Source: Chapelle, A., Operational Risk Management: Best Practices in the … (section "Risk and Control Self-Assessments", pp. 56–57)
FIGURE 6.2 Example of likelihood scale

Columns: Qualitative rating | Frequency of occurrence | Probability of occurrence % (at one-year horizon) | Definition | Guidance

High | 1 year or less | >50% | Likely to occur within one year | More likely than not of happening within a year; historical evidence indicates that such an event occurs once or more per year
Medium | >1–5 years | 10–50% | Likely to occur in the medium term | Likely to occur at least once in a five-year horizon (e.g. strategic plan horizon)
Low | >5–20 years | 2.5–10% | Unlikely to occur in normal business circumstances | A remote possibility exists for such an event to occur, less than 10% chance of occurrence within a year
Rare | >20 years | <2.5% | Should not happen, unless very rarely | Very unlikely, may occur in exceptional circumstances. Has not occurred yet in the company but the possibility should be envisaged
a 10% chance of occurring next year. It is particularly important to be aware of this distinction when assessing risks that are rapidly evolving, such as cyberattacks, technological changes or regulatory sanctions. Figure 6.2 presents an example of likelihood scales. Here again, the general practice has evolved from a 5-point scale to a 4-point scale. Workshop facilitators should ensure that all participants in the risk assessment use the same definitions, thus avoiding conflicting interpretations when qualifying the risks.
In Practice – Helping with Risk Assessment
Although simple on paper, risk assessment can prove particularly tricky in practice. The
two suggestions below might help risk managers to run RCSA workshops. Figure 6.3 is
an example of an overall impact scale definition – valid at firm level – aggregating the
various possible impacts into a more intuitive definition, and provides parallels from
recent market events to help put the assessment in perspective.
On a less serious note, but probably just as revealing, are the responses illustrated
in Figure 6.4. A “low” impact would be the equivalent of a shrug of the shoulders
(“Whatever . . . let’s fix it and move on”). A “moderate” impact would be a major
embarrassment but with no major consequence – like the time when, as a young credit
risk professional, I accidentally deleted hundreds of documents from the department
server, destroying hours of some of my colleagues’ work. I apologized profusely, IT
brought in the overnight backup and things got back to normal within a few hours.
Operational risk wasn't even defined in banking in those days, whereas today such an incident would probably require an action plan for read and write access to server files. A contemporary example would be an employee clicking on the link of a test phishing attempt while having access to highly restricted information. In contrast, a "major" event would trigger immediate alerts to senior management, while an "extreme" event would place the firm in crisis management mode.

FIGURE 6.3 Impact scales – intuitive definitions

Extreme: Impact that could threaten the firm's survival. Exceptionally high impact that should never happen, large enough to trigger a crisis management process. Market examples: VW pollution testing scandal, JPMC London Whale.

Major: Doesn't threaten the firm's survival, but large enough to trigger immediate top-level attention and involvement, and with long-term consequences in terms of remediation plans. Market examples: BNPP embargo fines, HSBC AML fines.

Moderate: Significant impact within the firm, but mostly circumvented to internal effect and limited external impact. Limited or no reputation damage toward the direct stakeholders and regulators. Will trigger internal remediation and action plans if any more than exceptional in occurrence. Market examples: usually don't hit the press, besides passing embarrassment.

Low: Big enough to qualify as an incident, but generally accepted as the cost of doing business. To be treated, but without putting current risk management practice into question, as long as it does not reveal a systematic weakness in controls or processes.

FIGURE 6.4 Risk assessment hint: what would be your reaction if it happens? [figure content not reproduced; the reactions are paraphrased in the text above]
In my experience, many risk assessments tend to overestimate impact and to underestimate likelihood. The overestimation of impact comes from the fact that assessors fail to take into account the important role of incident management in reducing net impact. Rapid reaction and effective crisis management plans can do wonders in reducing the actual impacts of material incidents. I will come back to this in Chapter 20.


COMBINING LIKELIHOOD AND IMPACT: THE HEAT MAP
The probability/impact matrix, or “P/I matrix,” combines two dimensions of risk and
is often called the RCSA matrix or heatmap (Figure 6.5). It is, or at least should be, the
most tangible expression of a firm’s risk appetite. It determines the limits of risk-taking
and exposure, and leads to further mitigating actions when residual risks are assessed
and land on a map zone that is outside of risk appetite. The various combinations of
impact and likelihood correspond to colors that denote the intensity of the risk. The
colors most commonly used are red-amber-green or red-amber-yellow-green. Some
firms have shades of red, black or even purple for the highest impact and likelihood
combinations. Other firms have shades of green for the lowest risks. More rarely, shades
of blue are used, sometimes because management is reluctant to use red; the darker the
blue, the higher the risk.
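As an added worked example (not code from the book), the Python below walks one RCSA line through the steps described above: it turns an observed incident history into a one-year probability, places it on the Figure 6.2 likelihood bands, crosses it with a Figure 6.3 impact rating on a red-amber-green map, and flags entries that land outside risk appetite. The incident dates and risk names, the red-amber-green cell layout, the rule that only red cells are outside appetite, and the Poisson conversion from an event rate to a one-year probability (p = 1 - exp(-rate)) are all assumptions made for this example; the book's scale gives only the bands.

```python
# Added worked example (not from the book). Scale bands follow Figures 6.2
# and 6.3; the Poisson conversion, the heat-map layout, the appetite rule
# and the sample incidents are assumptions made for this example.
import math
from datetime import date

LIKELIHOOD_ORDER = ["Rare", "Low", "Medium", "High"]       # Figure 6.2
IMPACT_ORDER = ["Low", "Moderate", "Major", "Extreme"]     # Figure 6.3

# Assumed red-amber-green layout: rows = impact, columns = likelihood in
# LIKELIHOOD_ORDER. For this example only red cells are outside appetite.
HEAT_MAP = {
    "Extreme":  ["amber", "red",   "red",   "red"],
    "Major":    ["green", "amber", "red",   "red"],
    "Moderate": ["green", "green", "amber", "red"],
    "Low":      ["green", "green", "green", "amber"],
}
OUTSIDE_APPETITE = {"red"}


def observed_annual_rate(event_dates, window_start, window_end):
    """Events per year observed in [window_start, window_end].
    Uses 365-day years for simplicity (leap days are ignored)."""
    days = (window_end - window_start).days
    if days <= 0:
        raise ValueError("observation window must be non-empty")
    count = sum(1 for d in event_dates if window_start <= d <= window_end)
    return count * 365.0 / days


def one_year_probability(events_per_year):
    """Probability of at least one occurrence within one year, assuming
    occurrences arrive as a Poisson process (assumption): p = 1 - exp(-rate).
    An event recurring once a year on average is therefore about 63% likely
    next year, not 100%; one every ten years is about 9.5%, not 10%."""
    if events_per_year < 0:
        raise ValueError("rate must be non-negative")
    return 1.0 - math.exp(-events_per_year)


def likelihood_rating(p_one_year):
    """Map a one-year probability onto the Figure 6.2 bands:
    >50% High, 10-50% Medium, 2.5-10% Low, <2.5% Rare."""
    if not 0.0 <= p_one_year <= 1.0:
        raise ValueError("probability out of range")
    if p_one_year > 0.50:
        return "High"
    if p_one_year >= 0.10:
        return "Medium"
    if p_one_year >= 0.025:
        return "Low"
    return "Rare"


def heat_map_zone(impact, likelihood):
    """Colour of the cell where the (impact, likelihood) pair lands."""
    return HEAT_MAP[impact][LIKELIHOOD_ORDER.index(likelihood)]


def assess(name, impact, event_dates, window_start, window_end):
    """One RCSA line: observed rate -> one-year probability -> likelihood
    rating -> heat-map zone -> whether a mitigating action is required."""
    if impact not in IMPACT_ORDER:
        raise ValueError(f"unknown impact rating {impact!r}")
    rate = observed_annual_rate(event_dates, window_start, window_end)
    p = one_year_probability(rate)
    likelihood = likelihood_rating(p)
    zone = heat_map_zone(impact, likelihood)
    return {
        "risk": name,
        "events_per_year": rate,
        "p_one_year": p,
        "likelihood": likelihood,
        "impact": impact,
        "zone": zone,
        "action_required": zone in OUTSIDE_APPETITE,
    }


# Constructed sample register (hypothetical risks, not real incident data).
WINDOW_2Y = (date(2022, 1, 1), date(2024, 1, 1))       # 730 days
WINDOW_10Y = (date(2014, 1, 1), date(2024, 1, 1))      # 3652 days

SAMPLE_REGISTER = [
    # The chapter's "moderate" example: a phishing-test click by a user
    # with restricted access; three clicks observed in two years.
    ("phishing click, restricted-data user", "Moderate",
     [date(2022, 3, 4), date(2023, 1, 19), date(2023, 9, 2)], *WINDOW_2Y),
    # A hypothetical major incident seen once in ten years.
    ("embargo screening failure", "Major", [date(2019, 6, 11)], *WINDOW_10Y),
    # A hypothetical low-impact risk that has not occurred in the window.
    ("shared-drive accidental deletion", "Low", [], *WINDOW_2Y),
]


def risks_outside_appetite(register=SAMPLE_REGISTER):
    """Names of register entries whose residual risk lands in a red cell."""
    return [a["risk"] for a in (assess(*entry) for entry in register)
            if a["action_required"]]


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        a = assess(*entry)
        print(f"{a['risk']:<40} rate={a['events_per_year']:.2f}/yr "
              f"p1y={a['p_one_year']:.1%} {a['likelihood']:<6} "
              f"{a['impact']:<8} zone={a['zone']:<5} "
              f"{'ACTION' if a['action_required'] else 'ok'}")
```

Running the file prints one line per register entry; the phishing-click entry lands in a red cell and is the only one flagged for a mitigating action. Note that a rate of one event per year maps to roughly 63%, not 100%, which is the frequency-versus-probability distinction the chapter warns about when the scale mixes a recurrence interval with a one-year probability.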