The Risk Register is a tool for documenting operational risks and the actions taken to manage or control them. It is generally administered by the Chief Risk Officer (CRO); in small firms the responsibility is often delegated to one of the senior managers. It allows all of the potential risks to be observed in one place, so that they can be prioritised, assigned ownership, and appropriately responded to. An organisation needs mechanisms to capture and track its inherent risks, giving a clear picture of the inherent risk of the business and the potential consequences.
The CRO or delegated individual is required to report to the firm’s governing body the firm’s risk exposure relative to its risk appetite and tolerance, as well as providing oversight and validation of external risk reporting. To accomplish the complex task of oversight and management, whilst still maintaining independence and integrity, the Risk Register is used to fulfil management and reporting requirements.
When constructing a Risk Register, we at Objectivus Financial Consulting recommend categorising the operational risks according to the Basel Accords, which are the banking supervision recommendations on banking regulations. Within the second of these, known as the Basel II Accord, there are a series of 7 different operational risks, or event types, which are listed below with examples of each:
- Internal fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery;
- External fraud – theft of information, hacking damage, third-party theft and forgery;
- Employment practices and workplace safety – discrimination, workers compensation, employee health and safety;
- Clients, products, and business practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning;
- Damage to physical assets – natural disasters, terrorism, vandalism;
- Business disruption and systems failures – utility disruptions, software failures, hardware failures; and
- Execution, delivery, and process management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets.
This categorisation provides a framework for internal and external reporting to common industry standards expected by governing bodies and external regulators.
Typically, we find that a financial services business has between 25 and 35 Key Risks, which can be placed into those 7 high-level categories. By referring back to the Basel II Accord, we observe that the firm’s management can much more easily assess what the actual risks are inherent within the business.
Once this categorisation has taken place and there is general agreement within the senior management team that all Key Risks have been captured, it is then necessary to sub-divide these Key Risks into their Underlying Risks, usually 4-5 each. There are 3 reasons why we believe this further breakdown is important:
- It more easily allows individual ownership of individual risks. We are advocates of individual risk ownership: this means there is always a senior person ultimately responsible for every Key and Underlying Risk, even if that ownership is delegated to others by senior management. Ownership promotes a culture of responsibility, leading to good governance;
- Specific controls can then be allocated to the risks; and
- When there is the inevitable breakdown of a control, its implications are more readily understood. This means there will be more efficient remediation because the increase in risk is visible at a granular level.
Operational risk needs to be quantified so that the firm can apportion the appropriate control resources against each Underlying Risk. If a firm needs to have an Internal Capital Adequacy Assessment Process (ICAAP), then being able to have monetary risk values against each Key Risk is a requirement for a meaningful Pillar 2 calculation.
There is obviously an optimal number of calculations that need to take place to give that value. With too few, the change in the Pillar 2 number becomes concentrated on too small a number of large risks; with too many, the administrative task of the upkeep and monitoring of the Risk Register becomes far too onerous. Through experience gained with our clients over the years we recommend, as stated above, 25-35 Key Risks and approximately 130 Underlying Risks.
The Control Framework serves to manage and mitigate the Underlying Risks. Typically there will be as many Controls as Underlying Risks, where each Control will affect many Underlying Risks, and each Underlying Risk is affected by many Controls. This broad matrix can only be put in place through the gathering of good quality data, which is symptomatic of a good governance structure.
Good corporate governance starts at board level and is disseminated down throughout the business. The board of directors sets the Risk Appetite for the firm for the various different types of risk. This appetite, set against available capital, cash and other funding, is the basis of the monetary value of risk that the business is prepared to endure. The board will subsequently need to approve 2 data sets: a grading matrix for the severity of each possible event and a grading matrix for the probability of that event taking place. We recommend a scale of 1-5 for both: minor (1) to catastrophic (5) for severity, and rarely (1) to very frequent (5) for probability.
The severity matrix can then have actual financial ranges set against the scale, and the probability matrix can be compared to a timeline. In this way we can give each Underlying Risk an annual monetary figure, which can then be observed at a Key Risk level. Without the Control Framework in place, the board is able to see the Inherent Risk value of the firm: the sum of all the Key Risks without any control being in place, which is the maximum risk the firm is subject to. When the Control Framework is administered, each Underlying Risk will have its annual risk number reduced through a decreased probability of the event occurring and, if it were to occur, the impact would also be reduced through certain controls. This will then give a Residual Risk value, which can then be imported into the ICAAP Pillar 2 calculation.
When controls break down, the various Underlying Risk values will change; upon remediation of the control the values will then revert, or possibly decrease if that remediation also involves an improvement.
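The calculation described above can be sketched in code. This is an added example, not part of the original article or Objectivus's own method: the monetary values per severity grade, the event frequencies per probability grade, the risk and control names, and the model of a control as removing whole grade steps are all constructed assumptions.

```python
from fractions import Fraction

# Constructed board-approved matrices (assumptions, not figures from the article).
SEVERITY_LOSS = {1: 5_000, 2: 25_000, 3: 100_000, 4: 500_000, 5: 2_000_000}  # per event
EVENTS_PER_YEAR = {1: Fraction(1, 20), 2: Fraction(1, 5), 3: 1, 4: 4, 5: 12}  # timeline

# Underlying Risk -> (Key Risk category, inherent severity grade, inherent probability grade)
UNDERLYING = {
    "Phishing-led payment fraud": ("External fraud", 4, 3),
    "Theft of client data": ("External fraud", 5, 2),
    "Core system outage": ("Business disruption and systems failures", 3, 3),
}

# Control -> {Underlying Risk: (severity steps removed, probability steps removed)}
# Many-to-many: one control covers several risks, one risk has several controls.
CONTROLS = {
    "Dual authorisation of payments": {"Phishing-led payment fraud": (1, 1)},
    "Access reviews": {"Phishing-led payment fraud": (0, 1),
                       "Theft of client data": (0, 1)},
    "Encryption of client data": {"Theft of client data": (1, 0)},
    "Tested failover site": {"Core system outage": (1, 1)},
}

def risk_values(active_controls=()):
    """Annual monetary value per Key Risk with only the named controls operating."""
    totals = {}
    for name, (key_risk, sev, prob) in UNDERLYING.items():
        for control in active_controls:
            d_sev, d_prob = CONTROLS[control].get(name, (0, 0))
            sev, prob = max(1, sev - d_sev), max(1, prob - d_prob)  # grades floor at 1
        value = SEVERITY_LOSS[sev] * EVENTS_PER_YEAR[prob]
        totals[key_risk] = totals.get(key_risk, 0) + value
    return totals

def firm_total(active_controls=()):
    """Inherent Risk when no controls are passed, Residual Risk otherwise."""
    return sum(risk_values(active_controls).values())

if __name__ == "__main__":
    print("Inherent:", firm_total())
    print("Residual:", firm_total(CONTROLS))
    degraded = [c for c in CONTROLS if c != "Access reviews"]  # one control breaks down
    print("Residual with 'Access reviews' failed:", firm_total(degraded))
    print("By Key Risk:", risk_values(degraded))
```

Because the failed control maps to named Underlying Risks, the increase can be traced to the two affected risks and their owner rather than appearing only as a change in the firm-wide total.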
In the next information document we will advise on how the Control Framework can be set up and then following that how it is possible to systemise the whole process using appropriate technology.