RCSA 20211201 Webinar
Assessment
How to maximise the value from your risk assessments
Objectives of RCSA. To:
1. Identify and document material risks and related controls.
2. Assess the level of each risk.
3. Increase risk awareness and transparency.
4. Provide management assurance.
5. Assess effectiveness of controls.
6. Identify areas needing improvement.
7. Achieve a ranking of the risks.
Agenda
4 Assessment Criteria
Risk
Risk Event
1. Fall from height
Causes
1. Impaired worker
2. Liquid slip hazard on ground (Rain)
3. Inadequate process
4. Breakage in ladder leg (Manufacturer defect)
5. Slippery pole (Moss)
Components of Risk
1. Risk Causes
2. Risk Events
3. Failed Processes (These are included in Risk Events)
4. Risk Impacts
5. Controls
The Building Blocks
[Diagram: the building blocks of a risk are Causes, Impacts and Controls, with Controls sitting between Cause and Impact]
“Fall from Height” Risk
[Bow tie diagram: Causes (But Why / How?) → Events → Impacts (But What Next?)]
Causes: Impaired worker; Human error; Rain; Moss; Equipment failure; Faulty ladder (Manufacturer defect); Inadequate process
Events: Failure to reach ground level safely; Water on ground; Slip; Failure to wear required PPE; Slippery pole; Fall; Failure to reach required height; Ladder breakage; Failure to complete task
Impacts: Injury; Compliance breach; Customer service
Control
“Fall from Height” Risk – with Controls
[Bow tie diagram: the same Causes, Events and Impacts as the “Fall from Height” bow tie, with controls added]
Controls: PPE check; Safety hat; Harness; Non-slip shoes; Inspections & clean up; First aid
Fall from Height
1. No specific method
2. Risk Bow Tie Analysis
3. Fishbone diagrams
4. FMEA
5. Other
Risk Assessment – What is it?
1. Risk Identification
• The identification of key risks across the business
2. Risk Analysis
• Analysing the risk so as to:
• Understand its components and levels
• Understand its size and therefore importance
3. Risk Evaluation
• Evaluating the size of the risk against risk appetite levels and zones
• After that, we can treat, monitor and review, record and report
Type of Assessment
[Diagram: Vision → Strategic Objectives → Operational Objectives → Processes / Operating Model and Projects → Outcomes Delivered]
• Strategic / Project Risk Assessment: Strategic and Project Risk; Change / Delivered Risk
• Operational / BAU Risk Assessment: Operational and Financial Risks
RCSA Methodology
[Diagram: Assessed Unit (Business Unit, Area, Activity, Hazard etc) → Objectives → Critical Success Factors → Risks → Controls → Actions]
Risk ratings along the way: Inherent Risk → (Controls) → Residual Risk → (Actions) → Targeted Risk
Risk Assessment - Objectives
Examples: Personal Health; Employee Expense Claims
Risk Assessment – Critical Functions
Risk Assessment - Risks
Risk Assessment - Controls
Understanding the Risk
[Bow tie diagram: Causes (But Why / How?) → Events → Impacts (But What Next?)]
Causes: High cholesterol foods; Diet; Hereditary
Events: High cholesterol; Clogged arteries; Heart failure
Impacts: Death; Permanent disability
Controls: Statins; Fitbit; Diet; First aid
Risk Assessment - Health
Risk: Cholesterol, caused by fatty diet or hereditary, leading to heart attack
Controls: Lipitor; Diet; First Aid; Fitbit
Inherent Risk (risk before controls): Likelihood 5, Consequence 4
Residual Risk (risk after controls): Likelihood 3, Consequence 3
Key:
Likelihood: 1 Rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost Certain
Consequence: 1 Negligible, 2 Minor, 3 Moderate, 4 Major, 5 Severe
Risk Matrix Key
Inherent Risk
Residual Risk
Effectiveness of current controls
Bow Tie
[Bow tie diagram for a System Outage risk]
Causes: People (Operator error); System (Hardware failure, Systems failure); Power (Power outage / interruption); External Event
Event: System Outage
Impacts: Unhappy employee; Failure to pay on time; Breach of Contract
Controls: System monitoring; Back up System; UPS Power supply
Risk Assessment – System Outage
Key:
Likelihood: 1 Rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Almost Certain
Impact: 1 Minimal, 2 Minor, 3 Moderate, 4 Major, 5 Extreme
Assessment Criteria
1. Assessment method: Qualitative, Quantitative, Semi quantitative
2. Assessing Likelihood and Impact
3. Qualitative
• Likelihood and Impact Scales
• Likelihood and Impact Assessment: Inherent and Residual
• One impact from a range – “Typical, Worst Case, 99th percentile?”
