Risk Assessment and Heat Maps


Following last week's blog about identifying risks, Tony and John now discuss risk assessment levels and how to manage them using operational risk software.

This excerpt is taken from their book Mastering Risk Management…

Once risks are identified, they are assessed for likelihood (sometimes called frequency) and impact (sometimes called severity). Likelihood is reviewed on the basis of how frequently a risk event will occur over a given period (e.g. monthly, three times a year, once in 5 years). Alternatively, many firms find it helpful to think of the percentage likelihood of a risk occurring in one year. 

Impact is generally assessed on the basis of the (possible) cost to the firm if the risk happens. However, some risk occurrences such as reputation damage are difficult to assess on a cost basis. This more subjective impact is generally assessed on a qualitative scale such as high, medium high, medium, medium low and low.  While the term ‘severity’ is also used by some firms as being synonymous with impact, the word may also be used as a single value for a risk assessment, being a combination of likelihood and impact. This was more common before separate likelihood and impact assessments became widely used.

Three assessment levels

Risks can be assessed at three levels of mitigation.

Inherent Risk

Inherent (or gross) risk is assessed with no account taken of the controls which exist within a firm. The only controls which are assumed at the inherent level are inherent controls such as people’s honesty and society’s willingness to obey the law. The advantage of assessing risk at the inherent level is that there are no assumptions about the quality or existence (or otherwise) of controls. It also identifies the level of loss to which the firm is exposed if and when the existing controls fail.

Residual Risk

Residual (or net) risk is assessed after allowing for the existing controls within the firm. This means that there are assumptions about the adequacy and continuing effectiveness of the controls. These assumptions are rarely stated in residual risk assessments. If they are stated, the exercise becomes close to a control assessment. The object of this part of the exercise is to assess risks, not controls. The level of loss arising from a residual risk assessment is the day-to-day loss which the firm may suffer with the existing level of control.

Target Risk

Target risk is the name often given to the final level of expected risk appetite which exists within a firm after all mitigating effects are at the firm’s desired level. It is used to assess the impact (and sometimes the effectiveness) of control enhancement plans.

If risks are assessed at the inherent level, a control assessment can easily be linked to the inherent risk assessment. If risk is assessed at a residual level, the control assessment is already implicit in the residual risk assessment, and the result will require reconciling back to an explicit control assessment.

Heat map with both inherent and residual assessments and showing control effects

Using heat maps to assess risks

Heat maps are a very common way to assess risks. They generally use either four- or five-point scales, although five-point is becoming the standard as it gives more granularity than a four-point scale.

When setting the impact scale points, many firms prefer to use gross revenues. This is useful because the business (the first line of defence) can directly influence it and therefore the use of gross revenues encourages embedding of the process.  If net profitability is used, it must be borne in mind that it is more difficult for business heads to influence the costs allocated to them, and they are therefore likely to be less willing to accept the scale.

The beginning point of the highest range is often set at three or four months of gross revenues or profitability, whichever is appropriate. 

The same approach is used for setting the scale for likelihood. The beginning point of the highest range for likelihood is often set at a level at which it would be very unusual for the assessed entity to experience a risk.

Next time, Tony & John discuss more on mitigating risks and risk transfer.

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. : https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317   

