INDIVIDUAL Assignment 1: Risk Identification, Assessment, Response, Monitoring (KRIs) and Action Plans

Background Overview:
⦁ Risks and controls resulting from the business self-assessments (also called RCSA) are recorded in the firm’s risk register and owned by the business. Scorecards build on the Risk and Control Self-Assessments (RCSAs) by weighting residual risks, providing a means of translating the RCSA output into metrics that give a relative ranking of the control environment. These scorecards include the quantification of the impact (severity) and likelihood (frequency) of the risks occurring, using the firm’s uniform scoring methodology (e.g. H/M/L; see Exhibit).
⦁ The RCSA process considers financial, client, legal & regulatory and reputation risks when assessing risk impact. The outcome of risk assessments (ad hoc, specific or process driven) is a list of potential risks to which the firm is exposed. These identified risks, along with their scoring, their mitigating controls, and the control scoring (controls are also scored, but that is not asked for here), must be stored in a structured, formal risk register. Regulated firms keep their risk register updated and ready to disclose to a regulator if that requirement arises.
⦁ Where risk mitigating controls are scored low or weak, either in terms of design or performance, action plans must be defined immediately and assigned to one or more owners (across the 1st and/or 2nd lines of defense). The action plan is to further manage the risk within the firm’s risk appetite by adding new controls or enhancing existing ones. The aim is to bring the residual risk to within a pre-determined risk appetite (e.g. from moderate to low, or, for a moving target such as cyber, to maintain residual risk at moderate by establishing risk capabilities and improving maturity).

⦁ The risk management department follows up on, tracks and reports (to the risk committee or board) any action plan that is in progress until completion, since in the interim the control in place may not be robust enough and compensating controls are needed. Ultimately, the head of risk might block an initiative or place a condition on it (with an exception raised to senior management and/or the Board) if a certain initiative, action plan or project (serving as a risk mitigation control) is not in place, is not progressing as planned, or is found not to be robust enough by a specified time.

Assignment Objective: You are a risk manager of a publicly traded company that is facing business problems/ risks. Create a dashboard report to the board risk committee leveraging the rubric provided. In the dashboard report, you will identify, assess, respond (action plan) and communicate key/ material risks to the Board risk committee. Use the Likelihood and Impact rating scale provided in class and adapt to your company’s size, complexity and business risk profile to derive the inherent risk, control rating and residual risk rating. Students are expected to develop original work.

Approach: You need to correctly identify, via the root cause analysis taught in class and homework, 2 material/key risks (with one or more risk events), ideally across 2 principal risk types that are the root cause (example: 1 Operational, 1 Strategic). Please note that Reputational Risk cannot be considered a root cause, so do not use it except as a secondary or tertiary knock-on effect.

⦁ Select one or more real risk event/s of a publicly traded company from the news.
⦁ In addition, review the annual report or news to identify key/ material risks (business lines, products, and services).

For the 2 material/key risks identified (with one or more risk events), ideally across 2 principal risk types, describe the following, using the template that provides the instructions and the rubric for grading:

Rubric for Grading:
Part A: For each risk, fill the template with the following:
⦁ (10 points: 5 points per material risk type) Column 1: Identify, via the root cause analysis taught in class and homework, 2 material/key risks (with one or more risk events), ideally across 2 principal risk types that are the root cause for the publicly traded company. Your reasoning must be consistent with publicly available information about the risk event, but you may draw additional conclusions based on this information.
The risks can be categorized as financial risk (credit, market, liquidity/funding), strategic risk, operational risk, compliance risk.

⦁ (10 points: 5 points per material risk type) Column 2: Provide a brief description of the risk event including the threat source or root cause. Use the Titanic example of the 5 Whys to get to the threat source/root cause. (Describe who, what, when, why, how, and the root cause.)

⦁ (10 points: 5 points per material risk type) Column 3: Assess and fill in the inherent risk rating column using the Likelihood and Impact rating scale provided in class, adapted to your company’s size, complexity and business risk profile, to derive the inherent risk, control rating and residual risk rating. Be sure to justify both the Likelihood and the Impact, and identify as many of the factors in the COSO Risk Assessment table sample shared in class as may be relevant here.

⦁ (10 points: 5 points per material risk type) Column 4: Identify at least two controls per risk event or material risk that, in your opinion, were absent or weak. This is the control weakness/vulnerability that was exploited. Identify the vulnerabilities most likely to contribute to the risk materializing, or that have contributed to the event.

⦁ (10 points: 5 points per material risk type) Column 5: Fill in the residual risk rating field using the Impact and Likelihood ratings. (You may estimate frequency and severity of impact if not readily available.) This is the rating after control strength/weakness (the recommended remediation) is taken into account.

⦁ (10 points: 5 points per material risk type) Column 6: Create a minimum of one action plan (projects) that would mitigate/reduce the risk to an acceptable level along with completion timeline (An action plan is a description to create a NEW control or enhance an existing control).

⦁ (10 points: 5 points per material risk type) Column 7: Risk Rating Rationale. Focus on the control (the strength or weakness that led to the residual risk rating) and explain why the residual risk is reduced to yellow based on the strength(s) of the control(s). Identify the weaknesses apparent in the information system, system security procedures, internal controls, or implementation that could have been exploited by the threat source. Explain how the control could have mitigated the threat frequency or the severity of impact. For example: what is the rationale for the residual risk rating? How do the controls effectively reduce (or not) the inherent risk rating to the residual risk rating?

Part B: For the 2 risks identified above, propose the following. It is mandatory to read and apply the KRI concepts provided in the COSO paper entitled “Developing Key Risk Indicators to Strengthen Enterprise Risk Management”, provided in Canvas files (see the sections Developing KRIs, Sources & Information When Developing KRIs, and KRI Communication & Reporting).
⦁ (10 points) Document approach to monitor the effectiveness of the 2 recommended controls. You should consider the monitoring frequency, defend the approach, and identify any challenges, if any, with implementing the monitoring mechanisms.

⦁ (10 points) At least 1 Key Risk Indicator (KRI) for each risk. It is acceptable to use the same indicator for the two distinct risks as long as you explain why the proposed KRI is good for each risk. You should also identify the challenges, if any, associated with implementing each proposed KRI.

⦁ (10 points) Writing: Communicate your analysis in a clear and concise manner.
Your work will be evaluated based on the following criteria:
⦁ Writing: Communicate your analysis in a clear and concise manner. Check for spelling and grammar. – 2 points
⦁ Risk Identification and supporting Analysis: Provide clear root cause analysis and assumptions. Ability to identify key aspects and linkages of the analysis (inherent risk, control, residual risk, KRI, action plan). We encourage you to include external sources and your own analysis while leveraging class material and required readings. Cite references in footnotes or endnotes. – 7 points
⦁ Length: Provide your name / UNI. Your assignment should be no longer than 10 PowerPoint slides. – 1 point

Reference Material from Class Slides- Session 2
How to Determine Residual Risk Rating?

Control Effectiveness (strength or weakness) determines Residual Risk

FOR REFERENCE ONLY: Please design/create your own templates based on the rubric above; the template and sample row below are for reference only.

Template columns:
Column 1: Risk Name / Root cause (Risk Type)
Column 2: Explain the Risk Event including the threat source
Column 3: Inherent Risk Rating and Rationale
Column 4: Control Rating and rationale (consider the weakness/vulnerability that was exploited)
Column 5: Residual Risk Rating (after control strength/weakness is taken into account)
Column 6: Action Plans to remediate the absent or weak controls
Column 7: Rationale for Residual Risk Rating (consider the planned mitigation work to be completed)

Sample row, Risk Type #1:
Column 1: Inaccurate Disbursement (Operational Risk)
Column 2: Describe who, what, when, why, how, and root causes. On xx date, an employee initiated wire transfers from client accounts to his own external account due to lack of segregation of duties and entitlement controls, causing xxx in financial loss.
Column 3: Once a month, 5M – 20M
Column 4: Identify the vulnerabilities most likely to contribute to the event, such as:
– Maker checker missing
– Call back for new accounts missing
– Accounts payable review before execution missing
Column 5: Once a quarter, 500k – 5M
Column 6: Implement escalated tier-based approval in the policy based on $$ amount.
Column 7: How do the controls effectively reduce (or not) the inherent risk rating (High-red) to (yellow-moderate)?

Sample row, Risk Type #2:
Column 1: Strategic Risk OR Financial Risk (it can be an opportunity with an upside that needs to be managed)


Methodology: Please use your company’s size, complexity and product/business/ processes to derive the impact and likelihood.
Likelihood scale (frequency):
1 Rare: in more than / every 5 years
2 Infrequent: in the next / every 3-5 years
3 Occasional: within the next / every 1-3 years
4 Frequent: within the next / every 1 year
5 Imminent: within the next / every quarter

Impact scale, rated against the critical success factors Financial Exposure, Brand Damage, Legal/Regulatory Action, Health & Safety, Staffing and Client Operations:

1 Minor
⦁ Financial loss up to $X million
⦁ Local media attention quickly remedied
⦁ Not reportable to regulator
⦁ No injuries to employees or third parties, such as customers or vendors
⦁ Isolated staff dissatisfaction

2 Moderate
⦁ Financial loss of $X million up to $X million
⦁ Local reputational damage
⦁ Reportable incident to regulator, no follow up
⦁ No or minor injuries to employees or third parties, such as customers or vendors
⦁ General staff morale problems and increase in turnover

3 Significant
⦁ Financial loss of $X million up to $X million
⦁ National short-term negative media coverage
⦁ Report of breach to regulator with immediate correction to be implemented
⦁ Out-patient medical treatment required for employees or third parties, such as customers or vendors
⦁ Widespread staff morale problems and high turnover

4 Severe
⦁ Financial loss of $X million up to $X million
⦁ National long-term negative media coverage; significant loss of market share
⦁ Report to regulator requiring major project for corrective action
⦁ Limited in-patient care required for employees or third parties, such as customers or vendors
⦁ Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

5 Catastrophic
⦁ Financial loss of $X million or more
⦁ International long-term negative media coverage; game-changing loss of market share
⦁ Significant prosecution and fines, litigation including class actions, incarceration of leadership
⦁ Significant injuries or fatalities to employees or third parties, such as customers or vendors
⦁ Multiple senior leaders leave
NOTE: For the Financial Exposure success factor, make sure to define which measure you are using (e.g. nominal dollar amounts, percentage of annual EBIT, percentage of market cap, other), its thresholds for each impact category (i.e. Minor, Moderate, Significant, Severe, and Catastrophic), and why the measure and thresholds you chose are appropriate for your organization.
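As an added worked example (not part of the assignment or the course material), the following Python risk-register scorer applies the 1-5 likelihood and impact scales above together with the Session 2 rule that control effectiveness determines residual risk, and flags when an action plan is mandatory (a weak control, or residual risk still outside appetite) as the Background Overview requires. The H/M/L cut-offs, the three-point control scale and the number of scale steps each control rating removes are assumptions, since the page states the rule but not those numbers.

```python
from dataclasses import dataclass, field

# Likelihood and impact use the 1-5 scales above. ASSUMED (the page gives no
# numbers): a 3-point control scale, the scale steps each rating removes,
# and the H/M/L cut-offs on the 1-25 likelihood x impact product.
REDUCTION = {"Weak": 0, "Adequate": 1, "Strong": 2}
BANDS = ["Low", "Moderate", "High"]

def band(likelihood: int, impact: int) -> str:
    score = likelihood * impact
    return "High" if score >= 15 else "Moderate" if score >= 8 else "Low"

@dataclass
class Control:
    name: str
    rating: str   # Weak / Adequate / Strong
    acts_on: str  # "likelihood" (frequency) or "impact" (severity)

@dataclass
class RiskEntry:
    name: str
    risk_type: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)
    appetite: str = "Moderate"  # residual band the board accepts (assumed)

    def inherent(self) -> str:
        return band(self.likelihood, self.impact)

    def residual(self) -> tuple:
        """Each control lowers the dimension it mitigates, floored at 1."""
        def cut(dim):
            return sum(REDUCTION[c.rating] for c in self.controls if c.acts_on == dim)
        lik = max(1, self.likelihood - cut("likelihood"))
        imp = max(1, self.impact - cut("impact"))
        return lik, imp, band(lik, imp)

    def action_plan_required(self) -> bool:
        """Page rule: a weak control needs a plan now; also flag residual above appetite."""
        weak = any(c.rating == "Weak" for c in self.controls)
        return weak or BANDS.index(self.residual()[2]) > BANDS.index(self.appetite)

# Constructed register entry (not the page's sample row); numbers are illustrative.
WIRE_FRAUD = RiskEntry(
    name="Inaccurate disbursement via unauthorised wire", risk_type="Operational",
    likelihood=5, impact=4,
    controls=[Control("Maker-checker on wire release", "Strong", "likelihood"),
              Control("Tiered approval escalation by $ amount", "Adequate", "impact"),
              Control("Call-back for new payee accounts", "Weak", "likelihood")],
)
```

For the constructed entry the inherent rating is High and the residual rating is Moderate (likelihood 3, impact 3), and an action plan is still required because the call-back control is rated Weak.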

RCD Tool- From Homework on Internal Control #1

Source: WoltersKluwer.com
Risk Category: Definition and Subcategories

Strategic risk: A category of risks related to unexpected changes in key elements of strategy formulation or execution. This is highly variable by company and must be customized. Subcategories:
⦁ Strategy Development or Formulation
⦁ Strategy Execution or Implementation (incl. M&As)
⦁ Governance
⦁ Strategic Relationships
⦁ Competitor
⦁ Supply Chain (this can also be operational risk depending on root cause)
⦁ Economic
⦁ External Relations (same as above)
⦁ Legislative/Regulatory
⦁ International

Operational risk: A category of risks related to unexpected changes in elements related to operations, such as human resources, technology, processes, and disasters. Subcategories:
⦁ Human resources
⦁ Technology
⦁ Litigation
⦁ Compliance
⦁ Internal or External fraud
⦁ Disasters (Natural & Man-made)
⦁ People, Processes, Systems

Financial risk: A category of risks related to unexpected changes in external markets, stock prices, interest rates, and liquidity supply and demand. Subcategories:
⦁ Market
⦁ Credit
⦁ Liquidity

Insurance risk: Generally applies only to insurance companies. Subcategories:
⦁ Pricing
⦁ Underwriting
⦁ Reserving
⦁ Setting of required capital for insurance products
