Chapter 5 Learning Outcomes Flashcards
What is RCSA?
RCSA stands for Risk and Control Self-Assessment. It is a process for identifying, recording and assessing potential risks and related controls.
(Introduction, para 1)
What is the purpose of RCSA and what can it be used for?
The purpose is to enable a firm to manage its key risks so that they do not impact its objectives. It involves identifying, assessing, monitoring and reporting risks and controls, which enables risks to be managed proactively.
(5.2, para 1)
What are the key elements of an RCSA process?
Key elements are:
* identifying risks,
* assessing inherent and residual exposures,
* assessing controls,
* assigning owners,
* deciding on responses,
* taking action,
* monitoring,
* reporting.
(Fig 5.3.1)
How do you assess operational risk exposure?
By judging the likelihood of the risk occurring and the expected impact (financial or non-financial) if it does occur. These are combined on a matrix to show the level of exposure.
(5.5, 5.5.1, 5.5.2)
What are the benefits of an effective RCSA process?
Benefits include:
* cultural change,
* alignment to strategy,
* consensus building,
* clear accountability,
* anticipating threats,
* process efficiencies.
(Table in 5.2)
How do you identify which risks to include?
Sources to draw on include:
* risk categories,
* internal loss data,
* external loss data,
* indicators,
* objectives,
* complaints,
* planning outputs,
* performance data,
* upcoming changes,
* analysis reports.
(5.3.2, 5.3.3)
What’s the difference between inherent and residual risk exposures?
Inherent exposure is the untreated exposure.
Residual exposure is what remains after accounting for the effectiveness of controls.
(5.5.3, Fig 5.5.3)
What 4 types of actions can you take to address risk exposure?
Accept, reduce (add controls), transfer (insure), avoid (eliminate).
(5.7.2)
What’s a control?
Any action taken to reduce the likelihood or impact of a risk, e.g. preventative, detective or corrective controls.
(5.6)
What roles do controls play in risk management?
Controls prevent underlying causes, detect when an event occurs, enable corrective action, and direct behaviour through policies. Overall, they reduce exposures.
(5.6, Fig 5.6)
What key things are included in reporting of RCSAs?
Scope, changes in profile, risk assessments, controls, actions, heat map.
(5.8.1 to 5.8.6)
What’s the difference between a risk owner and a control owner?
The risk owner manages the risk, including its identification, assessment, etc.
The control owner designs and operates the controls.
(5.7, 5.7.1)