Operational Risk Evaluation and Response
Paul Rosen
Operational Risk
In the previous videos, Paul Rosen explained how risk appetite and identification allows us to document the processes and risks. In this video, he covers how to evaluate these risks.
8 mins 40 secs
Key learning objectives:
Understand the main concepts and risk types within risk evaluation
Understand what controls are and how they help manage operational risk
Understand how the risk evaluation process is applied in practice
Overview:
Risk evaluation allows us to start planning risk acceptance, risk remediation or other strategies. Management and staff are responsible for identifying and managing risk, as this is a first line of defence activity.
What are the two risk types?
The two key risk types within risk evaluation are:
- Inherent risk – the risk that exists before any controls are applied to the process
- Residual risk – the risk that remains after evaluating the adequacy and effectiveness of the controls
In risk evaluation, the main goal is to know how large the impact of a risk can be and how often it is expected to occur. This allows controls to be prioritised. Data such as past losses and industry loss data are used as backward-looking tools when evaluating risks, whilst qualitative judgement is used for forward-looking analysis. Process owners, working with their risk and control teams, assess both the inherent and the residual risk.
Illustrating inherent risk in different situations
The inherent risk of theft in the processes at a cash centre is generally higher than the same risk in branch processes, because the large sums of cash held at a cash centre have a higher impact than the smaller amounts held in branches. The type of controls in each environment needs to be looked at. For both situations the risk appetite will be the same; however, the number of controls required to achieve an appropriate residual risk position may be more or less onerous depending on the activity.
In a bank, we can also see this in terms of the inherent risk of market abuse in a banking book vs. a trading book. Management needs to take assurance that the transformed position (from inherent risk to residual risk) is accurate.
What are controls and how can we have assurance over controls?
Controls are steps that should reduce risk, or activities that prevent or detect errors. They form a key part of the overall ORM framework and are supported by policies. When effective, controls can prevent errors, or detect problems when they do occur. To determine whether a control works we need two steps:
- Assess the adequacy of the control
- Test the effectiveness
These two steps are widely understood across nearly all ORM frameworks and also align to requirements of the Sarbanes-Oxley Act and external audit practice. There is a deep need to have alignment across the lines of defence and external assurance providers. It is at the control testing stage where divergence can most often be seen and unless clearly rationalised, inefficiency, duplication and wasted resources may occur.
What can go wrong with the risk evaluation process?
Consider the following scenario:
- Management is accountable for implementing the control framework
- Management designates a team to be accountable for testing controls, but as this team reports through the first line, they themselves are the first line of defence.
- Those who provide oversight are the second line of defence and have a mandate to sample control activity according to their own view of risk, guided by, but not linked to, management’s RCSAs (risk and control self-assessments)
- Internal Audit, which provides independent review and challenge, may or may not test controls in the pursuit of their audits, which will often have a different ‘audit universe’ of risks than management’s RCSAs
- External Audit, which reviews the Financial Statements and potentially attests to compliance with Section 404 of the Sarbanes-Oxley Act may or may not use management controls and may or may not place reliance on the work of management control testing teams
The business is potentially subject to four separate assurance providers with different agendas, testing the same things across different periods, for different purposes.