Create a plan that details a methodical approach to risk assessment 2
Risk Register - Summarise risk and the potential for scoring and the approach for managing that risk.
Headings of a risk register
Description and overview of the risk
Owner of the risk
Division/business area exposed to the risk
Geographical location(s) exposed to the risk
Legal and regulatory requirements (e.g. Sarbanes-Oxley) associated with the risk
When the risk might occur
The impact assuming that the risk does occur
Link to existing procedures and policies relating to the risk
An assessment of the risk’s likelihood or probability of occurrence
A priority rating or score, obtained from the impact and probability assessment
The management’s strategy as to how the risk will be addressed
The containment strategy defining what exactly will happen if the risk occurs
Expectation multiplied by impact would deliver the severity figure.
Risk refers to any adverse consequence or loss. This is the chance that damage, loss, injury or disaster may occur.
Certainty refers to an absolute fact, which can be depended upon with conviction.
Uncertainty refers to something that cannot be accurately predicted or known – being uncertain or any restriction on the accuracy of measurement.
Graphical representation of information normally found on an existing risk register
What are the consequences?
How frequently does it happen?
What can go wrong?
The risk assessment approach
This is a method of ranking risks in order of their importance.
For instance, a firm might decide that the process risk of volume sensitivity is higher than the system risk of inadequate security, or that a lack of training is a higher risk than the pace of change.
This will take the key external loss events and then appraise whether they could happen within the firm.
Scenario analysis together with using loss data is a good approach.
By investigating these scenarios, preventive measures can be determined to reduce their risk of occurrence.
seeks to identify and analyse the individual risks and adequacy of controls across the entire business.
It builds up a detailed profile of the risks that occur in each area, aggregating them to provide overall measures of exposure for departments, divisions or the firm as a whole.
It addresses risk and control issues at the process level, thus complementing the role of line managers.
Accountability and responsibility for risk management can be clearly defined.
It encourages a risk aware culture and a more transparent environment.
As risks are identified and assessed, mitigation action can be taken immediately if necessary. This means that improvements to the control environment can be made quickly in the short-term.
It improves the quality of management information by creating a detailed profile of risks in each business area.
It allows a cross-section of staff to give a balanced view.
The continuing maintenance of firm risk profiles is often a major undertaking, which would be exacerbated in a high change environment where profiles may change continuously.
It can be influenced by senior managers if not properly managed.
Key risk indicators
Just having the risk indicators is not sufficient; it is the action taken as a result of the indicator being exceeded which is crucial.
Risk indicators are statistics and/or metrics, often financial, which can provide insight into a firm’s risk position. These indicators tend to be reviewed on a periodic basis.
Historical loss data
Once the data has been collected (from either internal or external sources) it can then be used in the measurement process (i.e. measuring risks and their impact).
allows the firm to understand the size of losses, in monetary terms, which can be attributed to particular risks.
Creation of a loss database is crucial to the requirements of both the Basel Accord and to the approach used by regulators such as the PRA.
does not predict unexpected losses very well, due to the lack of data or imagination in anticipating them.
The triplet definition