Risk Register
RCSA Date:
Department Head
The objective of the RCSA is to identify and assess operational risks and to determine the adequacy and effectiveness of the internal controls designed to manage those risks.
The purpose of this document is to ensure complete and accurate identification of operational risks; to quantify the exposure to operational risk and rate the risks as High, Medium and Low; to assess the strengths and weaknesses in the operational risk control environment exhaustively and accurately; and to prioritize management action for high-risk areas.
Process Details Risk Identification and Assessment Control Identification and Assessment Residual Risk Action Plans
SOP Available
# Function Process Name Sub Process Risk Event Reference # Risk Description Risk Causal Factors Risk Category Root Cause Risk Impact Description Risk Data Sources Ref. Description Risk Likelihood Risk Impact Combined Risk Assessment Risk Owner Control Ref. #. Control Control Description Control Frequency Control Type Control Category Control Classification Control Design Effectiveness Control Operating Effectiveness Combined Control Effectiveness Control Owner Residual Risk Remarks, if any Action Required Action Plan Reference Action Plan Item Target Date
(Yes/ No)
Expected
Greater than 50% The event will probably
and up to 75% occur in most circumstances
Risk Impact
1 2 3 4
Insignificant Minor Moderate Major
Operating Effectiveness
1 2 3 4
Poor Unsatisfactory Satisfactory Effective
Impact Criteria
5 1 2 3
Severe Insignificant Minor Moderate
Control Operation
Combined Heatmap
5 1 2 3
Highly Effective Poor Unsatisfactory Satisfactory
Result
4 5 Control Effectiveness
No. of Controls
Effective Highly Effective Rating
sment Result
Control Rating
2 1
Residual Risk Rating Residual Risks
Medium Low Low
Ver
Risk Events (Inherent)
Control Assessment
Very High High Medium High Medium Low Low
Residual Risks
Unsatisfactory The control design is limited and ineffective Unsatisfactory Control is operating with limited effectiveness
The control is designed adequately to substantially Control is always operational effectively in the way
Highly Effective Highly Effective
mitigating the risk intended in design
Residual Risk Scale
Control Effectiveness
1 2 3 4 5
Medium Medium
Low High Very High
Low High
1 Low Low Low Low Low Low
Control Risk
Operating Design Impact
Poor Poor Severe
Unsatisfactory Unsatisfactory Major
Satisfactory Satisfactory Moderate
Effective Effective Minor
Highly Effective Highly Effective Insignificant
Definition
1: Risk Causal Factor
*People Risk of negative impact related to inadequacies in human capital and the management of human re
*Process Risk of negative impact related to weak internal business processes within every aspect of the busin
2: RISK Category Group of potential causes of risk, to allow grouping of individual risks for more evaluating and respo
*Reporting All risks arising from the reliability of financial reporting to TWQ management
*Strategic The risks arising from or resulting in Tanfeeth’s inability to formulate or execute a business strategy
*Compliance The risks arising from or resulting in a failure to comply with existing local, regional, or internationa
regulatory policies or the development, administration, and enforcement of regulations.
*IT The risks arising from or resulting in failure of technology or related systems.
The risks arise from inadequate or failed internal processes, procedures, and people, or from failure
*Operational achievement of related Key Performance Indicators.
3: Risk Data Source Is information (data) that is used by an organization for diverse Risk Management and other busine
*Audit Points Through any audit point that resulted from observation and/or reports.
*Customer Complaints A complaint is an expression of dissatisfaction made to an organization, related to its products, or th
*Incidents Through any incident or event that impacted the organization earlier
*Process Notes Activity or set of activities that use resources to transform inputs into outputs.
Establishing effective and efficient processes that are consistently followed and improved upon is th
*Regulatory Inspection Through regulatory inspection, SAMA, Ministry of commerce and any other regulatory inspector
*Fund Policy Policies established by a Fund for the purpose of eliminating or reducing any dilution of the value o
Fund's current prospectus.
*Whistle Blowing Whistleblowing can be internal, an employee reports wrongdoing using the reporting channels with
*CSA Control Self Assessment (CSA) is defined as an effective approach to identifying and managing areas
*Emerging Risk A new or unforeseen risk that we haven't yet contemplated. This risk should be on our radar, but it
4: Control Classification Classification of information is a process that enables organizations to group information assets into
*Access Control Process of granting authorized users the right to use a service while preventing access to non-autho
*Reconciliation An accounting process in which two sets of records are compared to ensure that the results are acc
*Verification and Authorisation Independent procedures are used to check that a product, service, or system meets requirements a
*IT / System Control Information technology software and/or system
*Process Control Criteria and methods are needed to ensure that both the operation and control of these processes
*Maker Checker One of the central principles of licensing in the information systems of financial organizations.
*Physical Control Measure that modifies or maintains risk. Those measures might include policies, processes, practice
5: Control Type The control type is a process effected by an entity's board of directors, management, and other per
*Preventive Decrease the chance of errors and fraud before they occur, and often revolve around separating du
quality.
*Detective They are designed to find errors or problems after the transaction has occurred. Detective controls
the-fact chance to detect irregularities.
*Directive A control that guides, and usually impels, toward an action or goal.
Risk Data Source SOP
Audit Points Yes
Customer Complaints No
External Audit
Incidents
Internal Audit
Process Notes
Regulatory Inspection
SOP
Fund Policy
Whistle Blowing
CSA
Emerging Risk
Others
Control Category
Manual
Automated
Both
NA
Risk
Probability Final Rating
Highly Likely VERY HIGH (VH)
Expected HIGH (H)
Possible MEDIUM HIGH (MH)
Not Likely MEDIUM LOW (ML)
Remote LOW (L)
mulate or execute a business strategy that successfully meets Tanfeeth’s Vision & Mission.
isting local, regional, or international laws or regulatory policies. Unexpected changes to existing local, regional, or international laws or
forcement of regulations.
ated systems.
ocedures, and people, or from failure of asset infrastructure resulting in poor performance, protection, and utilization of existing assets and non-
reports.
nization, related to its products, or the complaints handling process itself, where a response or resolution is explicitly or implicitly expected.
earlier
ts into outputs.
tly followed and improved upon is the basis for most management standards.
reducing any dilution of the value of the outstanding shares issued by the Fund resulting from short-term trading, as described in the applicable
ng using the reporting channels within the organization, or external, i.e., an employee reports wrongdoing to parties outside the organization.
his risk should be on our radar, but it is not, and its potential for harm or loss is not fully known.
tions to group information assets into relevant categories depending on the level of protection each category of information should be provided.
ice, or system meets requirements and specifications and fulfills its intended purpose.
ation and control of these processes are effective.
rectors, management, and other personnel, designed to provide reasonable assurance regarding the control.
d often revolve around separating duties. From a quality standpoint, preventive controls are essential because they are proactive and focused on
tion has occurred. Detective controls are essential because they provide evidence that preventive controls operate as intended and offer an after-
l.
function
All
Center of Excellence
HR Operations