identify and describe tactical control measures that could be used to manage risk.
Preventative Controls
Segregation of Duties aims to prevent too much responsibility, authority and power being concentrated in the hands of too few individuals. In turn, this prevents the possibility of the internal control structure being compromised and the risk of fraud arising.
Other Examples
The setting up and ongoing maintenance of good procedures to prevent unauthorised actions and errors
The use of training to reduce the likelihood of human error arising from a lack of expertise
The use of well-designed systems to automate processes and controls to eliminate risk due to human error
IT and systems controls built in to operational processes are used as a key means of implementing preventive controls.
Preventive controls are those that prevent errors occurring in the first place.
Detective Controls
Internal Detection
Internal detection controls are there to trap errors after they have occurred but before a potential loss is realised in the outside world, i.e. they detect the risk event in order to prevent the effect and avoid escalation of the problem (stopping the rot). Checking and inspection-type activities fall into this category.
Detective controls detect errors once they have occurred.
External Detection
External detection controls are those that detect errors and losses once they have been realised, i.e. they detect the effects.
External detective controls are important because they can limit the direct and indirect losses to the firm. External detective controls are perhaps more concerned with reducing the impact of loss, rather than reducing the likelihood of loss (because the loss has already occurred).
Example
The best example of such controls is the activity of reconciliation, which checks the status of information within the firm against externally held records.
Control Measures
Controls are there to be defined and implemented. Beyond that, the task is for the controls to be checked and reviewed periodically to see if they are operating effectively and smoothly.
Other Strategies to manage a CRYSTALLIZED risk
Diversification strategies: an over-reliance on a particular customer, product or market may expose the firm to heavier losses than if it operated a more diverse business. By widening the net, the firm is spreading the risk.
Risk sharing: by collaborating with other firms, or pursuing joint ventures, it is possible to share any potential operational losses, as well as having the potential to share benefits and profits with the other party.
Financial reserves: by having access to emergency funding or borrowing, or capital reserves.
Insurance: having insurance against the financial loss presented by a risk event is valuable. It may take time for the insurance arrangements to take effect and therefore firms need to see this as a contributing but not total remedy for risk mitigation.
Business continuity or contingency planning: the ability to anticipate and plan for potential operational crises reduces the harm of unexpected losses. Continuity or contingency planning may take the form of disaster recovery, succession planning or the production of other fall-back procedures to deal with potential crises or threats to the continued operation of the business. This includes emergency response, crisis management and business resumption planning, covering a whole range of scenarios as identified by the business. A contingency plan needs to be drawn up, maintained, tested and checked regularly.
Good communication and reporting: having high quality, integrated management information systems allows information to be shared globally and efficiently. This means that if a risk is realised, the firm is able to react quickly to reduce its impact.
Outsourcing: entering into a contract with another company for services to provide operational and administrative support. Outsourcing of activities can reduce the institution’s risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialised business activities. However, a firm is still responsible for the duties from a regulatory
Limit setting: market and credit risk limits are also relevant management strategies for operational risk as exceeding limits can be the first sign of operational errors. Limits can be used in other ways to reduce the impact of risk, such as setting capital limits on major technology development or using them as early warning signals in process controls (e.g. risk indicators).
Risk awareness training: when the organisation is under stress, perhaps due to an increase in business or an external event, then the operational risk framework needs to provide staff with additional guidance. Such information will enable them to appreciate the importance of individual controls and, if they are to make a decision not to operate a control, the impact of such a decision. This means that the information available to the staff will need to be at both a summary and a detailed level. It also means that training will be required throughout the organisation and that this training will need to be reviewed on a regular basis.
Control Strategy Heat Map
The cost of controls
Opportunity cost is the consequence of giving up one potential course of action as a result of taking an alternative course of action.
Insurable risk
An insurable risk is a risk that meets the ideal criteria for efficient insurance. The concept of insurable risk underlies nearly all insurance decisions.
What makes a risk insurable
The insurer must be able to charge a premium high enough to cover not only claims expenses, but also to cover the insurer's expenses. In other words, the risk cannot be catastrophic, or so large that no insurer could hope to pay for the loss.
The nature of the loss must be definite and financially measurable. That is, there should not be room for argument as to whether or not payment is due, or what amount the payment should be.
The loss should be random in nature, or else the insured may engage in adverse selection (anti-selection).
Examples include Fidelity Insurance (insurance against dishonest employees) and Fire Insurance.
Factors determining uninsurable risk
A risk is uninsurable when an insurance company cannot calculate the probability of the risk and therefore cannot work out a premium that the business must pay. For example, you cannot take out insurance against possible failure of the business itself.
Risk is too widespread, for example, when there is a war.
When the loss is incurred due to your own deliberate actions, it cannot be insured. If, for example, you have financial problems in your business and decide to set fire to your premises in order to obtain a cash payout from insurance, this will be a void claim.