1ST KUWAIT ENTERPRISE RISK MANAGEMENT CONFERENCE November 26-28, 2012
Prashant Nair Head of Operational Risk Kuwait International Bank

The views expressed in this presentation do not reflect the official views of Kuwait International Bank. These are my personal views and are based on the best practice approach as an operational risk practitioner.
Risk Assessment
How to identify risks for which RCSA may be deployed?
Why Risk Assessments / RCSA?
Types of RCSA?
Reporting RCSA Results
How to make the process effective?
Benefits for the business

The risk analysis activity assists the effective and efficient operation of the organisation by identifying those risks that require attention by Management.

This facilitates the ability to prioritise risk control actions.
“Trust is good, control is better” – Joe Stalin
Works fine in a centrally controlled society
“Trust, but verify” – Ronald Reagan
For managing situations beyond your direct control
All Risks
At an appropriate level of granularity
Risks defined in the language of the risk owner
Risks duly mapped to source and controls
Survey?
Risk owners' opinion or expert opinion?
An opportunity to communicate views on risks
Biggest benefit – culture building

Is data stored onsite safer than data stored offsite?

Are applications running on a local system safer than something coming from outside the system?
Common objections to moving to the Cloud:
We can do it better
Our environment is more secure
Our employees can be trusted
It costs more money over time to go to the Cloud
We will lose control or visibility of our resources
We will lose our jobs or career enhancement
Security is complex and cumbersome; very few organizations ever really achieve their goals due to budget restrictions, resource availability, etc. Most organizations lack the necessary security controls to achieve comprehensive 24x7 security for their entire environment. Employees are the single biggest source of insider threats, which represent 70-80% of all cyber attacks. Cloud Service Providers can invest more to achieve a higher level of security than any one organization.
Whatever works…
Multiple choice RCSA..
Probability and Impact scale based RCSA
Voting and aggregation (workshop scenario)
The business unit participants evaluate identified risk events and associated controls in terms of:
Inherent Risk – the risk of a particular event occurring due to the inherent nature of the activity, before considering the controls which prevent or limit its impact.
Control Effectiveness – the controls for each risk event are assessed using a five-point rating scale (Effective, Limited Improvement Needed, Significant Improvement Needed, Partially Ineffective, Ineffective).
Residual Risk – the remaining risk that is not eliminated after considering the control mechanisms or mitigating characteristics of the operating environment.
The Inherent Risk and Residual Risk of identified risk events are assessed and evaluated on two dimensions:
Probability – the probability of occurrence of the event (i.e. the frequency, or number of times it can occur in a year).
Impact – the intensity of the operational loss, measured in terms of monetary value.
Diagram: Inherent Risk (High Risk) → Effective Control → Residual Risk (Low Risk)
Natural – Earthquake
Man-Made – Disgruntled employee
Political – Political unrest
Technology / Infrastructure – Software bugs / cyber attacks
Accidental – Fire / water outage
Operational – Key man risk
People
Premises
Technology
Information
Supplies
Stakeholder
Impact Scale
Score | Rating | Impact
5 | Critical | Inability to achieve business objectives, e.g.: loss of significant business; massive reduction in company reputation with stakeholders; excessive costs dramatically impacting long-term profitability and viability; inability to attract new business; significant IT disruptions leading to significant delays in business operations
4 | High | Constrained ability to achieve business objectives, e.g.: significant but recoverable reduction in company credibility and/or reputation; significant reduction in service and business capability; incurring excessive costs; loss or misappropriation of significant assets; loss of a significant number of key personnel
3 | Moderate | Moderate impact on achievement of business objectives, e.g.: loss of high value customers or alliances; temporary loss of service or business; temporary but recoverable reduction in credibility/reputation; short-term increase in costs or loss of revenue
2 | Low | Limited impact on achievement of business objectives, e.g.: temporary delay in reaching objectives; short-term or limited reputation damage; limited impact on customer retention; limited increase in costs; minimal impact to revenue or earnings
1 | Minor | Relatively insignificant impact on the achievement of business objectives
Likelihood Scale
Score | Rating | Percentage | Frequency
5 | Expected | >80% | More than 3 times a quarter
4 | Highly Likely | ≤80% | Up to 3 times a quarter
3 | Likely | ≤60% | Up to 3 times every half year
2 | Not Likely | ≤30% | Up to 3 times a year
1 | Slight | <10% | Less than once a year
Control Effectiveness Scale
Risks that score within the RED ZONE are considered to have “a very high probability of occurrence / major financial impact” and require immediate action plans to close a significant control gap. Risks that score within the AMBER ZONE are considered to have “a high probability of occurrence / material impact” and require action plans to develop or enhance existing controls. Risks that score within the YELLOW ZONE are considered to have “a low probability of occurrence / medium impact” and do not require action plans, but if some are suggested by the participants or the ORM team, their feasibility has to be checked. Risks that score within the GREEN ZONE are considered to have “a very low probability of occurrence / low impact” or to be in control.
Heat map: Impact (Minor, Low, Moderate, High, Critical) against Probability (Remote, Not Likely, Likely, Highly Likely, Expected), coloured by the RED / AMBER / YELLOW / GREEN zones above.
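A scoring helper, added here as my own example (not a tool from the deck or from the bank), that implements the assessment described above: inherent and residual assessments on the 1-5 probability and impact scales, the five-point control rating, and the zone classification with the consistency checks a workshop facilitator would apply. The numeric thresholds for the RED / AMBER / YELLOW / GREEN zones are an assumption, since the deck shows the zones only as heat-map colours.

```python
# RCSA scoring helper: added example, not a tool from the deck or from the bank.
# Inherent and residual assessments use the 1-5 probability and impact scales
# above plus the five-point control rating. The zone thresholds are an ASSUMPTION:
# the deck shows RED/AMBER/YELLOW/GREEN only as colours on the heat map.
CONTROL_RATINGS = ("Effective", "Limited Improvement Needed",
                   "Significant Improvement Needed", "Partially Ineffective",
                   "Ineffective")
# Assumed bands on the probability x impact product (1..25), highest first.
ZONE_BANDS = ((15, "RED"), (10, "AMBER"), (5, "YELLOW"), (0, "GREEN"))


def likelihood_score(events_per_year: float) -> int:
    """Map the Likelihood Scale's frequency column to a 1-5 probability score."""
    if events_per_year > 12:   # more than 3 times a quarter -> Expected
        return 5
    if events_per_year > 6:    # up to 3 times a quarter -> Highly Likely
        return 4
    if events_per_year > 3:    # up to 3 times every half year -> Likely
        return 3
    if events_per_year >= 1:   # up to 3 times a year -> Not Likely
        return 2
    return 1                   # less than once a year -> Slight


def zone(probability: int, impact: int) -> str:
    """Heat-map zone for one (probability, impact) pair using the assumed bands."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("scores must be on the 1-5 scales")
    score = probability * impact
    return next(name for floor, name in ZONE_BANDS if score >= floor)


def assess(inherent: tuple, control: str, residual: tuple) -> dict:
    """Zones for one risk event plus the consistency checks a facilitator applies.

    inherent/residual are (probability, impact) pairs as assessed in the workshop.
    """
    if control not in CONTROL_RATINGS:
        raise ValueError(f"unknown control rating: {control}")
    flags = []
    if residual[0] > inherent[0] or residual[1] > inherent[1]:
        flags.append("residual exceeds inherent")  # controls cannot add risk
    if control == "Effective" and residual == inherent:
        flags.append("effective control but no risk reduction")
    residual_zone = zone(*residual)
    return {"inherent_zone": zone(*inherent), "residual_zone": residual_zone,
            # RED/AMBER residual requires an action plan per the zone definitions
            "needs_action_plan": residual_zone in ("RED", "AMBER"), "flags": flags}
```

The flags catch the two results that most often surface in workshops: a residual rating higher than the inherent one, and an "Effective" control that leaves the risk unchanged.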
Charts: Inherent Risk Assessment versus Residual Risk Assessment, showing the number of controls in each effectiveness rating (Effective, Limited Improvement Needed, Significant Improvement Needed, Partially Ineffective, Ineffective), and a per-risk comparison (Risk 1 to Risk 4) of inherent and residual scores.
A top down view for senior management
Heat map – several types available
Need to define reporting parameters, e.g. if based on a scale of 1-5, what is 1 and what is 5? If based on good to bad, what is good and what is bad?
Scope to drill down to the risk mapping.
Multiple slice and dice views, risk/product/etc.
Million dollar question…
Assess all new products and services before launch
Post launch – risk assessment
Consistency in assessment cycle and methodology
Regular discussion of assessment results with stakeholders
IT change management should have a risk assessment cycle before deployment
Regular reporting and commentary by Operational Risk on the assessments to top management
Benefits
Enhanced process efficiency
Proactive rectification of process flaws
Proof of a better control environment
Improved audit reports
A forum or medium to highlight a department's need to resolve a problem
Planning measures which the department believes are feasible to implement
For achieving the benefit, what the business needs to do:
Make risk assessments part of the business process / BAU
Highlight process weakness – this is not a punishable offence!
Suggest ways to strengthen the control environment which are practical and implementable by the business
Participate in the RCSA workshops
Ask questions, as it creates awareness!
Risk ownership – lies with the business
Risk management – everybody's job
It's good to take risks – if you manage them well
Thank You
Prashant Nair, PIOR, Head – Operational Risk, Kuwait International Bank
Phone :+965 97793880 Email : prashant.n.nair@gmail.com LinkedIn Profile : http://kw.linkedin.com/in/pnayar