Calculating residual risk – Can inherent minus controls ever equal residual?


In the last three blog posts, we discussed identifying risks and the controls that mitigate them. The next stage is to analyse and, if necessary, to challenge the assessment scores. Here Tony and John give some guidance on challenging assessment scores and on managing them with operational risk software, taken from their book Mastering Risk Management.

As both risk and control self-assessment scores are largely subjective, they should be challenged with whatever actual data we have to hand. This may include control testing scores, internal audit scores, the firm's actual loss data, near miss data, trend data and external loss data if available. In addition, the existence of outstanding actions is another indication of management's view of the controls, i.e. if they think it is worth spending resources to enhance a control, then that control cannot currently be highly effective.

Some of this is obvious, for example, if control testing or an internal audit shows that a control is not very good, but the control owner is claiming that the control is effective, a challenge is clearly needed. However, actual loss data may relate to a control environment which has now changed and therefore may bear little resemblance to the current mitigation of the risk.

Challenging and validating the baseline residual assessment

It may be that the firm has internal losses, control tests and audit reports, external losses and outstanding actions linked to the risk that has been assessed. If there are any internal losses linked to the risk, these can be used to challenge the assessments. To start the challenge, use any losses that are outside of appetite to challenge the inherent assessment. This is because appetites are usually set a little larger than business-as-usual values. Therefore, the losses that are outside business-as-usual values must be heading towards (but not necessarily at) the inherent value of the risk.

These larger losses can be used to check whether the likelihood of the larger losses and the impact of the larger losses have reached the assessment of the inherent level. It is possible that the larger losses are below the inherent level of impact as some of the detective and corrective controls may have still been operating. However, the likelihood value should be near to the inherent assessment as for a loss to occur the directive and preventative controls must have failed.

Having challenged the inherent assessments, the average of the remaining losses (i.e. those losses within appetite) can be calculated for both likelihood and impact. These values can then be compared to the baseline residual assessment figures and may be adjusted if necessary.

To continue the challenge, use the control tests and audit reports to check whether control assessments are consistent with the test results and audit reports. If the design and performance rating are changed, the baseline residual values will of course also need changing.

Are there outstanding actions that will affect either the risk or the controls that mitigate the risk? As actions are intended to reduce the residual likelihood or residual impact values, those values are likely to be currently at an unacceptable level. If the residual values are already within appetite, the necessity for the action should be challenged. However, if the actions are intended to reduce the residual levels of assessment and are close to completion, it may be that some adjustment can already be made.

External losses may pose a challenge in terms of the data available. Any analysis may have to be restricted to the relevant risk category rather than the actual risk. However, some useful data may be available by scaling the likelihood and impact using relevant scaling factors such as gross revenues or staff numbers. After scaling, any losses outside appetite can again be used to challenge the inherent assessments. As with internal losses, those external losses within appetite can then be compared to the residual assessment figures, and one or both of the likelihood and impact may be adjusted if necessary.

Final residual likelihood and impact figures, which have been tested and confirmed, result from the above exercise.
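The loss-data challenge described above, as an added worked example (not code from the book or from RiskLogix): losses above the appetite threshold are compared against the inherent assessment, the remaining losses against the baseline residual, and any score the data suggests is understated is flagged. The loss amounts, appetite threshold and assessment figures are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Assessment:
    likelihood: float   # expected events per year
    impact: float       # loss per event, in currency units


def challenge_assessments(losses, years, appetite_impact, inherent, residual):
    """Challenge inherent and residual scores with actual loss data.

    losses: individual loss amounts observed over `years` years.
    Losses above `appetite_impact` are outside appetite and challenge the
    inherent assessment; the rest challenge the baseline residual one.
    Returns the observed figures plus findings where an assessed value
    looks understated relative to the data.
    """
    outside = [x for x in losses if x > appetite_impact]
    within = [x for x in losses if x <= appetite_impact]
    findings = []
    result = {"outside_appetite": None, "within_appetite": None, "findings": findings}

    if outside:
        # For any loss to occur the directive/preventative controls failed, so
        # the frequency of out-of-appetite losses should sit near inherent likelihood.
        obs = Assessment(likelihood=len(outside) / years, impact=max(outside))
        result["outside_appetite"] = obs
        if obs.likelihood > inherent.likelihood:
            findings.append("inherent likelihood understated")
        # Impact may legitimately sit below inherent because detective and
        # corrective controls may still have limited the loss; flag only if exceeded.
        if obs.impact > inherent.impact:
            findings.append("inherent impact understated")

    if within:
        # Losses within appetite reflect business-as-usual operation of the
        # controls, so their averages should match the baseline residual figures.
        obs = Assessment(likelihood=len(within) / years, impact=mean(within))
        result["within_appetite"] = obs
        if obs.likelihood > residual.likelihood:
            findings.append("residual likelihood understated")
        if obs.impact > residual.impact:
            findings.append("residual impact understated")
    return result


# Constructed sample: three years of losses for one risk (not real data).
SAMPLE_LOSSES = [12_000, 8_500, 150_000, 21_000, 9_800, 260_000, 15_500]
SAMPLE_RESULT = challenge_assessments(
    SAMPLE_LOSSES, years=3, appetite_impact=100_000,
    inherent=Assessment(likelihood=1.0, impact=500_000),
    residual=Assessment(likelihood=1.0, impact=10_000),
)
```

In the sample the two large losses are consistent with the inherent scores, but the within-appetite losses run at about 1.7 events a year averaging 13,360, so both baseline residual figures are flagged for review.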

Using the data for management – Actionable risk appetite

Having achieved, challenged and validated the control assessments and the residual likelihood and impact values, the business can use them to align its expenditure on risks and controls with its risk appetite. Qualitative statements of risk appetite can be represented using the same likelihood and impact values that are used in risk and control self-assessments (RCSAs). It is therefore appropriate to ask whether the confirmed residual likelihood and impact figures are at levels with which the business is comfortable. If they are, clearly no further actions are required. However, if the business is not comfortable with the confirmed levels, actions are required to reduce the current levels to within the business's appetite.

Summary

Handled with some thought, risk and control self-assessments are a valuable tool in managing risk. Although their title misses the word ‘identification’, this is where the problems often start. The identification of the risks to the business objectives is of course fundamental to the management of those risks. Equally, assessing whether the design and performance of the controls is within the firm’s appetite leads to the actions that further mitigate the risks.

Risk and control assessments are an excellent starting point for the risk management campaign, but there are other tools that should also be implemented. More about these in future blogs.

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317

For more information contact us today on sales@risklogix-solutions.com

RiskLogix Solutions Limited

RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.
