least once.

5.8.8 Risk Systems

Technological solutions to support RCSA vary from firm to firm. Three common approaches, along with their relative merits, are discussed briefly below:

System solution: Spreadsheet software packages (e.g. Excel)
Advantages:
- Minimal additional implementation or licensing costs.
- Users familiar with functionality.
Weaknesses:
- Lack of robustness and stability.
- Manual maintenance and reporting of data, which is labour intensive and prone to error.
- Data integrity difficult to control, particularly in a larger organisation with multiple users requiring access to the data.
- Potential for disconnect between elements of the framework stored in separate spreadsheets.

System solution: In-house developed systems
Advantages:
- Can be designed to address the bespoke needs of the firm’s particular operational risk framework processes.
- Usually provides automated reporting functionality and data integrity checks, improving the efficiency and robustness of the operational risk framework.
Weaknesses:
- System usually deemed non-core to the broader firm, resulting in a reliance on key individuals to maintain and develop it, which gets lost over time, and failure to maintain and develop it to meet ongoing needs.

System solution: Third party dedicated risk system
Advantages:
- Robustly developed and tested, including ongoing support and developments to maintain pace with industry developments.
- Generally contains automated reporting enabling users across the firm to produce key risk reports themselves.
- Automated controls to protect data integrity, including backups and data recovery.
Weaknesses:
- Cost may be restrictive, particularly for smaller firms.

Many firms’ operational risk frameworks have developed iteratively, sometimes with use of a combination of the above for different elements of the framework. When considering the approach to systems used to support operational risk management and the RCSA, it should not be forgotten that a poor choice may in itself create operational risks for the firm.

Workplace reflection
Find out what systems your organisation uses to support operational risk management and identify what operational risks may be posed as a result of this choice.

Workplace reflection
Find examples of how your firm reports RCSA information and the extent to which the underlying data has been interpreted through commentary.
Learning activity
Review a selection of RCSA reports to see whether any potential improvements in business processes or customer outcomes were identified. If so, were these implemented, and with what results?

Summary

RCSA is a key tool in the management of operational risk. Rather than reacting to risk events after they have materialised (and the organisation has suffered the adverse consequences), RCSA represents a strong basis for anticipating potential future risks to the organisation and thus provides the opportunity to mitigate them before they happen. The RCSA is therefore a means by which operational risk can be managed proactively, and it helps operational risk and control awareness to become fully embedded in the firm’s business and management processes.

Learning activity
Review this chapter of the Workbook and make a list of the key learning points that you should take away from it. The core elements include:

- The role of RCSA in the management of operational risk.
- The advantages and disadvantages of different approaches to RCSA.
- How to identify and assess operational risks and controls.
- Responding to the RCSA by taking actions and monitoring.
- Reporting the outputs of RCSA.

Key learning
You will be ready to move to the next chapter when you can confidently answer the following questions:

1. What is RCSA?
2. What is the purpose of RCSA and what can it be used for?
3. What are the benefits of an effective RCSA process?
4. What are the key elements of an RCSA process?
5. How do you identify which risks to include?
6. How do you assess operational risk exposure?
7. What’s the difference between inherent and residual risk exposures?
8. What 4 types of actions can you take to address risk exposure?
9. What’s a control?
10. What roles do controls play in risk management?
11. What key things are included in reporting of RCSAs?
12. What’s the difference between a risk owner and a control owner?