How RCSA timesavers could increase risk within the business
This is the first in a series of four blogs about the ways in which common shortcuts can undermine overall risk management success within organizations. You can view the second blog here ‘The Shortcuts Trap – Key Indicators Under Fire’
Operational risk teams are under pressure to reduce the amount of time that the business has to spend on completing risk and control self-assessments (RCSAs). However, these teams should stick to their guns. Common shortcuts can lead to poor risk management outcomes, because the business will not have sufficient “skin in the game” if they do not have full ownership of the risks their part of the first line of defence runs, as well as the need to manage them. Common shortcuts that are cropping up include:
- Copying previous assessments – While many risk management software solutions enable users to copy assessments, it’s a bad idea to do this. These solutions also allow the copying of risk and controls too – which can be beneficial to a point. Using a list of risks and controls from another similar operation can be a good starting point for creating a list tailored to a specific operation. However, there is the possibility that the business will not fully engage and modify these copied lists to reflect their operation’s own specific risks and controls. The same holds true for assessments – the likelihood that an assessment that is copied won’t then be turned into a bespoke assessment that reflects the reality of risk management within the business can be high.
- Assuming that residual risk equals inherent risk minus controls – Residual risk, inherent risk, and controls are indeed a composite set of three. However, the inherent risk score and the control score are both qualitative and subjective assessments. Believing that these can all be linked arithmetically to produce a final residual risk score that is “absolutely right” can lead to significant errors in understanding the risk that the organization is exposed to. Both teams and the business need to understand that these numbers are suggestive of what real risk is, and not a precise measure – they are no substitute to understanding the full risk picture.
- Ignoring control types – There are four control types – directive, preventative, detective, and corrective. The first two control types help to reduce the likelihood of a risk event from taking place, while the second two lessen the impact should an event occur. Teams sometimes implement one type of control without implementing the other control type, and yet report that both likelihood and impact have been reduced. It’s important to be sure that any reduction in reported risk exposure matches the types of controls in place – there are no shortcuts when it comes to controls.
- Creating the risk register on behalf of the business – In some firms, it’s commonplace for the operational risk team to create the register of risks on behalf of the business, and then simply ask the business to sign off on the document. This is fraught with danger. F
