Operational Risk
In the previous videos, Paul Rosen explained how risk appetite and identification allow us to document the processes and risks. In this video, he covers how to evaluate these risks.
8 mins 40 secs
Risk evaluation allows us to start to plan risk acceptance, risk remediation or other strategies. Management and staff are responsible for identifying and managing risk, as it is a 1st line of defence activity.
Key learning objectives:
Understand the main concepts and risk types within risk evaluation
Understand what controls are and how they help manage operational risk
Understand how the risk evaluation process is applied in practice
The two key risk types within risk evaluation;
In risk evaluation, the main goal is to know how large an impact can be and how often it is expected to occur. This allows prioritisation of controls. Data such as past losses and industry loss data are used as backward-looking tools when evaluating risks, whilst qualitative judgement is used for forward-looking analysis. Process owners, working with their risk and control teams, assess the inherent and residual risk.
The inherent risk of theft in the processes at a cash centre is mostly higher than the same risk for branch processes, as the large sums of cash in the cash centre have a higher impact than the smaller amounts held in branches. The types of controls in each environment need to be looked at. For both these situations, the risk appetite will be the same; however, the number of controls required to achieve an appropriate residual risk position may be more or less onerous depending on the activity.
In a bank, we can also see this in terms of the inherent risk of market abuse in a banking book vs. a trading book. Management needs to take assurance that the transformed position (from inherent risk to residual risk) is accurate.
Controls are steps that should reduce risk, or the activities that prevent or detect errors. They form a key part of the overall ORM framework and are supported by policies. When effective, controls can prevent errors or detect problems when they do occur. To determine whether a control works we need two steps:
These two steps are widely understood across nearly all ORM frameworks and also align to requirements of the Sarbanes-Oxley Act and external audit practice. There is a deep need to have alignment across the lines of defence and external assurance providers. It is at the control testing stage where divergence can most often be seen and unless clearly rationalised, inefficiency, duplication and wasted resources may occur.
Consider the following scenario:
The business is potentially subject to four separate assurance providers with different agendas, testing the same things across different periods, for different purposes.