Assessing Likelihood and Impact
[Diagram: Causes → Risk Event → Impacts. The Likelihood side (Causes → Risk Event) carries Preventive and Early Detective controls; the Impact side (Risk Event → Impacts) carries Late Detective and Corrective controls.]
Impact of Controls on Likelihood and Impact of the “Main Event”:
• Preventive
• Early Detective
• Late Detective
• Corrective
Likelihood Scales
1. How articulate?
2. Time period?
3. Provide spread across all of your risks
Example
Level | Statement | Times per period | Once in given period | % chance of happening in next 12 months
5 | Almost certain | More than 100 per year | More than 1 per day | More than 80%
4 | Likely | Between 50 and 100 per year | Between 1 per week and 1 per day | Between 50% and 80%
3 | Possible | Between 10 and 50 per year | Between 1 per month and 1 per week | Between 20% and 50%
2 | Rare | Between 1 and 10 per year | Between 1 per year and 1 per month | Between 5% and 20%
1 | Very Rare | Less than 1 per year | Less than 1 per year | Less than 5%
Polling Question
1. 0-1 year
2. 0-3 years
3. 0-5 years
4. Longer
5. None
Impact Scale Example
(Level 5 row truncated in source; only the fragment “similar magnitude” survives)
Level | Rating | Financial | Media | Customers | Regulatory
4 | High | Between $2 and $5 million | National media coverage | Loss of between 40 and 100 customers | Medium breach of critical regulation
3 | Medium | Between $500,000 and $2 million | City wide media coverage | Over 1000 customers unhappy and loss of less than 40 customers | Minor breach of critical regulation
2 | Low | Between $50,000 and $500,000 | Local media coverage | Between 100 and 1000 customers unhappy | Major breach of non critical regulation
1 | Very Low | Less than $50,000 | Employee coverage | Less than 100 customers unhappy | Minor breach of non critical regulation
Inherent, Residual, Targeted Risk and Effectiveness of Controls
1. Inherent (Gross)
2. Residual (Net)
3. Targeted
4. Control effectiveness
5. Other
Polling Question
1. Annually
2. Semi-annually
3. More frequently
4. Dynamically when there is a trigger point (e.g. incident)
5. Never
Classic “5*5” Matrix
Using the matrix assessment
1. It is a subjective sizing of risk
2. Understand the limitations and assumptions
– What risk level: Typical, worst case?
– It is the assessment of only one likelihood / impact combination
– Level of subjectivity
3. It is not an assessment against risk appetite
Risk Matrix Appetite Assessment
Reporting and Analytics
Key Risk Indicators
RCSA
Incident Management
Dynamic Risk Profile “Risk in Motion”
Risk Report with Linked Items
Drilldown Risk Details
Risk Name: COVID-19 Infection
Risk Description: Employee or customer infection due to the COVID-19 pandemic.
Risk Owner: (blank)
Risk Assessment
Last Review Date: 15/03/2020
Inherent Rating: Extreme
Control Effectiveness: Partially Effective
Residual Rating: Low
Prior Residual Rating: (blank)
Compliance
Question: Can you confirm that you have practised safe self distancing and avoided unessential activities outside your home during the period?
Owning Business Unit: Company
Responses (Apr 20, May 20, May 20, Jun 20, Jun 20, Jul 20, Jul 20, Jul 20, Jul 20, Jul 20, Aug 20, Sep 20, Sep 20): Yes, Yes, No, Yes, No, No, Yes, Yes, No, Yes, Yes, No, Yes
Incidents
Title: Staff COVID19 infection
Details: Jane Doe reported mild symptoms - colds and mild sore throat on 12th March 2020, tested positive for COVID19 2 days later. Employee had previous contact with a family member who had been overseas.
Severity: Moderate
Loss: $20,000
Incident Date: 12/03/2020
Status: Under Investigation
Bringing it to life
[Diagram: risk landscape laid out from Unknown Unknowns through Known Unknowns to Known Knowns, against risk levels, oversight and owners]
• Knowledge axis: Unknown Unknowns → Known Unknowns → Known Knowns
• Risk sources and triggers: Regulators / Clients; Strategic / Emerging Risk; Environmental factors; Elevated risk; Control failure; New incident; Overdue Issue; Adverse KRIs
• Risk hierarchy: Top / Key Risk; Group Level Risk; Division Level Risk; Country Level Risk; Vendor Level Risk
• Oversight: Board / Committees / Management; L2 / L3 Oversight
• Owners: Business Unit; Process; Product; System Assets; Project Mngr; Vendor Mngr
Questions
Enter your question in the question section on the GoTo control panel. If the question input area is not visible, click on the orange arrow at the top of the panel to expand the viewing area.
Get in touch:
• UK, Europe & Middle East: +44 20 3978 1360
• Australia - Asia Pacific & Americas: +61 433 149 949
info@protechtgroup.com
www.protechtgroup.com/erm