Showcase 17th April (RP + CCA)

Question 1

What Risks should be included in a Division’s or a Critical Operation’s Risk Profile?

Answer 1

Only the Risks that may eventuate during the execution of the Division or Critical Operation’s processes.

Question 2

What is a benefit of Risk Profiling being agnostic to Divisions/COs?

Answer 2

Risk Profiling will be consistent across the Enterprise

Question 3

Will ownership of divisional Risk Profiles be aligned to FAR?

Answer 3

Yes

Question 4

What is FAR and what does it do?

Answer 4

Financial Accountability Regime.
Imposes a strengthened responsibility accountability and framework for entities in the banking, insurance, and superannuation industries and their directors and senior executives.

Question 5

When did FAR commence?

Answer 5

March 2024

Question 6

What are two reasons to be process-led?

Answer 6

1. CPS 230 requirement
2. Industry best practice

Question 7

Will Divisional/Critical Operation boundaries simplify Risk Profiling?

Answer 7

Yes

Question 8

Who should perform Risk Profiling?

Answer 8

Risk Manager

Question 9

Considering the risk bowtie, what are 3 components of risk (not considering controls)?

Answer 9

1. Event (L3 Risk)
2. Cause (what causes the event)
3. Impact (impacts of the event)

Question 10

Considering the risk bowtie, what is the flow of risks eventuating?

Answer 10

Cause > Event > Impact

Question 11

What is a risk bowtie?

Answer 11

A visualization tool that helps us understand how the components of risk and controls work together.

Question 12

In the context of the risk bowtie, what is the function of preventative controls?

Answer 12

Preventative controls aim to prevent the event from occurring.

Question 13

In the context of the risk bowtie, what is the function of detective controls?

Answer 13

Detective controls identify events before they cause significant damage.

Question 14

In the context of the risk bowtie, what is the function of corrective controls?

Answer 14

Corrective controls correct for the impact of events.

Question 15

What is the first step in risk profiling?

Answer 15

Determine applicable L3 Risks.

Question 16

Why do we want to start risk profiling by looking at L3 risks?

Answer 16

• It is too difficult to determine L1 MREs at first because they’re so broad.
• We want to leverage risks existing in operations first.

Question 17

How many L3 risks sit under the 20 non-financial MREs?

Answer 17

43

Question 18

Why do bottom-up instead of top-down?

Answer 18

More clarity at and a lot more to look at.

Question 19

What level do we report risks at, and what level do we manage risks at?

Answer 19

Report at MRE (L1) level.
Manage at L3.

Question 20

When do we look at MREs?

Answer 20

After applicable L3 risks are determined.

Question 21

How often is Risk Profiling performed?

Answer 21

Once per year (cyclical basis) unless something else triggers a Risk Profile refresh.

Question 22

What is the current state of risk descriptions?

Answer 22

They are currently very poorly written and inconsistent.

Question 23

How do we want risk descriptions to be written in future?

Answer 23

Clear detail regarding the risk’s cause and impacts, with reference to relevant cause/impact taxonomies.

Question 24

What is a summary of the 11 steps of Risk Profiling (excluding steps for exclusion rationales) that VG made with ORM?

Answer 24

1. Determine applicable L3 risks
2. Complete MRE determination
3. Create L3 risk records
4. Prepare L3 risk description
5. Complete CCA (L3)
6. Complete RRA (L3)
7. Complete TRA (L3)
8. Determine risk response (L3)
9. Create L1 risk record(s)
10. Validate CCA, RRA & TRA (L1)
11. Validate risk response (L1)
    * Risk profiling completed

Question 25

When do we start the CCA?

Answer 25

After robust risk description has been written, and controls have been linked to it.

Question 26

What are the 6 CCA steps (assuming no failures)

Answer 26

1. Assess Coverage.
2. Input Coverage into GRACE (Power BI will take this).
3. Access Power BI CCA report.
4. Assess Effectiveness
5. Assess Efficiency.
6. Determine overall CCA result.
   * CCA complete.

Question 27

Why do we assess Coverage?

Answer 27

To determine if any control coverage gaps exist.

Question 28

How is CCA Coverage assessed (as in what step will be followed)?

Answer 28

Utilise a template with a list of questions designed to establish if you have any control gaps in the identified overlayed controls linked to the risk.

Question 29

How is CCA Coverage determined (as in, what criteria are assessed)?

Answer 29

• Primary assessment will be how well controls address event/cause/impact
• Secondary assessment based on control taxonomy
• This is done so CCA outcome is relevant to risk bowtie and helps form RRA (Residual Risk Assessment)

Question 30

What do we assess for Risk Taxonomies in the CCA template?

Answer 30

We try to match L3 Risk Taxonomy allocations with control buckets in the control taxonomy. This informs if we have appropriate controls for that risk type.

