Академический Документы
Профессиональный Документы
Культура Документы
INTRODUCTION
The recent news headlines related to subprime mortgage crisis, rogue traders, and corporate fraud have highlighted that despite investment in risk assessment and risk management disciplines, significant risk failures persist. While isolated incidents of onetime governance failures are bound to occur, long term systemic failures are more than just an isolated anomaly.
The failures may be the result of a clutter of risk information caused by many risk assessments from many perspectives. The process of organizing these risk assessments to provide organizations with a more holistic view of enterprise risk is fundamental to mastering risk assessments. This whitepaper explores approaches to risk assessment, offers some best practices for conducting risk assessments and provides practical guidance on mastering this business process.
2
The following best practice approaches will help an organization master risk assessment and minimize disjointed risk information: 1. Use a risk-focused approach 2. Adopt a common categorization of risk types 3. Parse the risk jumble 4. Perform scenario analysis 5. Use a risk table 6. Monitor risks 7. Increase self assessment 8. Achieve risk convergence
One of the major reasons for the ineffective execution of risk assessments is the significant focus on controls. The control-based approach is used to identify and assess controls, or more specifically the risk of missing or broken controls; the risk-based approach is used to identify and assess risk events, or risks that could impact the achievement of business objectives. Risk assessments are much more effective when using a true riskbased approach.
Friday, 20 September 2013
To assist in the discipline of risk assessment, it is important to have a common taxonomy and categorization of risk types. The risk management community has provided numerous risk models to categorize risks into types for reporting and analysis purposes. With a library of common sets of risk categories, risk assessment practitioners are better able to identify the organization's risks and can pull together risk information in a concise profile that helps users understand and monitor identified exposures.
Physical damage
Political risk Regulatory/legislative 7 Terrorism
QHSE office [ www.qhseoffice.com ]
Interest rates
Liquidity
Risk information must be organized to be understood and managed. In the jumble of risk information that is currently being gathered, some of the information is about controls or more accurately missing or broken controls, some of it is about risk events (the events the controls were designed to mitigate) and some of the information describes the primary or secondary consequences of the risk events if they occur. The result is a mass of information that is described as risk, but it is not all risk.
10
SCENARIO ANALYSIS
The discipline of scenario analysis is critical to effective risk assessments because it forces one to ask, What could go wrong in the future? Scenario analysis is the process of analyzing a number of possible future events and focuses attention on all possible outcomes of an event occurring and the associated impacts. Proper scenario analysis improves decision-making by allowing management to more completely consider various outcomes and their implications to an organization. For example, in looking at the scenario of fraudulent trades occurring, the following questions need to be evaluated:
11
SCENARIO ANALYSIS
1. Where does trading activity take place? 2. What kinds of trading takes place? 3. What are all the ways unauthorized trading could take place?
12
SCENARIO ANALYSIS
7. What would tell us if, in fact, unauthorized trades are occurring? 8. How often do we formally analyze this scenario? 9. What issues have we identified in the past? 10. What losses have our industry competitors experienced? 11. How could trades be hidden?
13
Risks and the corresponding risk assessments can be evaluated using either a quantitative or a qualitative approach. Quantitative assessments use actual dollar amounts to provide an financially-based risk value. Qualitative assessments use scoring methods and the experience of employees and consultants to arrive at a risk score. Since determining an actual dollar value of risk is often times a very resource intensive activity, the qualitative risk assessment approach is used as a best practice by most risk assessment groups. Although termed a qualitative approach, this method typically involves assigning some numerical value that can be used to stack rank or come up with some relative ratings on the assessment of risks.
14
15
Transfer the risk: An alternative to accepting a higher than reasonable risk when the cost of controls is too high is to purchase insurance to lower the business impact of an incident. This is a common risk management step.
Mitigate the risk: Risk mitigation typically focuses on managing the areas where the organization is most vulnerable. Risk mitigation involves the identification and management of risk mitigating controls.
17
MONITOR RISKS
A best practice in mastering risk assessments is to establish standard metrics for the consequences and outcomes that will drive business decisions. Common metrics are classified as key performance indicators (KPI) and key risk indicators (KRI).
A KPI is part of a measurable objective and helps an organization measure progress towards goals, especially toward difficult to quantify knowledge-based processes. KPIs are made up of a direction, benchmark, target and time frame.
18
MONITOR RISKS
A KRI measures how risky an activity is. It differs from a KPI in that the KPI is meant as a measure of how well something is being done. A KRI is an indicator of the possibility of a future adverse impact. The idea behind the KRI is to provide a set of agreed indicators, which can range from the simple, such as staff turnover, to the more sophisticated, such as the a complex calculation for measuring operational performance. The behavior of KRIs should signal how well or how badly a firm is managing potentially costly operational hazards such as fraud, legal risk, technology failure and trade settlement errors.
19
Using risk self assessment drives the responsibility and accountability of risk management to process owners by reinforcing their responsibility and accountability for the risk areas that they own. Companies embracing risk self-assessment often view it as a cost-effective technique for establishing touch points with the right people, enabling management to communicate as well as educate. An effective risk self-assessment program reports risk assertions from process owners upward in the organization and identifies matters requiring follow-up and possible disclosure.
20
Risk convergence is the integration of discrete risk assessment information into a unified framework in order to dramatically: Streamline processes Increase assurance reliability
21
Risk-based approaches to management hold significant promise. If risks are understood in terms of cause/effect relationships, governance failures and losses should be prevented. If variance in expected business or process performance is viewed from a risk perspective as unmanaged risks, then business performance should improve or at least become less volatile. Risk assessment is the foundation of risk management. Organizing the information produced through risk assessment will allow risk convergence to fulfill its potential.
22
THOUGHTS
To minimize the confusion of varying risk information, risk assessment efforts need to converge. Risk information can be categorized as root cause, risk event, consequence and downstream effect. Effective risk assessments force one to ask, What could go wrong in the future? Rejecting risk is the head-in-the-sand approach. Establish standards for the consequences. QHSE office provide a common point of entry for audit, risk management and compliance owners. 23