
Institute of Operational Risk Operational Risk Sound Practice Guidance Risk Control Self Assessment March 2010


Risk Control Self Assessment. Institute of Operational Risk - Sound Practice Guidance. Copyright 2009 Institute of Operational Risk.

The Institute of Operational Risk

Established in January 2004, the Institute of Operational Risk is a professional body dedicated to the promotion of skills and standards associated with Operational Risk is available to Operational Risk practitioners at all levels and there are four grades of membership: Fellow, Professional Member, Member and Institute supports its members through the provision of:

- High standards - against which membership and professional competency is judged
- External events - for the promotion of ideas, ongoing professional development and networking
- Research - to assist the above and ensure the continual improvement of methods, techniques and knowledge
- A Knowledge Centre - the development of a robust and informative knowledge centre for operational risk management
- Sound Practice Guidance - the development of a series of Sound Practice Guidance papers providing the know-how for a variety of risk management practices

Members are located in the UK, Europe, Middle East, Nigeria, South Africa, Hong Kong. Australia and New find out how membership can benefit you, visit our website:

Practice Guidance Papers

It is the intention of the Institute of Operational Risk that the Sound Practice Guidance papers be updated and improved from time to time. If any reader of any Sound Practice Guidance has any experience or opinions that they believe may enhance the guidance offered, they should

of Development of / Value Characteristics of an RCSA and Operating of control Approaches and Should and Cons of Inviting Many Should Structure of Down and Bottom Many Sessions Should Be Long Should the Workshop and Other Required Key the and Questions (Structure and Number). Responses (Style, Respondent and Hierarchical Sign-off). Use of RCSA within a Fully Integrated Operational Risk Management and Internal Loss and External and Scenario It Alive (post RCSA exercise). and of RCSA Quantitative vs. and Internal Audit Record Example No Record Example No Map RCSA End to End Process Evaluation

: Risk Control Self Assessment
Date issued: 10 March 2010
Version:
name: IOR RCSA Final Version
Update date: 03 Jan 2010

Development of September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a four volume report entitled Internal Control - Integrated Framework. This report presented a common definition of internal control, providing a framework against which internal control systems could be assessed and improved and later became a standard that now use to evaluate their compliance with the Foreign Corrupt Practices Act (FCPA). Around the same time in the UK, the Combined Code and Turnbull guidance was under development, requiring UK companies to demonstrate a sound system of internal control and risk management and to review the effectiveness of their internal controls, providing a meaningful disclosure within their annual two initiatives largely led to the creation of Risk Control Self Assessment (RCSA) and have since become an integral element of a firm's overall operational risk management and control aim of an operational risk framework is to identify, assess, control and mitigate operational risk and to champion effective reporting of risk and emerging risk forms an integral element of the overall operational risk framework, as it provides an excellent opportunity for a firm to integrate and co-ordinate its risk identification and risk management efforts and generally to improve the understanding, control and oversight of its operational provides a systematic means of identifying control gaps that threaten the achievement of defined business or process objectives and monitoring what management is actually doing to close these gaps.

It is therefore an integral component of good operational risk findings from a RCSA can be used to formulate appropriate action plans to address identified control gaps, taking into account risk-reward (cost-benefit) considerations, with progress against these plans monitored as part of the overall operational risk management approach. In this respect RCSA promotes analysis and monitoring of factors that affect the level of operational risk further driving force behind the growth and emergence of RCSA is the fact that RCSA acts as a complementary audit and management tool, as well as being the generally accepted means to satisfy corporate governance and regulatory

/ Value Add

A well designed and properly managed RCSA programme will offer significant insight into a firm's risk and control , it will provide:

- A mechanism to place front line responsibility for operational risk management and control directly with management (where it firmly belongs!);
- A common language and common set of values across the organisation;
- Clear and specific ownership of action plans;
- Open discussion of risk and control matters amongst staff and management, leading to better transparency and understanding of risk and its implications across the business; and
- Cultural change, helping operational risk management to become embedded at all levels of the organisation, with respect to both day to day activities and longer term business

, the RCSA needs to be carefully designed, planned and executed to provide the maximum opportunity for success and achievement of its full range of benefit

Characteristics of an RCSA Approach

The core generic characteristics of a typical RCSA will consist of:

- The identification of business objectives, which can be defined either in terms of business targets or process delivery goals;
- The identification of risks that could threaten the achievement of those objectives and the activities and processes affected by the different risks identified;
- Identifying the controls in place intended to prevent the risks from crystallising;
- Determining where responsibility for performing those controls lies; and
- An assessment of the effectiveness of the controls in operation and the level of residual risk remaining after

is often beneficial to consider structuring the RCSA in order to risk assess an entire process or business line from end to end (as per the principles established by SOx 404), or to define the RCSA by specific location where a standard process may be operating in different geographic locations such as the account opening procedure within branches of a building risks are sometimes referred to as a firm's intrinsic or inherent potential exposure and in addition to the internal environment, should consider factors arising from the external environment including industry trends as well as taking into account any upstream or newly emerging risks.

New risks can emerge daily and may take on new dimensions, for example, consider how internet security, phishing, privacy and discrimination risks have escalated in recent a rule of thumb the term risk is generally defined as something that has not yet caused a direct operational problem for the firm however there remains some degree of uncertainty concerning future outcomes. Whereas issues or events are more commonly referred to as actual problems, that have materialised within the work environment. When prompted to identify key business risks, most people have an almost natural inclination to identify issues that they know are current problems in the workplace. Firms are thus well advised to provide some guidance to aid the internal understanding of the differences between risks, issues and , some firms find it valuable to outline high level categories of operational risk in order to identify more specific risks linked to a particular activity, whilst others might use headings such as governance, reporting and compliance to facilitate their risk identification the purposes of self-assessment (and indeed throughout the whole operational risk framework), other ways of characterising and describing risks beyond specific event categories should also be considered.

For example, examining cause and effect factors can provide major insights into a firm's risk profile and are often useful in identifying the most effective risk management mitigation strategies (in terms of cost of correction and level of risk reduction).
