This is part 3 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about the eight key steps of the Risk and Control Self Assessment process aligned with the ISO 31000 Risk Management Standards.
Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. We at Protecht believe that there are six key building blocks required to support a strong integrated enterprise risk management framework.
So today, we're going to be looking at the risk assessment process, otherwise known as the risk control self-assessment. Now the objective of this process is to identify, analyze and understand our key business risks, and their related controls and evaluate those against our risk appetite and the desired risk levels and to see if we need to make any improvements.
Now there are many approaches to risk assessment. We will outline Protecht's preferred approach. This is made up of eight key steps which are aligned to the ISO 31000 Risk Management Standard. Now the process begins from the principle of risk as defined in ISO 31000, which is "risk is the effect of uncertainty on objectives".
So step number one is identification of the business's objectives. Step number two is to identify the operating model, the key processes that need to be working to be able to deliver against those objectives, and only now can we go to step three: identify the risks that could cause the operating model to fail or not deliver the expected outcome.
Once we've identified the risks, we then need to assess the risks, typically using likelihood and impact. Once we've assessed and analyzed the size of the risk, we need to evaluate it against our risk appetite (risk evaluation) and determine whether we need to make any improvements if it is outside of appetite.
If we do need to make improvements, this allows us to identify any issues, control weaknesses and control gaps, and from there we can identify the actions required to remediate those. This process is then repeated on a periodic basis as ongoing monitoring and review. And finally, the importance of recording and reporting the risk assessment. This is often done on a traffic light report using red, amber and green.
They're the basic building blocks of the risk assessment process.
So please check out our other videos and blogs to help you build a strong enterprise risk management process. Hopefully we'll see you later, and until next time, take care.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).