Risk Profiling

Question 1

What are the 3 chapters of Risk Profiling?

Answer 1

1. Complete MRE determination
2. Complete L3 risk assessment
3. Complete L1 risk assessment

Question 2

How are applicable MREs determined?

Answer 2

Workshop held:
* Identify processes owned by the DoCO
* For each (43) L3 risk, ask: Can a Risk Event eventuate from any owned processes.
* If yes, the L3 Risk and supporting MRE will be included in the Risk Profile.

Question 3

Are risk records required for applicable risks/MREs?

Answer 3

Yes, GRACE will mandate the creation of a risk record.

Question 4

Are rationales required for non-applicable risks/MREs?

Answer 4

Yes, rationale will be required.

Question 5

What are 3 reasons we want to categorise risks and events properly?

Answer 5

• Correctly reflect the risks the BU or enabling unit is facing.
• Impacts ability to identify gaps in process/controls and uplift as required.
• Affects quality of reporting to Senior Management, Board Committees and regulators, and impacts their confidence in our ability to manage risks.

Question 6

What does MRE refer to?

Answer 6

The type of risks that may occur.

Question 7

Who will own Risk Profiles?

Answer 7

Risk Owner, being:
* Divisional executive for divisional profiles.
* CO Owner for CO profiles.

Question 8

Which persona is to support the Risk Owner with specialist risk advice and complete tasks?

Answer 8

Risk Manager (DCO, GRC Facilitator, or equivalent).

Question 9

What does 2nd Line Risk do?

Answer 9

Facilitates workshop and provides independent review.

Question 10

What are the 6 steps of Chapter 2 - L3 risk assessment?

Answer 10

1. Create L3 risk record(s)
2. Prepare L3 risk description
3. Complete CCA
4. Complete RRA
5. Complete TRA
6. Determine L3 Risk response

Question 11

Who performs Chapter 2 - L3 risk assessment?

Answer 11

Risk Manager (DCO or equivalent)

Question 12

In L3 Risk assessment, what L3 risks are assessed?

Answer 12

The L3 risks identified in Chapter 1 – MRE determination

Question 13

When writing risk descriptions, what taxonomies need to be used?

Answer 13

Cause and Impact Taxonomies

Question 14

When writing risk descriptions, what should be included to align with bow-tie approach?

Answer 14

• Cause – what causes risk event to occur
• Event – what could go wrong
• Impact – implication of risk event on NAB

Question 15

Who performs Chapter 3 – Complete L1 Risk Assessment

Answer 15

Risk Manager (DCO or equivalent)

Question 16

What are the 3 tasks in completing L1 Risk Assessment?

Answer 16

1. Create L1 risk record
2. Validate CCA, RRA, and TRA for L1 risk
3. Validate risk response for L1 risk

Question 17

What is used to perform L1 Risk assessment?

Answer 17

Output from Chapters 1 & 2, which includes linking of all supporting L3 risk records

Question 18

What calculations does GRACE automatically provide for L1 Risks, and what are they based on?

Answer 18

• CCA – based on lowest (worst) of all linked L3 CCAs
• RRA – based on highest (worst) of all L3 financial and non-financial impacts, and likelihood.
• TRA – based on highest (worst) of all L3 impacts/likelihood and latest target date

Question 19

Must GRACE automatic calculations for CCA, RRA, TRA be accepted?

Answer 19

No, must validate rating and provide rational for any adjustments

Question 20

How is risk response completed?

Answer 20

Manually, using ALARP approach, informed by L3 risk responses.

Question 21

What are the 3 ALARP categories?

Answer 21

1. Requires action
2. Tolerable
3. Acceptable

Question 22

What does RRA stand for?

Answer 22

Residual Risk Assessment

Question 23

What is are the steps of the L3 RRA?

Answer 23

1. Assess residual FI (input dollar amount)
2. Assess residual NFI (input impact classification)
3. Input justification for residual NF&FI
4. Assess and input residual likelihood
5. Calculate risk rating
   * L3 RRA completed

Question 24

FIs are assessed based on data both inside and outside of GRACE. What data side GRACE informs FI assessment?

Answer 24

• Internal losses (# and $ over last 3 years)
• External losses (Australian banking/financial industry only)
• Top 5 external losses across all industries globally
• CCA Outcome

Question 25

What data inside GRACE informs NFI assessment?

Answer 25

• Top 5 external losses across all industries globally
• Events linked to the risk record

Question 26

NF&FIs are assessed based on data both inside and outside of GRACE. What data outside GRACE informs NF&FI assessment?

Answer 26

• GAITS
• MOI
• Complaint Data

Question 27

How is residual likelihood assessed?

Answer 27

Use likelihood table within RMPFGN

Question 28

How is residual risk rating performed?

Answer 28

GRACE automatically calculates residual risk rating by taking the highest residual risk impact and likelihood rating and plotting them on a heatmap to derive the overall rating

Question 29

What does TRA stand for?

Answer 29

Targeted Risk Assessment

Question 30

What are the steps in TRA and RR?

Answer 30

1. Determine target impact
2. Determine target likelihood
3. Capture justification for target rating
4. Calculate target risk rating
5. Capture risk response in GRACE, if required.
6. Raise finding/treatment plan, if required.
   * TRA and RR completed

Question 31

What is the target impact?

Answer 31

The objective for a residual risk impact (NF&FI) in the next 12 months

Question 32

How is target impact calculated?

Answer 32

Use the higher of your targeted financial and non-financial impact classification.

Question 33

What is target likelihood?

Answer 33

The objective for a residual risk likelihood in the next 12 months

Question 34

How is target risk rating determined?

Answer 34

GRACE automatically calculates the target risk rating by taking the target risk impact and likelihood rating and plotting them on the heatmap to derive the overall rating

Question 35

What does RR stand for?

Answer 35

Risk Response

Question 36

What are the 3 possible risk responses in GRACE?

Answer 36

1. Acceptable
2. Tolerable
3. Requires action

Question 37

When is a risk ‘Requires Action’?

Answer 37

When Target Risk Rating is lower than Residual Risk Rating – the risk must be reduced in the next 12 months

Question 38

When is a risk ‘Tolerable’?

Answer 38

When Target Risk Rating is or same as the Residual Risk Rating (i.e., indicating further action can be taken to reduce the risk) and the actions to reduce the risk is likely to take longer than 12 months to deliver.
CCA must be effective.

Question 39

When is a risk ‘Acceptable’?

Answer 39

When Target Risk Rating is the same as the Residual Risk Rating, and the risk does not need to be reduced any further over the next 12 months.
CCA must be effective.

Question 40

In regards to Risk Responses, when must you raise a Finding / Treatment Plan?

Answer 40

When Risk Response is “Requires Action”

Question 42

What is risk profiling, in simple terms?

Answer 42

• The process of identifying and reviewing all non-financial risks that exist within our business.
• Understanding what we’re doing to mitigate these risks, and
• Determining if we’re doing enough or if we need to make changes to improve our risk management

Question 43

What does CCA Coverage answer?

Answer 43

If we have enough controls to address all relevant causes and impacts or risk events

Question 44

What does CCA Effectiveness answer?

Answer 44

If our controls reduce the likelihood and/or impacts of risk events

Question 45

What does CCA Efficiency answer?

Answer 45

If our controls are adding value or costing resources