The Shortcuts Trap – Risk and Control Self Assessments

How RCSA timesavers could increase risk within the business

This is the first in a series of four blogs about the ways in which common shortcuts can undermine overall risk management success within organizations. You can view the second blog here: ‘The Shortcuts Trap – Key Indicators Under Fire’

Operational risk teams are under pressure to reduce the amount of time that the business has to spend on completing risk and control self-assessments (RCSAs). However, these teams should stick to their guns. Common shortcuts lead to poor risk management outcomes, because the business will not have sufficient “skin in the game” unless it fully owns the risks that its part of the first line of defence runs, together with the responsibility for managing them. Common shortcuts that are cropping up include:

  • Copying previous assessments – While many risk management software solutions let users copy assessments, doing so is a bad idea. These solutions also allow risks and controls to be copied, which can be useful up to a point: a list of risks and controls from a similar operation can be a good starting point for a list tailored to a specific operation. The danger is that the business will not fully engage with the copied lists and modify them to reflect its own specific risks and controls. The same holds for assessments: there is a high likelihood that a copied assessment will never be turned into a bespoke assessment that reflects the reality of risk management within the business.
  • Assuming that residual risk equals inherent risk minus controls – Residual risk, inherent risk, and controls do form a composite set of three. However, the inherent risk score and the control score are both qualitative, subjective assessments. Believing that they can be combined arithmetically to produce a residual risk score that is “absolutely right” can lead to significant errors in understanding the risk the organization is exposed to. Both op risk teams and the business need to understand that these numbers are indicative of real risk, not a precise measure of it; they are no substitute for understanding the full risk picture.
  • Ignoring control types – There are four control types: directive, preventative, detective, and corrective. The first two reduce the likelihood of a risk event taking place, while the latter two lessen the impact should an event occur. Teams sometimes implement one kind of control without the other, and yet report that both likelihood and impact have been reduced. Any reduction in reported risk exposure must match the types of controls actually in place; there are no shortcuts when it comes to controls.
  • Creating the risk register on behalf of the business – In some firms, it is commonplace for the operational risk team to create the register of risks on behalf of the business and then simply ask the business to sign off on the document. This is fraught with danger. First, the risk register will not accurately reflect the risks in the business, because the business did not create it. Secondly, the business will not “own” those risks; organizationally, the op risk team will own them instead. Culturally, such a situation usually leads to poor risk management by the first line of defence and to blame being put on the second line should a risk crystallize.
  • Failing to anchor a discussion on risks with the business – When developing a risk register with the first line of defence, it is important to anchor the dialogue in their business objectives. Asking for “blue sky thinking” about risks can seem easier and less time-consuming, but it can produce an idiosyncratic list of risks, some of which may not be appropriate or meaningful. Anchoring the conversation about which risks belong in the risk register to the business objectives makes it more likely that the risks being managed are the right ones, given the first line’s activities.
  • Developing a common risk register – Some organizations have started to take out risks that many business units have in common, such as human resources risk or IT risk, and put them in a common risk register. The risk register for an individual business then contains only the risks specific to it, and quite often the only risks actively assessed by the business will be those specific ones. Culturally, this can be problematic, because the “centralized” risks are then highly likely to go unmanaged by the business, as they will be seen as risks held in common.
  • Aggregating RCSAs at a low level to create a high-level RCSA – Often this aggregation is done to save the risk committee or senior management time and effort. However, an aggregated RCSA score may not reflect the real level of risk that a senior executive or board member would see if they considered it properly. At a high level in an organization, there are numerous factors that should be taken into consideration that a simple aggregated score does not reflect.

In short, while pressures from the business to reduce its risk workload can be tremendous, op risk teams must not give in to them. Taking shortcuts will almost certainly lead to risks not being managed properly, which increases both the likelihood that a risk event will occur and the impact it will have.