LESSON 4: OPERATIONAL RISK APPETITE

5.1 PURPOSE
Understand the assessment of risks and controls – identify, measure and monitor.

5.2 KEY CONCEPTS

 Objectives
 Processes
 Activities
 Risk framework
 Risk events
 Process and activity maps
 Risk owners
 Control owners
 Action plans
 Cause or trigger
 Indicators
 Effect or consequence
 Losses
 Risk drivers
 Stress tests and scenarios
 Control failures
 Reputational damage
 Level and components
 Assessing risks
 Impact or severity
 Likelihood or frequency
 Expected vs unexpected
 Direct vs indirect
 Qualitative vs quantitative
 Impact components
 Ranges
 Periods vs percentages
 Back-testing
 Heat maps
 Independent controls
 Mitigation
 Types of controls
 Design and performance
 Acceptance of risk
 Control effectiveness
 Risk and control assessment
 Internal audit
 Self-assessment
 Compliance

5.3 LEARNING OUTCOMES

On completion of this lesson, you should be able to

 state the aims of a risk and control assessment
 state the benefits to a business carrying out risk and control assessments
 discuss the prerequisites for conducting a risk and control assessment
 identify the basic components of a risk and control assessment
 review the possible pitfalls encountered when identifying risks
 outline the various factors and alternatives when assessing risks
 distinguish between risk owners and control owners
 outline the various factors and alternatives when identifying controls
 interpret a typical risk and control assessment
 describe how to go about a risk and control assessment
 identify the uses of risk and control assessments in a business
 explain why risk and control assessments may go wrong

5.4 LEARNING MATERIAL

Chapter 5 of the prescribed book

5.4.1 Aims of risk and control assessment

A risk and control assessment (also known as a self-assessment) is the process of identifying, measuring and assessing
potential risks and related controls. It attempts to identify and assess future potential risks rather than current risks or actual
risk incidents. It also identifies and assesses the effectiveness of controls in mitigating the identified risks. Therefore, a
self-assessment

 assists in identifying and recording material risks and related controls
 detects risk levels for evaluation against risk appetites or tolerances
 reviews the effectiveness and efficiency of controls on an ongoing basis
 increases transparency by reporting on the results of the assessment
 provides a ranking to focus on risks requiring a higher priority

Study “AIMS OF RISK AND CONTROL ASSESSMENT” in chapter 5.

5.4.2 Prerequisites

The purpose of an operational risk framework is to identify, assess, control and mitigate operational risk and to promote
reporting of current and emerging risk issues. Risk and control assessments form an integral part of the operational risk
framework by enabling an organisation to integrate and coordinate its risk identification and management efforts and improve
the understanding, control and oversight of its operational risks.

The board of directors approves the operational risk policy and has to commit to the risk control assessments, which must
apply to all levels of the organisation and include the strategic and business objectives of the organisation.

Study “PREREQUISITES” in chapter 5.

5.4.3 Basic components

An operational risk event is the actual occurrence of an operational risk. A cause is the reason for that event happening and
represents the origin of the problem and explains the nature of the risk. An event may be associated with one single cause or
several different causes. The effect or impact is the consequence resulting from an event occurring and can be an operational
loss or gain, a real or opportunity cost, a near-miss or an exposure to other risks.

The risk owner is ultimately accountable for ensuring that a risk is managed appropriately. Various individuals who have direct
responsibility for, or oversight of, risk activities collaborate with risk owners to manage each identified risk.

Risk controls are put in place after determining what event can occur, what would cause it to occur and what the
consequences would be. Every single control within an organisation needs to have a control owner and that control owner is
accountable for oversight of the control and ensuring its effectiveness. Control owners are responsible for updating and
reviewing a particular control over time and keeping the risk owner informed regarding its effectiveness. Action plans modify
or add to existing but less effective controls in order to align risk with risk appetite or tolerance.

Study “BASIC COMPONENTS” in chapter 5.

5.4.4 Avoiding common risk identification traps

There are a number of pitfalls associated with risk identification:

Risk register
An inventory, library or list of risks is constraining since the focus is on the list rather than on the identification of
risks. Start the risk and control assessment from scratch.

Cause or trigger
Preventing a cause or trigger should prevent a risk event, but triggers of risk events change over time. One cause
can trigger many risk events and a risk event can be triggered by many causes. Therefore, causes are more
useful in developing an efficient action plan.

Effect or consequence
The outcome of a risk event is often easier to control or manage than the event itself. However, the risk which
precipitated the effect demands a more meticulous analysis.

Indicators
Existing key indicators are useful in identifying the risk and controls an organisation focuses on. Key risk indicators
and key control indicators are often mixed with key performance indicators and require sorting into logical and
consistent sets – an activity separate from and outside the scope of a risk and control assessment.

Losses
A loss causal analysis will identify risk events and failed controls but the risks are often understood to be control
failures relating to causes rather than risk events resulting from control failures. Additional work is required for
this analysis to be used in a risk and control assessment. Losses provide a historical view of risk events and
there are many more potential risk events to be identified via a risk and control assessment.

Stress tests and scenarios
A risk and control assessment must precede stress testing and scenario building to gain insight into the likely causes
and effects of risk events and to separate causes from effects.

Link to objectives
A risk and control assessment should start as a strategic assessment linked to business objectives, thereby directing
the risk and control assessment and enabling risks to be identified within a framework at an appropriate level.

Risk drivers, themes and categories
A risk and control assessment is a comprehensive and low level (i.e. detailed) report on risks and controls. Risk
drivers (single items containing closely linked risk causes) and risk themes (sets of similar risks), on the other
hand, are high level collections of data. The risk and control assessment will uncover related risks, allowing
users to compile sets of similar risk events (i.e. risk categories).

Link to products and geographic regions
Similar or equivalent risk event and control combinations exist between related products. Specific geographic
regions will also have unique risk and control pairs. An in-depth understanding of a business is therefore
essential when undertaking risk and control assessments in order to ensure that these similarities and
relationships are taken into account.

Frequency of identification
Risk identification is part of doing business and should not be fixed to certain periods or limited to whenever full
risk assessments are done.

Immutable
Risk causes or triggers may change, but risk events are immutable (i.e. fixed or unchanging), allowing for the
development of an ideal set of controls for each risk event. Consistency promotes analysis and evaluation.

Triggers, consequences and control failures
It is important to differentiate between risk triggers/causes, events and consequences/effects in order to mitigate
and control the event. Incorrectly identifying a trigger as an event will shift the focus onto control failures.
Identifying a control failure as an event may result in putting a new control in place instead of fixing the failed
control. Incorrectly identifying a consequence as a risk event will shift the focus onto the effects of the event.
The mitigating controls will therefore become less efficient at reducing the effects of the risk event due to
varying consequences.

Reputational damage
Reputational or reputation damage is generally a direct result of risk controls failing and a risk event occurring. It
should therefore not be double counted by identifying it as a risk in its own right and also including it in an
operational risk and control assessment.

Levels and components
Risks should be identified at their appropriate levels. Risks can feature on a strategic, objective, process, activity,
business unit or departmental level. Breaking risk down into its components allows for a detailed analysis of
the underlying risks while retaining focus on the appropriate level.

Study “AVOIDING COMMON RISK IDENTIFICATION TRAPS” in chapter 5.

5.4.5 Assessing risks

A number of rules or standards are used when assessing risk:

Gross risk, net risk and target risk
Risks are assessed at different levels of mitigation – namely, gross or inherent risk (no controls), net or residual risk
(with existing controls) and target risk (with optimised controls for a preferred level of risk).

Frequency of assessment
Related to the frequency or regularity at which individual risks change.

Likelihood or frequency and impact or severity
Likelihood is reviewed on the basis of how frequently a risk event will occur over a given period. Alternatively, the
percentage likelihood of a risk occurring in one year is used. Impact or severity is reviewed in terms of the
possible cost should a risk event occur.

Expected versus unexpected
Risk can be assessed in terms of an expected or unexpected likelihood as well as an expected or unexpected impact.
The expected level (similar to the net risk level) checks on the usual effectiveness of the controls and on the
estimated costs (provisions or reserves). The unexpected level (similar to the gross risk level) provides
information about the amount of capital required to withstand the financial shock from a risk event. Economic
and regulatory requirements are based on the unexpected level of risk.

Qualitative versus quantitative
A qualitative assessment will have a range of values that excludes figures (e.g. low, intermediate and high). In
contrast, a quantitative assessment will have only numbers (R10 million for impact and 10% for likelihood) or
ranges of numbers (R10-R50 million and 10%-25%).

Likelihood – periods
The period for likelihood should be aligned with the level of risk being assessed – for instance, short periods for
activity risk assessments and a much longer period for a strategic assessment.

Impact – direct loss or indirect loss
A direct loss is easy to quantify as it is linked to a specific cost on a financial statement. An indirect loss is more
subjective and based on the total cost (including opportunity costs) of the risk event. Indirect costs often
exceed direct costs and determine the true impact of risk events.

Impact – periods
The financial impact can stretch over a single period or multiple periods. A net present value of the risk event is
valid with business objectives as risk reference and a multi-year period. The impact on shareholder value
requires a multi-year indirect loss figure.

Impact components
Direct and indirect losses are easier to measure when the impact is broken down into separate components.

Levels of scores for likelihood and impact
Scores are subjective and relative. A lower (higher) number of scores leads to a larger (smaller) difference between
adjacent scores. An odd number of scores allows a mean value (e.g. low, medium and high), whereas an even
number of scores forces a decision on either side of a medium value (e.g. low, medium-low, medium-high and
high).

Periods versus percentages
It is simpler to relate to time periods (twice during the working week) for likelihood than to percentages (2/5 =
40%). Likelihoods are often articulated as time periods and converted to percentages when required for
modelling.

Ranges or single figures
The imprecise and variable nature of operational risk makes it difficult to assess likelihood and impact as a single
figure. A range of values (R8m-R12m) may be more relevant than a single value of R10m.

Setting ranges
Gross revenue (preferred) or net income may be used as a base for the ranges. A useful rule of thumb when setting
ranges is that the top of each range is a multiple of about three to four times the one below. For example:

 [High] > three months of base
 [Medium-high] three months to one month
 [Midrange] one month to one week
 [Medium-low] one week to two days
 [Low] < two days of base

Pairs of scores
 one pair of scores for a risk, such as impact and likelihood; or
 two pairs – add average and worst-case for each of impact/likelihood; or
 add a third level by taking the assessment to an extreme worst-case.
In mathematical terms
 average represents a 50% (1 in 2) confidence level or 0.5 probability
 worst-case represents a 95% (1 in 20) confidence level
 extreme worst-case: 0.995 (1 in 200) or 0.999 (1 in 1 000) probability

Use of losses to back-test impacts and likelihood
Actual losses can be back-tested or compared to the subjective assessments, which considered the likelihood and
impact of risks, provided that the risk profile when the losses occurred corresponds or is adjusted to the risk profile
at the time of the assessment.

Heat maps
A risk heat map represents the results of a risk assessment (i.e. the risk profile) visually and in a meaningful and
concise way.

Study “ASSESSING RISKS” in chapter 5.

5.4.6 Owners

The allocation of roles and responsibilities is fundamental to the risk management process. Risk management policies should
be clear on the ownership of risk and controls and the delegation of authority.

Different levels
One of the board members must be the ultimate owner of a risk. The management of that risk may be delegated
to a number of people, each owning only a part of that risk. The risk and control assessment decomposes the
risk down to each level – strategic, process and activity. The person responsible for a particular process or
activity that contributes to a specific strategic goal owns the risks inherent in that process or activity.

Risk owners
Risk owners may exist at several levels, but there is only one ultimate risk owner (i.e. a board member). Each risk
owner at a particular level is responsible for measuring, monitoring and mitigating that risk within the risk
appetite set by the board. The delegated staff member performing the actual tasks has to report back to the
risk owner.

Control owners
Control owners are responsible for managing the mitigation of a risk via internal controls. They design appropriate
controls and ensure adequate performance of these controls within the board’s risk appetite. Any action plans
to increase the effectiveness of a control are identified and implemented by these control owners.

Liaison between risk owners and control owners
Good communication between the risk owner and control owner is essential. Risk owners and control owners
should evaluate the effectiveness of controls based on a common understanding of these controls and the
underlying risks.

Study “OWNERS” in chapter 5.

5.4.7 Identifying controls

The next step after the risk assessment and allocation of ownership is to identify the controls. The level at which the control
is identified must correspond with the level of the risk.

Suitable level
Controls should be identified at the same level as their risk – that is, the level of controls should match the level of
risks. It is important to identify and score the strategic controls which are in place to mitigate or adjust the risks
to an organisation’s business objectives.

Independent controls
The objective is to identify and score controls which are independent of each other. Controls which are linked to
each other are only as good as the preceding control – any subsequent controls will not provide an additional
benefit to mitigating the relevant risk(s).

Mitigating more than one risk
Even though a single control may mitigate more than one risk, it is unlikely that the application of that control
remains the same. The application and effectiveness of a control will vary considerably across an organisation.

Controls are only one form of mitigation
Controls are the most common method of mitigating risks. Another method of mitigation is to transfer the risk to
a third party via insurance. A risk can also be removed or avoided altogether – risk avoidance versus risk
reduction. Risk financing involves the retention of risks along with a financing strategy that ensures adequate
funds in case of a risk event occurring.

Types of controls
Controls are divided into four types:
 Directive controls – policies, procedures and manuals
 Preventive controls – preventing risks from happening
 Detective controls – after-the-fact identification and mitigation
 Corrective controls – mitigation of the effects of a risk event

Effects of preventive and detective controls on risk likelihood and impact
Directive and preventive controls reduce the likelihood of a risk occurring, whereas detective and corrective
controls reduce the impact of a risk event.

Design and performance
Controls should be assessed on their design and inherent ability to mitigate risk as well as on their actual
performance. The advantages of this approach:
 differentiation between theoretical and actual effectiveness of control
 who, where, when and what (4Ws) used to assess the design of control
 design is reflective of the underlying systems and processes
 performance is reflective of the people operating a control
 facilitates comparison of control potency with the risk to be mitigated

Number of scores
Using the same number of levels for control scoring as for risk scoring enables comparison between a composite
risk score of likelihood times impact, and a composite control score of design times performance. The same
consideration must be given to using an odd or an even number of control scores as was given for scoring risks.
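A worked example of the scoring rules in this lesson (periods versus percentages, setting ranges from a revenue base, and comparing a composite risk score with a composite control score), added here and not taken from the prescribed book. The calendar-day convention, the likelihood cut-offs and the rule that a control score below the risk score calls for an action plan are assumptions made for the example.

```python
"""Constructed example for this lesson (not the prescribed book's own method):
likelihood periods converted to percentages, impact ranges built from a revenue
base in steps of three to four times, and composite risk vs control scores."""

CALENDAR_DAYS_PER_YEAR = 365  # assumption: the base is annual gross revenue

# Impact bands as (upper bound in days of base, label, score). Each bound is
# about three to four times the one below, per the lesson's rule of thumb.
IMPACT_BANDS = [
    (2, "Low", 1),
    (7, "Medium-low", 2),
    (30, "Midrange", 3),
    (91, "Medium-high", 4),
    (float("inf"), "High", 5),
]

# Likelihood bands as (upper bound in events per year, label, score). These
# cut-offs are constructed for the example, not taken from the lesson.
LIKELIHOOD_BANDS = [
    (0.1, "Low", 1),         # at most once in ten years
    (1, "Medium-low", 2),    # at most once a year
    (12, "Midrange", 3),     # at most monthly
    (52, "Medium-high", 4),  # at most weekly
    (float("inf"), "High", 5),
]


def period_to_percentage(events: float, period_days: float) -> float:
    """'Twice in a five-day working week' -> 2/5 = 40% per day."""
    if period_days <= 0:
        raise ValueError("period must be positive")
    return 100.0 * events / period_days


def impact_band(loss: float, annual_base: float) -> tuple[str, int]:
    """Place a loss on the impact scale as days of the revenue base."""
    days_of_base = loss / (annual_base / CALENDAR_DAYS_PER_YEAR)
    for upper, label, score in IMPACT_BANDS:
        if days_of_base < upper:  # strict: 'Low' is under two days of base
            return label, score
    raise ValueError("loss must be a finite number")


def likelihood_band(events_per_year: float) -> tuple[str, int]:
    """Place an annual event frequency on the five-level likelihood scale."""
    for upper, label, score in LIKELIHOOD_BANDS:
        if events_per_year <= upper:
            return label, score
    raise ValueError("frequency must be a finite number")


def composite_scores(events_per_year: float, loss: float, design: int,
                     performance: int, annual_base: float) -> dict:
    """Risk score = likelihood x impact; control score = design x performance.
    Both use five levels, so they are comparable. Flagging an action plan
    when the control score is below the risk score is an assumption here."""
    lik_label, lik = likelihood_band(events_per_year)
    imp_label, imp = impact_band(loss, annual_base)
    risk_score = lik * imp
    control_score = design * performance
    return {
        "likelihood": lik_label,
        "impact": imp_label,
        "risk_score": risk_score,
        "control_score": control_score,
        "action_plan": control_score < risk_score,
    }


if __name__ == "__main__":
    # Constructed figures: R500m annual gross revenue, a monthly event costing
    # R3m, mitigated by a control scored 2 for design and 2 for performance.
    print(composite_scores(12, 3_000_000, 2, 2, 500_000_000))
```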

Use of losses
Loss causal analysis is useful in providing objective knowledge of the probable failure of controls. Losses are
indicative of control failure.

Periods versus percentages
It is easier to relate to time periods for the likely failure of controls. Control owners may assess the design and
performance of controls using time periods. Risk managers convert periods to percentages for monitoring and
modelling.

Ranges or single figures
It is easier for control owners to relate to single figures or periods than ranges of control failure. The use of a range
for the failure of a control is less helpful than a range for the likelihood or impact of a risk.

Importance and compliance
The importance of a control and how compliant an organisation is to the control can be used as an assessment pair
for controls.

Study “IDENTIFYING CONTROLS” in chapter 5.

5.4.8 Action plans

Explicit acceptance of risks or need for action plans – the remaining net risk or residual risk (level of risk after accounting for
existing controls) may be acceptable to the organisation, or there may be a need for an action plan to either enhance the
control(s) or reduce the risk exposure even further.

Action plan details – each action plan is linked to a risk and its relevant control(s). A new or additional control can be put in
place or an existing control can be upgraded or tweaked.

Study “ACTION PLANS” in chapter 5.

5.4.9 How to go about a risk and control assessment

Third-party review, facilitated sessions, self-assessment – the risk department of an organisation and staff from a particular
business line or unit may conduct regular self-assessments. Self-assessments enable a common and consistent approach to
assessments across the organisation and provide a detailed functional knowledge of each risk area while utilising the skills in
that business line or unit. These self-assessment sessions can also be facilitated by a third party (e.g. a risk consultant)
combining external expertise with internal knowledge of the organisation. An independent third-party review provides
benchmarking against similar organisations and may help an organisation to improve its controls and reduce its risk profile.

Workshops, interviews or questionnaires can be used during these assessments. Workshops enable the sharing and
discussion of risks relating to an area. Interviews allow each team member to identify and assess the relevant risks, whereas
questionnaires are useful when the team responsible for a certain risk area to be assessed is widespread or geographically
dispersed.

A risk and control assessment workshop, interview or questionnaire requires follow-up work. Participants may need
additional time to consider scores or devise action plans.

Controls should be assessed in terms of their effectiveness in mitigating risk.

Study “HOW TO GO ABOUT A RISK AND CONTROL ASSESSMENT” in chapter 5.

5.4.10 Using risk and control assessments in the business

Risk and control assessments are used extensively in business at all levels:
 Risks and controls can be compared with an organisation’s risk appetite by illustrating the risk and control assessment
graphically.
 The net level of risk can be linked to management provisions and budgets.
 Risk and control assessments are used for quantification and modelling purposes and also provide data on internal
as well as external losses.
 Risk and control assessments can show the effects of a scenario on the risk profile of an organisation.
 An internal audit based on controls perceived to be adequate by management can help to focus remedial action on
controls not operating as intended.

Study “USING RISK AND CONTROL ASSESSMENTS IN THE BUSINESS” in chapter 5.

5.4.11 Why do risk and control assessments go wrong?

Risk and control assessments are helpful when well designed and prepared accurately and on time. Designing and completing
the risk and control assessments takes significant effort and time and there is usually a large number of people involved in
the process at different levels. The most common reasons for a risk and control assessment to fail are
 lack of management buy-in due to little perceived business benefit
 paper overload resulting from too many questionnaires
 lack of feedback from the risk department to the area being assessed
 inflexible software leading to the assessment process being discredited
 failure to link indicators and losses to the risks and controls
 lack of action and follow-up of ineffective or too few controls

Study “WHY DO RISK AND CONTROL ASSESSMENTS GO WRONG?” in chapter 5.

5.4.12 Summary

A risk and control assessment is a process through which operational risks and the effectiveness of controls are assessed and
examined. Management and staff at all levels collectively identify and evaluate risks and their associated controls. It adds
value by increasing a business line or unit’s involvement in designing and maintaining risk and control systems as well as
identifying risk exposures and determining corrective action. It aims to integrate risk management practices and culture into
the way staff undertake their jobs and business units achieve their objectives.

Study “SUMMARY” in chapter 5.

5.5 ACTIVITY

Self-assessment questions: Go to the Online assessment tool to do activity 5.5.

5.6 SELF-REFLECTIVE ACTIVITY

Identify the types of controls that can be implemented in mitigating risks.

5.7 REFLECTION

Before you continue to the next lesson, reflect on the following personal questions:

a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 5 for this lesson? Are you still on schedule, or do
you need to adjust your study programme?
e. How do you feel now?

5.8 CONCLUSION

The aim of this lesson was to provide you with an overview of the benefits to an organisation when implementing an
operational risk management framework.

Study “Conclusion” in chapter 5.
