Risk Management Insights


Enterprise Risk Management, Risk and Control Self Assessment, Risk Assessment, Risk Management Framework

Inherent Risk: Friend or Foe?

What does Inherent Risk mean?

There are few universally agreed definitions in risk, but Inherent Risk is commonly defined as "the risk without considering internal controls" or, alternatively, "a raw risk that has no mitigation factors or treatments applied to it". Residual Risk, on the other hand, is commonly defined as "the level of risk remaining after the relevant controls have been applied".


Risk Management, Risk and Control Self Assessment, Risk Maturity, Risk Controls

Expected and Targeted Risks

Are they useful?

Residual risk, the risk after considering existing controls, is universally accepted as important to assess in the risk assessment process.

In a previous blog article, we questioned whether inherent risk was useful. We concluded that, on balance, it can be a useful concept to recognise and assess. Inherent risk assists in assessing the importance of controls and in understanding stress test scenarios.

This blog takes the next step and explores whether “Expected” and “Targeted” risk are useful.


Compliance Management, Risk and Control Self Assessment, Operational Risk

Operational Risk Management 4 – Compliance Management and Compliance Risk Management

This is the fourth article in the series “Learning from yourself as an expert already”. The first blog addressed Key Risk Indicators (KRIs) and the next two addressed the Risk and Control Self Assessment (RCSA) process. This blog addresses Compliance Management and Compliance Risk Management.

The extent of personal compliance management depends heavily on the country in which you reside. Some countries have few rules and nature seems to take care of itself. Other countries have many laws and regulations over personal behaviour, from strictly enforced speed limits to drinking laws. As an Australian, I am more used to the latter; Australia, and New South Wales in particular, is now often referred to as the “Nanny State”! Regulatory compliance requirements are everywhere!

The starting point for compliance in your personal life is, therefore, to understand the laws and regulations that apply to you. These are often written in a way that is not easily understood, and we have to interpret them into plain English to work out what they really mean for us. Ignorance of the law, as we know, is no defence.


Enterprise Risk Management, Risk and Control Self Assessment, Operational Risk

Operational Risk Management 3 – Risk and Controls Self Assessment applied in a Business Context

Operational Risk Management

This is the third blog in this Operational Risk Management series. In the first article, I explained the incredible KRI system we all have via our five senses. In the second blog, I discussed the application of the Risk and Control Self Assessment (RCSA) in our personal lives using the example of the annual medical check-up. The seven key steps of the RCSA process were set out as part of that example.

In this blog, we will see how the RCSA works in a business context by applying it to a business process. I will use the process of managing employee expense claims, including their payment, processing and recording, a process we can all appreciate from one perspective or another. This example is deliberately at a granular level to illustrate the principles. The same concepts should be applied at any level of the organisation, using the appropriate level of granularity, so that the volume of information is similar for any risk assessment carried out.


Enterprise Risk Management, Risk and Control Self Assessment, Operational Risk

7 Steps of the Risk and Control Self Assessment (RCSA) Process in Your Personal Life

This post is part of our series Operational Risk Management – Learning from yourself as an expert already!

My last blog highlighted the extensive use of KRIs (Key Risk Indicators) in our personal lives and the incredible KRI system we all have via our five senses. This blog focusses on the Risk and Control Self Assessment process. Again, the expertise we have in our personal lives provides excellent guidance on how a good RCSA should be carried out in our businesses, and on the value the RCSA process adds when done well.

In our personal lives, risk assessments are sometimes performed formally, such as for your motor vehicle’s annual service. Other times, however, they are performed informally, from checking the risks and controls relating to your swimming pool to assessing the risks of your house when your first child is born.


Enterprise Risk Management, Risk Management, Risk and Control Self Assessment, Risk Controls

Need Help Defining a Risk Control?

6 Key Questions to Define Risk Control.

In last week's blog, I discussed the basic but often confused issue of describing operational risks in a logical and understandable way. This week, I turn to controls, which are often equally poorly defined and understood.

The ISO 31000 standard defines a control as a “measure that is modifying risk”. While not incorrect, this definition is broad, and I am not sure it is overly meaningful or engaging for the employee at the coal face.


Inherent & Residual Risk, Risk and Control Self Assessment, Risk Assessment

Can Residual Risk Be Higher Than Inherent Risk?

For those who adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner:

Inherent risk less the effect of controls equals residual risk.

This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position.


Risk and Control Self Assessment

Risk and Control Self Assessment - Average or Worst Case?

Risk and Control Self Assessment (RCSA) has become a cornerstone of current Enterprise Risk Management, yet the quality of assessments differs greatly between practitioners. A risk assessment process commonly involves identifying the risks and related controls within a business area and determining the level of each risk, using an assessment of the risk’s likelihood and consequence and the effectiveness of controls. Most approaches to risk self assessment involve identifying just one level of consequence and one level of likelihood. However, for any given risk type there will nearly always be a range of consequence levels, each with a different likelihood of occurrence.