An initial step in ERM is to identify, assess, and prioritize an organization's key risks. The risk control self-assessment (RCSA) is a common tool that is well established in regulatory guidance and industry frameworks. Companies across all industry sectors use RCSAs for identifying, mapping, and controlling risks that threaten strategic and other objectives.1 Companies that integrate RCSA into the daily activities of their business units will also find it easier to adhere to the growing body of stakeholder expectations and regulatory requirements.
By its very nature, RCSA implementation will vary depending upon a company's specific needs. There is, however, a common process and methodology that all RCSAs follow. We'll begin this chapter with a short overview of risk assessment and the benefits it offers. Next, we'll examine how companies can implement RCSA process and methodology such as identifying risks, evaluating existing controls, and developing risk mitigation strategies. We'll look at the short- and long-term post-RCSA processes to get the most out of the results and increase future efficiency with an emphasis on common pitfalls and practical solutions. We'll conclude the chapter by examining how to incorporate risk assessment into the business process through strategic planning and review.
The objective of risk assessment (or RCSA) is to identify, evaluate, and prioritize an organization's key risks to enable more informed business and risk management decisions. Risk assessment principles are well established in industry frameworks such as COSO ERM, the Dey Report, the Turnbull Report, and ISO 31000.
Risk assessments generally include the following key steps:
The key benefits of risk assessment include:
While most organizations have implemented risk assessment programs for many years, common obstacles may prevent them from achieving the full benefits. These obstacles include:
Risk assessment is the process of identifying, evaluating, and prioritizing key risks related to the achievement of business objectives. Each organization should customize its risk assessment methodology for its own particular business scope, operating complexity, and risk management maturity. However, there are common industry processes and practices for risk assessment. Figure 13.1 provides an overall process map of the four phases of risk assessment.
The first phase sets the foundation. This should include senior-level sponsorship for risk assessment to ensure business unit participation and candor. Other elements include organizing and planning, establishing a risk taxonomy, developing risk assessment tools, and providing education and training.
The second phase involves risk identification, assessment, and prioritization. This includes establishing the context in terms of business objectives and regulatory and policy requirements. During this phase, the RCSA team conducts risk assessment interviews and/or workshops in order to identify, evaluate, and prioritize key risks. It enables many companies to identify their top risks.
The third phase consists of deep dives, risk quantification, and management. In this phase, the company performs in-depth analyses (i.e., deep dives) of the top risks identified at the enterprise-wide level. The RCSA team then establishes key risk indicators (KRIs) and risk tolerance levels for each of these top risks. In addition, the team develops and implements specific risk management strategies, including accountabilities and action plans.
The fourth phase involves integration of RCSA into business and ERM processes. Risk assessment should not be a standalone exercise. Companies should integrate it with other ERM and business management processes, such as strategic planning, business activities, operational processes, and board and management reporting.
With respect to the overall risk assessment process, common pitfalls and practical solutions include:
Let's discuss the four phases of RCSA in greater detail.
The foundation-setting phase provides the essential support elements for risk assessment, including senior executive sponsorship, organization and planning, key documents and tools, and education and training. The absence of any of these elements may hinder the efficiency and effectiveness of the risk assessment process.
At the start of the risk assessment cycle, a senior-level sponsor (e.g., CEO, CFO, or CRO) should communicate the board's and executive management's commitment to the risk assessment process, its key objectives and expected benefits, and the expected timeline, along with primary milestones. Given the time constraints and other priorities business managers face, it can be difficult to get their full and candid input without high-level sponsorship. The project sponsor and other corporate leaders should lead by example, engaging in the risk assessment process with candid and thoughtful input.
The implementation team should produce an overall plan to define tasks, accountabilities, and deadlines. Key roles may include an RCSA manager to execute specific tasks and delegate responsibilities; subject matter experts to provide technical expertise; trained facilitators to assist in managing meetings and workshops; and risk analysts to capture, organize, analyze, and report on results. Together, these roles will constitute the RCSA project team.
Having a common language is key to an effective discussion. This is particularly true in risk management, since each company will have its own hierarchy of risks, depending on its business model, industry, and many other factors. Therefore, establishing definitions and categories of risks to facilitate discussion is crucial to running a successful RCSA. As much as possible, these categories should be common to all business units and functional areas in order to facilitate aggregation across the organization. In this regard, it is important to align the risk taxonomy with the business language used in the organization.
A popular way for companies to classify risk is according to operational events, a system the Basel Committee endorses. For example, a company might establish a broad category of employment-practice events with further subcategories such as employee relations, workplace safety, and diversity.
Other companies choose cause-driven or impact-driven classification. Under the former, risks are classified according to the root cause of operational losses. However, this method can run into difficulty when there are multiple root causes for a loss, or when the cause is unclear. The impact-driven method classifies risks by the financial impact of operational losses. While the classification itself poses few challenges, it may leave companies with an insufficient understanding of root causes. I believe the cause-driven method, despite its challenges, is the preferred method. Management can address root causes (e.g., through employee training) but not consequences (e.g., employee errors).
In addition to this taxonomy, it is often helpful to have a glossary of key terms (e.g., probability, severity, tolerance, etc.). This can help avoid unnecessary confusion and ensure the entire company is on the same page.
The RCSA project team should employ the tools that facilitate the risk assessment process in the most effective and efficient way. Typically, assessment tools fall into two categories: short-answer surveys and open-ended interviews. The former is most appropriate for gathering aggregate data during staff workshops. The latter can provide a fuller and more contextualized discussion of risk issues. Polling a large group of operational personnel requires a standardized question/answer template while the detailed input of senior executives and board members is best captured by open-ended questions. Figure 13.2 shows an example of an executive questionnaire.
1. Please summarize the scope of the business or operating unit that you are representing.
2. Review the key short-term and long-term business objectives for your business unit.
3. Looking back, discuss the major losses, incidents, or near-misses that concerned you the most.
4. Looking forward, identify the main risks faced by the company and your specific business unit, including estimated probabilities and consequences.
5. Discuss the key controls associated with these main risks (e.g., risk policy and tolerance levels, processes and systems, risk mitigation strategies).
6. Discuss the metrics and reporting associated with these main risks.
7. Identify other relevant issues that we have not discussed.
FIGURE 13.2 Top-Down Executive Questionnaire
In the past, the available technology could support either of these tools, but rarely both in a sufficiently integrated fashion. Modern cloud-based technologies not only support both assessment approaches, but are also able to integrate them seamlessly, making data aggregation easier and less error prone—and, in many cases, completely automated in real-time.
A knowledgeable staff is essential to a company's success in risk assessment. The project team should be conversant in best practices for implementing risk assessments, analyzing and aggregating risk assessment results, and providing analyses and reports to management and the board. Other participants must understand the role of risk assessment, why the risk assessment is being done, what the value is to the business, how they can best participate and contribute, and how they can apply the results to mitigate risks and enhance business performance. A well-planned and executed training program can achieve both these goals.
Once the foundational groundwork has been laid, the project team is ready to execute. The key deliverables in this phase include top-down risk assessments from senior executives, bottom-up risk assessments from business and operating units, risk assessment reports and heat maps, and the prioritization of enterprise-level risks.
A key tenet of ERM is to identify, assess, and manage risks in the context of business objectives. Part of strategic and business planning is establishing key objectives at the corporate and business unit levels, each associated with a key performance indicator or KPI (e.g., market share, operating efficiency, earnings growth, etc.). In turn, key risks may impact the achievement of these business objectives and variability in the KPIs. These key risks are associated with key risk indicators or KRIs (e.g., product/service quality problems, operational risk metrics, unexpected earnings volatility, etc.). Associating key business objectives and KPIs with key risks and KRIs provides the basis for integrated performance reporting and management.
In pursuit of business objectives, businesses must also comply with regulations and corporate policies, another key objective of ERM. In risk assessment, it is useful to summarize the regulatory requirements and guidelines, as well as corporate policies and associated risk tolerance levels (if available) for each key risk.
Before cataloguing risks via surveys, interviews, and workshops, it is important to understand the status of each risk within the current environment. This is best defined in terms of inherent risk, controls, and the resultant residual risk.
Inherent risk refers to the risk exposure of an event prior to consideration of any controls or mitigation efforts. Inherent risk is typically assessed along four attributes,2 which can be defined qualitatively or quantitatively:
These attributes are often interrelated. For example, the more vulnerable a company is to a risk event, the greater its impact. Similarly, multiple risk events can have an aggregate impact on the company. That is why having a documented taxonomy is so important. A company can evaluate its risk interactions by grouping individual risk events into broader categories and studying their aggregate effects. For example, individual risk events relating to distribution, sourcing, and vendor relationships would fall under a broader category of supply chain risk.
How well a company manages its risks and their interdependencies depends on how effective its controls are at mitigating unwanted effects of risk events. Controls may be preventative, detective, or corrective:
It's easy to see how preventative controls might be preferable to detective or corrective ones, but the former may not always be possible. A good example is cybersecurity, where it is nearly impossible to prevent 100% of cyberattacks, so the cybersecurity program must have effective detective and corrective controls.
Some controls are manual while others can be automated. If a control involves both automated and manual components, it should be classified as manual. For example, a software system may produce a daily exception report that an employee must review before reporting and resolving each item. Because it requires the employee's involvement, this would be considered a manual control.
The risk management team should regularly evaluate the design and effectiveness of controls and recommend changes when warranted. For this reason, the RCSA process should include a testing protocol to assess the effectiveness of the control, identify gaps in the control environment, and produce a corrective plan for timely remediation if necessary. Evaluating design ensures that the control is performing as intended while evaluating effectiveness makes sure the control is operating or being operated appropriately. Evaluation usually involves a thorough walkthrough of the control. Considerations during the evaluation should include:
Once a company has assessed inherent risks and controls it can then determine the residual risk of individual events—that is, the risk exposure of an event after taking controls and mitigation efforts into consideration. While the purpose of identifying inherent risk is to determine which risk events require the most attention and resources for mitigation, residual risk is a closer measure of the actual risk exposure a company faces and the effectiveness of existing controls. Residual risk is what a company considers when it chooses to mitigate, avoid, transfer, or accept risk.
As discussed previously, it is useful to conduct interviews using open-ended questions when working with senior executives on risk assessments. In addition to identifying key risks associated with corporate objectives (i.e., top-down risk assessment), these interviews can gather important institutional knowledge about business strategy and culture, lessons learned from previous risk events, and the kinds of KPIs and KRIs that senior executives find most useful. For business unit teams, it may be more appropriate to organize workshops to develop bottom-up risk assessments. During the interviews and workshops, participants identify risks or risk events, and assess probability, severity, and effectiveness of controls through the use of polls or surveys. They may also decide on risk treatment, such as avoidance, mitigation, transfer, or acceptance.
The interviews and workshops may result in a large number of risk assessments. It is the responsibility of the project team to aggregate and report on these results. Risk assessment reports generally provide the following information for each risk:
In addition to risk assessment reports, heat maps (or “risk maps”) can help visualize the risk assessment information. On a heat map, risks are plotted against probability along the y or vertical axis and severity along the x or horizontal axis. An alternative methodology is to plot risks according to their severities and effectiveness of controls. Attention should then be focused on risks with high severity and low control effectiveness. Regardless of the methodology used, it is important to note that risk assessments and heat maps are generally not considered by board members and senior executives as actionable information that can support board- or executive-level decisions. Rather, they should be viewed as initial risk assessment and visualization reports that can support further analyses and modeling. In other words, risk assessments and reports are “start products,” not “end products.”
Based on the aggregate risk assessment results, the company should identify its most critical risks (e.g., top-10 risks). This is not to say that the company should only pay attention to 10 risks. In fact, each business unit or functional area may identify their own top risks and collectively monitor all of the key risks recorded in the risk assessment process. However, it is useful to establish a priority list of enterprise-level risks. For example, one large asset management firm reported over 700 risks. It would be impractical for executive management or the board to review and monitor such a large number of risks. Instead, the project team should identify the top-10 risks for the company based on the risk assessment information and confirm their analysis with executive management.
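The inherent-risk, control and residual-risk logic described above, together with the heat-map plotting, the alternative severity-versus-control view and the top-N prioritization, can be expressed as a small scoring routine. The following is an added example, not code from the chapter or from any RCSA tool; the 1-to-5 rating scales, the product formula for inherent risk, the "fraction of exposure removed" model of control effectiveness, the heat-map zone thresholds and the sample risks are all assumptions constructed for illustration (the chapter notes that attributes may be rated qualitatively or quantitatively and gives no formula).

```python
from dataclasses import dataclass

# Assumed rating scales for this example: probability and severity on 1..5,
# control effectiveness as the fraction of inherent exposure the controls remove (0..1).
SCALE_MAX = 5


@dataclass(frozen=True)
class RiskAssessment:
    name: str
    category: str                 # taxonomy category the risk rolls up into
    probability: int              # 1 (rare) .. 5 (almost certain)
    severity: int                 # 1 (minor) .. 5 (catastrophic)
    control_effectiveness: float  # 0.0 (no effective control) .. 1.0 (fully mitigated)

    def __post_init__(self):
        if not (1 <= self.probability <= SCALE_MAX and 1 <= self.severity <= SCALE_MAX):
            raise ValueError(f"{self.name}: ratings must be 1..{SCALE_MAX}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be 0..1")


def inherent_score(r: RiskAssessment) -> float:
    """Exposure before controls: probability x severity (assumed formula)."""
    return float(r.probability * r.severity)


def residual_score(r: RiskAssessment) -> float:
    """Exposure after controls: inherent exposure less the share the controls remove."""
    return inherent_score(r) * (1.0 - r.control_effectiveness)


def heat_map_zone(probability: int, severity: int) -> str:
    """Probability (y axis) x severity (x axis) heat map, split into three colour zones.
    The zone thresholds are an assumption of this example."""
    score = probability * severity
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def top_risks(assessments, n=10, by="residual"):
    """Priority list for executive management; ranks by residual exposure by default."""
    key = residual_score if by == "residual" else inherent_score
    return sorted(assessments, key=key, reverse=True)[:n]


def severity_vs_control_watchlist(assessments, min_severity=4, max_control=0.5):
    """The chapter's alternative heat map: high severity combined with weak controls."""
    return [r for r in assessments
            if r.severity >= min_severity and r.control_effectiveness <= max_control]


def aggregate_by_category(assessments) -> dict:
    """Roll residual exposure up the taxonomy to study aggregate effects per category."""
    totals: dict = {}
    for r in assessments:
        totals[r.category] = totals.get(r.category, 0.0) + residual_score(r)
    return totals


# Constructed sample assessments (not real data) as a workshop might produce them.
SAMPLE = [
    RiskAssessment("single-source vendor outage", "supply chain", 3, 5, 0.2),
    RiskAssessment("phishing-led credential theft", "cyber", 5, 4, 0.6),
    RiskAssessment("warehouse safety incident", "employment practice", 2, 4, 0.8),
    RiskAssessment("customs delay at port", "supply chain", 4, 2, 0.5),
    RiskAssessment("data entry error in billing", "operations", 4, 1, 0.3),
]

if __name__ == "__main__":
    for r in top_risks(SAMPLE, n=3):
        print(f"{r.name:32} inherent={inherent_score(r):5.1f} "
              f"residual={residual_score(r):5.1f} zone={heat_map_zone(r.probability, r.severity)}")
    print("watchlist:", [r.name for r in severity_vs_control_watchlist(SAMPLE)])
    print("by category:", aggregate_by_category(SAMPLE))
```

Ranking by inherent score and by residual score gives different top lists for the same sample: the phishing risk leads on inherent exposure, while the weakly controlled vendor outage leads on residual exposure, which is the view the chapter says should drive mitigate/avoid/transfer/accept decisions.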
The top-10 risks identified in the previous phase represent the most critical risks facing the company. This list focuses management time and attention on the appropriate risks. Each of these key risks warrants further assessment, quantification, and management strategies.
Deep dives are more granular risk assessments. Beyond the information gathered during Phase 2, deep dives may add risk assessments from the next level down in the organization, external benchmarking of the risk and related controls, process maps that clearly document the key business and operational flows, independent assessments from auditors and regulators, and control effectiveness testing. Overall, the purpose of deep dives is to gather more detailed and actionable information.
Peter Drucker was right when he said “What gets measured gets managed.” For key risks, that means developing actionable KRIs that support the quantification and monitoring of top risks. In addition to measuring risk exposures, it is useful to track risk metrics related to control effectiveness (key control indicators) and leading indicators (early warning indicators).
Risk tolerance levels, as outlined in the company's risk appetite statement (RAS), provide benchmarks against which management can evaluate risk assessments and KRIs and represent the company's risk appetite on key risks. Examples of risk tolerance dimensions include market risk, credit risk, or liquidity risk limits; business performance targets and triggers; operational performance goals and limits; and other benchmarks for desirable and undesirable performance. Ideally, the company tracks KRIs against risk tolerance levels so management can clearly see if risk levels are within acceptable ranges.
Without strategies to reshape the company's risk/return profile, every process up to this point would be an intellectual exercise. Based on an assessment of key risks relative to business objectives and tolerance levels, management should decide on the appropriate strategy to address each one. These strategies will incorporate one or more of the four broad categories of risk response: avoidance, mitigation, transfer, or acceptance. Any risk acceptance should be followed by discussions of how to incorporate the total cost of risk into product pricing and/or performance measurement systems. The total cost of risk includes expected loss, unexpected loss (e.g., cost of economic capital), risk transfer costs, and administrative costs. To support the execution of risk-management strategies, the risk function should develop action plans (e.g., creating corrective actions, project change requests, and risk transfer strategies) with clear accountabilities and approval from management.
Risks are inherently fluid, dynamic, and difficult to predict. Thus even the best risk assessment and quantification processes may not identify the next risk event that impacts the organization. Companies should develop early warning systems to indicate emerging risk issues before a risk event occurs. While KRIs are associated with specific risks, early warning systems provide a more generalized and comprehensive way for companies to foresee potential risk events. For example, a spike in employee absenteeism or customer complaints may hint at more significant operational risk issues. Or an uptick in credit spreads and price volatility may provide early warnings about capital markets turmoil. In conjunction with these early warning systems, companies should invest in preparedness with respect to early-action and crisis-management strategies. For example, in a financial market crisis, early actions may include contingent liquidity and capital plans to raise financial resources during the initial stages of the crisis when funds are still available. In a natural disaster, the crisis management program may include business contingency planning and recovery plans, as well as internal and external communication protocols.
Risk assessment should not be a standalone process. It should be part of strategic planning and review processes, business processes and operations, and other ERM processes such as dashboard reporting, loss/event tracking, and risk escalation policies.
Companies must establish clear links between strategic planning and risk assessment. In fact, the integration of strategy and ERM is a key initiative as boards and executive management take a more active role in risk oversight. This integration offers significant benefits. The strategic planning process results in business objectives that should drive risk assessment. On the other hand, risk assessment illuminates key risk exposures and the cost of risk, both of which are essential in making risk/return tradeoff decisions during the strategic planning process. In addition to strategic planning, companies should also integrate risk assessment into strategy and business review processes. As companies execute their business strategies, they often organize strategy and business review sessions to consider new information such as competitive trends, customer data, and business performance. They can then update risk assessments and related monitoring processes with this new information.
Key business processes and operations should include risk assessment on a day-to-day basis. For example, the pricing of the company's products and services should fully incorporate the cost of risk. Risk assessments can also support other processes such as new product and business development, M&A transactions, project management, and capital allocation. Operational processes should also integrate risk assessment analysis. For example, a process map can depict where key risks (and actual errors and losses) may occur within an operational process. Management can then embed specific controls and risk-monitoring processes where they are most effective.
Companies should not only be concerned about the worst-case scenario of any single risk, but also the possibility of a more consequential scenario of multiple risk events, such as a failed product launch, an economic downturn, or a new competitive threat. Moreover, the company may stress test the combined failure of key controls, such as risk model error, incorrect data, and departure of key risk personnel. While less likely than a single risk event, the confluence of multiple risk events (i.e., the “perfect storm”) may present the company with critical challenges worth preparing for.
The sheer volume of data from risk assessments, other ERM analytics, and business performance systems can be overwhelming. In order to provide senior management and the board with the appropriate information, I strongly recommend creating dashboard reports designed to support the specific decision-making and informational needs of corporate executives and board members.
At the board level, for example, these reports would provide a concise executive summary of business/risk performance as well as external performance drivers. They would focus on key board discussion and decision points, providing forward-looking analyses of organization-wide performance, including key performance and risk indicators shown against specific targets or limits. And they would offer actual performance data on previous business/risk decisions as well as rationale for management recommendations. A modern dashboard system, which we'll examine more thoroughly in Chapter 18, can also provide drill-down capabilities to underlying data and analysis when desired.
Every risk loss or event represents a valuable learning opportunity, but only if the risk team captures and reviews them systematically. Companies should develop and maintain a loss/event database to capture all material losses and incidents. This database can inform postmortem analyses in terms of root causes and needed controls, reveal key risk trends and emerging patterns, help address risk issues before they become major problems, and close a feedback loop on the efficacy of risk assessments and dashboard reporting. Based on my experience, developing a loss/event database is a low-cost but high-value ERM initiative.
Risk events do not occur on a regular interval, but in real time. Thus, annual risk assessments—even if they are updated monthly or quarterly—may not support timely alerts or management responses. A risk escalation policy can mitigate this problem by establishing specific notification triggers for material losses or events (e.g., losses above a certain threshold, risk events that impact a certain number of customers, etc.). A lesson learned from previous corporate disasters is that bad news does not always travel up the organization. A risk escalation policy establishes the explicit expectation and specific criteria for communicating risk events on a timely basis.
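The two monitoring mechanisms described in this chapter, KRIs tracked against the tolerance levels in the risk appetite statement and a risk escalation policy with explicit notification triggers, can be encoded so that the "bad news travels up" expectation is enforced by rule rather than by judgment. The following is an added example, not code from the chapter; the tolerance values, the warning-trigger convention, the escalation thresholds, the roles to notify and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed convention: each KRI carries a hard tolerance limit from the risk appetite
# statement and an early-warning trigger set inside that limit.


@dataclass(frozen=True)
class Tolerance:
    kri: str
    direction: str   # "max": higher values are worse; "min": lower values are worse
    limit: float     # tolerance level (breach beyond this)
    trigger: float   # early-warning level inside the limit


def kri_status(t: Tolerance, value: float) -> str:
    """Classify an observed KRI value as within tolerance, at early warning, or in breach."""
    if t.direction == "max":
        if value > t.limit:
            return "breach"
        return "warning" if value >= t.trigger else "within"
    if t.direction == "min":
        if value < t.limit:
            return "breach"
        return "warning" if value <= t.trigger else "within"
    raise ValueError(f"{t.kri}: direction must be 'max' or 'min'")


def kri_dashboard(tolerances, observations: dict) -> list:
    """One row per KRI: (name, observed value, status) for management reporting."""
    return [(t.kri, observations[t.kri], kri_status(t, observations[t.kri]))
            for t in tolerances if t.kri in observations]


@dataclass(frozen=True)
class EscalationRule:
    metric: str          # event attribute the trigger is tested against
    threshold: float     # notify when the attribute reaches this value
    notify: tuple        # roles that must be informed
    hours_to_notify: int # deadline for the notification


def escalation_for(event: dict, rules) -> tuple:
    """Apply every escalation rule to an event; returns (sorted roles, tightest deadline).
    An event that triggers no rule returns ([], None)."""
    roles, deadline = set(), None
    for rule in rules:
        if event.get(rule.metric, 0) >= rule.threshold:
            roles.update(rule.notify)
            deadline = rule.hours_to_notify if deadline is None else min(deadline, rule.hours_to_notify)
    return sorted(roles), deadline


# Constructed tolerances and escalation policy (illustrative values only).
TOLERANCES = [
    Tolerance("unplanned outage hours per month", "max", limit=8.0, trigger=5.0),
    Tolerance("liquidity coverage ratio", "min", limit=1.0, trigger=1.1),
]

ESCALATION_POLICY = [
    EscalationRule("loss_amount", 100_000, ("business unit head", "CRO"), 24),
    EscalationRule("loss_amount", 1_000_000, ("CEO", "board risk committee"), 4),
    EscalationRule("customers_impacted", 1_000, ("CRO", "head of customer operations"), 8),
]

if __name__ == "__main__":
    for row in kri_dashboard(TOLERANCES, {"unplanned outage hours per month": 6.0,
                                          "liquidity coverage ratio": 1.25}):
        print(row)
    event = {"description": "billing platform outage", "loss_amount": 250_000, "customers_impacted": 40}
    print(escalation_for(event, ESCALATION_POLICY))
```

Keeping the thresholds in data rather than in code means the policy can be reviewed and approved by management like any other risk document, and a rule that fires produces a deadline as well as a distribution list, which is the "timely basis" requirement stated in the text.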
As the risk landscape increases in complexity, it is becoming more and more important to increase collaboration and coordination efforts between the ERM program and the company's internal audit function. An innovative way to accomplish this is through the use of the RCSA process. RCSA data and outputs can provide points of comparison between ERM risk focus areas and those of internal audit, thus providing an added level of structure and assurance.
A simple first step to sync a company's RCSA process to its internal audit program is to map RCSA risk focus areas to those in the internal audit universe. This allows both ERM and internal audit to better understand their risk and audit review coverage at any given moment. Such an approach provides the ERM team additional perspective on controls and risk mitigation processes while it offers a quasi-independent evaluation of audit scope and priorities. For example, risk assessments can inform risk-based audit plans while audit findings can validate control effectiveness ratings.
The mapping process should take place after the completion of RCSA as well as during the annual internal audit plan-setting period. By coordinating efforts between ERM and internal audit, the organization can ensure that there is a consistency in approach and a focus on the risks that truly are impactful.