Risk and Control Self Assessment (RCSA) has become a cornerstone of contemporary Enterprise Risk Management, yet the quality of assessments differs greatly between practitioners.
A risk assessment process commonly involves identifying the risks and related controls within a business area and determining the level of each risk, using an assessment of the risk's likelihood and consequence and of the effectiveness of the controls. Most approaches to risk self assessment involve identifying just one level of consequence and one level of likelihood.
However, for any given risk type there will nearly always be a range of consequence levels, each with a different likelihood of occurrence.
These characteristics are commonly shown as a probability distribution, as in Fig 1.
In order to understand a given risk, we therefore need to understand the probability distribution line, that is the range of consequences against their related likelihoods.
Theoretically this would require us, as part of the RCSA process, to firstly define the range of possible consequences and, secondly, define the likelihood of them occurring. The question is: “How many consequences do we evaluate and how will those consequences be defined?” By default, and due to time and cost constraints, many RCSA processes require just one consequence but do not define whether this consequence is the average, worst case, or something else. This results in confusion for the assessed business and inconsistency across the organisation.
In order to address this issue and improve the quality of your RCSA process, the following questions should be answered:
As a minimum, ensure that those assessing the risks are aware of how they are supposed to be assessing. Secondly, consider whether the number of consequences you are assessing for all risks is adequate, weighing the extra level of understanding created by multiple consequences against the extra time taken to carry out multiple consequence assessments.
Note 1: Risk is defined here as the potential for something happening in the future which could have a positive or negative impact. That is, the same risk has a range of potential consequences. Interestingly, the ISO 31000 Risk Management: Principles and Guidelines defines risk in terms of the likelihood of a given consequence. This overcomes the multiple consequence issue, but in practical terms it still requires us, as part of the RCSA process, to define the consequence of the risk event that we are discussing.
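As an added illustration of the point above and of Note 1 (not part of the original article), the following Python summarises one risk's consequence distribution in the several ways a "single consequence" RCSA question could be read, and gives the ISO 31000 style likelihood of a consequence at or above a chosen level; the five-level scale and likelihoods are constructed sample values.

```python
# Added illustration, not from the article: one risk type's consequence distribution
# (constructed sample values on a five-level ordinal scale) summarised the several
# ways a "single consequence" RCSA question could be read.

# Constructed sample: levels 1 (minor) .. 5 (severe) with the likelihood, over the
# assessment period, that an occurrence of the risk lands at each level.
SAMPLE_RISK: dict[int, float] = {1: 0.60, 2: 0.25, 3: 0.10, 4: 0.04, 5: 0.01}

def validate(dist: dict[int, float]) -> None:
    """A consequence distribution needs non-negative likelihoods that sum to 1."""
    if any(p < 0 for p in dist.values()):
        raise ValueError("likelihoods must be non-negative")
    if abs(sum(dist.values()) - 1.0) > 1e-9:
        raise ValueError("likelihoods must sum to 1")

def average_consequence(dist: dict[int, float]) -> float:
    """Likelihood-weighted (expected) consequence level."""
    return sum(level * p for level, p in dist.items())

def most_likely_consequence(dist: dict[int, float]) -> int:
    """The consequence level with the highest likelihood (the mode)."""
    return max(dist, key=dist.get)

def percentile_consequence(dist: dict[int, float], percentile: float) -> int:
    """Smallest level whose cumulative likelihood reaches the percentile (e.g. 0.95)."""
    cumulative = 0.0
    for level in sorted(dist):
        cumulative += dist[level]
        if cumulative >= percentile - 1e-9:
            return level
    return max(dist)

def worst_case_consequence(dist: dict[int, float]) -> int:
    """Highest consequence level that carries any likelihood at all."""
    return max(level for level, p in dist.items() if p > 0)

def likelihood_at_least(dist: dict[int, float], level: int) -> float:
    """ISO 31000 style view: likelihood of a consequence at or above a given level."""
    return sum(p for lvl, p in dist.items() if lvl >= level)

def single_point_views(dist: dict[int, float]) -> dict[str, float]:
    """The different 'one consequence' answers an assessor could give for one risk."""
    validate(dist)
    return {
        "average": average_consequence(dist),        # 1.61 for the sample
        "most_likely": most_likely_consequence(dist),  # 1
        "p95": percentile_consequence(dist, 0.95),     # 3
        "worst_case": worst_case_consequence(dist),    # 5
    }
```

For the sample risk the four readings give consequence levels of roughly 1.6, 1, 3 and 5, which is the inconsistency the article describes when the RCSA does not say which one it wants.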
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).