Assignment 1: Risk Identification, Assessment, Response and Communication
Background Overview:
Assignment Objective:
You are a risk manager of a publicly traded company that is facing business problems/ risks. You have been tasked with creating a dashboard report for the board risk committee, using the template/ rubric provided and the Likelihood and Impact rating scale provided. In the dashboard report, you will identify, assess, respond to (action plan) and communicate key/ material risks to the Board risk committee. Students are expected to develop original work.
Select a publicly available risk event of a publicly traded company. In addition, review the company's annual report to identify material and nonmaterial risks across business lines, products, and services. For the risks (the one real risk event, plus other risks drawn from business lines, products, and services in the annual report), complete the template below, which provides the instructions and the rubric for grading:
Template and Rubric for Grading:
Column 1 - Risk Name/ Type: 10 points (5 per risk type)
Column 2 - Risk Description: 20 points (10 per risk type)
Column 3 - Inherent Risk Rating/ Rationale: 10 points (5 per risk type)
Column 4 - Controls: 20 points (10 per risk type)
Column 5 - Residual Risk Rating: 10 points (5 per risk type)
Column 6 - Action Plans: 10 points (5 per risk type)
Column 7 - Rationale for Residual Risk Rating: 20 points (10 per risk type)
Total: 100 points (50 per risk type)
Example row (Risk Type #1):
Risk Name/ Type: Inaccurate Disbursement (Operational Risk)
Risk Description (describe who, what, when, why, how, and root causes): On xx date, an employee initiated wire transfers from client accounts to his own external account due to lack of segregation of duties and entitlement controls, causing xxx in financial loss.
Inherent Risk Rating/ Rationale: High (red). Once a month, 5M – 20M
Controls: Maker checker; Call back for new accounts; Accounts payable review before execution
Residual Risk Rating: Moderate (yellow). Once a quarter, 500k – 5M
Action Plans: Implement escalated tier-based approval in the policy based on $$ amount.
Rationale for Residual Risk Rating: How do the controls effectively reduce (or not) the inherent risk rating (High - red) to the residual rating (yellow - moderate)?
Risk Type #2
For each risk, fill in the template as follows:
1) Column 1: Identify two potential risks for the publicly traded company. Your reasoning must be consistent with publicly available information about the risk event, but you may draw additional conclusions based on this information. The risks can be categorized as credit, liquidity, strategic/business/reputation, market, operational, compliance/legal, financial, and capital adequacy.
2) Column 2: Provide a brief description of the risk event (describe who, what, when, why, how, and root cause).
3) Column 3: Assess and fill in the inherent risk rating column using the rationale of Frequency and Severity of Impact, as shown in the example. If not readily available, assume/ guess the Frequency and Severity of Impact for the firm and then pick the color from the Exhibit.
4) Column 4: Identify at least two controls that in your opinion were absent. Explain how the lack of each control would have contributed to the risk event, and identify the vulnerabilities most likely to have contributed to the event.
5) Column 5: Fill in the residual risk rating field using Frequency and Severity. (You may guess the Frequency and Severity of impact if not readily available.)
6) Column 6: Create at least one action plan that would mitigate the risk. (An action plan is a description of a NEW control to be created or an existing control to be enhanced.)
7) Column 7: Risk Rating Rationale: focus on the control strength or weakness that led to the residual risk rating, i.e. why the residual risk is reduced to yellow based on the strength(s) of the control(s). Identify the weaknesses apparent in the information system, system security procedures, internal controls, or implementation that could have been exploited by the threat source, and explain how the control could have mitigated the threat frequency or severity of impact. For example: what is the rationale for the residual risk rating? How do the controls effectively reduce (or not) the inherent risk rating to the residual risk rating?
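The controls and action plan in the example row (maker checker, callback for new accounts, accounts payable review, and tier-based approval by amount) can be expressed as a pre-execution policy check on a wire request. The following is an added illustration, not part of the assignment or of COSO's material; the data model, the entitlement lookup and the dollar thresholds of the approval tiers are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed approval tiers for the "escalated tier-based approval" action plan:
# (maximum amount, number of independent approvals required). The page gives
# no thresholds; these are illustrative only.
APPROVAL_TIERS = [(500_000, 1), (5_000_000, 2), (float("inf"), 3)]


@dataclass
class WireRequest:
    maker: str                  # employee who initiated the transfer
    client_account: str         # account being debited
    beneficiary_account: str    # external account being credited
    beneficiary_owner: str      # owner of the external account (from its KYC record)
    amount: float
    approvers: list = field(default_factory=list)
    callback_done: bool = False  # client confirmed the beneficiary by callback
    ap_reviewed: bool = False    # accounts payable reviewed before execution


def required_approvals(amount):
    """Number of independent approvals for this amount under the assumed tiers."""
    for ceiling, n in APPROVAL_TIERS:
        if amount <= ceiling:
            return n
    return APPROVAL_TIERS[-1][1]


def control_findings(req, entitlements, known_beneficiaries):
    """Return the list of failed controls; an empty list means the wire may execute.

    entitlements: mapping of employee -> set of client accounts they may debit.
    known_beneficiaries: set of beneficiary accounts already verified by callback.
    """
    findings = []
    # Entitlement control: the maker must be entitled to the debited account.
    if req.client_account not in entitlements.get(req.maker, set()):
        findings.append("maker not entitled to client account")
    # Conflict of interest: the maker may not pay an account he owns himself.
    if req.beneficiary_owner == req.maker:
        findings.append("beneficiary owned by maker")
    # Maker checker / segregation of duties: approvals must come from others.
    checkers = set(req.approvers) - {req.maker}
    needed = required_approvals(req.amount)
    if len(checkers) < needed:
        findings.append(f"needs {needed} independent approvals")
    # Callback for new accounts: unknown beneficiaries need a confirmed callback.
    if req.beneficiary_account not in known_beneficiaries and not req.callback_done:
        findings.append("callback not performed for new beneficiary")
    if not req.ap_reviewed:
        findings.append("accounts payable review missing")
    return findings
```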
Likelihood rating scale (Frequency):
1 Rare: In more than/ every 5 years
2 Infrequent: In the next/ every 3-5 years
3 Occasional: Within the next/ every 1-3 years
4 Frequent: Within the next/ every 1 year
5 Imminent: Within the next/ every Qtr.
Impact rating scale:
1 Minor
2 Moderate
3 Significant
4 Severe
5 Catastrophic
Critical success factors (impact dimensions): Financial Exposure, Brand Damage, Legal/ Regulatory Action, Health & Safety, Staffing, Client Operations
Impact-level descriptions (only fragments recovered): "... required for employees or third parties, such as customers or vendors"; "... including class actions, incarceration of leadership"
Source: COSO, Risk Assessment in Practice