3. Definition of Risk Management
• Risk management is a scientific approach to dealing with pure risks by anticipating possible accidental losses and designing and implementing procedures that minimize the occurrence of loss or the financial impact of the losses that do occur. (Fundamentals of Risk and Insurance, Vaughan and Vaughan)
• Meaning: Risk as uncertainty concerning the occurrence of a loss.
4. Risk Equation
Risk = Vulnerability x Threat x Impact (*Probability)
• Vulnerability = An error or a weakness in the design, implementation, or operation of a system.
• Threat = An adversary that is motivated to exploit a system vulnerability and is capable of doing so.
• Impact = The likelihood that a vulnerability will be exploited or that a threat may become harmful.
• *Probability = Likelihood already factored into impact.
5. Types of Risk
• Strategic – Goals of the Organization
• Operational – Processes that Achieve Goals
• Financial – Safeguarding Assets
• Compliance – Laws and Regulations
• Reputational – Public Image
19. The Vision of Operational Risk Management
In 12 to 18 months, your goal should be to create a report for each department and group that summarizes all relevant information that gets combined into a rating for operational risk.
22. Control Self Assessment: Outline
Control Self Assessment Definition
Control Self Assessment Objectives
Enterprise-wide Control Self Assessment Framework
Balanced Scorecard
CSA Methodology
Results
Corporate Governance
CSA Rollout - Project Time Line
Appendix - Delivered Solution
1. Risk Map
2. Excel Based Worksheets
3. HTML Interface
4. Excel Based
23. Control Self Assessment: Definition
Control Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The “self” assessment refers to the involvement of management and staff in the assessment process.
24. Control Self Assessment: Objectives
Communication
• To ensure better communication of the CEO’s objectives and strategies to all business lines
• To ensure business line managers communicate their risks and controls more effectively
Education
• To ensure business line managers have a better comprehension of effective risk control
• To ensure business line managers have a better comprehension of risk management
Proactive Management
• To ensure business line managers align their objectives and strategies with the CEO's objectives and strategies
• To ensure business line managers assume greater responsibility and accountability for their risks and controls
• To ensure business line managers monitor their risk effectively and timely
• To ensure business line managers utilize and allocate their resources effectively
27. Step 1: Objective Setting
Balanced Scorecard *
A tool that translates a firm’s mission and strategy into a comprehensive set of performance measures that provides the framework for a strategic measurement and management system
Objectives
• Ensures linkage between the objectives of senior management and the businesses
• Increased focus on the appropriateness of the objectives
• Reinforced as the central “top down” articulation of goals
• Provides a framework within which the oversight functions, risk management and the business lines operate
28. Step 2: CSA Methodology
ORCA Framework
• Objectives
• Risk Assessment of Key Processes
• Controls
• Action Plans
The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm’s internal control.
29. Step 2: CSA Methodology
ORCA Framework
To find equilibrium, the business managers must carefully assess the risks inherent within their key processes and apply controls that will work at a reasonable cost.
31. Step 2: CSA Methodology
Key Indicators
Metrics to measure the effectiveness of controls in mitigating or managing risks:
• To measure operational problems
• To monitor the quality of the services provided
• To provide early warning for problems
• To aid in the containment of losses
• To determine trends
• To set limits for risk or escalation criteria
• To facilitate everyday decisions
32. Step 3: Results
Qualitative
• Bottom-up feedback to executive management to ascertain how successfully the organization accomplished its strategic vision
• Identification of the interdepartmental and thematic risks within the firm
Quantitative
• CSA Metric Score
• Inherent & Residual Risks Model
• CSA Scenario Engine
34. Step 3: Results
Inherent and Residual risk models provide a sense of the potential monetary impact before and after the implementation of controls.
The CSA scenario engine may shed insight on how the department’s or firm’s control environment may evolve – for better or worse.
35. Corporate Governance
The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm’s risk environment on an ongoing basis.
Furthermore, the framework readily lends itself to Sarbanes-Oxley and BIS II compliance.
The expected benefits of a strong corporate governance structure are:
36. Summary
The presented enterprise-wide control self-assessment framework:
• Provides flexibility and dynamism to evolve with the changing firm
• Allows a firm to manage risks from both the “top-down” and “bottom-up” perspectives
• Is an integral component of a strong corporate governance structure
37. CSA Rollout - Project Time Line
Planning
Project Scope
⇒ Define CSA scope
⇒ Evaluate current firm wide objectives
⇒ Identify key business areas and processes
⇒ Obtain Sr. Management support
Project Planning
⇒ Create project timeline
⇒ Allocate resources
Deliverables: Project Plan, Road map
Analysis
Define Op Risk components
⇒ Firm wide objectives
⇒ Risk map
Define CSA components
⇒ Objectives and key processes
⇒ Risks
⇒ Control Methods
⇒ Action Plans
⇒ Key Risk Indicators
Refine Timeline and estimates
Deliverables: Business requirements, User presentation
Design and Development (Prototype)
Meet with Business Lines
Gather Key business processes
Establish
Create Data Model
Create Database
Create user interface
Load master tables data into database
Create procedure guide
Deliverables: CSA beta version software, User guide
Implementation
Rollout Control Self Assessment Software
Data Gathering of Business Units CSA
Support business units performing CSA
Deliverables: Cutover Plan, CSA application
Close-out
Review user feedback
Establish cyclical review requirements
Update CSA reporting package
[Timeline chart: the phases Planning, Analysis, Design, Development, Implementation and Closeout plotted across the months February through January]
38. Internal Control
A strong system of internal control is essential to effective enterprise risk management.
39. Relationship to Internal Control — Integrated Framework
• Expands and elaborates on elements of internal control as set out in COSO’s “control framework.”
• Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control.
• Expands the control framework’s “Financial Reporting” and “Risk Assessment.”
40. ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors
41. Internal Auditors
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements
42. Standards
• 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
• 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
• 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
43. Example: Risk Model
• Environmental Risks
– Capital Availability
– Regulatory, Political, and Legal
– Financial Markets and Shareholder Relations
• Process Risks
– Operations Risk
– Empowerment Risk
– Information Processing / Technology Risk
– Integrity Risk
– Financial Risk
• Information for Decision Making
– Operational Risk
– Financial Risk
– Strategic Risk
44. Risk Analysis
[Diagram: risk management process cycle. Risk Assessment (Identification, Measurement, Prioritization) and Risk Monitoring operate at Entity Level, Process Level and Activity Level; the response options shown are Control It, Share or Transfer It, and Diversify or Avoid It.]
45. Example: Call Center Risk Assessment
[Probability/Impact matrix, both axes Low to High: the high-probability, high-impact quadrant is High Risk; the two mixed quadrants are Medium Risk; the low-probability, low-impact quadrant is Low Risk. The following call-center risks are plotted on it.]
• Loss of phones
• Loss of computers
• Credit risk
• Customer has a long wait
• Customer can’t get through
• Customer can’t get answers
• Entry errors
• Equipment obsolescence
• Repeat calls for same problem
• Fraud
• Lost transactions
• Employee morale
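As an added worked example (not from the deck or its authors), the following Python scores each entry of a constructed call-center risk register with the slide-4 equation, reduces it by an assumed control-effectiveness figure to give the residual figure of slide 34, and places each risk on the slide-45 probability/impact map; the 1..5 ratings, the thresholds and the use of vulnerability x threat as the likelihood axis are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    vulnerability: int                 # 1..5: weakness in design, implementation or operation
    threat: int                        # 1..5: motivated and capable source of the loss
    impact: int                        # 1..5: consequence if the loss occurs
    control_effectiveness: float = 0.0  # 0..1: share of inherent risk removed by controls (assumed)


def inherent_score(r: Risk) -> int:
    """Risk = Vulnerability x Threat x Impact (slide 4), before any controls."""
    return r.vulnerability * r.threat * r.impact


def residual_score(r: Risk) -> float:
    """Inherent score reduced by control effectiveness (slide 34's residual model)."""
    return inherent_score(r) * (1.0 - r.control_effectiveness)


def quadrant(r: Risk, likelihood_threshold: int = 9, impact_threshold: int = 3) -> str:
    """Place a risk on the slide-45 map. Likelihood axis = vulnerability x threat
    (assumption: both factors drive whether the loss happens); impact axis = impact rating."""
    high_l = r.vulnerability * r.threat >= likelihood_threshold
    high_i = r.impact >= impact_threshold
    if high_l and high_i:
        return "High Risk"
    if not high_l and not high_i:
        return "Low Risk"
    return "Medium Risk"


def risk_register(risks):
    """Rows (name, inherent, residual, quadrant) sorted by residual score, highest first."""
    rows = [(r.name, inherent_score(r), round(residual_score(r), 1), quadrant(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register using risk names from the call-center slide; ratings are invented.
SAMPLE = [
    Risk("Fraud", vulnerability=4, threat=5, impact=5, control_effectiveness=0.6),
    Risk("Lost transactions", vulnerability=3, threat=3, impact=4, control_effectiveness=0.5),
    Risk("Customer has a long wait", vulnerability=4, threat=4, impact=2, control_effectiveness=0.2),
    Risk("Loss of phones", vulnerability=1, threat=2, impact=5),
    Risk("Employee morale", vulnerability=2, threat=2, impact=2),
]

if __name__ == "__main__":
    for name, inherent, residual, quad in risk_register(SAMPLE):
        print(f"{name:26} inherent={inherent:3} residual={residual:5} {quad}")
```

The sorted output is the kind of ranked list slide 47 calls a dashboard of risks relative to tolerances; note that a well-controlled risk (Fraud) can still outrank a poorly controlled one on residual score.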
46. Example: Accounts Payable Process
Control Objective: Completeness
Risk: Material transaction not recorded
Control Activity: Accrual of open liabilities; invoices accrued after closing
47. Communicate Results
• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
• Flowcharts of processes with key controls noted
• Narratives of business objectives linked to operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business risk responsibility and communication of assignments
48. Monitor
• Collect and display information
• Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks
49. Management Oversight & Periodic Review
• Accountability for risks
• Ownership
• Updates
- Changes in business objectives
- Changes in systems
- Changes in processes
50. Internal auditors can add value by:
• Implementing a risk-based approach to planning and executing the internal audit process.
• Ensuring that internal auditing’s resources are directed at those areas most important to the organization.
• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
51. Internal auditors can add value by:
• Reviewing critical control systems and risk management processes.
• Performing an effectiveness review of management's risk assessments and the internal controls.
• Providing advice in the design and improvement of control systems and risk mitigation strategies.