5.1 PURPOSE
Understand the assessment of risks and controls – identify, measure and monitor.
A risk and control assessment (also known as a self-assessment) is the process of identifying, measuring and assessing
potential risks and related controls. It attempts to identify and assess future potential risks rather than current risks or actual
risk incidents. It also identifies and assesses the effectiveness of controls in mitigating the identified risks. Therefore, a self-assessment
5.4.2 Prerequisites
The purpose of an operational risk framework is to identify, assess, control and mitigate operational risk and to promote
reporting of current and emerging risk issues. Risk and control assessments form an integral part of the operational risk
framework by enabling an organisation to integrate and coordinate its risk identification and management efforts and improve
the understanding, control and oversight of its operational risks.
The board of directors approves the operational risk policy and has to commit to the risk control assessments, which must
apply to all levels of the organisation and include the strategic and business objectives of the organisation.
An operational risk event is the actual occurrence of an operational risk. A cause is the reason for that event happening and
represents the origin of the problem and explains the nature of the risk. An event may be associated with one single cause or
several different causes. The effect or impact is the consequence resulting from an event occurring and can be an operational
loss or gain, a real or opportunity cost, a near-miss or an exposure to other risks.
The risk owner is ultimately accountable for ensuring that a risk is managed appropriately. Various individuals who have direct
responsibility for, or oversight of, risk activities collaborate with risk owners to manage each identified risk.
Risk controls are put in place after determining what event can occur, what would cause it to occur and what the
consequences would be. Every single control within an organisation needs to have a control owner and that control owner is
accountable for oversight of the control and ensuring its effectiveness. Control owners are responsible for updating and
reviewing a particular control over time and keeping the risk owner informed regarding its effectiveness. Action plans modify
or add to existing but less effective controls in order to align risk with risk appetite or tolerance.
Risk register
An inventory, library or list of risks is constraining since the focus is on the list rather than on the identification of
risks. Start the risk and control assessment from scratch.
Cause or trigger
Preventing a cause or trigger should prevent a risk event, but triggers of risk events change over time. One cause
can trigger many risk events and a risk event can be triggered by many causes. Therefore, causes are more
useful in developing an efficient action plan.
Effect or consequence
The outcome of a risk event is often easier to control or manage than the event itself. However, the risk which
precipitated the effect demands a more meticulous analysis.
Indicators
Existing key indicators are useful in identifying the risk and controls an organisation focuses on. Key risk indicators
and key control indicators are often mixed with key performance indicators and require sorting into logical and
consistent sets – an activity separate from and outside the scope of a risk and control assessment.
Losses
A loss causal analysis will identify risk events and failed controls but the risks are often understood to be control
failures relating to causes rather than risk events resulting from control failures. Additional work is required for
this analysis to be used in a risk and control assessment. Losses provide a historical view of risk events and
there are many more potential risk events to be identified via a risk and control assessment.
Link to objectives
A risk and control assessment should start as a strategic assessment linked to business objectives, thereby directing
the risk and control assessment and enabling risks to be identified within a framework at an appropriate level.
Frequency of identification
Risk identification is part of doing business and should not be fixed to certain periods or limited to whenever full
risk assessments are done.
Immutable
Risk causes or triggers may change, but risk events are immutable (i.e. fixed or unchanging), allowing for the
development of an ideal set of controls for each risk event. Consistency promotes analysis and evaluation.
Reputational damage
Reputational or reputation damage is generally a direct result of risk controls failing and a risk event occurring. It
should therefore not be double counted by identifying it as a risk in its own right and also including it in an
operational risk and control assessment.
Frequency of assessment
The frequency of assessment is related to the frequency or regularity with which individual risks change.
Likelihood – periods
The period for likelihood should be aligned with the level of risk being assessed – for instance, short periods for
activity risk assessments and a much longer period for a strategic assessment.
Impact – periods
The financial impact can stretch over a single period or multiple periods. A net present value of the risk event is
valid when business objectives are the risk reference and a multi-year period is used. The impact on shareholder value
requires a multi-year indirect loss figure.
Impact components
Direct and indirect losses are easier to measure when the impact is broken down into separate components.
Setting ranges
Gross revenue (preferred) or net income may be used as a base for the ranges. A useful rule of thumb when setting
ranges is that the top of each range is a multiple of about three to four times the one below. For example:
Pairs of scores
One pair of scores for risk such as impact and likelihood; or
Two pairs – add average and worst-case for each of impact/likelihood; or
Add a third level by taking assessment to an extreme worst-case.
In mathematical terms
- average represents a 50% (1 in 2) confidence level or 0.5 probability
- worst-case represents a 95% (1 in 20) confidence level
- extreme worst-case: 0.995 (1 in 200) or 0.999 (1 in 1 000) probability
Heat maps
A risk heat map represents the results of a risk assessment (i.e. the risk profile) visually and in a meaningful and
concise way.
5.4.6 Owners
The allocation of roles and responsibilities is fundamental to the risk management process. Risk management policies should
be clear on the ownership of risk and controls and the delegation of authority.
Different levels
One of the board members must be the ultimate owner of a risk. The management of that risk may be delegated
to a number of people, each owning only a part of that risk. The risk and control assessment decomposes the
risk down to each level – strategic, process and activity. The person responsible for a particular process or
activity that contributes to a specific strategic goal owns the risks inherent in that process or activity.
Risk owners
Risk owners may exist at several levels, but there is only one ultimate risk owner (i.e. a board member). Each risk
owner at a particular level is responsible for measuring, monitoring and mitigating that risk within the risk
appetite set by the board. The delegated staff member performing the actual tasks has to report back to the
risk owner.
Control owners
Control owners are responsible for managing the mitigation of a risk via internal controls. They design appropriate
controls and ensure adequate performance of these controls within the board’s risk appetite. Any action plans
to increase the effectiveness of a control are identified and implemented by these control owners.
The next step after the risk assessment and allocation of ownership is to identify the controls. The level at which the control
is identified must correspond with the level of the risk.
Suitable level
Controls should be identified at the same level as their risk – that is, the level of controls should match the level of
risks. It is important to identify and score the strategic controls which are in place to mitigate or adjust the risks
to an organisation’s business objectives.
Independent controls
The objective is to identify and score controls which are independent of each other. Controls which are linked to
each other are only as good as the preceding control – any subsequent controls will not provide an additional
benefit to mitigating the relevant risk(s).
Types of controls
Controls are divided into four types:
Directive controls – policies, procedures and manuals
Preventive controls – preventing risks from happening
Detective controls – after-the-fact identification and mitigation
Corrective controls – mitigation of the effects of a risk event
Number of scores
Using the same number of levels for control scoring as for risk scoring enables comparison between a composite
risk score of likelihood times impact, and a composite control score of design times performance. The same
consideration must be given to using an odd or an even number of control scores as was given for scoring risks.
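As an added illustration, not part of the study guide, the following Python sketch implements the scoring rules from the "Setting ranges", "Pairs of scores" and "Number of scores" passages: impact bands growing by a multiple of roughly three to four from a gross-revenue base, average/worst-case/extreme impact taken at the 0.5, 0.95 and 0.995 confidence levels of a loss sample, and composite risk (likelihood times impact) compared with composite control (design times performance) on the same number of levels. The five-level scale, the 3.5x multiple, the nearest-rank quantile, the acceptance rule and the sample losses are constructed assumptions.

```python
import math
from typing import Dict, List

# Confidence levels the text attaches to each score pair (assumed: 0.995 for extreme).
CONFIDENCE = {"average": 0.50, "worst_case": 0.95, "extreme": 0.995}


def impact_bands(base: float, levels: int = 5, multiple: float = 3.5) -> List[float]:
    """Upper limit of each impact band; each top is `multiple` times the one below.
    `base` is the top of the lowest band, e.g. a fraction of gross revenue (assumed)."""
    return [base * multiple ** i for i in range(levels)]


def impact_score(loss: float, bands: List[float]) -> int:
    """Map a monetary loss to a 1..len(bands) score; anything above the top band scores max."""
    for score, upper in enumerate(bands, start=1):
        if loss <= upper:
            return score
    return len(bands)


def quantile(values: List[float], p: float) -> float:
    """Nearest-rank quantile (assumed method): smallest sample value at or above fraction p."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def impact_pairs(losses: List[float], bands: List[float]) -> Dict[str, int]:
    """Score the average, worst-case and extreme worst-case impact from a loss sample."""
    return {name: impact_score(quantile(losses, p), bands) for name, p in CONFIDENCE.items()}


def composite_risk(likelihood: int, impact: int) -> int:
    """Composite risk score = likelihood x impact (same number of levels as controls)."""
    return likelihood * impact


def composite_control(design: int, performance: int) -> int:
    """Composite control score = design x performance."""
    return design * performance


def residual_acceptable(risk: int, control: int) -> bool:
    """Constructed acceptance rule: net risk is acceptable when the control composite
    reaches the risk composite; otherwise an action plan is needed."""
    return control >= risk


# Constructed sample: ten historical loss amounts for one risk event (not real data).
SAMPLE_LOSSES = [12_000, 8_000, 45_000, 150_000, 30_000, 600_000, 22_000, 90_000, 5_000, 2_000_000]
```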
Use of losses
Loss causal analysis is useful in providing objective knowledge of the probable failure of controls. Losses are
indicative of control failure.
Explicit acceptance of risks or need for action plans – the remaining net risk or residual risk (level of risk after accounting for
existing controls) may be acceptable to the organisation, or there may be a need for an action plan to either enhance the
control(s) or reduce the risk exposure even further.
Action plan details – each action plan is linked to a risk and its relevant control(s). A new or additional control can be put in
place or an existing control can be upgraded or tweaked.
Third-party review, facilitated sessions, self-assessment – the risk department of an organisation and staff from a particular
business line or unit may conduct regular self-assessments. Self-assessments enable a common and consistent approach to
assessments across the organisation and provide a detailed functional knowledge of each risk area while utilising the skills in
that business line or unit. These self-assessment sessions can also be facilitated by a third party (e.g. a risk consultant)
combining external expertise with internal knowledge of the organisation. An independent third-party review provides
benchmarking against similar organisations and may help an organisation to improve its controls and reduce its risk profile.
Workshops, interviews or questionnaires can be used during these assessments. Workshops enable the sharing and
discussion of risks relating to an area. Interviews allow each team member to identify and assess the relevant risks, whereas
questionnaires are useful when the team responsible for a certain risk area to be assessed is widespread or geographically
dispersed.
A risk and control assessment workshop, interview or questionnaire requires follow-up work. Participants may need
additional time to consider scores or devise action plans.
Risk and control assessments are used extensively in business at all levels:
Risks and controls can be compared with an organisation’s risk appetite by illustrating the risk and control assessment
graphically.
The net level of risk can be linked to management provisions and budgets.
Risk and control assessments are used for quantification and modelling purposes and also provide data on internal
as well as external losses.
Risk and control assessments can show the effects of a scenario on the risk profile of an organisation.
An internal audit based on controls perceived to be adequate by management can help to focus remedial action on
controls not operating as intended.
Risk and control assessments are helpful when well designed and prepared accurately and on time. Designing and completing
the risk and control assessments takes significant effort and time and there is usually a large number of people involved in
the process at different levels. The most common reasons for a risk and control assessment to fail are:
lack of management buy-in due to little perceived business benefit
paper overload resulting from too many questionnaires
lack of feedback from the risk department to the area being assessed
inflexible software leading to the assessment process being discredited
failure to link indicators and losses to the risks and controls
lack of action and follow-up of ineffective or too few controls
5.4.12 Summary
A risk and control assessment is a process through which operational risks and the effectiveness of controls are assessed and
examined. Management and staff at all levels collectively identify and evaluate risks and their associated controls. It adds
value by increasing a business line or unit’s involvement in designing and maintaining risk and control systems as well as
identifying risk exposures and determining corrective action. It aims to integrate risk management practices and culture into
the way staff undertake their jobs and business units achieve their objectives.
5.5 ACTIVITY
5.7 REFLECTION
Before you continue to the next lesson, reflect on the following personal questions:
a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 5 for this lesson? Are you still on schedule, or do
you need to adjust your study programme?
e. How do you feel now?
5.8 CONCLUSION
The aim of this lesson was to provide you with an overview of the benefits to an organisation when implementing an
operational risk management framework.