Risk Identification, Assessment, Response and Communication

Assignment 1: Risk Identification, Assessment, Response and Communication

Background Overview:

  • Risks and controls resulting from the business self-assessments (also called RCSAs) are recorded in the firm’s risk register and owned by the business. Scorecards build on RCSAs by weighting residual risks, translating the RCSA output into metrics that give a relative ranking of the control environment. These scorecards quantify the impact (severity) and likelihood (frequency) of each risk occurring using the firm’s uniform scoring methodology (e.g. H/M/L – see Exhibit).
  • The RCSA process considers financial, client, legal & regulatory and reputation risks when assessing risk impact. The outcome of a risk assessment (ad hoc, specific or process driven) is a list of potential risks to which the firm is exposed. These identified risks, along with their scoring, their mitigating controls, and the control scoring (controls are also scored, but that is not asked for here), must be stored in a structured, formal risk register. Regulated firms keep their risk register updated and ready to disclose to a regulator should that requirement arise.
  • Where risk-mitigating controls are scored low or weak, in terms of either design or performance, an action plan must be defined immediately and assigned to one or more owners (across the 1st and/or 2nd lines of defense). The action plan further manages the risk within the firm’s risk appetite by adding new controls or enhancing existing ones. The aim is to bring the residual risk within a pre-determined risk appetite (e.g. from moderate to low, or, for a moving target such as cyber, to hold residual risk at moderate by establishing capabilities).
  • The risk management department follows up on, tracks and reports (to the risk committee or board) on every action plan until completion, since in the interim the control in place may not be robust enough and compensating controls are needed. Ultimately, the head of risk may block an initiative or place a condition on it (an exception raised to senior management and/or the Board) if a given initiative, action plan or project serving as a risk-mitigating control is not in place, is not progressing as planned, or is found not to be robust enough by a specified time.

Assignment Objective:

You are the risk manager of a publicly traded company that is facing business problems and risks. You have been tasked with creating a dashboard report for the board risk committee, using the template/ rubric provided and the Likelihood and Impact rating scale provided. In the dashboard report you will identify, assess, respond to (action plan) and communicate key/ material risks to the Board risk committee. Students are expected to develop original work.

Select a publicly available risk event of a publicly traded company. In addition, review the company’s annual report to identify material and non-material risks across business lines, products, and services. For each risk (the one real event, plus other risks drawn from the business lines, products, and services in the annual report), describe the items listed in the template below, which also provides the instructions and the rubric for grading:

  • Citations: You are required to cite information sources as appropriate.
  • Length: Your assignment should be no longer than 2 pages (double-spaced).
  • Provide your name / UNI, clear assumptions, references and citations, proper format / spelling and grammar / length.

Template and Rubric for Grading (Total 100 points, 50 per risk type):

  • Column 1 – Risk Name/ Type: 10 points (5 per risk type)
  • Column 2 – Risk Description: 20 points (10 per risk type)
  • Column 3 – Inherent Risk Rating: 10 points (5 per risk type)
  • Column 4 – Controls: 20 points (10 per risk type)
  • Column 5 – Residual Risk Rating: 10 points (5 per risk type)
  • Column 6 – Action Plans: 10 points (5 per risk type)
  • Column 7 – Rationale for Residual Risk: 20 points (10 per risk type)

Example row – Inaccurate Disbursement (Operational Risk):

  • Risk Name/ Type: Inaccurate Disbursement (Operational Risk)
  • Risk Description (describe who, what, when, why, how, and root causes): On xx date, an employee initiated wire transfers from client accounts to his own external account due to a lack of segregation of duties and entitlement controls, causing xxx in financial loss.
  • Inherent Risk Rating: Once a month, 5M – 20M
  • Controls: Maker checker; call back for new accounts; accounts payable review before execution
  • Residual Risk Rating: Once a quarter, 500k – 5M
  • Action Plans: Implement escalated tier-based approval in the policy based on $$ amount.
  • Rationale for Residual Risk: How do the controls effectively reduce (or not) the inherent risk rating (High – red) to (yellow – moderate)?

Risk Type #2: (second row, same columns)

For each risk, fill the template with the following:

1) Column 1: Identify two potential risks for the publicly traded company. Your reasoning must be consistent with publicly available information about the risk event, but you may draw additional conclusions based on this information. The risks can be categorized as credit, liquidity, strategic/business/reputation, market, operational, compliance/legal, financial, and capital adequacy.

2) Column 2: Provide a brief description of the risk event (describe who, what, when, why, how, and root cause).

3) Column 3: Assess and fill the inherent risk rating column using the rationale of Frequency and Severity of Impact as shown in the example. If not readily available, assume/ guess the Frequency and Severity of Impact for the firm and then pick the color from the Exhibit.

4) Column 4: Identify at least two controls that in your opinion were absent. Explain how the lack of each control would have contributed to the risk event. Identify the vulnerabilities most likely to have contributed to the event.

5) Column 5: Fill the residual risk rating field using the Frequency and Severity (you may guess the Frequency and Severity of Impact if not readily available).

6) Column 6: Create a minimum of one action plan that would mitigate the risk (an action plan is a description of how to create a NEW control or enhance an existing control).

7) Column 7: Risk Rating Rationale: focus on the control (the strength or weakness that led to the residual risk rating) and explain why the residual risk is reduced to yellow based on the strength(s) of the control(s). Identify the weaknesses apparent in the information system, system security procedures, internal controls, or implementation that could have been exploited by the threat source. Explain how the control could have mitigated the threat frequency or severity of impact. For example: what is the rationale for the residual risk rating? How do the controls effectively reduce (or not) the inherent risk rating to the residual risk rating?

Exhibit: Likelihood and Impact rating scale

Likelihood (Frequency):

  • 1 Rare – In more than/ every 5 years
  • 2 Infrequent – In the next/ every 3-5 years
  • 3 Occasional – Within the next/ every 1-3 years
  • 4 Frequent – Within the next/ every 1 year
  • 5 Imminent – Within the next/ every Qtr.

Impact – Critical success: Financial Exposure, Brand Damage, Legal/ Regulatory Action, Health & Safety, Staffing, Client Operations:

  • 1 Minor – Financial loss up to $X million; local media attention quickly remedied; not reportable to regulator; no injuries to employees or third parties, such as customers or vendors; isolated staff dissatisfaction
  • 2 Moderate – Financial loss of $X million up to $X million; local reputational damage; reportable incident to regulator, no follow up; no or minor injuries to employees or third parties, such as customers or vendors; general staff morale problems and increase in turnover
  • 3 Significant – Financial loss of $X million up to $X million; national short-term negative media coverage; report of breach to regulator with immediate correction to be implemented; out-patient medical treatment required for employees or third parties, such as customers or vendors; widespread staff morale problems and high turnover
  • 4 Severe – Financial loss of $X million up to $X million; national long-term negative media coverage, significant loss of market share; report to regulator requiring major project for corrective action; limited in-patient care required for employees or third parties, such as customers or vendors; some senior managers leave, high turnover of experienced staff, not perceived as employer of choice
  • 5 Catastrophic – Financial loss of $X million or more; international long-term negative media coverage, game-changing loss of market share; significant prosecution and fines, litigation including class actions, incarceration of leadership; significant injuries or fatalities to employees or third parties, such as customers or vendors; multiple senior leaders leave

Source: COSO, Risk Assessment in Practice
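The following is an added worked example (not part of the assignment, the template, or COSO’s exhibit) showing how the Frequency and Severity bands above turn into an inherent and a residual rating for the template’s example row, and how the residual rating is then compared with a risk appetite. Two things are assumptions because the page leaves them open: the dollar thresholds in the Financial Exposure row are placeholders ($X million) on the page, so the figures used here are constructed; and the colour of a likelihood × impact cell is not defined beyond “High – red” and “yellow – moderate”, so the product cut-offs are assumed.

```python
"""Scoring one risk-register row from frequency and severity (added example).

Likelihood bands follow the exhibit's Frequency row.  Impact bands use the
exhibit's Financial Exposure row with CONSTRUCTED dollar thresholds standing
in for the page's "$X million" placeholders.  Heat-map colours are an
assumed mapping of the 1..25 likelihood x impact product.
"""

# (longest interval between events, in years, still inside the band; rating; descriptor)
LIKELIHOOD_BANDS = [
    (0.25, 5, "Imminent"),    # within the next/every quarter
    (1.0, 4, "Frequent"),     # within the next/every 1 year
    (3.0, 3, "Occasional"),   # within the next/every 1-3 years
    (5.0, 2, "Infrequent"),   # in the next/every 3-5 years
]
RARE = (1, "Rare")            # less often than every 5 years

# (largest loss, in USD, still inside the band; rating; descriptor) - CONSTRUCTED thresholds
IMPACT_BANDS = [
    (1_000_000, 1, "Minor"),
    (5_000_000, 2, "Moderate"),
    (20_000_000, 3, "Significant"),
    (50_000_000, 4, "Severe"),
]
CATASTROPHIC = (5, "Catastrophic")   # above the largest Severe threshold

HEAT_ORDER = ["green (Low)", "yellow (Moderate)", "red (High)"]


def likelihood(interval_years):
    """Map 'once every N years' onto the 1-5 likelihood rating."""
    for max_interval, rating, name in LIKELIHOOD_BANDS:
        if interval_years <= max_interval:
            return rating, name
    return RARE


def impact(loss_usd):
    """Map a worst-case financial loss onto the 1-5 impact rating."""
    for max_loss, rating, name in IMPACT_BANDS:
        if loss_usd <= max_loss:
            return rating, name
    return CATASTROPHIC


def heat_colour(score):
    """Assumed heat-map cut-offs on the likelihood x impact product."""
    if score >= 15:
        return "red (High)"
    if score >= 8:
        return "yellow (Moderate)"
    return "green (Low)"


def assess(interval_years, worst_case_loss_usd):
    """One rating cell: frequency and severity in, rated colour out."""
    l_rating, l_name = likelihood(interval_years)
    i_rating, i_name = impact(worst_case_loss_usd)
    score = l_rating * i_rating
    return {
        "likelihood": l_rating, "likelihood_name": l_name,
        "impact": i_rating, "impact_name": i_name,
        "score": score, "rating": heat_colour(score),
    }


def within_appetite(rating, appetite="yellow (Moderate)"):
    """True when the rated colour is no worse than the stated risk appetite."""
    return HEAT_ORDER.index(rating) <= HEAT_ORDER.index(appetite)


def rate_register_row(inherent, residual, appetite="yellow (Moderate)"):
    """Score the inherent and residual columns of one template row and flag
    whether the residual rating still sits outside the risk appetite (the
    case the background text says is escalated to senior management)."""
    inh = assess(*inherent)
    res = assess(*residual)
    return {
        "inherent": inh["rating"],
        "residual": res["rating"],
        "reduction": inh["score"] - res["score"],
        "within_appetite": within_appetite(res["rating"], appetite),
    }


if __name__ == "__main__":
    # The template's example row: inherent "once a month, 5M-20M" (worst case
    # taken as the top of the band) and residual "once a quarter, 500k-5M"
    # after the maker-checker, call-back and accounts-payable-review controls.
    print(rate_register_row(inherent=(1 / 12, 20_000_000),
                            residual=(0.25, 5_000_000)))
```

Note what the example row shows when scored this way: the controls barely move the likelihood band (monthly and quarterly both fall in the Imminent band), and the whole reduction from red to yellow comes from capping the severity, which is the point to make in the Column 7 rationale. A residual that stays red (for instance a quarterly event whose worst case is still above the Severe threshold) comes back with within_appetite False, which is exactly the exception the background text says the head of risk raises to senior management or the Board.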


