Chapter 5 Key Learning Questions Flashcards
Examine the nature of risk and control self-assessments in the management of operational risk
Risk and Control Self-Assessment (RCSA) is a process for identifying, recording and assessing risks and controls. It enables firms to proactively manage key risks to avoid impacting objectives.
It involves identifying, assessing, monitoring and reporting on risks and controls. RCSA can be undertaken at various organizational levels and is more effective when integrated into the operational risk framework, with clear governance and senior management engagement.
(Introduction, 5.1)
Describe the benefits of risk and control self-assessments
Benefits include: cultural change with operational risk management embedded across the organization; alignment of risk management to strategy and performance; open discussion and consensus building on risks; clear accountability through assigned owners; anticipating threats; process efficiencies and improvements.
(5.2, Table)
Explain the role of risk and control self-assessments in identifying operational risk.
RCSA has a key role in proactively identifying operational risks, both new/emerging risks and existing risks. Failure to identify risks prevents understanding of likelihood and impact. Information sources for identifying risks include the risk categorization scheme, internal/external loss data, indicators, objectives, complaints, planning outputs and upcoming changes.
(5.3, 5.3.1, 5.3.2, 5.3.3)
Consider the advantages and disadvantages of different methods for undertaking risk and control self-assessments.
Methods include workshops, questionnaires, interviews and hybrid approaches. The relative advantages and disadvantages of each cover aspects such as time, participation, consensus building, consistency and bias. Need to consider governance, culture, size and complexity when selecting an approach.
(Table 5.4)
Explain the concepts of likelihood and impact in assessing operational risk and controls.
Assessing risks involves judging likelihood (possibility) of occurring and expected impact (consequences) if it does occur. Impacts cover financial/non-financial, direct/indirect. Likelihood and impact are combined on a matrix showing level of exposure. Assess before and after controls to understand exposures and reliance on controls.
(5.5, 5.5.1, 5.5.2, Fig 5.5.3)
Examine the nature and role of controls
Controls aim to reduce likelihood or impact. Types include preventative, detective, corrective and directive. Key controls provide most defence. Assessing design and operating effectiveness determines if controls are effective overall.
(5.6, 5.6.1-5.6.4, Fig 5.6)
Explain the roles and relationships between risk owners and control owners.
Risk owner manages identification, assessment and reporting of risks. Control owner designs and operates controls and monitors effectiveness. Close communication needed to align mitigation with risk exposure.
(5.7, 5.7.1)
Describe common methods of reporting risk and control self-assessments.
Reporting includes executive summary, scope, changes in profile, assessments, actions, heat maps. Should be relevant, guide decisions, timely and evolve to meet needs. Present data and interpretation.
(5.8, 5.8.1-5.8.6)