Apr 17 2009
This article is the fifth in a series on practical operational risk management. The series looks into the practical aspects of building, maintaining and driving forward an effective operational risk management program.
The first article briefly looked at all the elements that are needed for an effective operational risk framework as below:

The second and third articles addressed the challenges and opportunities of implementing an effective governance structure and the importance of addressing the cultural change that is necessary to succeed, and the fourth article looked at the practical aspects of an effective loss data collection program. This article looks at the methods and challenges of risk and control assessment activities.
RCSAs play an essential role in an effective operational risk framework. The goal of the framework is to identify, assess, control and mitigate operational risk, and to drive behavior through effective reporting of operational risk. Loss data collection provides a valuable insight into risks that have already occurred, but this still leaves the firm exposed to risks that have not yet materialized.
A well designed RCSA program can provide a unique insight into risks that exist in the firm, but that may or may not have occurred. The owners of operational risk are usually aware of these risks, but often do not have a consistent or effective way to assess, prioritize and escalate these risks. RCSAs provide the tools for this and help to ensure that there is transparency for operational risks that have not yet resulted in a loss.
If a firm is pursuing an advanced measurement approach to calculating capital for Basel II purposes, RCSAs can also provide a tool for collecting one of the required elements: business environment and internal control factors. There are several different methods for RCSAs, and each method has advantages and disadvantages. The method selected will depend on the purpose that the RCSA serves in the operational risk framework at the firm. This article will examine the questionnaire method, the workshop method and hybrid methods.
Questionnaire method
A questionnaire approach uses standard questions in a template format. The operational risk team determines the risks and expected controls that will be presented to all participants and the questionnaire is distributed to a nominated person in each department for completion.
In its simplest form, a questionnaire approach requires all participants to answer all questions, and to score risk levels and control performance against standard listed risks and controls. The standard nature of the RCSA allows for the use of database and workflow tools for the distribution, collection and analysis of the data.
There are several advantages of a questionnaire RCSA method. Once the questionnaire has been designed, the process of distributing and collecting the data is fairly simple. Once collected, the data can be easily collated and analyzed, and reporting on this information is straightforward. The use of standard risks and controls ensures consistency across the RCSA exercise, and the use of expected controls helps to ensure completeness.
For these reasons, a questionnaire-based RCSA is particularly well suited to an operational risk framework that is being applied to an organization that has many divisions which undertake the same tasks. A questionnaire-based RCSA approach, for example, is suitable for use in a retail bank, for the identification, assessment, control and monitoring of operational risks in the local branches. Each branch should have the same risks and controls to consider, and a questionnaire-based approach allows for comparisons between branches.
There are also several disadvantages to the questionnaire-based approach. If the divisions of the firm are not standard, then the standard list of risks and controls might be inappropriate. Participants may become frustrated at the number of items that are not applicable to them. In addition, if the operational risk team has missed a risk or control, it might not be raised at all during the RCSA process, as participants may assume that the list is complete.
The distribution of the RCSA to important individuals in the firm might limit the accuracy of the responses. The responses might reflect only a small subset of the firm, and may or may not reflect the views of the whole of the division that the participants are representing. Questionnaire-based RCSAs can sometimes be heavily focused on control assessment, rather than on risk assessment, and should sometimes be more properly named a control self assessment.
Workshop method
The workshop method RCSA gathers risk and control assessments using the interaction of participants in a group workshop environment. Consensus is reached among the participants when identifying and assessing risks and controls. Workshops usually run for several hours, and may need to reconvene for a second session before the RCSA is complete. There are several advantages of a workshop approach. The brainstorming approach allows for the identification of risks that might not have been identified by the operational risk team and it ensures that the assessment reflects the whole group and not just one nominated party. In practice, the workshop also provides an excellent opportunity to embed the operational risk function across the firm and is a valuable contribution to the cultural change that is being sought.
Workshop RCSAs require strong facilitation as they are subject to all of the usual challenges of group activities. One participant may overshadow the rest and the group might become stalled if not adequately managed. There are several disadvantages to the workshop approach. The fluid nature of the workshop can result in RCSA outputs that are varied and, therefore, difficult to consolidate. Workshops can be very time consuming and require a broad level of participation across the firm.
Workshop RCSAs are particularly well suited to organizations that do not have standard processes to evaluate. A bank that is not retail, but has varied equity, fixed income and asset management divisions, for example, may find a workshop RCSA more appropriate.
Hybrid methods
The first year of RCSA workshops tends to be fairly successful and is often seen as an exercise that has added value; however, future iterations of the workshop may meet with less enthusiasm. The second run of a workshop does not have the excitement of discovery, and the list of risks and controls might not change much from the prior year. Hybrid approaches can tap into the advantages of both methods. A firm might alternate questionnaire-based RCSAs one year with workshop-based RCSAs the next, for example. Alternatively, a workshop approach might be used only in the first year, with a questionnaire approach used for all subsequent RCSAs, unless a trigger results in a need for a workshop. If there is a major external event that is of concern to the firm, for example, a workshop RCSA might be held to address that particular risk.
Best practice
There are several ways that you can ensure best practice in your RCSA program:
- You should ensure that extensive preparation is conducted prior to the RCSA. This should include:
  - Interviews with participants, stakeholders and support functions for the area undertaking an RCSA.
  - Review of past audit reports.
  - Review of past RCSAs and related RCSAs.
  - Review of internal loss data.
  - Review of external events.
- The RCSA participant(s) should be selected with care and trained in the RCSA method beforehand.
- The RCSA output should be consistently and carefully documented.
- The RCSA scoring methodology should be appropriate for the firm and should include non-financial impacts, such as reputational, legal, regulatory, client and life safety where appropriate.
- Identified mitigating actions for unacceptable levels of risk should be tracked to completion.
- RCSA technology should be used appropriately to manage the process and to report on the outcome.
- The whole RCSA program should be reviewed for the identification of firm-wide themes that may require escalation.
- Where risk or control assessment processes already exist in the firm for specific purposes (for example, Sarbanes-Oxley, business continuity planning) these assessments should be leveraged and risks and controls should not be rescored as part of the RCSA program.
- RCSAs should be scheduled at appropriate intervals for the firm, i.e., quarterly, annually or ad hoc in response to a trigger event.
Risk and control self assessments provide a window into operational risks that have not yet occurred at a firm, and as such, they have a unique and powerful role to play in an effective operational risk program. The risk management information that is gathered during an RCSA program is often the most valuable source of operational risk management data in the firm. It allows an operational risk department to ensure that there is active risk management activity across the firm. The challenge with RCSAs is to keep them current, keep them relevant and ensure that they produce action.
It is worth spending time planning and piloting RCSA methods before use, and it is important to be open to allowing these methods to evolve as an individual's experience develops.
Author Biography:
is an Of Counsel Attorney at Garrity, Graham, Murphy, Garofalo and Flinn in New York. She was previously global co-head of operational risk management at Nomura.
Complinet services are available for a free trial via www.complinet.com
If you have any complaints please contact us immediately.
"Complinet Ltd is registered in England. Registered office at Vintners Place, 68 Upper Thames Street, London EC4V 3BJ. Company number 3170722. VAT No. 749 324 021.
Complinet Inc is a corporation registered in Delaware, USA."
