FIGURE 6.1 Impact scale per type

| Rating | Financial | Service delivery | Customers and reputation | Regulatory |
|---|---|---|---|---|
| Extreme | >25% of yearly budget | Critical service disruption with major impacts to internal and external stakeholders | Significant, possibly long-lasting damage to the firm’s reputation and trust toward many stakeholders | Significant compliance breach leading to large fines and regulatory scrutiny |
| Major | >5–25% of budget | Significant interruption of service leading to crisis management mode internally and customer detriment externally | Large number of customers or stakeholders impacted, to be actively addressed during incident and through post-incident remediation | Compliance breach with or without fines, leading to lasting remediation programs with damage vis-à-vis the regulator |
| Moderate | >0.5–5% of budget | Noticeable interruption of service but with no significant consequence for stakeholders besides inconvenience | Small reputation impact among limited number of customers and stakeholders, short-lived and addressed during incident management | Some breach or delays in regulatory compliance necessitating immediate remediation but with no lasting impact |
| Low | <0.5% of yearly budget (profit or cost, depending on type of center) | No interruption of service noticeable to external party | No impact outside of internal parties | Minor administrative compliance breach not impacting the firm’s reputation vis-à-vis the regulator |
Even in mid-size financial firms, what would be a significant impact at division level
might be minor at group level. Similarly, what would be a moderate impact for the
group might be an extreme one for a regional office or a department.
Only a small number of firms keep a unique RCSA matrix for the whole firm.
Some use just a group-level matrix, which may mean there are not enough relevant risk
assessment tools for the business units. Others use a single RCSA matrix that is relevant
at the process level, which brings the significant challenge of aggregating hundreds and
thousands of granular risks. Unsurprisingly, good practice has evolved towards using
different sets of impact scales. Generally there are two: one at group level, collecting
the results of a top-down risk assessment, and one for business units. Additionally, in
many firms each business unit has the freedom to use its own definitions of impact
range, effectively enabling the units to develop customized tools. However, this practice
creates mapping challenges when comparing results. The case study at the end of
the chapter gives an example of RCSA matrices used in a mid-size insurance company
using two ranges of impacts, one at firm level and one at division level. This company
will be mentioned in Chapter 17 as well, when reporting on a portfolio of projects.
Defining Likelihood
Likelihood scales are most commonly defined in terms of timeframes: “occurring once
in x years.” Although intuitive and easy to discuss, this definition can be slightly
misleading as it actually means: “occurring once if the next year reproduces x times.”
When risk managers talk about a 1-in-10-year event, they actually mean an event with