What are the 3 chapters of Risk Profiling?
- Complete MRE determination
- Complete L3 risk assessment
- Complete L1 risk assessment
How are applicable MREs determined?
Workshop held:
* Identify processes owned by the DoCO
* For each (43) L3 risk, ask: Can a Risk Event eventuate from any owned processes.
* If yes, the L3 Risk and supporting MRE will be included in the Risk Profile.
Are risk records required for applicable risks/MREs?
Yes, GRACE will mandate the creation of a risk record.
Are rationales required for non-applicable risks/MREs?
Yes, rationale will be required.
What are 3 reasons we want to categorise risks and events properly?
- Correctly reflect the risks the BU or enabling unit is facing.
- Impacts ability to identify gaps in process/controls and uplift as required.
- Affects quality of reporting to Senior Management, Board Committees and regulators, and impacts their confidence in our ability to manage risks.
What does MRE refer to?
The type of risks that may occur.
Who will own Risk Profiles?
Risk Owner, being:
* Divisional executive for divisional profiles.
* CO Owner for CO profiles.
Which persona is to support the Risk Owner with specialist risk advice and complete tasks?
Risk Manager (DCO, GRC Facilitator, or equivalent).
What does 2nd Line Risk do?
Facilitates workshop and provides independent review.
What are the 6 steps of Chapter 2 - L3 risk assessment?
- Create L3 risk record(s)
- Prepare L3 risk description
- Complete CCA
- Complete RRA
- Complete TRA
- Determine L3 Risk response
Who performs Chapter 2 - L3 risk assessment?
Risk Manager (DCO or equivalent)
In L3 Risk assessment, what L3 risks are assessed?
The L3 risks identified in Chapter 1 – MRE determination
When writing risk descriptions, what taxonomies need to be used?
Cause and Impact Taxonomies
When writing risk descriptions, what should be included to align with bow-tie approach?
- Cause – what causes risk event to occur
- Event – what could go wrong
- Impact – implication of risk event on NAB
Who performs Chapter 3 – Complete L1 Risk Assessment
Risk Manager (DCO or equivalent)
What are the 3 tasks in completing L1 Risk Assessment?
- Create L1 risk record
- Validate CCA, RRA, and TRA for L1 risk
- Validate risk response for L1 risk
What is used to perform L1 Risk assessment?
Output from Chapters 1 & 2, which includes linking of all supporting L3 risk records
What calculations does GRACE automatically provide for L1 Risks, and what are they based on?
- CCA – based on lowest (worst) of all linked L3 CCAs
- RRA – based on highest (worst) of all L3 financial and non-financial impacts, and likelihood.
- TRA – based on highest (worst) of all L3 impacts/likelihood and latest target date
Must GRACE automatic calculations for CCA, RRA, TRA be accepted?
No, must validate rating and provide rational for any adjustments
How is risk response completed?
Manually, using ALARP approach, informed by L3 risk responses.
What are the 3 ALARP categories?
- Requires action
- Tolerable
- Acceptable
What does RRA stand for?
Residual Risk Assessment
What is are the steps of the L3 RRA?
- Assess residual FI (input dollar amount)
- Assess residual NFI (input impact classification)
- Input justification for residual NF&FI
- Assess and input residual likelihood
- Calculate risk rating
* L3 RRA completed
FIs are assessed based on data both inside and outside of GRACE. What data side GRACE informs FI assessment?
- Internal losses (# and $ over last 3 years)
- External losses (Australian banking/financial industry only)
- Top 5 external losses across all industries globally
- CCA Outcome
-
Showcase 17th April (RP + CCA)62
-
PVOR9
-
PACE 2.024
-
Risk Profiling45
-
PVOR Milestones as at 30th April30
-
PVOR - CCoE & ORM Responsibilities2
-
CPS 230 Postcard #521
-
CO Early Adoption Timeline5
-
All Epics - Definitions of Done0
-
User Tooling 2.08
-
Divisions / BUs / EUs4
-
GRACE Personas30
-
Continuous Monitoring9
-
PVOR (as at 23rd May 2024)20
-
PVOR Plan as at 29th May27
-
Risk Profiling eLearn25
