This post is part of our series Operational Risk Management – Learning from yourself as an expert already!
My last blog highlighted the extensive use of KRIs (Key Risk Indicators) in our personal lives and the incredible KRI system we all have via our five senses. This blog focusses on the Risk and Control Self Assessment process. Again, the expertise we have in our personal lives provides excellent guidance as to how a good RCSA should be carried out in our businesses and the value add of the RCSA process when done well.
In our personal lives, risk assessments are sometimes performed formally, such as for your motor vehicle’s annual service. Other times, however, they are performed informally, from checking the risks and controls relating to your swimming pool to assessing the risks of your house when your first child is born.
The example I will use, is your annual medical check-up. As in the business world, not all of us subscribe to the annual check-up. Maybe we do not see the value. Hopefully after this blog, you will! Let’s take a closer look.
I went for my first annual medical check-up some ten years ago, and annually since then. I organized the appointment, and when I arrived, the doctor had read up on my history, so he had full knowledge of all visits, issues, medications, etc. The first step to a risk assessment is therefore for the risk assessors to prepare, gaining full knowledge of the area (body), being assessed. The doctor then carried out a series of tests and analysis looking for risks. Some time later I received my report; a spreadsheet analysed in Red, Amber and Green for all results (he knows I am a risk manager!).
For the first report ten years ago, it was mostly green with one very bright red – cholesterol, at a level of 8.7. This was my high risk and related medical issue, one I was not aware of at the time. I, therefore, booked a further appointment to discuss the issue and potential treatment methods.
Changing diet was the first suggestion but after six months of eating “salad sandwiches on brown bread and no butter!” the cholesterol reading was still red at 8.4 – the treatment method was not working.
Next suggested action was to implement a medical control, being 20mg of Lipitor per day. After a further six months a retest showed a level of 5.4, still in amber but better than bright red! After further consideration, the conclusion was that there was nothing further I could do to lower the level, and I have chosen to accept the risk at this point.
In subsequent checks ups, it confirms my residual risk remains around 5.4 and shows that my treatment method is still working. A couple of times, I have been asked to cease taking the medication before the check up to measure the level without Lipitor – my inherent risk. This confirms it is still in the high “8’s” and that the control is still important and valid.
In addition to highlighting higher risk areas, where the results are green, this gives me ongoing assurance that all is well as a basis for heading into the next year of meeting my objective of healthy and active life!
Let’s now consider this assessment based on how we should carry an RCSA in the business world:
Risk is the effect if uncertainty on our objectives. We start the process, therefore, with the objectives of the thing we are risk assessing – our body.
Objective: To live a long, active and healthy life.
The second step is to identify the critical things we need to ensure operate well for us to achieve our objectives.
Critical Processes: There will be many which will most likely include such things as:
Risks are things that could stop the critical processes from being achieved, which in turn leads to the objective(s) not being achieved.
Risks will include:
Existing controls will exist over many of these health risks.They may include:
Once the key risks and related controls have been identified, we need to determine the level of risk both before considering controls (inherent risk) and after considering controls (residual risk). Residual risk highlights where current issues exist that need to be addressed, and inherent risk highlights the importance of current controls, such as current medication.
Once analysed, the risks need to be assessed against pre-determined levels (risk appetite). The doctor uses guidance scales for risk levels to assess this.
Risk evaluation then highlights which risks are outside of the acceptable range and as a result, where an issue may exist. Each issue then needs addressing through consideration of possible remedies, from changed diet to medication.
We should apply the same seven steps to the risk and control self-assessment process as part of your overall enterprise risk management framework.
In the next blog, I will apply these seven steps to a business scenario to illustrate how it transports across into any business situation.
If you would like to know more about how Protecht can help enhance your RCSA process and get more value from the effort invested, just click the blue box, fill the form and we will contact you.
Join us in a live webinar as we talk about each level of risk and how each can best be used in a risk management framework to add value:
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).