Ch10 Risk and Control Self Assessment

Risk and Control Self-Assessments (RCSA) are essential for identifying and mitigating potential risks, providing a forward-looking perspective compared to backward-looking loss data. RCSAs can be conducted through various methods, including questionnaires and workshops, each with its own advantages and challenges, and they help in scoring the effectiveness of controls and assessing risk severity. Best practices for RCSA implementation include thorough participant preparation, documentation, and leveraging existing assessments to enhance the operational risk framework.

Risk and Control Self-Assessments
The Role of Assessments
• Identify, assess, monitor, control, and mitigate events that have not yet occurred.
• Loss data look backward; RCSA looks forward.
• RCSA results often provide the best leading indicators of where risk needs to be mitigated.
• Provide transparency into risks.
• Collection tool for business environment and internal control factors (BEICF).
• Helps identify key risk indicators (KRIs).
[Figure: operational risk framework diagram showing RCSA alongside Internal Loss Data, External Loss Data, Scenario Analysis and Key Risk Indicators, surrounded by Reporting, Governance and Organization, Measurement and Modeling, Risk Appetite, Policies and Procedures, and Culture and Awareness.]
RCSA as BEICF Collection Tool
• Basel II rules state:
– “… a bank’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile.
– These factors will make a bank’s risk assessments more forward-looking, more directly reflect the quality of the bank’s control and operating environments, help align capital assessments with risk management objectives, and recognize both improvements and deterioration in operational risk profiles in a more immediate fashion.”
Types of Assessments
• Control assessments:
– Tests a control’s effectiveness against set criteria and issues a pass/fail or level-of-effectiveness score
– A control assessment is often done to the department by a third party, perhaps audit, compliance or the Sarbanes-Oxley team
– Output can (and should) be used in the RCSA program
• Risk and control assessments:
– Applied to an area by a third party
– Includes a risk assessment in addition to a control assessment
– Output can (and should) be used in the RCSA program
• Risk and control self-assessment (RCSA):
– Subjective
– Scoring of risks and controls reflects not the view of a third party but the view of the department or business itself
RCSA Subjectivity Advantages and Challenges
• Advantage:
– Embeds the culture of operational risk management
◦ Business self-assesses operational risk
◦ Business can then prioritize mitigating actions and escalate risks
• Challenge:
– A subjective view can be considered less accurate than an objective view, and there may be some skepticism over the scoring in the assessment
• Standards must be established:
– Audit should measure business performance of RCSA against these standards and against loss data
– Validation
RCSA Methods
• Questionnaire approach:
– Uses a template
– Standard risk and control questions
– Controls scored and risk levels assessed
– Distributed to selected participants
• Workshop approach:
– Group setting:
◦ Several hours
– Facilitation
– Each risk is discussed, and related controls are scored for effectiveness
– Residual risk is scored, often on a high, medium, low scale, along with related probabilities
◦ Alternatively, the exposure might be expressed in financial terms
◦ Some workshops also collect other impact data, such as possible client impact, legal or regulatory impact, reputational impact, and life safety impact
Advantages and Disadvantages
Questionnaire RCSA
Advantages:
• Standard risks and controls ensure consistency.
• Consolidated reporting is simple.
• Use of standard expected controls helps ensure thoroughness.
• Good with standard processes (e.g., retail branches).
• Can utilize technology for decentralized data entry.
Disadvantages:
• Possible to miss risks or controls that are not already listed.
• Possible "check all" approach.
• Irrelevant questions can cause frustration.
• Can focus too heavily on control assessment.
• Might have limited participation.

Workshop RCSA
Advantages:
• Taps management expertise and engages the management team in OR awareness and mitigating-action decision making.
• Allows for raising of all risks and related controls.
• Avoids irrelevant sections.
• Allows for uniqueness of each area; good with differing processes (e.g., wholesale securities business lines).
Disadvantages:
• Time consuming.
• Might miss a standard risk and control.
• Requires more complex data gathering.
• Can focus too heavily on risk assessment.
• Harder to consolidate or compare output.

• Hybrid RCSA methods:
– Cycle both approaches to benefit from both
– Questionnaire approach as base, with a workshop only if certain triggers are met
RCSA Scoring Methods
• Consideration must be given to:
– Scoring inherent and residual risk
– Scoring control effectiveness
– Impact and frequency
– Nonfinancial impact
Scoring Control Design and Performance
• Subjective approach:
Design
– Low: The design provides only limited protection when used correctly.
– Medium: The design provides some protection when used correctly.
– High: The design provides excellent protection when used correctly.
Performance
– Low: The control is rarely performed.
– Medium: The control is sometimes performed.
– High: The control is always performed.
• Set criteria approach:
– List of attributes for control design:
◦ Preventative might score higher than detective
◦ Automated might score higher than manual
– Performance might be measured using KPIs
• RAG reporting for overall effectiveness
Risk Impact Scores
Financial
– Low: Less than $100k.
– Medium: Between $100k and $1m.
– High: Over $1m.
Reputational
– Low: Negative reputational impact is local.
– Medium: Negative reputational impact is regional.
– High: Negative reputational impact is global.
Legal or regulatory
– Low: Breach of contractual or regulatory obligations, with no costs.
– Medium: Breach of contractual or regulatory obligations with some costs or censure.
– High: Breach of contractual or regulatory obligations leading to major litigation, fines, or severe censure.
Clients
– Low: Minor service failure to non-critical clients.
– Medium: Minor service failure to critical client(s) or moderate service failure to noncritical clients.
– High: Moderate service failure to critical clients or major service failure to noncritical clients.
Life Safety
– Low: An employee is slightly injured or ill.
– Medium: More than one employee is injured or ill.
– High: Serious injury or loss of life.

• Financial impact score:
– Maximum loss
– Maximum plausible loss
– Likely loss amount
• Other impact types
• Using a rating scale
• Consider inherent and residual scores
Probability or Frequency Scoring
• Annual probability approach:
– For example, if the event is likely to happen five times in the next 12 months, the probability would be 5
– If it is likely to happen only once in the next 10 years, then the probability would be 0.1
• High, medium, low approach (length of time between events):
– Low: > 5 years
– Medium: Between 1 and 5 years
– High: < 1 year
Risk Severity
• Combine impact and frequency to find overall risk severity.
Severity matrix (rows: Impact; columns: Frequency L / M / H)
– Impact H: M / H / H
– Impact M: L / M / H
– Impact L: L / L / M
• Mitigate depending on risk severity.
Rating Category / Risk Mitigation
– Low: Severity is not a concern
– Medium: Severity may be a concern
– High: Severity is a concern
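The scoring chain from the probability and severity slides, written out as an added example that is not part of the original deck: expected events per year become a frequency band via the length of time between events, a financial loss becomes an impact band via the $100k/$1m thresholds, and the two are combined through the severity matrix. The function names and the treatment of a zero event rate as Low frequency are my assumptions.

```python
# Severity matrix from the slides, indexed [impact][frequency]; both axes use L/M/H.
SEVERITY = {
    "H": {"L": "M", "M": "H", "H": "H"},
    "M": {"L": "L", "M": "M", "H": "H"},
    "L": {"L": "L", "M": "L", "H": "M"},
}

# Rating category to mitigation guidance, as on the Risk Severity slide.
MITIGATION = {
    "L": "Severity is not a concern",
    "M": "Severity may be a concern",
    "H": "Severity is a concern",
}


def annual_probability(events: float, years: float) -> float:
    """Annual probability approach: expected events per year
    (5 events in 12 months -> 5; 1 event in 10 years -> 0.1)."""
    return events / years


def frequency_level(annual_prob: float) -> str:
    """High/medium/low approach using the length of time between events,
    taken as 1 / annual probability."""
    if annual_prob <= 0:
        return "L"  # assumption: a zero rate falls in the lowest band
    years_between = 1.0 / annual_prob
    if years_between > 5:
        return "L"
    if years_between < 1:
        return "H"
    return "M"  # between 1 and 5 years, inclusive


def financial_impact_level(loss_usd: float) -> str:
    """Financial impact bands: under $100k Low, $100k to $1m Medium, over $1m High."""
    if loss_usd < 100_000:
        return "L"
    if loss_usd > 1_000_000:
        return "H"
    return "M"


def assess(loss_usd: float, events: float, years: float) -> dict:
    """Combine a likely loss amount and an event rate into a severity rating."""
    impact = financial_impact_level(loss_usd)
    frequency = frequency_level(annual_probability(events, years))
    severity = SEVERITY[impact][frequency]
    return {"impact": impact, "frequency": frequency,
            "severity": severity, "mitigation": MITIGATION[severity]}
```

A residual-risk version of the same call uses the loss and rate expected after controls are applied, so inherent and residual severity can be compared side by side.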
RCSA Best Practices
• Interview participants beforehand
• Review available background data from other functions
• Review past RCSAs and related RCSAs
• Review internal loss data
• Review external events
• Carefully select and train participants
• Document results
• Score appropriately
• Identify mitigating actions
• Implement appropriate technology
• Identify themes
• Leverage existing assessments
• Schedule appropriately
• Ensure completeness using taxonomies
Taxonomies
• Can be used to demonstrate completeness of the operational risk framework, including RCSA
• Levels of hierarchy
• Taxonomy candidates:
– Organizational hierarchy
– Process inventory and hierarchy
– Risk event types:
◦ Level 1 of the risk taxonomy is usually the Basel II 7 categories.
– Control type
Validation of RCSA
• Validation conflicts with the inherently subjective nature of an RCSA but is a regulatory expectation
• Methods:
– Compare loss data results with RCSA scores
• Backtesting and validation should be independently undertaken by the second line of defense:
– Corporate-level operational risk function, or
– Independent validation team
Key Points
• RCSAs provide an opportunity to look forward and consider what could occur in the future, whereas loss data focuses on what has already occurred in the past.
• RCSAs come in many different forms, and an appropriate method needs to be developed at each firm to meet its particular regulatory and business needs.
• RCSAs can be used to collect scores for the effectiveness of controls, the potential size and probability of a risk event’s occurring, and the overall risk severity associated with a potential event.
• Workshop method RCSAs focus on group scoring and discussion, while questionnaire method RCSAs often use standard templates and automated delivery methods.
• The qualitative nature of many RCSA methods raises challenges in interpreting and applying the results to ensure that appropriate risk management and mitigation activities can be implemented.
• Best practices for RCSA have matured in the past few years and can be leveraged to ensure a successful program is implemented.
