This is part 3 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about the eight key steps of the Risk and Control Self Assessment process aligned with the ISO 31000 Risk Management Standards.
Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. We at Protecht believe that there are six key building blocks required to support a strong integrated enterprise risk management framework.
- Number one, risk taxonomy. A good risk classification, risk libraries to which all of your information can be connected.
- Number two is the risk assessment process, which is what we're going to be covering today.
- For completeness, number three controls assurance, testing of our key controls.
- Number four, our key risk indicators to give us more up-to-date risk information.
- Number five, incident management: how we manage, deal with, and learn from incidents.
- And finally, issues and actions, identifying weaknesses and fixing them.
So today, we're going to be looking at the risk assessment process, otherwise known as the risk control self-assessment. Now the objective of this process is to identify, analyze and understand our key business risks, and their related controls and evaluate those against our risk appetite and the desired risk levels and to see if we need to make any improvements.
Now there are many approaches to risk assessment. We will outline Protecht's preferred approach. This is made up of eight key steps which really are aligned to the ISO 31000 Risk Management Standards. Now the process begins from the principle of risk as defined in ISO 31000, which is "risk is the effect of uncertainty on objectives".
Risk and Control Self Assessment Steps
- Identify business objectives
- Identify operating model
- Identify the risk
- Assess the risk (using likelihood and impact)
- Evaluate against the appetite
- Identify issues and actions
- Monitor and review
- Incident Management
So step number one is identification of the business's objectives. Step number two is to identify the operating model, the key processes that need to be working to be able to deliver against those objectives. Only now can we go to step three, identify the risks that could cause the operating model to fail or not deliver the expected outcome.
Once we've identified the risks, we then need to assess the risks, typically using likelihood and impact. Once we've assessed and analyzed the size of the risk, we need to evaluate it against our risk appetite (risk evaluation) and determine whether we need to make any improvements if it is outside of appetite.
If we do need to make improvements, this allows us to identify any issues, control weaknesses, and control gaps, and from there we can identify the actions required to remediate those. This then moves us on to this process being repeated on a periodic basis: ongoing monitoring and review. And finally, the importance of recording and reporting the risk assessment. This is often done on a traffic light report using reds, ambers and greens.
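To make the assess, evaluate, identify-actions and report steps concrete, here is a small worked example. It is added for this write-up and is not Protecht's code or tooling. The video states no scoring scale, so the 5x5 likelihood-by-impact scale, the multiplicative rating, the per-risk appetite threshold and the amber margin are all assumptions made for the example; the risk entries themselves are constructed sample data.

```python
from dataclasses import dataclass

# Assumed scale (not stated in the video): likelihood and impact each 1..5,
# rating = likelihood * impact, so ratings run from 1 to 25.
SCALE_MAX = 5
# Assumed: a risk within appetite but within this many points of it is amber.
AMBER_MARGIN = 2


@dataclass
class Risk:
    name: str
    objective: str   # step 1: the business objective this risk threatens
    process: str     # step 2: the operating-model process that could fail
    likelihood: int  # step 4: 1 (rare) .. 5 (almost certain), assumed scale
    impact: int      # step 4: 1 (insignificant) .. 5 (severe), assumed scale
    appetite: int    # step 5: maximum acceptable rating, set by the business


def rating(risk):
    """Step 4: size the risk as likelihood x impact on the assumed 5x5 scale."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{risk.name}: {label} must be 1..{SCALE_MAX}, got {value}")
    return risk.likelihood * risk.impact


def status(risk):
    """Step 5: evaluate the rating against appetite and return a traffic-light colour.

    red   = outside appetite (improvement required)
    amber = within appetite but within AMBER_MARGIN of the boundary (watch closely)
    green = comfortably within appetite
    """
    r = rating(risk)
    if r > risk.appetite:
        return "red"
    if risk.appetite - r <= AMBER_MARGIN:
        return "amber"
    return "green"


def assess(risk):
    """Steps 4-6 for one risk: rating, evaluation and whether an action is needed."""
    colour = status(risk)
    return {
        "name": risk.name,
        "objective": risk.objective,
        "process": risk.process,
        "rating": rating(risk),
        "appetite": risk.appetite,
        "status": colour,
        "action_required": colour == "red",
    }


def report(risks):
    """Step 8: the traffic-light register, worst-rated risks first."""
    return sorted((assess(r) for r in risks), key=lambda row: row["rating"], reverse=True)


def issues(risks):
    """Step 6: names of the risks that are outside appetite and need remediation."""
    return [row["name"] for row in report(risks) if row["action_required"]]


# Constructed sample register for a fictional payments business (not real data).
SAMPLE_RISKS = [
    Risk("Payment system outage", "Settle customer payments same day",
         "Payment processing", likelihood=4, impact=5, appetite=12),
    Risk("Reconciliation error", "Accurate daily ledger",
         "End-of-day reconciliation", likelihood=3, impact=4, appetite=12),
    Risk("Staff absence", "Service desk staffed in business hours",
         "Customer support", likelihood=2, impact=3, appetite=12),
]

if __name__ == "__main__":
    for row in report(SAMPLE_RISKS):
        print(f"{row['status']:5}  {row['rating']:2}/{row['appetite']:2}  {row['name']}")
    print("Actions required for:", issues(SAMPLE_RISKS))
```

Running the script prints the register in traffic-light order and lists the risks that feed the issues-and-actions step; step 7 (monitor and review) is simply re-running `report` on the updated register at the next assessment cycle, which is why the functions take the register as input rather than holding state.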
They're the basic building blocks of the risk assessment process.
So please check out our other videos and blogs in helping you build a strong enterprise risk management process. So hopefully, we'll see you later and until next time, take care.
Do you use Inherent Risk in your risk assessment process? Learn professional hacks for dealing with the common issues around this level of risk and more at our live webinar.
Other videos in this series:
- Part 1 - Solving the Problem by Integrating the Building Blocks of Risk Management
- Part 2 - Solving the Problem with Risk Taxonomies
- Part 4 - Are you intimate with your controls? (coming soon)