
This is the third blog in our Operational Risk Management series.
In the first article, I explained the incredible KRI system we all have via our five senses. In the second blog, I discussed the application of the Risk and Control Self Assessment (RCSA) in our personal lives, using the example of the annual medical check-up. The seven key steps of the RCSA process were set out as part of that example.
In this blog, we will see how the RCSA works in a business context by applying it to a business process. I will use the process of managing employee expense claims, covering their processing, payment and recording, a process we can all appreciate from one perspective or another.
This example is deliberately at a granular level to illustrate the principles. The same concepts should be used at any level of the organisation using the appropriate level of granularity. This means that the volume of information should be similar for any risk assessment carried out.
The objectives of this process are to:
The critical processes (things we need to successfully complete in order to meet the objectives) are:
I have listed the critical processes in the order of the objectives. However, there is a many-to-many relationship between objectives and critical processes, which means one critical process can meet more than one objective, and vice versa.
We can now ask ourselves: what risks exist that could prevent the critical processes from being successfully completed? It is best to address one critical process at a time to ensure all key risks are identified. Again, there is a many-to-many relationship between critical processes and risks. I have only listed risks relating to the first three critical processes as examples:
For each risk, we then identify the key controls. Below are examples relating to some of the risks noted above.
We can now analyse the risks by assessing their likelihood and impact using the pre-determined scales (I am using a simple rating of 1 = Low to 5 = High below). We typically find this is best performed by assessing the residual risk first (as this is the level we understand and experience) and then assessing the inherent risk by reassessing on the assumption that the recorded controls do not work or do not exist. I have only assessed one risk as an example.
Evaluation of the risk is made against the organisation's risk appetite, commonly using a risk matrix as follows:
The residual risk for this example is highlighted.
The evaluation into risk levels then prompts a decision on how the risk will be dealt with. Depending on the risk appetite levels, the response may be:
The RCSA process, when done in this manner, has the following advantages:
Learn more about Inherent, Residual and Targeted Risks and how you can leverage each one to add value to your risk management framework. We'll also be sharing some professional hacks for overcoming common issues with using Inherent Risk.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).