Risk Management Insights


Risk and Control Self Assessment, Risk Assessment, Risk Management Framework

The Risk and Control Self Assessment Process in an Integrated Risk Management Framework

This is part 3 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam walks through the eight key steps of the Risk and Control Self Assessment process, aligned with the ISO 31000 Risk Management Standard.


Risk and Control Self Assessment, Risk Assessment, Risk Management Framework

Difficulties in Engaging Staff in Risk Management: Using a Personal Example to Explain the Risk Assessment Process

This is part 3 of our video series on "Difficulties in Engaging Staff in Risk Management". This video covers how you can use a personal experience, such as going for an annual health check-up, to engage your staff and explain the Risk and Control Self Assessment process.


Enterprise Risk Management, Risk and Control Self Assessment, Risk Assessment, Risk Management Framework

Inherent Risk: Friend or Foe?

What does Inherent Risk mean?

Few terms in risk management have a single agreed definition, but Inherent Risk is commonly defined as "the risk without considering internal controls" or, alternatively, "a raw risk that has no mitigation factors or treatments applied to it". Residual Risk, on the other hand, is commonly defined as "the level of risk remaining after the relevant controls have been applied".


Enterprise Risk Management, Inherent & Residual Risk, Risk and Control Self Assessment, Risk Controls, Risk Assessment

Inherent Risk – Is it useful?

The ISO 31000:2009 standard does not refer to “inherent” risk. Is this a deliberate omission and if so, what is the reason? This leads to the question as to whether inherent risk is a useful concept in risk management and risk assessment.

The main areas of contention are:

What does Inherent Risk mean?

Few terms in risk management have a single agreed definition, but “Inherent risk” is commonly defined as “the risk without considering internal controls” or, alternatively, “a raw risk that has no mitigation factors or treatments applied to it”. Residual Risk, on the other hand, is commonly defined as “the level of risk remaining after controls have been applied”.


Inherent & Residual Risk, Risk Assessment

The Scoring of Residual Risk

We previously discussed the pros and cons of identifying and assessing the level of inherent risk. This article assumes that inherent risk is used and that the effectiveness of controls is separately assessed in order to arrive at a residual risk assessment.

The first issue to consider is how the level of residual risk is arrived at, given the inherent risk score and the assessed level of control effectiveness. One approach is to apply subjective judgement, without imposing any mathematical relationship between the inherent risk score and the control effectiveness rating. A second is to derive the residual risk score mathematically from those two inputs.


Enterprise Risk Management, Risk and Control Self Assessment, Operational Risk, Risk Assessment

Operational Risk Management 3 – Risk and Controls Self Assessment applied in a Business Context

This is the third blog in our Operational Risk Management series.

In the first article, I explained the incredible Key Risk Indicator (KRI) system we all have via our five senses. In the second blog, I discussed the application of the Risk and Control Self Assessment (RCSA) in our personal lives, using the example of the annual medical check-up. The seven key steps of the RCSA process were set out as part of this example.

In this blog, we will see how the RCSA works in a business context by applying it to a business process. I will use the process of managing employee expense claims, covering their processing, payment and recording, a process we can all appreciate from one perspective or another.


Inherent & Residual Risk, Risk and Control Self Assessment, Risk Assessment

Can Residual Risk Be Higher Than Inherent Risk?

For those who adopt inherent risk in their risk assessment process, there is general recognition that inherent and residual risk are connected in the following manner:

Inherent risk less the effect of controls equals residual risk.

This implies that residual risk will always be less than or equal to inherent risk. However, any general rule is there to be challenged. Can residual risk be higher than inherent risk? To assess this, we need to understand the way in which controls modify risk, leading to a residual risk position. 


Risk and Control Self Assessment, Risk Assessment

Risk and Control Self Assessment - Average or Worst Case?

Risk and Control Self Assessment (RCSA) has become a cornerstone of current Enterprise Risk Management, yet the quality of assessments differs greatly between practitioners.
