|
1.
Key risks exposures (inherent risks): a view of the magnitude of impacts if key
controls are missing or failing.
2.
An assessment of controls, both preventive and detective, reducing the risk expo-
sures to residual levels.
3.
Estimates of the expected losses, i.e. the most likely impacts and likelihood of
those risks materializing in normal business conditions and under normal controls
(typical case).
4.
Estimates of stress shortfalls or stressed losses, i.e. a pessimistic assessment of the
impact if the risk materializes in an adverse business environment and/or in case
of multiple control failures; this assessment can be closer in impact to inherent
risks, but with a lower likelihood (adverse case).
5.
A list of further mitigating action plans for the residual risks sitting above risk
appetite. This is the central outcome of an RCSA:
Should we do more
? As a
risk manager in a very secure technological firm once put it: “Risk assessment
is not important; what’s important is what we must do.”
The key value of risk and control self-assessments is to determine whether the
control environment of a given unit or activity is in line with the firm’s risk appetite.
If the answer is yes, then the actions are simply to keep everything as is and continue
monitoring the activity. If the answer is no, there is a need for further risk mitigation in
the form of action plans. Risk mitigation does not necessarily mean adding controls;
other options are available, such as reducing risk exposure by minimizing transaction
volumes, limiting access rights, redesigning or improving existing controls and buying
external insurance. Action plans should have business owners, milestones and dead-
lines. The plans are tracked and reported in a similar way to audit recommendations.
Part 3 details the various aspects of risk mitigation.
Risk and Control Self-Assessments
53
RCSA exercises are typically performed once a year and updated, in mature firms,
after each trigger event, i.e., any significant and relevant change in the firm’s risk envi-
ronment. Most often this will be an incident at a peer firm that changes the perspective
on the risk: for example, cyberattacks, a third-party failure, rogue trading or fines for
misconduct.
I M P A C T A N D L I K E L I H O O D R A T I N G S
A N D A S S E S S M E N T S
RCSA is a straightforward exercise, using a simple tool. Judgment-based assessments
using a heatmap are accessible to almost anyone. However, high-quality output is diffi-
cult to achieve for a number of reasons, including subjectivity of judgments, behavioral
biases and the inability to compare results. The main challenge is to achieve compara-
ble results, which means making sure that the definitions of likelihood and impacts are
calibrated so that “high” risks for some are not considered “low” for others. Without
comparable assessments, there is no ordering of risk and hence no proper prioritization
of risk management actions.
D e f i n i n g I m p a c t s
Operational risk events are not limited to financial impacts: remediation time, cus-
tomer experience, regulatory scrutiny and reputation damage are common by-products
of incidents of a breakdown in processes. Most firms nowadays assess risks against four
types of impact: financial, regulatory, customer and reputation. A common variant is:
financial, regulatory, service delivery, customer and reputation. In the past, most impact
ratings used a five-point scale, ranging from “insignificant” to “catastrophic.” Today,
a four-point scale is more common, with the lowest point from the earlier scale often
removed. Indeed, one can question the benefit of spending time, effort and resources
assessing risk with “insignificant” impacts. Furthermore, it’s debatable whether there
is any value at all in using RCSAs for the inevitable small risk events that are part of
the cost of doing business. Repetitive and minor losses are “expected losses” and are
better included in the cost base and therefore the pricing of an activity.
The impact scales in Figure 6.1 are expressed in relative terms (percentages) rather
than in absolute quantities (dollar amount or number of customers impacted), as well as
in qualitative terms (limited/significant). Relative definitions are slightly more complex
to use, as respondents may not know how much 1% of the budget is in dollars, but they
are much more adaptable to risk assessment units of different sizes.
A major point of debate in the RCSA process is indeed whether to use one risk
rating scale for the whole firm or to allow for different scales. Keeping the same set of
impact ranges for the whole firm will almost inevitably lead to high thresholds being
irrelevant for smaller business lines and divisions, except in the smallest organizations.
54
RISK ASSESSMENT
Do'stlaringiz bilan baham: |
