Self-assessment of operational risk

RMA Journal, The, Feb, 2002 by Mark Balfan, Phil Gledhill, Michael Haubenstock

Few would dispute the merits of an enterprise-wide assessment of operational risks. But why self-assessment? This installment of OR presents the value and implementation of self-assessment.

Operational risk management challenges are very different from those posed by market risk and credit risk. One fundamental difference is that there is no "position" to measure. Consequently, we need to apply a combination of different approaches to understand the current risk profile of the organization and how it might be changing.

An operational risk management framework (1) puts risk in the context of business strategy and risk appetite, establishes processes of risk assessment and measurement, and links the results to performance measures and shareholder value. But how do we know that all operational risks are understood and that they are being effectively monitored and improved? The answer lies in self-assessment--one of the critical components in the ORM framework.

Self-assessment (also called control self-assessment, or CSA) is a process whereby business areas identify and evaluate the risks incurred, the level of control the areas have over these risks, and action points for improvement. The starting point for CSA is a comprehensive set of risk definitions--usually a set of major categories and detailed subcategories. The next step, identification of the risks incurred, typically takes the form of a risk map that shows risks by business area and their relative frequency and severity. Additional sources of information can enrich the analysis:

* An examination of the history of loss events and near-misses highlights risk areas and provides insight into relative frequency and severity.

* The risk indicators used to monitor risk drivers and controls provide insight into the risk profile.

* A review of best practices and regulatory requirements for controls highlights additional risk areas.

* Audits and regulatory exams also will reveal potential weaknesses.

The Case for Self-Assessment

Self-assessment requires an investment in time and often technology. Organizations are committed to it because they realize self-assessment is necessary to:

* Create accountability in the line organizations. Line business areas are the "risk-takers" for operational risk and bear the profit-and-loss impact of any problems. A CSA process makes the risk analysis explicit, and line managers are therefore accountable for the results.

* Reinforce a culture of openness and transparency. Risk needs an open discussion to improve awareness and to allocate appropriate resources. CSA creates the forum to discuss the issues.

* Implement a proactive rather than reactive process. Businesses run better when they anticipate and correct problems before they occur. Preventing financial losses is also an important goal. CSA provides a method for identifying control weaknesses within the current process and developing action plans to eliminate the weaknesses.

* Engage various parts of the organization. Operational risk touches all parts of the organization and has many interdependencies between line and support areas, such as information technology. Self-assessment helps break down the silos to discuss risk across the organization and to discuss interdependencies. It may also help justify budgets for needed improvements.

* Increase awareness and ensure that all risks are considered. Operational risks cannot be specifically measured at a detailed level. There is no substitute for a complete understanding of risk. While many risk indicators exist, they are not comprehensive, and capital measures operate at too high a level to provide detailed insight into individual exposures. The qualitative analysis in self-assessment complements other quantitative measures to ensure that the full scope of operational risks is analyzed.

* Identify gaps and action items. Regardless of the source, the self-assessment process results in identification of control gaps and resulting action items. It consolidates the information from all sources into specific plans for improvement, accountability, and target dates.

* Enhance oversight and improve decision making. The results are reviewed by senior management in order to understand the organization's risk exposures and resulting plans. The expectation is support for the plans with the resources required to implement them.

* Improve audit efficiency. As the reliability of the CSA results improves, auditors may become more focused on the real issues facing the organization, rather than merely testing transaction details for errors. Consequently, audit time and time spent with auditors may decline.

Primary Alternatives in Self-Assessment

There is no one approach to self-assessment. The processes tend to evolve over time and often change purposefully to maintain interest and bring new insights into the risk profile. The alternative approaches are checklists, narratives, and facilitated workshops.

Checklists. Probably the most common approach, checklists are structured questionnaires distributed to business areas for them to identify the level of risk and related controls. Some are very short with broad categories of risk (such as governance, compliance, processing, people, technology), while others provide a more detailed list that includes expected controls to be in place. Business leaders typically respond with a level of applicability to their process, often with some indication of frequency and severity/impact and the degree of control. Some organizations attempt to indicate the level of inherent risk (prior to control) and the level of risk after current controls are in effect. Any control weaknesses demand some type of corrective action (or a specific statement to accept the exposure), responsibility, and planned completion date.


 


Content provided in partnership with Thompson Gale