Create a plan that details a methodical approach to risk assessment

Why Assess Risk?

Understand Likelihood of risks

Understand impact of such risks

Why important?

A quantitative baseline can be established of the potential risks that the business faces.

Assign responsibility for the management of risks

Can encourage Risk to rise to prominence within a organisation

The risk appetite for the firm can be established and the decision-making process improved.

Regulator satisfaction

A capital allocation figure with respect to operational risk can be established.

Why Measure Operating Risk?

 Establish a quantitative baseline for operating and improving the control environment.

 Ensure there is appropriate accountability and responsibility for risk management. By understanding where risk occurs and measuring how big it is, accountability and responsibility can be assigned to the people that are in the best position to manage it.

 Provide an incentive for risk management and the development of a risk-aware culture within the business

 Improve management decision-making. By knowing the size of risks they face, firms are in a position to decide how much risk they wish to take, as described in the last chapter.

 Satisfy regulators and stakeholders that the firm is adopting a proactive and transparent approach to risk management.

 Make an assessment of the financial risk exposure that can be used for capital allocation purposes.

Risk Measurement approaches

Expected loss is the loss that is expected to arise on average in connection with an activity. It is an inherent cost of such activity and is budgeted and, where permitted, deducted directly from revenues

Statistical loss (also known as unexpected loss) is an estimate of the amount that actual loss can exceed expected loss over a specified time horizon measured to a specific level of confidence (probability)

Stress loss is the loss that could arise from extreme events. Stress situations can arise from many sources and when extreme events do occur, quantitative and qualitative risk assessments alone are not sufficient. In these cases, the essential elements are a tried and tested disaster recovery process and well-prepared business continuity plans. These will be discussed later on in the chapter dedicated to business continuity management.

Assessment v Measurement

Measurement: Objective assessment of data

Assessment: Subjective assessment of the data and it's appropriateness

Steps to be taken when assessing risk:

 Review actual operational losses – or events that could have resulted in significant losses

 Consider the effectiveness of controls

 Undertake an internal assessment of risks inherent in its operations

 Consider other risk indicators

 Consider reported external operational losses and exposures

 Review changes in its operational environment

Cause & Effect

Cause

Effect

a trigger for a risk to take place

the consequence of this event