Heat Map Strength & Weakness
Strength: Easy to communicate and visualize
Weakness: May oversimplify risks
Heat Map User
Risk managers, executives
Bow-Tie Analysis Strength & Weakness
Strength: Comprehensive view of causes and consequences
Weakness: Time-consuming and complex to create
Bow-Tie Analysis User
Risk professionals, control experts
RCSA User
Operational staff, risk managers
What is the Risk and Control Self-Assessment (RCSA)
- Integral part of operational risk management frameworks
- Structured approach to understand the effectiveness of the control environment by identifying and assessing operational risks and associated controls
- Helps determine whether the residual risk is within approved risk boundaries
What is the value RCSA
- Correct internal control gaps on a timely basis
- Improve value
- Provide assurance
- Enhance risk culture
What can RCSA lead to
- Corrective actions
- Review of risk boundaries
- Accepting the level of risk for a period of time
- Management and board reporting
RCSA Key Considerations
- What risks to cover?
- What elements are required?
- Who does what?
RCSA Pros
- Interaction with other control processes
- a real-time view of the enterprise control environment
- Improve business value and enhance risk
culture
RCSA Cons
- Can be time-consuming and manually intensive
- Relies heavily on the quality of inputs
- Only captures what is known (room for bias)
KRIs First Line
Business Units
- Identifies KRIs
- Sets thresholds
- Monitors positions
- Escalates breaches of limits to management
KRIs Second Line
Risk Management
- Creates KRI framework and provide training
- Challenges / provides guidance to KRI selection process
- Facilitates reporting / escalation of breaches
- Identifies trends
KRIs Third Line
Internal Audit
- Provides validation/assurance around KRI processes
KRI Lifecycle
- Develop KRIs
- Establish KRI thresholds
- Monitor and report on KRIs
- Manage breaches of KRIs
- Revise KRIs as needed
As much as possible, KRIs should be developed to align to the
root causes of risk events
To Develop KRIs Some key considerations include
- an iterative and continuous process
- consistent KRI definitions and data inputs
required - KRIs sometimes present the best early warning signals when seen together
- Important to consider frequency of data collection
Effective KRIs should be
Measurable, Predictable, Comparable, and Informational
KRIs are
measures summarizing the frequency, severity, and impact of an event or corporate actions during a reporting period so they can be articulated that way
What are KRI thresholds?
These are the values that, if breached, should prompt a review of the causes and ascertain that no major issue is brewing
Important steps in setting KRI thresholds
- Determine and validate trigger levels or thresholds
- Based on industry tolerance or internal acceptance
- Board of Directors should approve thresholds (sometimes)
- Should coincide with risk appetite statement
KRI Monitoring and Reporting
- Frequency
- Format
- Escalation
- Hierarchy
- Outcomes
Examples: Key Risk Indicators
- Compliance
- Process, System, People
- Credit
- Balance Sheet Growth
- Capital Adequacy
- Profitability / Earning
