How RCSA timesavers could increase risk within the business
This is the first in a series of four blogs about the ways in which common shortcuts can undermine overall risk management success within organizations. You can view the second blog here ‘The Shortcuts Trap – Key Indicators Under Fire’
Operational risk teams are under pressure to reduce the amount of time the business has to spend completing risk and control self-assessments (RCSAs). However, these teams should stick to their guns. Common shortcuts lead to poor risk management outcomes, because the business will not have sufficient “skin in the game” unless it fully owns both the risks run by its part of the first line of defence and the responsibility for managing them. Common shortcuts that are cropping up include:
- Copying previous assessments – Many risk management software solutions let users copy an entire assessment, but it is a bad idea to do so. These solutions also allow risks and controls to be copied, which can be beneficial up to a point: a list of risks and controls from another, similar operation can be a good starting point for building a list tailored to a specific operation. The danger is that the business will not fully engage and modify the copied lists to reflect its own operation’s specific risks and controls. The same holds true for assessments – the likelihood that a copied assessment is never turned into a bespoke assessment reflecting the reality of risk management within the business is high.
- Assuming that residual risk equals inherent risk minus controls – Residual risk, inherent risk, and controls are indeed a composite set of three. However, the inherent risk score and the control effectiveness score are both qualitative, subjective assessments. Believing that they can be combined arithmetically to produce a residual risk score that is “absolutely right” can lead to significant errors in understanding the risk the organization is exposed to. Both op risk teams and the business need to understand that these numbers are indicative of real risk, not a precise measure of it – they are no substitute for understanding the full risk picture.
- Ignoring control types – There are four control types: directive, preventative, detective, and corrective. The first two reduce the likelihood of a risk event taking place, while the second two lessen the impact should an event occur. Teams sometimes implement controls of only one kind (for example, only preventative controls) and yet report that both likelihood and impact have been reduced. Any reduction in reported risk exposure must match the types of controls actually in place – there are no shortcuts when it comes to controls.
- Creating the risk register on behalf of the business – In some firms, it is commonplace for the operational risk team to create the register of risks on behalf of the business, and then simply ask the business to sign off on the document. This is fraught with danger. First, the risk register will not be an accurate reflection of the risks in the business, because it was not created by the people who run that business. Secondly, the business will not “own” those risks – organizationally, the op risk team will own them instead. Culturally, such a situation usually leads to poor risk management by the first line of defence, and to blame being put on the second line should a risk crystallize.
- Failing to anchor a discussion on risks with the business – When developing a risk register with the first line of defence, it is important to anchor the dialogue in their business objectives. Asking for “blue sky thinking” about risks, which can seem easier and less time-consuming, tends to produce an idiosyncratic list, some items of which may be neither appropriate nor meaningful. Anchoring the conversation about which risks belong in the register to the business objectives makes it more likely that the risks being managed are the right ones, given the first line’s activities.
- Developing a common risk register – Some organizations have started to take risks that many business units have in common, such as human resources risk or IT risk, out of the individual registers and put them into a common risk register. The risk register for an individual business then contains only the risks specific to it, and quite often those specific risks become the only ones the business actively assesses. Culturally, this is problematic: the “centralized” risks are highly likely to go unmanaged by the business, because they are seen as risks held in common and therefore as somebody else’s responsibility.
- Aggregating RCSAs at a low level to create a high level RCSA – This aggregation is often done to save the risk committee or senior management time and effort. However, an aggregated RCSA score may not reflect the real level of risk that a senior executive or board member would recognize if they considered the underlying assessments properly. At a high level in an organization there are numerous factors that should be taken into consideration that a simple aggregated score cannot capture, and a single severe risk can be masked by averaging it with many minor ones.
In short, while it is true that pressure from the business to reduce its risk workload can be tremendous, it is important that op risk teams do not give in to it. Taking shortcuts will almost certainly lead to risks not being managed properly, which in turn increases both the likelihood that a risk event will occur and the impact it will have when it does.