As part of applying the ORF, you have identified the exposure, and you have designed and implemented effective controls to ensure that the risks (potential losses) are within the Risk Appetite. You have also put in place resilience to rapidly recover after experiencing a loss and the proper governance is in place to manage the entire process.
How do you ensure that, over time, the identified exposure, the effectiveness of the controls that keep potential losses within the Risk Appetite, the resilience and the governance all remain current?
You would have to determine what changes have occurred in the current Internal and External Business environment and what effect those changes have on the current exposures. For example, the Internal Business environment may have changed because you have undertaken a new activity. Or the External Business environment has changed because a new regulation has been introduced. A new exposure profile would then be constructed to include any changes to the exposure from these environmental changes.
Once this exposure is updated, you would then evaluate the effectiveness of the current controls for the updated exposure, and determine what new controls would be needed, and which old controls are no longer required to keep the updated potential losses arising from the updated exposure within the Risk Appetite. The same would be done for resilience and governance.
That is how you ensure that the application of the ORF is kept current over time.
A structured, documented process for achieving this is generally called the Risk and Control Self Assessment (RCSA). It is a self-assessment in that it requires the owner of the activity that gives rise to the exposures, and hence to the need for controls, resilience, and governance, to complete the assessment. The assessment is afterwards usually reviewed and challenged by an independent Risk Management group, and further periodically reviewed by Internal Audit, following the three lines of defense practice.
Although it should be comprehensively completed for all 4 components of the ORF, it is commonly completed only for Exposure and Controls within one process and separate processes are completed for Resilience and Governance, hence the name RCSA.
Generally, RCSA is completed at a certain level within the firm's hierarchical business organization. For example, at some firms it may be completed at the Retail Banking, Trading and Sales, and other LOB level, but this may be too aggregate to be effective, and so most firms conduct the RCSA at levels below the LOB, such as Account Opening within a private bank, within Retail Banking. Sometimes firms create their own separate units of assessment for RCSA purposes, to capture end-to-end processes, but this unnecessarily complicates matters. It is best to stick with the existing hierarchical business organization structure and capture the end-to-end process by including dependencies on other units.
To ensure that the RCSA is consistently completed across the firm, firms create libraries of taxonomies for Activities, as shown above, Exposures (for example the Basel op risk event types), and Controls (https://www.opriskmanagement.net/post/controls ).
For the purposes of RCSA, each Exposure (at whatever level the firm has decided to use) is rated both in terms of likelihood/ frequency and impact/ severity using a 5-point scale for each dimension.
The result would look something like this. R1 represents Risk/Exposure Number 1, which may be Suitability for instance; it has been rated Very High in both likelihood and impact, resulting in a VH overall rating. R2, which may be credit card fraud, has been rated Very High in likelihood but Low in impact, for an overall H risk rating.
Firms would have specific criteria for determining each rating. Often it is a combination of quantitative and qualitative factors. A qualitative impact criterion could be: Very High if the impact would materially affect the entire firm, and Low if it is material only two or more layers down within a specific LOB. A quantitative impact criterion could be the dollar amount of the potential loss.
Two types of ratings are assigned. Sequentially, the first rating is Inherent Risk, which takes into account the risk level associated with the environment in which an activity is taking place. For example, driving a car on a highway filled with transport trucks, during a severe storm at night, is inherently more risky than driving the same car with the same driver on a sunny day on an empty country road. The first would be rated High and the second Low. The Inherent Risk rating reflects the risk from environmental factors, such as night and storm in the example. Similarly, it is inherently riskier from an operational risk point of view to trade highly structured exotic OTC derivatives than to trade plain vanilla exchange-traded futures. There are simply more things that can go wrong with trading highly structured exotic OTC derivatives.
However, the Inherent Risk of driving a car in the stormy night situation described above can be significantly reduced by having a car in excellent working order driven by a highly skilled racing driver. With these mitigating factors in place, the Inherent Risk could even be reduced to the same risk level as the sunny day situation. In operational risk, mitigating factors are called controls. As with the car example, the Inherent Risk created by trading highly complex derivatives can be significantly reduced with properly designed controls working effectively, perhaps even to the level of trading exchange-traded futures. The resultant risk after taking controls into account is referred to as the Residual Risk. Firms have specific criteria for rating the adequacy of controls according to two dimensions: design and effectiveness. In the image to the left, C1 is a control that has a high-quality design, meaning it has been designed to control/reduce the Inherent Risk to a high degree, and it has been implemented with a very high degree of fidelity to the design, for an overall control rating of Very High. C2 has a Medium design, meaning that even if it were implemented as designed it would only reduce the risk somewhat. In this case it was also poorly implemented, reducing the overall adequacy of this control to VL, so it would have no effect on reducing the Inherent Risk.
The Residual Risk rating is arrived at by combining the Inherent Risk rating with the Control rating, through specific combining rules (a scorecard). A scorecard ensures that the determination of the Residual Risk Rating is consistently applied across risk types and business activities. A scorecard could look something like the image on the right.
This scorecard sets the rules for reducing the Inherent Risk rating once the adequacy of controls is taken into account. For example, an Inherent Risk rating of VH is reduced four notches if the Control adequacy is Very High, but not at all if the Control adequacy is rated Very Low. Likewise, if the IR is Medium and High-rated controls are applied, the IR is reduced by two notches, for a Residual Risk of VL. Now apply Very High rated controls (four notches) to an Inherent Risk rating of Low. The first notch brings the risk down from Low to Very Low; the second notch cannot bring the risk any lower, since Very Low is the bottom of the scale, and the third and fourth notches have no effect either. What does this tell you? Since applying Very High rated controls to an Inherent Risk rating of Low has the same effect as applying Medium rated controls (a one-notch effect), this risk is being over-controlled. Since controls are costly, the extra cost incurred by having VH controls instead of Medium rated controls is wasted.
Suppose the Inherent Risk Rating for a given risk is High and the RA for that particular risk is Medium. Controls with at a minimum a Low adequacy rating would have to be put in place to achieve a Medium Residual Risk; otherwise, controls rated VL applied to this High risk would leave a Residual Risk of High, outside the RA.
Suppose that was the case. To reduce the Residual Risk from High to Medium, we would have to develop and implement a corrective action plan to improve the adequacy of the control from Very Low to Low. But before the control's adequacy rating can be raised, the improved control would have to be tested in operation over a period of time, usually two quarters.
You can practice applying this scorecard by creating your own examples and drawing conclusions about what, if anything, needs to be done about the controls. We have focused on improving controls to bring the Residual Risk within the RA, but action can also be taken to reduce the Inherent Risk, by reducing the level of the activity or, to the extent possible, reducing the risk from the internal or external environmental factors. In the car example, you can decide to drive at a low speed during the stormy night, or park on the shoulder of the highway until the storm passes. Can you think of a business example where action can be taken to reduce the Inherent Risk as a way to bring the Residual Risk within the RA?
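The scorecard arithmetic above (step the Inherent Risk rating down by the notches the control adequacy rating grants, never below VL, then compare the result with the Risk Appetite) is small enough to write out, and doing so makes the over-control and corrective-action conclusions mechanical. The following is an added example, not code from the original page or from any GRC product. The notch table is an assumption: it is chosen only so that it reproduces the cases worked in the text (VH controls four notches, H two, M one, L one, VL none); a firm's real scorecard is usually a full Inherent Risk by Control matrix and will differ. The sample register at the bottom is constructed.

```python
# Scorecard arithmetic: combine an Inherent Risk (IR) rating with a control
# adequacy rating into a Residual Risk rating, then test it against the
# Risk Appetite (RA). Illustrative code, not from the original page.

SCALE = ["VL", "L", "M", "H", "VH"]  # index 0 is the lowest rating

# Notches of reduction granted by each control adequacy rating.
# ASSUMED table, chosen only to reproduce the cases worked in the text
# (VH: 4 notches, H: 2, M: 1, L: 1, VL: 0). A firm's own scorecard is
# normally an IR x Control matrix and will differ.
NOTCHES = {"VH": 4, "H": 2, "M": 1, "L": 1, "VL": 0}


def idx(rating):
    """Position of a rating on the 5-point scale; rejects unknown labels."""
    if rating not in SCALE:
        raise ValueError(f"unknown rating {rating!r}; expected one of {SCALE}")
    return SCALE.index(rating)


def residual_risk(inherent, control):
    """Apply the scorecard: step down NOTCHES[control] notches, never below VL."""
    return SCALE[max(0, idx(inherent) - NOTCHES[control])]


def wasted_notches(inherent, control):
    """Notches the control grants beyond those needed to reach VL.
    Anything above zero is over-control: the extra adequacy buys nothing."""
    return max(0, NOTCHES[control] - idx(inherent))


def within_appetite(residual, appetite):
    """True when the residual rating is at or below the RA rating."""
    return idx(residual) <= idx(appetite)


def minimum_control(inherent, appetite):
    """Cheapest control adequacy rating whose residual risk sits within the RA.
    Walks the scale from VL upward so the first hit is the least costly."""
    needed = idx(inherent) - idx(appetite)
    for rating in SCALE:
        if NOTCHES[rating] >= needed:
            return rating
    return None  # unreachable with this table; kept for a sparser scorecard


def assess(risk_id, inherent, control, appetite):
    """One RCSA line: residual rating, RA test, over-control flag, and the
    control adequacy a corrective action plan would have to reach."""
    residual = residual_risk(inherent, control)
    ok = within_appetite(residual, appetite)
    return {
        "risk": risk_id,
        "inherent": inherent,
        "control": control,
        "residual": residual,
        "appetite": appetite,
        "within_appetite": ok,
        "over_controlled": wasted_notches(inherent, control) > 0,
        # Only set when the RA is breached: minimum adequacy that reaches it.
        "raise_control_to": None if ok else minimum_control(inherent, appetite),
    }


if __name__ == "__main__":
    # Constructed sample register mirroring the cases worked in the text.
    register = [
        ("R1 Suitability", "VH", "VH", "M"),
        ("R2 Card fraud", "M", "H", "L"),
        ("R3 Low-IR activity", "L", "VH", "VL"),
        ("R4 Exotic OTC trading", "H", "VL", "M"),
    ]
    for line in register:
        print(assess(*line))
```

Because the scale is clamped at VL, `wasted_notches` is the direct test for the over-control case in the text, and `minimum_control` answers the corrective-action question (from High IR with VL controls against a Medium RA it returns L). Swap `NOTCHES` for the firm's own scorecard before relying on the numbers.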
The following summarizes the RCSA process.
The result of the RCSA process is not simply to identify and evaluate the risks and associated controls for an activity, but also to determine whether the Residual Risks are within the Risk Appetite. In cases where a Residual Risk is outside the Risk Appetite, a corrective action plan must be included which specifies who will do what by when to bring the Residual Risk within its respective Risk Appetite. Such plans might be to design better controls, add controls, improve the effectiveness of controls, or reduce the Inherent Risk by reducing the level or nature of the activity, such as exiting the trading of structured exotic complex derivatives.
A typical RCSA report may look something like this.
There are a variety of RCSA systems that a firm can employ to perform RCSA consistently across the firm. They can be vendor systems or built in-house, and are commonly called GRC systems, for Governance, Risk, and Compliance.
The GRC system facilitates the coherent aggregation of individual RCSA results from the assessment units into higher levels of the organizational structure, to arrive at RCSA results for the aggregate unit. For example, the RCSA results of the individual third-level units within the Trading and Sales LOB can be aggregated to get the RCSA result for the Sales component of Trading and Sales, and similarly for the other LOBs. Likewise, the RCSA result for Trading and Sales can be aggregated with the RCSA results of the other LOBs to arrive at the aggregated RCSA for the entire firm.
Here is a summary of the full cycle of the RCSA process.