The Shortcuts Trap – Risk and Control Self Assessments
How RCSA timesavers could increase risk within the business
This is the first in a series of four blogs about the ways in which common shortcuts can undermine overall risk management success within organizations. You can view the second blog here ‘The Shortcuts Trap – Key Indicators Under Fire’
Operational risk teams are under pressure to reduce the amount of time that the business has to spend on completing risk and control self-assessments (RCSAs). However, these teams should stick to their guns. Common shortcuts can lead to poor risk management outcomes, because the business will not have sufficient “skin in the game” if it does not have full ownership of the risks run by its part of the first line of defence, and of the need to manage them. Common shortcuts that are cropping up include:
- Copying previous assessments – While many risk management software solutions enable users to copy assessments, it’s a bad idea to do this. These solutions also allow risks and controls to be copied, which can be beneficial up to a point. Using a list of risks and controls from another similar operation can be a good starting point for creating a list tailored to a specific operation. However, there is the possibility that the business will not fully engage and modify these copied lists to reflect their operation’s own specific risks and controls. The same holds true for assessments: the likelihood that a copied assessment won’t then be turned into a bespoke assessment that reflects the reality of risk management within the business can be high.
- Assuming that residual risk equals inherent risk minus controls – Residual risk, inherent risk, and controls are indeed a composite set of three. However, the inherent risk score and the control score are both qualitative and subjective assessments. Believing that these can be linked arithmetically to produce a final residual risk score that is “absolutely right” can lead to significant errors in understanding the risk that the organization is exposed to. Both operational risk teams and the business need to understand that these numbers are suggestive of what real risk is, not a precise measure; they are no substitute for understanding the full risk picture.
- Ignoring control types – There are four control types: directive, preventative, detective, and corrective. The first two control types help to reduce the likelihood of a risk event taking place, while the second two lessen the impact should an event occur. Teams sometimes implement one type of control without implementing the other type, and yet report that both likelihood and impact have been reduced. It’s important to be sure that any reduction in reported risk exposure matches the types of controls in place; there are no shortcuts when it comes to controls.
- Creating the risk register on behalf of the business – In some firms, it’s commonplace for the operational risk team to create the register of risks on behalf of the business, and then simply ask the business to sign off on the document. This is fraught with danger. First, the risk register won’t be an accurate reflection of the risks in the business because it was not created by the business. Secondly, the business won’t “own” those risks; instead, organizationally, the op risk team will own them. Culturally, such a situation usually leads to poor risk management by the first line of defence and blame being put on the second line should a risk crystallize.
- Failing to anchor a discussion on risks with the business – When developing a risk register with the first line of defence, it is important to anchor the dialogue within their business objectives. Asking for “blue sky thinking” about risks, which can seem easier and less time-consuming, can produce an idiosyncratic list of risks, some of which may not be appropriate or meaningful. Anchoring the conversation about which risks should be in the risk register to the business objectives makes it more likely that the risks being managed are the right ones, given the first line’s activities.
- Developing a common risk register – Some organizations have started to take out risks that many business units have in common, such as human resources risk or IT risk, and put them in a common risk register. The risk register for an individual business then only contains the risks specific to it. Quite often, the only risks then actively assessed by the business will be their specific ones. Culturally, this can be problematic because it’s highly likely that the “centralized” risks will then fail to be managed effectively by the business, as they will be seen to be risks held in common.
- Aggregating low-level RCSAs to create a high-level RCSA – Often this aggregation is done to save the risk committee or senior management time and effort. However, an aggregated RCSA score may not reflect the real level of risk, were it to be considered properly by a senior executive or board member. At a high level in an organization, there are numerous factors that should be taken into consideration that would not be reflected in a simple aggregated score.
In short, while it’s true that pressure from the business to reduce its risk workload can be tremendous, it’s important that op risk teams do not give in to it. Taking shortcuts will almost certainly lead to risks not being managed properly, which will of course increase both the likelihood that a risk event will take place and the impact that such an event will have.