We are currently reviewing our company's RCA process. The aim is to improve the quality of the Risk and Control Assessments (RCAs); however, without an understanding of what has historically been experienced on the ground, practical approaches to resolving the issues could not be made. As such, a review of the current RCA generation processes was performed throughout the whole of our company. The assessment resulted in a number of issues being identified, which include people, process and technology concerns as summarised in the following themes:
- Lack of formally approved policies, together with supporting procedures and processes;
- Processes as documented are outdated and not representative of actions taken on the ground;
- Lack of integration and standardisation between related processes;
- Process level and/or strategic risks not identified;
- Resource shortages impacting process execution;
- Inaccurate or obsolete supporting toolsets; and
- Inadequately designed or missing controls.
The RCA process has been reassessed with the intention of realising a number of key benefits and improvements. The ultimate aim of which is to assist the company in its objective of becoming the best risk managed environment. The key benefits as envisioned are : “Keeping to our commitments” - pro-active “hands-on” risk management;“Being in control” - informed risk and control assessments based on continuous monitoring of control execution; Standardised control assessments; and Improved audit readiness
The RCA Reassessment led us to find that the RCA quality is a current burning platform; our approach towards RCA creation requires improvement; and our CSA approach has been decided.
Has anyone gone through this process of improving their Risk Control Assessments and could you perhaps give me some guidance? I would appreciate your inputs.
Who do you include or exclude in such a process?
I have run vulnerability clients for organizations when drawing up crisis plans, and the selection is vital. Never forget to do proper stakeholder profiling internally - Who is a subject matter expert? Who has the real information or knowledge? Who advises who?
Example - in Government. Who is the most powerful? A Cabinet minister? Or his or her advisers? Who is in the background?
Part of this process should include some form of communication audit. How does messages and information flow? Risk emerges when messages do not reach their destinations.
Well... RCSA process involves people from all the units and make them understanding the importance of risk and control. The basic idea is not just to make people assess about the risk factors, but ensure that over a period of time, the said risk will be minimised.This means, there needs to be proper tracking system.
The major factor where the effectiveness of RCSA realised is taking action on the deviation realised in assessments. Also, effectiveness will be introduction of new process based on results of RCSA process, otherwise whole exercise is futile and just a eyewash.The involvement of depts like process,audit,compliance,sales,ops will play a major role, as these have to sit and decide on the identification of risk and controls on periodic basis.
Net net , the process can be effective if
- Existance plan for roll out of RCSA
- Review of the RCSA results
-Reduction of risks/controls based on past results
- Involvement of staff from micro level to macro level
Agree. We have heard exactly that! "that's not my responsibility". We do use the term governance or methodology in preference to risk management but thank you for your contribution and surely will be considered in our approach.
Would you say that the risk function should lie within business (managed there) or should it be seperate? i.e. a seperate department?
CHRISTOPHER WHITWAM said:
I think the first point I should make is using the word risk will not help you in your objectives, the problems you have highlighted are common. People hear Risk Management and assume the risk team or the quality team is doing this "thsts not my responsibility" syndrome. Using the Governance word often removes these barriers, and the problems you have listed are Governance issues, with Risk Management being the primary discipline within the Governance framework. The key is creating the correct Governance framework and having multiple stream risk reporting because risk is not a single discipline and is a deliverable from a wider set of responsibility and accountability COBIT v5 (expected end of 2011) is to cover the risk integration more than ever before.
You mention process I refer to ITIL v3 all processes have a policy and must have an assigned Process Owner and Manager who ensure the process is measured, audited and improved and integrates with dependent processes, part of this is to feed in identified risks to the service risk register, likewise all services should have named service owners who hold service risk responsibility.
Another part of the jigsaw is in relation to information security that covers both the process and technology parts, this is usually better managed, however the security team do have more guidance available i.e ISO27002 (Security Control Measures) and ISO27005 (Information security risk management)
Project management again has its own risk management requirements Prince 2 details this well. Business Continuity provides the Business Impact analysis and Risk Assessment for the business and associated business processes.
As you can see Risk is a jigsaw with many pieces and needs to become an every day task probably without the staff even knowing that they are doing risk management. Your challange is to ensure all the pieces of the jigsaw have a central place of collection so a risk practitioner can make the picture.
Thank you. I agree with you regarding the reputational risk and would definately consider attending your master class in April.. Would you kindly forward me the details : firstname.lastname@example.org
Thank you for your input.
Deon Binneman said:
Thank you, I had a quick look at the presentation and can certainly find value and use some of the information. I definately do not want to re-invent the wheel on RCAs. I will definately make contact with you once I have read it in detail. Much appreciated.
Martin Davies said:
Perhaps I can share some additional thinking. 2 Years ago I worked with the Risk Committee of South Africa's largest telecommunications firm prior to their listing to draw up a Reputation Risk Management framework and embed it into their processes.
This was a 4 - month project and I used the following methodology:
What I have seen in a number of organisations is that often the existing model of Residual Risk (Impact) likelihood after controls seems to be more financial focused rather than stakeholder reputation impact focused.
This raises the risk profile of an organisation substantially as Stakeholder Reputation Risk has been defined as the most dangerous & volatile risk an organisation can face (Reputation Risk can be defined in 4 different ways - each with its own strategies for mitigation).
By examining and extrapolating and viewing issues and incidents through the lenses of a stakeholder, opportunities, shortcomings and mitigation approaches will be revealed.
Even though this is closely aligned to the ethical training normally provided by the Compliance department, this type of thinking and approach goes much further. There is thus a need to educate management to factor stakeholder management and reputation management thinking into decisionmaking processes.
My take is that if up to 73% of a company's share price is derived from its reputation (The sum of all the intangibles) then adequate provision needs to be made for reputation risk identification.
I hope this does not add to your woes, but raises important considerations.
Check my blog - http://www.deonbinneman.wordpress.com for more information. You may also want to consider attending my next Reputation Risk Management Master Class in April in Johannesburg.
Thank you for going through your experience and the difficulties that you have experienced in running a Risk Control Assessment program.
Over the years I have worked with several institutions to build such frameworks with the end goal being, to class controls and measure their effectiveness transparently across the organisation.
I have taken to share a presentation with you on such a program at this address http://causalcapital.blogspot.com/2011/03/best-practice-rcsa-framew.... Do have a look at the blog which highlights some of the difficulties I have personally experienced deploying RCSA in banks and please feel free to download the presentation.
Any questions do feel free to come back to me.
I agree. Very important to have the right people in the right space. Thanks for your valued input.
Bryan Whitefield said:
Absolutely!.. Training and development is very important. We have put together a guideline, i.e. methodology document together and while doing that realised how important it is to have documented and approved process and procedure documents for each BU in place, so before we can continue to do the dummy guide to completing RCAs, we need to get the necessary alignment and agreement with risk owners and business.
Bill Savage said: