Operational Risk Evaluation and Response

What are the two risk types?

The two key risk types within risk evaluation;

• Inherent risk - risks that exist before applying the controls in the process
• Residual risk – risks that exist after evaluating the adequacy and effectiveness of controls

In risk evaluation, the main goal is to know how large an impact can be and how often it is expected to occur. This allows prioritisation of controls. Data such as past losses and industry loss data are used as backward-looking tools while evaluating risks whilst qualitative judgement is used for forward-looking analysis. Process owners working with their risk and control teams assess the inherent and residual risk.

Illustrating inherent risk in different situations

The inherent risk of theft in the processes at a cash centre is mostly higher than the same risk for branch processes as the large sums of cash in the cash centre are a higher impact than the smaller amounts held in branches. The type of controls in each environment need to be looked at. For both these situations, the risk appetite will be the same however the number of controls required to achieve an appropriate residual risk position may be more or less onerous depending on the activity.

In a bank, we can also see this in terms of the inherent risk of market abuse in a banking book vs. a trading book. Management needs to take assurance that the transformed position (from inherent risk to residual risk) is accurate.

What are controls and how can we have assurance over controls?

Controls are steps that should reduce risk or the activities that prevent or detect errors and they form a key part of the overall ORM framework and are supported by policies. When effective, controls can prevent errors or detect problems when they do occur. To determine whether a control works we need two steps:

• Assess the adequacy of the control
• Test the effectiveness

These two steps are widely understood across nearly all ORM frameworks and also align to requirements of the Sarbanes-Oxley Act and external audit practice. There is a deep need to have alignment across the lines of defence and external assurance providers. It is at the control testing stage where divergence can most often be seen and unless clearly rationalised, inefficiency, duplication and wasted resources may occur.

What can go wrong with the risk evaluation process?

Consider the following scenario:

• Management is accountable for implementing the control framework
• Management designates a team to be accountable for testing controls, but as this team reports through the first line, they themselves are the first line of defence.
• Those who provide oversight are the second line of defence and have a mandate to sample control activity to their own view of risk, guided, but not linked to management’s RCSAs
• Internal Audit, which provides independent review and challenge, may or may not test controls in the pursuit of their audits, which will often have a different ‘audit universe’ of risks than management’s RCSAs
• External Audit, which reviews the Financial Statements and potentially attests to compliance with Section 404 of the Sarbanes-Oxley Act may or may not use management controls and may or may not place reliance on the work of management control testing teams

The business is potentially subject to four separate assurance providers with different agendas, testing the same things across different periods, for different purposes.