
Risk and Controls Self Assessment
How to maximise the value from your risk assessments

Your Hosts

Alf Akerman, Senior Consultant
David Tattam, Chief Research & Content Officer
Housekeeping

• Please make sure your microphone and camera are turned off
• Please use the chat if you would like to ask questions
• This session is recorded
Agenda

1 Why? The value of Risk Assessments
2 What? What are we assessing? Risk and Controls
3 How? A methodology for Risk and Controls Assessment
4 Assessment Criteria
5 Evaluating and using the output
6 Advancing to integrated dynamic Risk Assessment
7 Q&A and Conclusions
Objectives of RCSA. To:
1. Identify and document material risks and related controls.
2. Assess the level of each risk.
3. Increase risk awareness and transparency.
4. Provide management assurance.
5. Assess effectiveness of controls.
6. Identify areas needing improvement.
7. Achieve a ranking of the risks.
Risk

Risk is the effect of uncertainty on objectives (ISO 31000:2018)

• Risk should be linked to objectives
• Understand what drives uncertainty
Risk - Fall from Height

Objectives
1. Customer Service
2. Maintain wellbeing and health
3. Comply with regulations

Critical Processes
1. Get up to the required height
2. Complete the task
3. Get back to ground level safely
4. Wear required PPE

Risk Event
1. Fall from height

Causes
1. Impaired worker
2. Liquid slip hazard on ground (Rain)
3. Inadequate process
4. Breakage in ladder leg (Manufacturer defect)
5. Slippery pole (Moss)

Controls
1. Non-Slip Shoes
2. Inspections and Clean Up
3. Harness
4. PPE check
5. Safety Hat
6. First Aid
Components of Risk

1. Risk Causes
2. Risk Events
3. Failed Processes (These are included in Risk Events)
4. Risk Impacts
5. Controls

The Building Blocks

(Diagram: several Causes feed one central Event, which leads to several Impacts. Controls are placed along the paths from the Causes to the Event and from the Event to the Impacts.)
“Fall from Height” Risk
But Why / How? (Causes)  |  Events  |  But What Next? (Impacts)

Causes (cause chains leading to the event)
• Human error: Impaired worker
• Slip hazard: Rain, water on ground
• Slippery pole: Moss
• Equipment failure: Manufacturer defect, faulty ladder, “ladder” breakage
• Inadequate process

Events (with “Fall” as the main event)
• Failure to reach required height
• Failure to reach ground level safely
• Failure to wear required PPE
• Failure to complete task

Impacts
• Injury
• Compliance breach
• Customer service
Control

A specific action taken with the objective of reducing either the likelihood of the risk occurring and / or the impact if the risk were to occur.
“Fall from Height” Risk, with controls added
But Why / How? (Causes)  |  Events  |  But What Next? (Impacts)

Causes (cause chains leading to the event)
• Human error: Impaired worker
• Slip hazard: Rain, water on ground
• Slippery pole: Moss
• Equipment failure: Manufacturer defect, faulty ladder, “ladder” breakage
• Inadequate process

Events (with “Fall” as the main event)
• Failure to reach required height
• Failure to reach ground level safely
• Failure to wear required PPE
• Failure to complete task

Impacts
• Injury
• Compliance breach
• Customer service

Controls (placed on the bow tie)
• PPE Check
• Safety Hat
• Inspections & Clean Up
• Harness
• First Aid
• Non Slip Shoes
Fall from Height

Source: Protecht.ERM System


Polling Question

What method do you use to analyze risk?

1. No specific method
2. Risk Bow Tie Analysis
3. Fishbone diagrams
4. FMEA
5. Other

Risk Assessment – What is it?

ISO 31000:2018 (Risk Identification → Risk Analysis → Risk Evaluation)

1. Risk Identification
• The identification of key risks across the business
2. Risk Analysis
• Analysing the risk so as to:
  • Understand its components and levels
  • Understand its size and therefore importance
3. Risk Evaluation
• Evaluating the size of the risk against risk appetite levels and zones
• After that, we can treat, monitor and review, record and report
Type of Assessment

(Diagram: Vision → Strategic Objectives → Projects → Delivered Processes / Operating Model → Operational Objectives → Outcomes. Each stage has its own assessment: Strategic / Project Risk Assessment covers Strategic and Project Risks; Change / Delivered Risk covers the projects as delivered; Operational / BAU Risk Assessment covers Operational and Financial Risks. Strategic and Project Risk Management, Change / Delivered Risk Management and Operational and Financial Risk Management together make up Enterprise Risk Management.)
RCSA Methodology

Assessed Unit (Business Unit, Area, Activity, Hazard etc)
• Objectives
• Critical Success Factors
• Risks
• Controls

Risk levels: Inherent Risk → (Controls) → Residual Risk → (Actions) → Targeted Risk
Risk Assessment - Objectives

Personal Health
1. Live a long and healthy life

Employee Expense Claims
1. Happy employees
2. Meet contractual and regulatory obligations
3. Manage expenses
Risk Assessment – Critical Functions

Personal Health
1. Heart
2. Skeleton
3. Skin
4. Liver
5. Kidneys
6. Blood
7. Brain
8. …

Employee Expense Claims
1. Timely Payment
2. Correct amount
3. Correct bank account
4. Simple / fair policy and process
5. Know the regulatory and contractual obligations
6. Meet the obligations
7. Post to correct general ledger account
8. Post the correct amount
9. Post in the correct period
10. Supporting documentation
11. Budget vs. Actual
12. Pay only legitimate expenses
Risk Assessment - Risks

Personal Health
1. Cholesterol
2. Melanoma
3. Kidney disease
4. Heart disease
5. …

Employee Expense Claims
1. System outage
2. Manual processing error
3. System processing error
4. Third party bank processing error
5. Insufficient available funds
6. …
Risk Assessment - Controls

Personal Health
1. Statins
2. Diet
3. Fitbit
4. First Aid

Employee Expense Claims
1. UPS Power Supply
2. System Monitoring
3. Back up system
Understanding the Risk
But Why / How? (Causes)  |  Events  |  But What Next? (Impacts)

Causes
• High cholesterol foods / diet → High cholesterol
• Hereditary → High cholesterol

Events
• Clogged arteries → Heart failure

Impacts
• Death
• Permanent disability

Controls
• Cause side: Diet, Statins, Fitbit
• Impact side: First Aid
Risk Assessment - Health

Risk: Cholesterol, caused by fatty diet or hereditary, leading to heart attack
Controls: Lipitor, Diet, First Aid, Fitbit
Inherent Risk (risk before controls): Likelihood 5, Consequence 4
Residual Risk (risk after controls): Likelihood 3, Consequence 3

Key:
Level         1            2          3          4        5
Likelihood    Rare         Unlikely   Possible   Likely   Almost Certain
Consequence   Negligible   Minor      Moderate   Major    Severe
Risk Matrix Key

(Figure: 5x5 risk matrix marking Inherent Risk, Residual Risk and the Effectiveness of current controls.)
Bow Tie
But Why / How? (Causes)  |  Events  |  But What Next? (Impacts)

Causes
• People: Operator error
• Systems: Hardware failure, System failure
• External Event: Power outage, Power interruption

Event
• System Outage

Impacts
• Failure to pay on time → Unhappy employee
• Breach of Contract

Controls
• UPS Power supply
• System monitoring
• Back up System
Risk Assessment – System Outage

Risk: System outage caused by People, Systems, External Events, leading to unhappy staff and contractual breach
Controls: UPS, System Monitoring, Back Up
Inherent Risk (risk before controls): Likelihood 5, Impact 4
Residual Risk (risk after controls): Likelihood 2, Impact 3

Key:
Level        1         2          3          4        5
Likelihood   Rare      Unlikely   Possible   Likely   Almost Certain
Impact       Minimal   Minor      Moderate   Major    Extreme

Risk Matrix Key

(Figure: 5x5 risk matrix marking Inherent Risk, Residual Risk and the Effectiveness of current controls.)
Assessment Criteria
1. Assessment method: Qualitative, Quantitative, Semi quantitative
2. Assessing Likelihood and Impact
3. Qualitative
• Likelihood and Impact Scales
• Likelihood and Impact Assessment: Inherent and Residual
• One impact from a range – “Typical, Worst Case, 99th percentile?”
Assessing Likelihood and Impact

(Bow tie: Causes → Risk Event → Impacts. Likelihood is assessed on the cause side of the event and Impact on the impact side. Preventive and Early Detective controls sit before the event; Late Detective and Corrective controls sit after it.)

Impact of Controls on Likelihood and Impact of the “Main Event”

Control Type      Likelihood   Impact
Preventive        Reduces      –
Early Detective   Reduces      –
Late Detective    –            Reduces
Corrective        –            Reduces

(Controls placed before the event act on likelihood; controls placed after the event act on impact.)
Likelihood Scales
1. How articulate?
2. Time period?
3. Provide spread across all of your risks

Example
Level   Statement        Times per period              Once in given period                 % chance of happening in next 12 months
5       Almost certain   More than 100 per year        More than 1 per day                  More than 80%
4       Likely           Between 50 and 100 per year   Between 1 per week and 1 per day     Between 50% and 80%
3       Possible         Between 10 and 50 per year    Between 1 per month and 1 per week   Between 20% and 50%
2       Rare             Between 1 and 10 per year     Between 1 per year and 1 per month   Between 5% and 20%
1       Very Rare        Less than 1 per year          Less than 1 per year                 Less than 5%
Polling Question

What time horizon do you use on your likelihood scale?

1. 0-1 year
2. 0-3 years
3. 0-5 years
4. Longer
5. None

Impact Scale Example

1. Impacts should equal objectives
2. Impact levels by objective should be a similar magnitude

Level         Monetary (actual $ loss and opportunity loss)   Reputation                 Customer satisfaction                                           Regulatory Breach
5 Very High   Greater than $5 million                         Global media coverage      Loss of more than 100 customers                                 Major breach of critical regulation
4 High        Between $2 and $5 million                       National media coverage    Loss of between 40 and 100 customers                            Medium breach of critical regulation
3 Medium      Between $500,000 and $2 million                 City wide media coverage   Over 1000 customers unhappy and loss of less than 40 customers  Minor breach of critical regulation
2 Low         Between $50,000 and $500,000                    Local media coverage       Between 100 and 1000 customers unhappy                          Major breach of non critical regulation
1 Very Low    Less than $50,000                               Employee coverage          Less than 100 customers unhappy                                 Minor breach of non critical regulation
Inherent, Residual, Targeted Risk and Effectiveness of Controls

1. Inherent Risk (Gross): The level of risk assuming there are no controls.
2. Residual Risk (Net): The level of risk after taking into account existing controls.
3. Targeted Risk: The level of risk that is desired, taking into account risk appetite and the reward / risk trade off.
4. Effectiveness of Controls: The level of effectiveness of controls in reducing the likelihood and / or the consequence of the risk.

Summary

• Inherent (Gross) Risk (I)
• Existing Controls (C)
• Residual (Net) Risk (R)
• Outstanding Issues and Actions (IA)
• Targeted Risk (T)
(Diagram: I is reduced by C to R; R is reduced by IA to T.)

Use of each level

• Inherent less Residual = Importance of Controls
• Targeted less Residual = Outstanding Issues and Actions
• When Residual equals Targeted = Success!
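Added example, not code from the webinar or from Protecht's ERM system: a Python module that scores inherent, residual and targeted risk on a 5x5 matrix using the page's example likelihood scale and its two worked risks (system outage: inherent 5/4, residual 2/3; cholesterol: inherent 5/4, residual 3/3), then derives the quantities the summary above names: control effectiveness as inherent less residual, the outstanding gap as residual less targeted, and whether the residual rating sits within appetite. The rating band cut-offs, the effectiveness buckets, the targeted scores and the appetite bands are assumptions, since the page does not state them. It also goes one step beyond the page by converting an annual frequency into a 12-month probability under a Poisson assumption, as a sanity check on the two columns of the example scale.

```python
"""Worked RCSA scoring on a 5x5 matrix: inherent, residual and targeted risk,
control effectiveness, outstanding gap and appetite evaluation."""
import math
from dataclasses import dataclass

# Likelihood scale from the page's example table: (lowest events per year, level).
# Boundary convention is an assumption: a frequency exactly on a boundary takes
# the higher level.
LIKELIHOOD_BY_FREQUENCY = [(100.0, 5), (50.0, 4), (10.0, 3), (1.0, 2)]
LIKELIHOOD_NAMES = {5: "Almost certain", 4: "Likely", 3: "Possible", 2: "Rare", 1: "Very rare"}

# Rating bands on the likelihood x impact product (1..25). The page's matrix does
# not state its band boundaries, so these cut-offs are an assumption.
RATING_BANDS = [(17, "Extreme"), (10, "High"), (5, "Moderate"), (1, "Low")]
RATING_ORDER = ["Low", "Moderate", "High", "Extreme"]


def likelihood_level(events_per_year: float) -> int:
    """Map an observed or estimated annual frequency to the 1..5 likelihood level."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    for floor, level in LIKELIHOOD_BY_FREQUENCY:
        if events_per_year >= floor:
            return level
    return 1


def prob_at_least_one(events_per_year: float) -> float:
    """Chance of at least one event in 12 months if events arrive as a Poisson
    process (assumption); used to cross-check the scale's percentage column."""
    return 1.0 - math.exp(-events_per_year)


@dataclass(frozen=True)
class Score:
    """One likelihood / impact combination on the 5x5 matrix."""
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")

    @property
    def product(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        for floor, name in RATING_BANDS:
            if self.product >= floor:
                return name
        return "Low"


@dataclass(frozen=True)
class RiskAssessment:
    name: str
    inherent: Score   # gross: assuming no controls
    residual: Score   # net: existing controls taken into account
    targeted: Score   # desired level given appetite (assumed values below)
    appetite: str     # highest residual rating band the business accepts (assumed)

    def __post_init__(self) -> None:
        if self.residual.product > self.inherent.product:
            raise ValueError("controls cannot make residual risk exceed inherent risk")
        if self.appetite not in RATING_ORDER:
            raise ValueError(f"unknown appetite band {self.appetite!r}")

    def control_effectiveness(self) -> str:
        """Inherent less residual = importance of controls; bucket cut-offs assumed."""
        reduction = (self.inherent.product - self.residual.product) / self.inherent.product
        if reduction >= 0.5:
            return "Effective"
        if reduction > 0:
            return "Partially Effective"
        return "Not Effective"

    def outstanding_gap(self) -> int:
        """Residual less targeted: positive means issues and actions are still open,
        zero means residual equals targeted, negative means over-controlled."""
        return self.residual.product - self.targeted.product

    def within_appetite(self) -> bool:
        return RATING_ORDER.index(self.residual.rating) <= RATING_ORDER.index(self.appetite)


# The two worked risks from the page; targeted scores and appetite bands are assumed.
EXAMPLES = [
    RiskAssessment("System outage", Score(5, 4), Score(2, 3), Score(2, 2), "Moderate"),
    RiskAssessment("Cholesterol / heart attack", Score(5, 4), Score(3, 3), Score(2, 3), "Low"),
]

if __name__ == "__main__":
    for risk in EXAMPLES:
        print(risk.name, risk.inherent.rating, "->", risk.residual.rating,
              risk.control_effectiveness(), "gap", risk.outstanding_gap(),
              "within appetite" if risk.within_appetite() else "outside appetite")
    print(f"P(>=1 event in 12 months | 1 per year) = {prob_at_least_one(1.0):.2f}")
```

The Poisson check is the caveat worth carrying into scale design: one event per year gives roughly a 63% chance of at least one occurrence in the next 12 months, while the example scale pairs "between 1 and 10 per year" with 5% to 20%. The two columns therefore describe different things, so pick one (frequency or probability) as the authoritative definition of each level before asking assessors to rate against it.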
Polling Question

Which of the following risk levels do you assess


in your risk assessment methodology?
(Select all that apply)

1. Inherent (Gross)
2. Residual (Net)
3. Targeted
4. Control effectiveness
5. Other
Polling Question

How frequently do you conduct risk assessments?

1. Annually
2. Semi-annually
3. More frequently
4. Dynamically when there is a trigger point (e.g. incident)
5. Never
Classic “5*5” Matrix

(Figure: 5x5 likelihood by impact matrix.)
Using the matrix assessment
1. It is a subjective sizing of risk
2. Understand the limitations and assumptions
– What risk level: Typical, worst case?
– It is the assessment of only one likelihood / impact
combination
– Level of subjectivity
3. It is not an assessment against risk appetite

Risk Matrix Appetite Assessment

Risk   Rating     Appetite
1      Moderate   Low
2      Moderate   Moderate
3      Moderate   High
4      Low        Very Low / Zero
5      High       High

(Evaluation: each risk is plotted against its appetite on the 5x5 matrix in the slide.)
Reporting and Analytics

(Diagram: RCSA linked to Key Risk Indicators, Issues and Actions, Controls Assurance and Incident Management.)

Dynamic Risk Profile “Risk in Motion”
Risk Report with Linked Items
Drilldown Risk Details

Risk Name: COVID-19 Infection
Risk Description: Employee or customer infection due to the COVID-19 pandemic.
Risk Owner: (not set)

Risk Assessment
Last Review Date: 15/03/2020   Prior Residual Rating: (none)
Inherent Rating: Extreme   Control Effectiveness: Partially Effective   Residual Rating: Low

Controls Testing Results
Control                                                                 Testing                   Mar 20
Protective equipment, e.g. face mask, protective clothing, gloves etc   Design Effectiveness      Effective
Protective equipment, e.g. face mask, protective clothing, gloves etc   Operating Effectiveness   Not Effective
Protective equipment, e.g. face mask, protective clothing, gloves etc   Overall Effectiveness     Not Effective

Key Risk Indicators
KRI                                                           Owning Business Unit   Apr 20 / Jul 20
% of staff temperature checked on entry to company premises   People & Culture       40
Number of COVID19 infected employees                          People & Culture       0

Compliance
Question: Can you confirm that you have practised safe self distancing and avoided unessential activities outside your home during the period?
Owning Business Unit: Company
Responses: Apr 20 Yes; May 20 Yes; May 20 No; Jun 20 Yes; Jun 20 No; Jul 20 No; Jul 20 Yes; Jul 20 Yes; Jul 20 No; Jul 20 Yes; Aug 20 Yes; Sep 20 No; Sep 20 Yes

Incidents
Title: Staff COVID19 infection
Details: Jane Doe reported mild symptoms - colds and mild sore throat on 12th March 2020, tested positive for COVID19 2 days later. Employee had previous contact with a family member who had been overseas.
Severity: Moderate   Loss: $20,000   Incident Date: 12/03/2020   Status: Under Investigation
Bringing it to life

(Diagram labels: Known Knowns → Known Unknowns → Unknown Unknowns. Triggers: Elevated risk, Control failure, New incident, Overdue Issue, Adverse KRIs. Risk profiles: Group Level Risk, Division Level Risk, Country Level Risk, Vendor Level Risk. Owners: Business Unit, Process / Product, System / Assets, Project Manager, Vendor Manager. Oversight: L2 / L3 Oversight, Board / Committees / Management, Regulators / Clients. Also shown: Top / Key Risk, Strategic / Emerging Risk, Environmental factors.)

Did something happen? → What happened? → Why did it happen? → How can we predict that it will happen?
Questions

Enter your question in the question section on the GoTo control panel.

If the question input area is not visible, click on the orange arrow at the top of
the panel to expand the viewing area.

Redefining the way the world thinks about risk


Upcoming Activities
Catch up on past webinars at protechtgroup.com/webinars

A Year in Review 2021 to a Year to Look Forward To 2022!
A Fireside Chat with David Bergmark and David Tattam
Tuesday 7th December, 12:30pm – 1:30pm AEDT
Thank you!
david.tattam@protecht.com.au

Get in touch:
• UK, Europe & Middle East:
+44 20 3978 1360
• Australia - Asia Pacific &
Americas: +61 433 149 949

info@protechtgroup.com

www.protechtgroup.com/erm
