Risk Profiling Flashcards
What are the 3 chapters of Risk Profiling?
- Complete MRE determination
- Complete L3 risk assessment
- Complete L1 risk assessment
How are applicable MREs determined?
Workshop held:
* Identify processes owned by the DoCO
* For each (43) L3 risk, ask: Can a Risk Event eventuate from any owned processes?
* If yes, the L3 Risk and supporting MRE will be included in the Risk Profile.
Are risk records required for applicable risks/MREs?
Yes, GRACE will mandate the creation of a risk record.
Are rationales required for non-applicable risks/MREs?
Yes, rationale will be required.
What are 3 reasons we want to categorise risks and events properly?
- Correctly reflect the risks the BU or enabling unit is facing.
- Impacts ability to identify gaps in process/controls and uplift as required.
- Affects quality of reporting to Senior Management, Board Committees and regulators, and impacts their confidence in our ability to manage risks.
What does MRE refer to?
The type of risks that may occur.
Who will own Risk Profiles?
Risk Owner, being:
* Divisional executive for divisional profiles.
* CO Owner for CO profiles.
Which persona is to support the Risk Owner with specialist risk advice and complete tasks?
Risk Manager (DCO, GRC Facilitator, or equivalent).
What does 2nd Line Risk do?
Facilitates workshop and provides independent review.
What are the 6 steps of Chapter 2 - L3 risk assessment?
- Create L3 risk record(s)
- Prepare L3 risk description
- Complete CCA
- Complete RRA
- Complete TRA
- Determine L3 Risk response
Who performs Chapter 2 - L3 risk assessment?
Risk Manager (DCO or equivalent)
In L3 Risk assessment, what L3 risks are assessed?
The L3 risks identified in Chapter 1 – MRE determination
When writing risk descriptions, what taxonomies need to be used?
Cause and Impact Taxonomies
When writing risk descriptions, what should be included to align with bow-tie approach?
- Cause – what causes risk event to occur
- Event – what could go wrong
- Impact – implication of risk event on NAB
Who performs Chapter 3 – Complete L1 Risk Assessment?
Risk Manager (DCO or equivalent)
What are the 3 tasks in completing L1 Risk Assessment?
- Create L1 risk record
- Validate CCA, RRA, and TRA for L1 risk
- Validate risk response for L1 risk
What is used to perform L1 Risk assessment?
Output from Chapters 1 & 2, which includes linking of all supporting L3 risk records
What calculations does GRACE automatically provide for L1 Risks, and what are they based on?
- CCA – based on lowest (worst) of all linked L3 CCAs
- RRA – based on highest (worst) of all L3 financial and non-financial impacts, and likelihood.
- TRA – based on highest (worst) of all L3 impacts/likelihood and latest target date
Must GRACE automatic calculations for CCA, RRA, TRA be accepted?
No, must validate rating and provide rationale for any adjustments
How is risk response completed?
Manually, using ALARP approach, informed by L3 risk responses.
What are the 3 ALARP categories?
- Requires action
- Tolerable
- Acceptable
What does RRA stand for?
Residual Risk Assessment
What are the steps of the L3 RRA?
- Assess residual FI (input dollar amount)
- Assess residual NFI (input impact classification)
- Input justification for residual NF&FI
- Assess and input residual likelihood
- Calculate risk rating
* L3 RRA completed
FIs are assessed based on data both inside and outside of GRACE. What data inside GRACE informs FI assessment?
- Internal losses (# and $ over last 3 years)
- External losses (Australian banking/financial industry only)
- Top 5 external losses across all industries globally
- CCA Outcome
What data inside GRACE informs NFI assessment?
- Top 5 external losses across all industries globally
- Events linked to the risk record
NF&FIs are assessed based on data both inside and outside of GRACE. What data outside GRACE informs NF&FI assessment?
- GAITS
- MOI
- Complaint Data
How is residual likelihood assessed?
Use likelihood table within RMPFGN
How is residual risk rating performed?
GRACE automatically calculates residual risk rating by taking the highest residual risk impact and likelihood rating and plotting them on a heatmap to derive the overall rating
What does TRA stand for?
Targeted Risk Assessment
What are the steps in TRA and RR?
- Determine target impact
- Determine target likelihood
- Capture justification for target rating
- Calculate target risk rating
- Capture risk response in GRACE, if required.
- Raise finding/treatment plan, if required.
* TRA and RR completed
What is the target impact?
The objective for a residual risk impact (NF&FI) in the next 12 months
How is target impact calculated?
Use the higher of your targeted financial and non-financial impact classification.
What is target likelihood?
The objective for a residual risk likelihood in the next 12 months
How is target risk rating determined?
GRACE automatically calculates the target risk rating by taking the target risk impact and likelihood rating and plotting them on the heatmap to derive the overall rating
What does RR stand for?
Risk Response
What are the 3 possible risk responses in GRACE?
- Acceptable
- Tolerable
- Requires action
When is a risk ‘Requires Action’?
When Target Risk Rating is lower than Residual Risk Rating – the risk must be reduced in the next 12 months
When is a risk ‘Tolerable’?
When Target Risk Rating is the same as the Residual Risk Rating (i.e., indicating further action can be taken to reduce the risk) and the actions to reduce the risk are likely to take longer than 12 months to deliver.
CCA must be effective.
When is a risk ‘Acceptable’?
When Target Risk Rating is the same as the Residual Risk Rating, and the risk does not need to be reduced any further over the next 12 months.
CCA must be effective.
In regards to Risk Responses, when must you raise a Finding / Treatment Plan?
When Risk Response is “Requires Action”
What is risk profiling, in simple terms?
- The process of identifying and reviewing all non-financial risks that exist within our business.
- Understanding what we’re doing to mitigate these risks, and
- Determining if we’re doing enough or if we need to make changes to improve our risk management
What does CCA Coverage answer?
If we have enough controls to address all relevant causes and impacts of risk events
What does CCA Effectiveness answer?
If our controls reduce the likelihood and/or impacts of risk events
What does CCA Efficiency answer?
If our controls are adding value or costing resources