Embedding OR

Welcomes you to the Operational Risk ForumRCSAs: Methodologies that work

Helen PykhovaThe OpRisk Company

RCSAs: Methodologies that workHelen Pykhova

The Concept3Identify Key RisksAssess Identify Key ControlsAssessResult: areas where controls do not effectively mitigate risks and require actionTake action

The Questions4Key Risks in what? Process? Department?Top Down or Bottom up? Workshop or Questionnaire?Inherent or Residual?Controls: Assess or Test?Assess: What grading scale?Tester: Independent?Result: how to present?

To achieve the best cultural and organizational fit, derive maximum benefit and demonstrate the use test

From Losses to Risks5

Questions for the 2 most significant OR losses in each of the past 5 years

Was the risk that the event relates to identified before the event occurred? If so, was it escalated to executive management before the event occurred? And if not, why not? If it was identified, how was this done: If your risk identification method has changed since the event, how do you identify risks of this type now? How effective is this method? (provide evidence for this) What prompts the escalation of this type of risk, to what level of management and how does this work?

PRA: Thematic Review on Risk Identification

From Losses to Risks6Top 10 Operational Risks

Top 5 Emerging Risks

Top 5 Scenarios

RCSAs: Industry Benchmark

7RCSAs remain a core tool of the Operational Risk Framework most banks have established a risk and control self-assessment

Many banks are looking to improve the tool RCSAs currently undergoing some form of change or enhancement

Application varies fewer than half the banks indicated that the RCSA was implemented on an enterprise-wide basis

8

The firms must demonstrate the use test - i.e. there is evidence that OR tools and data are used for decision making. To ascertain the use test, it is common for the PRA and the FCA to interview the 1st line of Defence Heads of Departments, Risk Coordinators, RCSA producers. The role of the Head (Department, Business, Function), is to embed Operational risk management, demonstrating the use test. The use testAn even stronger case to make good use of the RCSAs under the SMR ability to demonstrate reasonable steps

The Essence of RCSA9

https://www.youtube.com/watch?v=z55kyR6DSVc

10

Process-based RCSAA bottom-up internal control self-assessment program which focuses on business processes that impact the Companys most significant General Ledger accounts.Identifies significant risks related to those processes and key controls in place to mitigate those risks.Driver : Sarbanes-OxleyWhat is PRSA?High-level Overview:UnderlyingBusinessProcesses

Significant RisksKeyControls

Control Testing

Significant GL Accounts Financial Statements

Strategy-based RCSA11

A Top-down self-assessment program which focuses on strategic objectives of the firm. Identifies risks that can prevent the firm from achieving its objectives and key controls in place to mitigate those risks.Driver: COSO (Committee of Sponsoring Organizations of the Treadway Commission), Internal Control frameworkWhat is Strategic Risk Assessment?High-level Overview:Inherent RisksKeyControlsResidual Risks

FirmsStrategic Objectives

The Approaches12

IdentifyingWhat keeps you awake at night?ProfilingWhat should be keeping you awake at night?CountingHow much do you expect to loose over the next year?

1313most banks indicated that a strong operational risk management culture had been implemented throughout their organisation

13

Culture: Industry Benchmark

1414almost all banks reported that they have fully implemented a code of conduct or ethics policy14

Culture: Industry Benchmark

1515many banks noted that compensation policies appropriately balance risk and reward15

Culture: Industry Benchmark

1616most banks indicated that some form of operational risk training has been established, but had plans to enhance existing training16

Culture: Industry Benchmark

17Measures of Success17Measuring ImprovementsMonetary value of improvement projects and savings achievedStakeholders PerceptionStakeholders rating of the RCSAs, feedback on what worked and what can be improvedRisk AwarenessA number of new/unknown risks identified by Internal Audit (as a % to the total number of risks/issues)

Questions ?18

Helen Pykhova