The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Hafsteinn Gislason, Director, Operational Risk, Silvergate Bank
How do you ensure a risk-based approach when identifying material risks?
The key to identifying the material risks within an RCSA is dependent on several key deliverables:
Ensuring risk coverage
Timeliness of RCSA
Appropriate governance
Holistic Framework
Now when we have these building blocks in place, there comes a time when a new question arises about development or risk that is on the horizon. There is a need to identify its impact and define materiality.
In my experience, this methodology creates a focused response by utilizing previously gathered information and challenging it with a new risk/development. This method informs the framework and therefore is sustainable as the new data is now available within the most current assessments.
What critical processes do you prioritize when identifying inherent risk?
The identification occurs in the build-up to an RCSA. During the scoping of new or existing organizational units, identify all critical processes and the experts for them and include them in the RCSA discussions. Critical processes can also be low-frequency if they have high exposure. Preferable is to have a standardized process inventory/taxonomy to ease the activity and create connectivity of risk results and other variables within the organization. Repeat this process before re-assessment.
Critical process identification relies on communication and collaboration between 1st and 2nd lines of defence to best inform the assessment.
How do you ensure key controls are effective when mitigating risk?
The effectiveness of controls comes down to testing and documentation. High-frequency controls should, if possible, have identified metrics. All incidents and events of specified criteria can also provide information on the state of the control environment, including near misses, as they are often a control failure caught by another control and can provide valuable lessons. Issue management can be a great tool to tie up loose ends in a risk-prioritized manner.
Why do institutions conduct RCSAs and what are the most common material risks to look out for?
RCSA should have a risk taxonomy and provide coverage and inclusion of all applicable risks. I believe an RCSA program should be a comprehensive tool that cuts across all risk types. If the goal is to identify a specific material risk, then the program will likely miss others. Not because they do not exist, but because they are not in scope. If we are not careful, the most common material risks might be all the risks you document.
That brings us to why I think they should conduct an RCSA.
Hafsteinn will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.