RCA Remediation

We are currently reviewing our company's RCA process. The aim is to improve the quality of the Risk and Control Assessments (RCAs); however, without an understanding of what has historically been experienced on the ground, practical approaches to resolving the issues could not be made. As such, a review of the current RCA generation processes was performed throughout the whole of our company.  The assessment resulted in a number of issues being identified, which include people, process and technology concerns as summarised in the following themes:

  • Lack of formally approved policies, together with supporting procedures and processes;
  • Processes as documented are outdated and not representative of actions taken on the ground;
  • Lack of integration and standardisation between related processes;
  • Process level and/or strategic risks not identified;
  • Resource shortages impacting process execution;
  • Inaccurate or obsolete supporting toolsets; and
  • Inadequately designed or missing controls.

The RCA process has been reassessed with the intention of realising a number of key benefits and improvements, the ultimate aim of which is to assist the company in its objective of becoming the best risk managed environment. The key benefits as envisioned are:

  • “Keeping to our commitments” - pro-active “hands-on” risk management;
  • “Being in control” - informed risk and control assessments based on continuous monitoring of control execution;
  • Standardised control assessments; and
  • Improved audit readiness.

The RCA Reassessment led us to find that the RCA quality is a current burning platform; our approach towards RCA creation requires improvement; and our CSA approach has been decided.

 

Has anyone gone through this process of improving their Risk Control Assessments and could you perhaps give me some guidance?  I would appreciate your inputs.

 


Replies

  • There is an important lesson in the above post.

    Who do you include or exclude in such a process?

    I have run vulnerability clients for organizations when drawing up crisis plans, and the selection is vital. Never forget to do proper stakeholder profiling internally - Who is a subject matter expert? Who has the real information or knowledge? Who advises who?

    Example - in Government. Who is the most powerful? A Cabinet minister? Or his or her advisers? Who is in the background?

    Part of this process should include some form of communication audit. How do messages and information flow? Risk emerges when messages do not reach their destinations.
  • Well... RCSA process involves people from all the units and makes them understand the importance of risk and control. The basic idea is not just to make people assess the risk factors, but to ensure that over a period of time, the said risk will be minimised. This means there needs to be a proper tracking system.

    The major factor where the effectiveness of RCSA is realised is taking action on the deviation realised in assessments. Also, effectiveness will be the introduction of new processes based on the results of the RCSA process; otherwise the whole exercise is futile and just an eyewash. The involvement of depts like process, audit, compliance, sales and ops will play a major role, as these have to sit and decide on the identification of risks and controls on a periodic basis.

    Net net, the process can be effective if there is:

    - Existence of a plan for roll-out of RCSA

    - Review of the RCSA results

    - Reduction of risks/controls based on past results

    - Involvement of staff from micro level to macro level

  • Dear  Chris,

    Agree.  We have heard exactly that! "that's not my responsibility".  We do use the term governance or methodology in preference to risk management but thank you for your contribution and surely will be considered in our approach.

     

    Would you say that the risk function should lie within business (managed there) or should it be separate? i.e. a separate department?

     

     



    CHRISTOPHER WHITWAM said:

    Dear Elmari

     

    I think the first point I should make is using the word risk will not help you in your objectives; the problems you have highlighted are common. People hear Risk Management and assume the risk team or the quality team is doing this: the "that's not my responsibility" syndrome. Using the Governance word often removes these barriers, and the problems you have listed are Governance issues, with Risk Management being the primary discipline within the Governance framework. The key is creating the correct Governance framework and having multiple stream risk reporting, because risk is not a single discipline and is a deliverable from a wider set of responsibility and accountability. COBIT v5 (expected end of 2011) is to cover the risk integration more than ever before.

    You mention process; I refer to ITIL v3: all processes have a policy and must have an assigned Process Owner and Manager who ensure the process is measured, audited and improved and integrates with dependent processes. Part of this is to feed in identified risks to the service risk register; likewise all services should have named service owners who hold service risk responsibility.

    Another part of the jigsaw is in relation to information security, which covers both the process and technology parts. This is usually better managed; however, the security team do have more guidance available, i.e. ISO27002 (Security Control Measures) and ISO27005 (Information security risk management).

    Project management again has its own risk management requirements; Prince 2 details this well. Business Continuity provides the Business Impact analysis and Risk Assessment for the business and associated business processes.

    As you can see, Risk is a jigsaw with many pieces and needs to become an everyday task, probably without the staff even knowing that they are doing risk management. Your challenge is to ensure all the pieces of the jigsaw have a central place of collection so a risk practitioner can make the picture.

