[Figure 6.6: RCSA – a modern representation. Horizontal axis: impact (direct and indirect).]
Risk and Control Self-Assessments
The matrix reflects the risk appetite limits of the company; the firm even calls it a
“risk appetite matrix.” We focused on the definitions of the zones within appetite
(on or below the curve line, and green if using a RAG rating) and outside of
appetite (above the curve line, typically red, and in need of further mitigation).
The “tolerated” areas (on or just above the curve line, often yellow or amber) are
limited to one range per type of impact, as they represent the firm’s risk tolerance
thresholds, where managers have a “neutral” view and they should not be bigger
than necessary. Interestingly, this zone appears to follow – closely enough – the
shape of operational loss distribution. This type of RCSA matrix shows how
opinion-based risk assessments are the qualitative counterpart of quantitative loss
distribution modeling. It is also why P/I matrices should always be represented
with the likelihood on the vertical axis and the impact on the horizontal axis.
Over time, risk assessment based on forecasts should be compared with actual
loss experience. In a perfect world, the distribution of loss experience would
match, closely enough, the distribution of the risk assessment. However, because
we don’t live in a perfect world, risk assessments are not very accurate and they
will not match loss experience. Even so, it is good practice, at the end of each
year, to compare the assessment made with the actual realizations in order to
inform the next assessment.
This matrix at group level is complemented, in the firm, by a second matrix,
used for risk assessments at department level. In the departmental matrix, the likelihood
ranges are unchanged, but the impact ranges are shifted by one notch, the
lowest impact range being €50k–200k and the highest being €5 million and above.
LINKS WITH OTHER PARTS OF THE FRAMEWORK
A single point, a single combination of probability and impact, can hardly summarize
risk assessment. Each risk can materialize at different degrees of severity and, usually,
the larger the impact, the lower the likelihood and vice versa. A simple illustration is
system downtime: minor interruptions of a few minutes are almost certain at a one-year
horizon, while 1–2 hours are less likely and 2–4 hours shouldn’t occur with more than
a 5–10% likelihood (sometimes much less, depending on the type of firm and its systems).
A shutdown of more than a business day is, for nearly every firm, a rare scenario
with extreme impacts. For any risk, there is not one but a multitude of likelihood-impact
combinations. To simplify this continuum of options, firms generally use three types
of assessments:
1. Mild case of expected loss: incidents resulting from control failure or mishap in
normal business conditions.
2. Stressed case: a pessimistic version of possible losses, following key control
failure or multiple control failures and/or in adverse business circumstances
(accounting error at year-end, system halt in peak time, etc.).
3. Worst case: lower likelihood, but loss as bad as it can get when risk materializes
in its extreme version and in particularly adverse business circumstances, or
in conjunction with other aggravating factors (for instance, personal data loss on
high-profile individuals just after an awareness campaign or with massive social
media effect).
Many large institutions assess these three versions of outcomes per risk. Those
assessing only one point focus on the stressed case. The least mature firms fail to give
the business guidance on assessing risks, which creates confusion and disparity in the
results and makes them nearly useless. One of the main challenges of RCSA exercises
is to make sure that all assessors are using the same types of assessment, so that the
results are comparable. In practice, this is difficult to achieve and requires active involvement
from the risk function.
A possible alternative used by some mature institutions is to explicitly link the
RCSA matrix to other elements of the risk management framework and in doing so
recognize the continuum between the different severity and likelihood levels at which
a risk may materialize (Figure 6.7). On the left-hand side of the matrix sit the expected
losses (EL); these are the inevitable processing errors, halts and incidents that are
always part of the cost of doing business. It is important to identify and quantify
these losses so they can be included in pricing, but it is a waste of resources to dedicate
time and effort in RCSA workshops to petty incidents. Good risk management
is good management. On the right-hand side of the RCSA matrix lie the extreme but
hopefully unlikely catastrophic scenarios. While large losses are not rare by nature,
they are rare by occurrence because they are usually prevented from happening when
the right controls are in place. Scenarios are useful for tail risks identification, crisis
[Figure 6.7: RCSA and risk continuum. Axes: likelihood (vertical) and impact (horizontal). Left: EL, the cost of doing business; middle: RCSA, risks in adverse conditions; right: scenarios, unlikely but severe.]