Question 31

Can we keep going if Coverage is Not Complete?

Answer 31

No, it is a hard stop.

Question 32

What do we do if Coverage is complete?

Answer 32

We fill the relevant GRACE field (TBD) that gets ingested into a Power BI report (in progress) that automatically calculates effectiveness and efficiency metrics for the CCA.

Question 33

Do we keep going if Effectiveness is rated Not Effective?

Answer 33

No, it is a hard stop.

Question 34

What do we do if all metrics for the CCA are green (i.e., CCA is Effective)?

Answer 34

We take a snapshot to show the CCA at a point in time, and upload this into GRACE as an artefact

Question 35

Is CCA outcomes from Power BI static?

Answer 35

Power BI is fluid and changes month-to-month, so you must take a snapshot to show the results of an analysis at a certain point in time and attach this to GRACE as an artefact.

Question 36

Can we update Risk Profiling with new CCA snapshots?

Answer 36

Yes, Risk Profiling is a dynamic process. Risk Profiling informs risk management going forward, so may revisit Power BI multiple times and update with new CCA snapshots.

Question 37

What is the workflow between the CCA, GRACE, and Power BI?

Answer 37

• GRACE is the source of truth.
• CCA and Power BI are driven by data from GRACE.
• We update GRACE with outcome of CCA.
• This completes the cycle.

Question 38

Since CCA draws data from GRACE, why do we need to update GRACE with CCA outcome?

Answer 38

CCA Coverage assessment is purely manual, so GRACE can’t automatically know the result.

Question 39

How many CCA templates will be made?

Answer 39

There must be 43 templates (one for every L3 risk) so they have CCA questions for each one.

Question 40

What is part of the reason the CCA template is aiming to be very granular and prescriptive?

Answer 40

To remove optionality and discretion (that leads to ambiguous or inconsistent results).

Question 41

When is the risk bowtie used?

Answer 41

After risks have been identified and CCA has been performed.

Question 42

What does RRA stand for?

Answer 42

Residual Risk Assessment

Question 43

What is the purpose of the RRA?

Answer 43

To see how much risk remains after the implementation of controls to address the risk

Question 44

What does TRA stand for?

Answer 44

Targeted Risk Assessment

Question 45

What is the purpose of the TRA?

Answer 45

Determine if residual risk is acceptable, understand what we want, and how we will get there.

Question 46

After the TRA, what do we do if we want lower residual risk?

Answer 46

Implement a risk response.

Question 47

After the TRA, what do we do if we think residual risk is too low?

Answer 47

We might be going too hard with controls, so we can look at removing some controls.

Question 48

We are looking at changes in how we will complete residual risk assessments. What will change in how people get data?

Answer 48

Currently, everyone is expected to get data themselves. In future, ORM will provide clear data points (capability to support making these accurate and helpful).

Question 49

We are looking at changes in how we will complete residual risk assessments. What will change in using the CCA?

Answer 49

Using the CCA will help us understand our risk bowtie and the balance/strength of our preventative/detective/corrective controls. Are we firefighting risks or actually preventing them?

Question 50

What is the traditional calculation used in risk management?

Answer 50

IRA – CCA = Residual Risk

Question 51

What is changing in how IRA is performed?

Answer 51

IRA will not be performed at the operational level; IRA will be performed centrally across the organisation.

Question 52

Why is IRA being removed from operational level?

Answer 52

There is minimal benefit, and it takes a lot of time and effort.

Question 53

When IRA is removed, what will be the start of risk profile analysis?

Answer 53

CCA

Question 54

Who is working on developing a strong reason not to use IRA?

Answer 54

KB. KB is confident we can move from MRE determination straight into CCA and get to the same point without using the IRA.

Question 55

What is happening to risk records for critical operations and divisional profiles?

Answer 55

• They will need to be updated for critical operations.
• Most of them for divisional profiles are already there

Question 56

What does ORP stand for?

Answer 56

Operational Risk Profiling

Question 57

What does ‘early adoption’ of the new ORP process involve?

Answer 57

Determination of risk profiles for two selected critical operations.

Question 58

How will the early adoption process go?

Answer 58

The Business/DCO will through the ORP process with the ORM and CCoE teams via a series of workshops followed by practical activities to be completed by the business in-between each workshop.

Question 59

What is the purpose of the ORP early adoption approach?

Answer 59

Use the experience to further develop the training and guidance required for full implementation in July.

Question 60

How does ORP early adoption approach benefit the Critical operation owner?

Answer 60

They will have a completed/partially completed profile for their CO completed ahead of time, with the assistance and guidance of the ORM/CCoE teams

Question 61

When will the ORP early adoption approach run?

Answer 61

24th April – 23rd May (5 weeks)