     

    Chris Whitwam


  • Hi Deon,

     

    Thank you. I agree with you regarding the reputational risk and would definitely consider attending your master class in April. Would you kindly forward me the details: elmarib@absa.co.za
    Thank you for your input.

     


    Deon Binneman said:

    Hi Elmari,

     

    Perhaps I can share some additional thinking. 2 years ago I worked with the Risk Committee of South Africa's largest telecommunications firm prior to their listing to draw up a Reputation Risk Management framework and embed it into their processes.

    This was a 4-month project and I used the following methodology:

    1. Selected interviews were conducted with key members of staff to determine understanding, perspectives and views of reputation risk. (CEO, Communication & PR, Marketing, Compliance, HSE and Risk Department Heads)
    2. A proprietary questionnaire to gauge potential reputation risk was completed by each person.
    3. An analysis of current methods on managing and mitigating the risk in the organisation was determined.
    4. A literature search on how reputation risk is managed and mitigated by other organisations was conducted. This included benchmarking studies where appropriate.
    5. A Comparison study on Best Practice approaches on managing and mitigating Reputation Risk was conducted.

    What I have seen in a number of organisations is that often the existing model of Residual Risk (Impact) likelihood after controls seems to be more financial focused rather than stakeholder reputation impact focused.

    This raises the risk profile of an organisation substantially as Stakeholder Reputation Risk has been defined as the most dangerous & volatile risk an organisation can face (Reputation Risk can be defined in 4 different ways - each with its own strategies for mitigation).


    By examining and extrapolating and viewing issues and incidents through the lenses of a stakeholder, opportunities, shortcomings and mitigation approaches will be revealed.

    Even though this is closely aligned to the ethical training normally provided by the Compliance department, this type of thinking and approach goes much further. There is thus a need to educate management to factor stakeholder management and reputation management thinking into decision-making processes.

     

    My take is that if up to 73% of a company's share price is derived from its reputation (The sum of all the intangibles) then adequate provision needs to be made for reputation risk identification.

     

    I hope this does not add to your woes, but raises important considerations.

     

    Check my blog - http://www.deonbinneman.wordpress.com for more information. You may also want to consider attending my next Reputation Risk Management Master Class in April in Johannesburg.

     

    Regards,

     

     

     

  • Dear Martin,

     

    Thank you, I had a quick look at the presentation and can certainly find value and use some of the information. I definitely do not want to re-invent the wheel on RCAs. I will definitely make contact with you once I have read it in detail. Much appreciated.



    Martin Davies said:

    Elmari,

     

    Thank you for going through your experience and the difficulties that you have experienced in running a Risk Control Assessment program.

     

    Over the years I have worked with several institutions to build such frameworks with the end goal being, to class controls and measure their effectiveness transparently across the organisation.

     

    I have taken to share a presentation with you on such a program at this address http://causalcapital.blogspot.com/2011/03/best-practice-rcsa-framew.... Do have a look at the blog which highlights some of the difficulties I have personally experienced deploying RCSA in banks and please feel free to download the presentation.

     

    Any questions do feel free to come back to me.


  • Dear Bryan,

    I agree. Very important to have the right people in the right space.  Thanks for your valued input.


    Bryan Whitefield said:

    All good replies.  In addition I believe one of the keys is matching employees to your risk appetite.  Sometimes we need aggressive risk takers and sometimes we need a much more cautious approach depending on what is at stake and where we are in a product/services life cycle.  This will vary across the business and hence we need to vary our teams to suit.  There is no doubt that risk takers are not keen on detailed controls and detailed controls are not good for business units that you want to move swiftly and take significant but well thought out risk.  If you get the mix wrong you have much more chance of underperformance in all the areas you identified in your review.  Get it right and your staff find the way and the time to make it happen.

  • Dear Bill,

    Absolutely! Training and development is very important. We have put together a guideline, i.e. a methodology document, and while doing that realised how important it is to have documented and approved process and procedure documents for each BU in place, so before we can continue to do the dummy guide to completing RCAs, we need to get the necessary alignment and agreement with risk owners and business.

    Bill Savage said:

    I am working with a financial services client to build out their RCSA program. We are considering including training and employee development as a risk area that will be evaluated as this can be a contributing factor to many other risks (e.g. process execution). Another option that is under consideration is the creation of a "guideline" that would drive some level of standardization around mitigation plans. This would help improve the communication between the risk owners and the other stakeholders of the RCSA process.