Risk Profiling eLearn Flashcards

1
Q

Why are our operational risk profiles anchored to our processes at NAB?

A

To ensure clear identification of where risk eventuates and where it needs to be managed (or improved).

2
Q

In simple terms, what does Risk Profiling do? (3 points)

A
  1. Identifies the operational risks in our business that impact NAB’s ability to achieve its strategic objectives and ensures these are assessed and managed.
  2. Helps us understand how we are managing these risks.
  3. Determines if we’re doing enough or if we need to make changes to improve our risk management.
3
Q

Why does Risk Profiling require us to consider the causes for each risk event, and the impacts that result?

A

Understanding these causes and impacts enables us to implement controls to prevent or reduce the impacts.

4
Q

Why does NAB use the “bowtie” method for risk profiling?

A

Because each documented risk event includes multiple causes and impacts

5
Q

How does Risk Profiling analysis begin?

A

By identifying the risks that may eventuate directly from processes owned by the division or critical operation, or that impact the division or critical operation from processes owned elsewhere at NAB

6
Q

Once we’ve identified the applicable Risks that impact the division or critical operation, what do we identify for each risk event?

A
  1. The potential causes
  2. The potential financial or non-financial impacts
7
Q

Once we understand risk events, and their causes and impacts, what is the next step?

A

To understand how we are managing these risk events

8
Q

What do we do to understand how we are managing risk events?

A

Two assessments:
1. CCA to identify what we have to manage causes and impacts
2. RRA to assess remaining potential impact from risk event once the effectiveness of controls is considered

9
Q

What do the CCA elements tell us?

A

Coverage: have we implemented the right controls?
Effectiveness: do the controls reduce likelihood/impacts?
Efficiency: do the controls find issues quickly before they impact our customers?

10
Q

What is the Target Risk Rating?

A

The target risk across the next 12 months, determined by the risk owner

11
Q

How is the Risk response determined?

A

Comparing the residual risk to the target risk

12
Q

Who is involved in the Risk Profiling process? (Persona names only)

A
  1. Risk Owner
  2. Risk Manager/DCO
  3. Chief Risk Officer (CRO) Teams
  4. Material Risk Exposure (MRT) Teams
13
Q

What are the Risk Owner responsibilities in Risk Profiling?

A

Accountable for developing and maintaining a risk profile and will validate and approve (approvers)

14
Q

What are the Risk Manager/DCO responsibilities in Risk Profiling?

A

Management of risk profiles and will most likely perform most risk profiling activities.

15
Q

What are the Chief Risk Officer (CRO) Team responsibilities in Risk Profiling?

A

Provide independent review and challenge of risk profiling activities and outputs where required.

16
Q

What is MRE determination?

A

A Material Risk Exposure (MRE) refers to the types of risk events that may occur in a division or critical operation. MRE determination enables Risk Owners to understand their exposure to these risk events.

17
Q

How do we perform MRE determination?

A
  • Consider the processes within the division or critical operation where risks may occur.
  • Consider risks which may occur elsewhere that IMPACT the division or critical operation.
  • Use the Enterprise Risk Taxonomy to help describe the underlying types of L3 Risk that may impact the division or critical operation.
18
Q

What is a risk description?

A

Clear description of an L3 risk event, how it is caused, and the impacts of the risk event.

19
Q

Why is a Risk Description important?

A

Risk descriptions help identify the relevant controls that need to be implemented to mitigate the causes or reduce the impacts of risk events

20
Q

How should Risk Descriptions be written?

A

Systematically analyse and document all potential causes and impacts of each risk event within the relevant division or critical operation.

21
Q

What can be used to support writing risk descriptions (but do not replace professional judgement)?

A
  • Enterprise Risk Taxonomy guidance
  • Cause Taxonomy
  • Impact Taxonomy
22
Q

What are Risk Descriptions a direct input into?

A

The CCA

23
Q

How is Residual Risk Impact determined?

A

Once the Overall Impact Rating and Likelihood Rating have been determined, the Residual Risk Rating is determined based on the impact and likelihood combination as defined in the Risk Heat Map table.

24
Q

What is the Target Risk Rating?

A

Determined by the Risk Owner as the level of L3 residual risk that the risk owner wants to maintain over the next 12 months

25
Q

How is the Target Risk Rating determined?

A

The Risk Owner will understand the causes, impacts, and likelihood of risks that impact the division or critical operation. They will determine how much residual risk can be maintained within the risk appetite for the division or critical operation.

The Target Risk Assessment will be represented by:
1. Target Impact Rating
2. Target Likelihood Rating