Amidst all of the hullabaloo about artificial intelligence (AI), machine learning (ML) and other new technological approaches to operational risk, practitioners of the discipline should pause and reflect. What are they doing with the operational risk data they are collecting at the moment? Could they be driving much more value from this operational risk data for their business?
This is the first blog in a four-part series of blogs that explores how operational risk professionals could be getting much more business value out of their data today – enabling their organization to thrive. The first area of data collection we will look at is risk and control self-assessment (RCSA) data, which financial services firms often collect and then forget about.
Getting RCSA culture right
RCSA data often gets ignored because it’s viewed as subjective, and therefore of minimal value – it can rapidly become an activity that is completed only because the regulator asks for it. This can become a vicious cycle – these attitudes can quickly undermine the value that can be derived from RCSAs because the responses that are given in the exercise may not be seriously considered ones – thereby generating poor-quality RCSA data.
The reality is that RCSA data can be immensely valuable – operational risk managers need to challenge the tone that is coming from the top about RCSAs, and actively challenge the responses received to RCSAs from the business for authenticity. Through challenge, the organization’s cultural values around RCSAs will begin to change, producing much more thoughtful responses. Good RCSA response data can help an organization better understand:
• When controls have failed (an unexpected event)
• When controls are working (day-to-day event)
• How good controls are (in theory and in reality).
Good RCSA data is ultimately good for the business – operational risk managers need to actively communicate that to their organizations.
Understanding controls better
There are four different types of controls that organizations have, and which RCSA data can shed light on. These include:
• Directive controls – These controls help prevent risks from materializing through policies and procedures.
• Preventative controls – These also help prevent operational risk events from occurring, and can sometimes be automated.
• Detective controls – Such controls tell the organization that a risk event has taken place.
• Corrective controls – These are also for after a risk event has taken place, and help the organization “put things right” – disaster recovery would be one example.
Ideally, an organization would have one of these types of controls in place for each risk it has, although this is not always possible. The first two control types focus on the likelihood of an event occurring, while the second set ameliorate the impact. So, for example, if a firm has lots of directive and preventative controls but no truly effective detective or corrective controls for a type of risk event, the impact of such a risk event could be significant in terms of cost.
Analyzing RCSA data
Organizations should be using their RCSA data to create Risk and Control Profiles. Such a profile would contain the following elements, most of which are derived from RCSA data:
• The name of the risk and any ID number associated with it
• The inherent impact and inherent likelihood, expressed as a score
• The residual impact and the residual likelihood, expressed as a score
• Target impact and target likelihood, derived from the risk appetite statement
• A list of the individual controls for that risk
• Scores for both the design of the control and the performance of the control
• A score for the effectiveness of the overall control environment, which is calculated by multiplying the design and performance scores together.
Through such a report, operational risk teams and the business can sense check the validity of the RCSA information. They are also able to see in a much clearer way just how the quality and structure of the control environment is affecting either the likelihood or impact of their risks. In one place, stakeholders can see how well the organization is positioned to manage a risk within its stated risk appetite.
This data can also be turned into a radar chart, or “spider gram”. By plotting risks against control effectiveness, it’s easy to compare how well the controls are working, versus the risks. The business can see how well risks are controlled – if they are under-controlled or over-controlled.
In short, by using risk assessment software and data already at their disposal in new ways, operational risk teams can help the business to better understand the risk and control environment within the organization, and make decisions about it. Business executives will develop a more thoughtful understanding of the value that risks and controls bring to the business, and how evolving this environment can enable the business return more value to shareholders.
The three blogs that follow this first one will look at how operational risk teams can better use the data created by KRI programs and loss event data collection. The final blog will explore how firms can undertake a useful cost-benefit analysis of their control environment using data they already have.
RiskLogix provides operational risk management software and SaaS to enable your firm to improve the way it uses RCSA data in reporting to the business, senior management, and the board. To learn more please contact us.