RCSAs

An exercise in self-control

In a series of articles for ORR, Gene Álvarez and Phil Gledhill provide a comprehensive risk and control self-assessment methodology, and an associated scenario analysis approach. In this, part III of the series, they complete the development of the RCSA metric.

February 2011

This article is the third and final installment in the series dedicated to presenting a comprehensive RCSA methodology. The first article presented an intuitive, structured, and powerful RCSA framework that enables and empowers management to transparently identify and assess the firm's risk exposures and gauge the strength or weakness of the control activities put in place to manage them, while the second article started the development of its complementary RCSA metric. Briefly, the prior article presented a mathematical expression relating inherent risk, control effectiveness, and residual risk, and an approach to frame subjective assessments in a consistent, quantitative manner so that the RCSA metric can be compared across the firm. This article aims to complete the development of the RCSA metric.

Calculating inherent risk exposure

To summarise progress so far, inherent risk is defined as the naturally occurring risk exposure within the business process, whereas residual risk is defined as the risk exposure that remains after controls are implemented. The relationship between inherent risk and residual risk is clarified by α, which is the control effectiveness spanning from 0% to asymptotically 100%. Equation (1.1) reveals that residual risk is simply the product of the inherent risk and control effectiveness values once they are both assessed.

$$
\text{Residual risk} = (1 - \alpha) \times \text{Inherent risk} \qquad (1.1)
$$

Before the multiplication is performed, however, a mathematical definition that quantifies inherent risk exposure must be developed. As demonstrated in last month's article, 'frequency' and 'severity' are quantitative components of risk that use the same risk assessment scale (see table 2 or table 3 from the second article). Intuitively, inherent risk exposure can thus be calculated by multiplying the severity and frequency components, as follows:

$$
\text{Inherent risk} = \text{severity} \times \text{frequency} = \mathrm{base}^{(n_S - 1)}\,\mathrm{base}^{(m_F - 1)} = \mathrm{base}^{(n_S + m_F - 2)} \qquad (1.2)
$$

where base is any positive, real number greater than one that describes the ratio among the severity levels and the frequency levels, and n_S and m_F are the respective risk levels for the severity and frequency rating scores. The result of this calculation is the quantitative level of inherent risk exposure.

As a reminder, control effectiveness for the control portfolio (α_CP) was previously defined as:

$$
\alpha_{CP} = \sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i \qquad (1.3)
$$

Substituting equations (1.2) and (1.3) into expression (1.1) yields a revised computation for residual risk, which is:

$$
\text{Residual risk} = \left( 1 - \sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i \right) \times \mathrm{base}^{(n_S + m_F - 2)} \qquad (1.4)
$$

Using inputs from the frequency, severity, and control weight tables (representing the manager's assessment of frequency, severity, and control weights) presented in the prior article, equation (1.4) quickly calculates the residual risk value for an identified risk exposure.

Multiplying the severity and frequency components defines the dimensionality of the RCSA metric. The unit of risk, within the context of the RCSA, is severity-frequency (or frequency-severity, due to the commutative property of multiplication).

Calculating residual risk

Equation (1.4) provides the manager with an understanding of residual risk based on the values for inherent risk. Now the manager needs to know what the severity and frequency components of residual risk are, so that he/she can gain further insight into whether or not the exposure is being managed at or below an acceptable tolerance level; if not, management must consider other mitigation options for reducing it.

Decomposing the severity and frequency components of residual risk is achieved by realising that the residual risk result can be represented by the base raised to some exponent (for example, Residual risk = base^k) and by using the following three logarithmic properties:
1) $\log_{\mathrm{base}} \mathrm{base} = 1$

2) $\log_{\mathrm{base}} (a \times b) = \log_{\mathrm{base}} a + \log_{\mathrm{base}} b$

3) $\log_{\mathrm{base}} a^n = n \log_{\mathrm{base}} a$

Thus, the residual risk components are computed by transforming equation (1.1) as follows.

$$
\begin{aligned}
\text{Residual risk} &= (1 - \alpha) \times \text{inherent risk} \\
\text{Residual risk} &= (1 - \alpha) \times \mathrm{base}^{(n_S + m_F - 2)} \\
\mathrm{base}^k &= (1 - \alpha) \times \mathrm{base}^{(n_S + m_F - 2)} \\
\log_{\mathrm{base}} \mathrm{base}^k &= \log_{\mathrm{base}} \left[ (1 - \alpha)\, \mathrm{base}^{(n_S + m_F - 2)} \right] \\
k \log_{\mathrm{base}} \mathrm{base} &= \log_{\mathrm{base}} (1 - \alpha) + \log_{\mathrm{base}} \mathrm{base}^{(n_S + m_F - 2)} \\
k &= \log_{\mathrm{base}} (1 - \alpha) + (n_S + m_F - 2) \log_{\mathrm{base}} \mathrm{base} \\
k &= \log_{\mathrm{base}} (1 - \alpha) + (n_S + m_F - 2)
\end{aligned} \qquad (1.5)
$$

where k is the overall residual risk exponent that accounts for the residual severity and residual frequency exponents. In other words, k can be re-expressed as:

$$
k = n_S^{Residual} + m_F^{Residual}
$$

Substituting this expression in the last line of equation (1.5), with additional manipulations, results in:

$$
\begin{aligned}
n_S^{Residual} + m_F^{Residual} &= \log_{\mathrm{base}} (1 - \alpha) + (n_S + m_F - 2) \\
&= (n_S - 1) + (m_F - 1) + \log_{\mathrm{base}} (1 - \alpha)
\end{aligned} \qquad (1.6)
$$

Mathematically, equation (1.6) is called an indeterminate equation because the right side of the expression is the known quantity, while there are two unknowns: variables n_S^Residual and m_F^Residual on the left-hand side of the equation. However, solving equation (1.6) is not hopeless because the risk manager can exploit the control portfolio bias of the control activity in mitigating the severity component, the frequency component, or both components of inherent risk. Control portfolio bias comes from management's design and execution of control activities that have been tailored specifically for a risk's severity, or a risk's frequency, or both together. Here is an example of control portfolio bias.

Due to heavy daily transactional volume combined with resource constraints in the payments area, management decided to control disbursements by verifying transactions above a certain monetary threshold, thus minimising the risk of releasing a large fraudulent payment. In this case, management's decision clearly focuses on the severity of the inherent risk exposure. Thus the control portfolio bias leans toward the severity component of the inherent risk instead of the frequency component.

Introducing control portfolio bias, characterised by the symbol β, facilitates the solution for equation (1.6) as follows.

$$
n_S^{Residual} + m_F^{Residual} = (n_S - 1) + (m_F - 1) + \log_{\mathrm{base}} (1 - \alpha)
\;\Rightarrow\;
\begin{cases}
n_S^{Residual} = (n_S - 1) + \beta \times \log_{\mathrm{base}} (1 - \alpha) \\
m_F^{Residual} = (m_F - 1) + (1 - \beta) \times \log_{\mathrm{base}} (1 - \alpha)
\end{cases} \qquad (1.7)
$$

Capitalising on the design of the control portfolio in mitigating the severity, the frequency, or both components of the inherent risk (via expression (1.7)) resulted in distinct and simple solutions for equation (1.6).

Continuing in determining the residual risk components, the following two calculations are performed after n_S^Residual and m_F^Residual are known.

$$
\text{Residual severity} = \mathrm{base}^{n_S^{Residual}}, \qquad \text{Residual frequency} = \mathrm{base}^{m_F^{Residual}} \qquad (1.8)
$$

Lastly, the associated severity and frequency descriptors are determined by using table 1 (a variant of table 3 found in the second article).

Therefore, equations (1.4), (1.7), (1.8) and table 1 provide the assessor with the information needed to understand the effectiveness of the controls mitigating the risk exposure.

To illustrate, consider a simple RCSA with only one inherent risk exposure that is mitigated by a control portfolio of exactly one activity that equally mitigates the severity and frequency components of the inherent risk (thus, the control portfolio bias is 50% or 0.5). Moreover, suppose the inherent risk components are Enormous (n_S is 5) for severity and Occasional (m_F is 3) for frequency, while the control effectiveness is Effective (calculation value is 0.8). Substituting the numerical values associated with these categories and defining the base as two ('2'), the RCSA metric calculation becomes:

$$
\begin{aligned}
\text{Inherent risk} &= \mathrm{base}^{(n_S + m_F - 2)} = 2^{(5 + 3 - 2)} = 2^6 = 64 \\
\text{Residual risk} &= (1 - \alpha) \times \text{inherent risk} = (1 - 0.8) \times 64 = 12.8 \\
n_S^{Residual} &= (n_S - 1) + \beta \times \log_{\mathrm{base}} (1 - \alpha) = (5 - 1) + 0.5 \times \log_2 (1 - 0.8) \approx 2.8 \\
\text{Residual severity} &= \mathrm{base}^{n_S^{Residual}} = 2^{2.8} \approx 7 \\
m_F^{Residual} &= (m_F - 1) + (1 - \beta) \times \log_{\mathrm{base}} (1 - \alpha) = (3 - 1) + (1 - 0.5) \times \log_2 (1 - 0.8) \approx 0.8 \\
\text{Residual frequency} &= \mathrm{base}^{m_F^{Residual}} = 2^{0.8} \approx 1.8
\end{aligned}
$$

What remains is translating the Residual Severity and Residual Frequency values to their respective severity and frequency descriptors. Re-writing table 1
by substituting two (2) for 'base' achieves this translation. Thus, from table 2, the associated severity and frequency descriptors are Major and Remote.

Table 1: Five-tier frequency and severity risk scales to ascertain residual risk components

| Severity scale | Frequency scale | Residual risk rating score |
|---|---|---|
| Negligible | Improbable | $0 \le \mathrm{base}^{n_S^{Residual}},\ \mathrm{base}^{m_F^{Residual}} \le \mathrm{base}^0$ |
| Moderate | Remote | $\mathrm{base}^0 < \mathrm{base}^{n_S^{Residual}},\ \mathrm{base}^{m_F^{Residual}} \le \mathrm{base}^1$ |
| Material | Occasional | $\mathrm{base}^1 < \mathrm{base}^{n_S^{Residual}},\ \mathrm{base}^{m_F^{Residual}} \le \mathrm{base}^2$ |
| Major | Probable | $\mathrm{base}^2 < \mathrm{base}^{n_S^{Residual}},\ \mathrm{base}^{m_F^{Residual}} \le \mathrm{base}^3$ |
| Enormous | Frequent | $\mathrm{base}^3 < \mathrm{base}^{n_S^{Residual}},\ \mathrm{base}^{m_F^{Residual}} \le \mathrm{base}^4$ |

Table 2: An application of Table 1 using the base as 2

| Severity scale | Frequency scale | Residual risk rating score |
|---|---|---|
| Negligible | Improbable | $0 \le 2^{n_S^{Residual}},\ 2^{m_F^{Residual}} \le 1$ |
| Moderate | Remote | $1 < 2^{n_S^{Residual}},\ 2^{m_F^{Residual}} \le 2$ |
| Material | Occasional | $2 < 2^{n_S^{Residual}},\ 2^{m_F^{Residual}} \le 4$ |
| Major | Probable | $4 < 2^{n_S^{Residual}},\ 2^{m_F^{Residual}} \le 8$ |
| Enormous | Frequent | $8 < 2^{n_S^{Residual}},\ 2^{m_F^{Residual}} \le 16$ |

Converting the RCSA metric into a numerical interval

So far the quantitative discussion has centered on the theoretical construction of the RCSA metric. The metric will next be examined to make sure the result is meaningful, and helps a manager to decide the appropriate response in mitigating a risk exposure, that is, remediating, monitoring, or accepting the risk as it is. As shown in the prior example, the inherent and residual risks are 64 and 12.8, respectively. Unfortunately, there is an issue: the resulting values do not lie within a numerical scale that is readily understandable. Consequently, the manager cannot tell how well the risk exposure is being mitigated by looking at the calculated inherent and residual risk values. To remedy this shortcoming of the RCSA metric, a general expression can be derived that yields a value within a numerical range that is intuitive and easy to understand.

To facilitate the derivation, equation (1.4) can be transformed into:

$$
k = \log_{\mathrm{base}} \left[ \left( 1 - \sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i \right) \mathrm{base}^{(n_S + n_F - 2)} \right] \qquad (1.9)
$$

Upon closer examination, equation (1.9) will be undefined if

$$
\sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i = 1
$$

However, this applies only if the control portfolio effectiveness is 100%, suggesting the risk exposure is completely managed away. Such a situation is unrealistic; seasoned managers understand that some risk exposure always remains. Thus, when constructing or defining the α_i's, the risk manager makes sure the sum of the α_i ω_i products is positive and less than one:

$$
0 < \sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i < 1
$$

Further, equation (1.9) highlights two other potential outcomes: 1) a negative exponent for the residual risk; and 2) a maximum value for both the residual risk exponent and the inherent risk exponent. These points are shown mathematically below.

$$
\begin{aligned}
\mathrm{Exp}_{min} &= \log_{\mathrm{base}} \left( 1 - \sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i \right) < 0 \\
\mathrm{Exp}_{max} &= n_S^{max} + n_F^{max} - 2
\end{aligned} \qquad (1.10)
$$

Because Exp_min can be negative, k ranges from a negative number to the maximum positive value, which is the natural range of the metric. To avoid any confusion or misinterpretation of either inherent or residual risk exponent, the interval (Exp_min, Exp_max) can be translated to span a generic range (a, b), such as 1 through 5 or 1 through 10 – numerical scales familiar to most managers. The interval (a, b) will represent the range between the 'best' (represented by a) possible business environment achievable after implementing effective and efficient control activities through the worst (represented by b) possible business environment that management must address.

For simplicity, assume a linear relationship between (Exp_min, Exp_max) and (a, b) in order to preserve the positive correlation between the two scales. As a result, the equation transcribing the raw exponent for inherent or residual risk into a value within the interval (a, b) is:

$$
f(x) = \frac{(b - a)(x - \mathrm{Exp}_{max})}{\mathrm{Exp}_{max} - \mathrm{Exp}_{min}} + b \qquad (1.11)
$$

where x is either n_S + m_F or n_S^Residual + m_F^Residual. The application of equation (1.11) can be demonstrated using the example discussed earlier. First,

$$
\sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i = \sum_{i=1}^{1} \alpha_i\,\omega_i = \alpha_1 \omega_1 = 0.95 \times 1 = 0.95
$$

because the highest attainable control effectiveness value is 95% (see table 7 in the second article). Assuming (a, b) is equal to (1, 10) and

$$
\begin{aligned}
\mathrm{Exp}_{min} &= \log_{\mathrm{base}} \left( 1 - \sum_{i=1}^{n_{controls}} \alpha_i\,\omega_i \right) = \log_2 (1 - 0.95) \approx -4.32 \\
\mathrm{Exp}_{max} &= n_S^{max} + n_F^{max} - 2 = 5 + 5 - 2 = 8
\end{aligned}
$$
the inherent and residual risk results, rounding to whole numbers, are now:

$$
\text{Inherent risk: } \frac{(b - a)(x - \mathrm{Exp}_{max})}{\mathrm{Exp}_{max} - \mathrm{Exp}_{min}} + b = \frac{(10 - 1)(6 - 8)}{8 - (-4.32)} + 10 \approx 9
$$

$$
\text{Residual risk: } \frac{(b - a)(x - \mathrm{Exp}_{max})}{\mathrm{Exp}_{max} - \mathrm{Exp}_{min}} + b = \frac{(10 - 1)(3.6 - 8)}{8 - (-4.32)} + 10 \approx 7
$$

With the interval clarified, the manager has a better understanding of how effectively the controls are mitigating the risk exposure when comparing inherent risk to residual risk (see table 3) – an intended consequence of the RCSA metric. Furthermore, by comparing inherent and residual risk scores, the manager has greater insight on whether business objectives will be achieved.

Table 3: Summary of RCSA example

| | RCSA metric | Severity | Frequency |
|---|---|---|---|
| Inherent risk | 9 | Enormous | Occasional |
| Residual risk | 7 | Major | Remote |

Note carefully that RCSA metric results should not be interpreted as accurate and precise measures of inherent and residual risk exposures, but rather as comparative values that provide a keener insight on the effectiveness of the control activities in mitigating inherent risks. The metric results allow the manager to determine if residual risk is being managed within acceptable tolerances. The RCSA methodology presented in this article not only provides the manager with a process for evaluating and understanding the general magnitude of the risk exposures but also the direction toward which the risks are trending.

The RCSA metric can be used to populate advanced measurement operational risk economic capital models such as the one developed and published by Álvarez [1], providing the qualitative adjustment that reflects the present risk/control environment. Because the economic capital model in [1] uses historical operational risk loss events as the basis of the calculation, specific conditions that led to some of the losses – such as weaknesses in the control environment – may have been better managed and changed. The RCSA metric accounts for the improvements when calculating the operational risk economic capital charge.

Inherent and residual risks heat map

As a graphical aid, figure 1 depicts the relationship between the severity and frequency descriptors taking into account the RCSA metric results when using the numerical interval 1–10. Such a heat map provides management with visual cues into the relative relationship of the inherent and residual risk exposures, but the information should not be interpreted as absolute. The grid's practical utility is geared to spark meaningful discussion on managing the risk exposures and/or the effectiveness of mitigating controls. The information reflects subjective assessments and not mathematical rigor.

Adjacent to the heat map are circles that illustrate the increase of the RCSA metric values for inherent and residual risks. Each numerical interval value is associated with one diameter size (for example, numerical value one is associated with the circle marked '1' and numerical value seven is associated with the circle marked '7'), indicating that the size of the diameter increases as the RCSA metric value increases. Using a pair of circles in tandem – one representing the inherent risk and the other representing the residual risk – is a useful and helpful way of reporting the identified and assessed risk exposures concurrently.

Risk portfolio exposure

Up to this point, the discussion has centered on quantitatively assessing an individual risk. Most business processes, however, have multiple risks that must be aggregated into a "risk portfolio." There are several approaches to measuring this. One simplified approach is treating the risk portfolio as one risk and the associated control activities as one comprehensive control portfolio. To do this, the manager can use equations (1.3) and (1.4), assessing inherent frequency and severity for the set of risks as a whole, rather than individually, for the risk portfolio. Though this method is easy to use, risk assessment granularity is sacrificed.

A straightforward method for capturing better risk detail in the risk portfolio involves averaging the individual inherent risks. The generalised expression for aggregate inherent risk is:

$$
\text{Risk portfolio}_{IR} = \frac{\sum_{i=1}^{\text{Number of risks}} \mathrm{base}^{(n_S + m_F - 2)_i}}{\text{Number of risks}} \qquad (1.12)
$$

Similarly for the aggregate residual risk, the corresponding expression is:

$$
\text{Risk portfolio}_{RR} = (1 - \bar{\alpha}_{CP}) \times \frac{\sum_{i=1}^{\text{Number of risks}} \mathrm{base}^{(n_{S,i} + m_{F,i} - 2)}}{\text{Number of risks}} \qquad (1.13)
$$

where ᾱ_CP is the mean value for the collection of control portfolios [2]. Hence, equations (1.12) and (1.13) will yield, respectively, the inherent and residual risk results for a portfolio of risk exposures.

1) The Advanced Measurement Approach to Operational Risk: Chapter 4; Risk Books, London (2006), Álvarez, Gene

2) If more accurate control effectiveness results are used from sampling or KRIs, the risk manager may have a statistically meaningful data set to calculate the correlations between controls within a control portfolio and the correlations across control portfolios.
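The worked example above (n_S = 5, m_F = 3, α = 0.8, β = 0.5, base 2, interval (1, 10)) carried through in code, as an added illustration that is not part of the original article: it implements equations (1.2), (1.3), (1.7), (1.8), (1.10) and (1.11) together with the table 1 lookup, and rejects a control portfolio whose effectiveness falls outside the open interval (0, 1), where equation (1.9) is undefined. Function and variable names are my own, not the authors'.

```python
import math

# Five-tier descriptors from table 1 of the article, ordered from tier 1 (lowest) to tier 5.
SEVERITY_DESCRIPTORS = ["Negligible", "Moderate", "Material", "Major", "Enormous"]
FREQUENCY_DESCRIPTORS = ["Improbable", "Remote", "Occasional", "Probable", "Frequent"]


def inherent_risk(base, n_s, m_f):
    """Equation (1.2): inherent risk = base^(nS + mF - 2)."""
    return base ** (n_s + m_f - 2)


def control_portfolio_effectiveness(controls):
    """Equation (1.3): alpha_CP = sum of alpha_i * omega_i over (effectiveness, weight) pairs."""
    return sum(alpha * omega for alpha, omega in controls)


def residual_exponents(base, n_s, m_f, alpha_cp, beta):
    """Equation (1.7): split log_base(1 - alpha_CP) between severity and frequency by bias beta.

    Rejects alpha_CP outside the open interval (0, 1): at 1 the logarithm in (1.9)
    is undefined, and at 0 or below the 'controls' do not reduce the risk at all.
    """
    if not 0.0 < alpha_cp < 1.0:
        raise ValueError("control portfolio effectiveness must satisfy 0 < alpha_CP < 1")
    shift = math.log(1.0 - alpha_cp, base)  # negative, since 0 < 1 - alpha_CP < 1
    return (n_s - 1) + beta * shift, (m_f - 1) + (1.0 - beta) * shift


def descriptor(base, value, descriptors):
    """Table 1 lookup: tier t covers base^(t-1) < value <= base^t (tier 1 also covers 0)."""
    for tier, name in enumerate(descriptors, start=1):
        if value <= base ** (tier - 1):
            return name
    return descriptors[-1]  # beyond base^4 is off the five-tier scale; report the top tier


def to_interval(x, exp_min, exp_max, a=1, b=10):
    """Equation (1.11): linear map of a risk exponent x onto the managerial scale (a, b)."""
    return (b - a) * (x - exp_max) / (exp_max - exp_min) + b


def rcsa_example(base=2, n_s=5, m_f=3, alpha=0.8, beta=0.5, alpha_max=0.95, a=1, b=10):
    """Article's worked example: one risk, one control of weight 1, bias 0.5, interval (1, 10)."""
    alpha_cp = control_portfolio_effectiveness([(alpha, 1.0)])
    ir = inherent_risk(base, n_s, m_f)
    rr = (1.0 - alpha_cp) * ir                           # equation (1.4)
    ns_res, mf_res = residual_exponents(base, n_s, m_f, alpha_cp, beta)
    res_sev, res_freq = base ** ns_res, base ** mf_res   # equation (1.8)
    # Equation (1.10): exponent range; alpha_max is the highest attainable effectiveness (95%)
    exp_min = math.log(1.0 - alpha_max, base)
    exp_max = (len(SEVERITY_DESCRIPTORS) - 1) + (len(FREQUENCY_DESCRIPTORS) - 1)  # 5 + 5 - 2
    return {
        "inherent_risk": ir,
        "residual_risk": rr,
        "residual_severity": res_sev,
        "residual_frequency": res_freq,
        "residual_severity_descriptor": descriptor(base, res_sev, SEVERITY_DESCRIPTORS),
        "residual_frequency_descriptor": descriptor(base, res_freq, FREQUENCY_DESCRIPTORS),
        "inherent_score": round(to_interval(n_s + m_f - 2, exp_min, exp_max, a, b)),
        "residual_score": round(to_interval(ns_res + mf_res, exp_min, exp_max, a, b)),
    }


if __name__ == "__main__":
    for key, value in rcsa_example().items():
        print(f"{key}: {value}")
```

Running it reproduces table 3: inherent risk 64 (score 9, Enormous/Occasional) and residual risk 12.8 (score 7, Major/Remote), with the unrounded residual exponents summing to about 3.68 rather than the article's rounded 3.6.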
[Figure 1: Severity-frequency heatmap, plotting inherent risk and residual risk]

Review of the RCSA metric

In summary, the RCSA metric establishes a simple relationship between inherent and residual risks that preserves the intuitive expectation that residual risk is less than or equal to inherent risk. The metric also institutes the rank order, interval, and ratio measurements for inherent and residual risks. These characteristics are important because an assessor can fairly compare the inherent and residual risk results. Moreover, the RCSA metric accounts for the impact of the control portfolio on the frequency and severity risk components, and allows for the aggregation of risks within a business unit, along an end-to-end process, and/or for an entire organisation. Finally, the metric establishes the foundation for a robust scenario analysis methodology, which will be outlined in the next section.

Scenario analysis

One great benefit of RCSAs is the identification of thematic risk exposures – or prevailing scenarios – across an end-to-end process, organisational structure, or enterprise. The identification of any thematic risk exposure can underscore a vulnerability that could debilitate a process, business unit or firm. Scenario analysis, based on RCSA, can provide insight into these thematic risks [3].

Fundamentally, scenario analysis considers possible future events according to alternative possible outcomes. The RCSA metric in the previous section facilitates scenario analysis by establishing a mechanism for varying the primary inputs (e.g., the control weight or control portfolio bias), and observing the impact of those changes to the business process and associated risk and control environments.

Inherent risk assessment for each risk exposure is itself a potential future event scenario because inherent risk is defined as the naturally occurring risk exposure within the business process, measured in the absence of applied (or planned) control activities. An assessor should generally apply the most conservative risk assessment when considering two or more viewpoints of severity and frequency, which results in a worst case scenario over a calendar or fiscal year for the business process being examined.

Altering the control effectiveness ratings is another means of investigating different scenarios. If the worst case scenario is the inherent risk, then the best possible outcome is effectively mitigated risk exposure. This simple scenario defines the inherent and residual risk spectrum. The pace of residual risk degradation, as it approaches the "worst case" inherent risk assessment, can be examined by adjusting (separately or in tandem) the control effectiveness rating and control weight ranking.

Two extreme states of the control portfolio bias could also be examined. One extreme is solely mitigating the severity component of the risk exposure (bias equal to one), while the other is mitigating only the frequency component (bias equal to zero). Investigating both extreme conditions provides insight on the impact of the design and execution of control activities on the residual risk components.

Conclusion

Management is responsible for identifying and understanding the risks and opportunities at strategic and tactical levels and for effectively and efficiently managing the reliable performance of processes deemed critical to strategy. Management is also responsible for creating and employing processes that provide value to the organisation and become integral to business operations and strategy. To meet those responsibilities, this series of articles presented a rational, intuitive, and thorough RCSA framework that enables and empowers management to transparently identify and assess the firm's risk exposures and gauge the strength or weakness of the control activities put in place to manage them.

The corresponding RCSA metric defines objective criteria to assess the risks and controls consistently throughout the firm, thus reducing subjectivity and allowing comparison between inherent and residual risks on an equal scale. By adopting this RCSA methodology, management will gain insight into the effectiveness of its actions in mitigating risk exposures and will determine if the risk exposures are commensurate with risk tolerance levels in the context of the organisation's objectives. ■

Philip Gledhill is director – operational risk services, at IMAG, and has more than 30 years of experience in operational risk management and banking, treasury and capital markets operations.

Gene Álvarez is executive director – operational risk management at JPM-Chase, and has almost 15 years' experience in risk management and banking and capital markets.

3) To succeed in identifying risk themes requires a sound, logical format to categorise risk. More information on the importance of a well thought out risk schema can be found in reference [1].