The Importance of Risk and Control Assessments (R&CAs) in Managing and Controlling Operational Risks to Your Organization

All businesses engage in projects that allow them to meet their strategic objectives (e.g. improving profitability). To meet these goals, organizations rely on their business processes to ensure that projects are completed according to regulatory and industry standards. Because business processes are what enable an organization to be profitable, it is essential that organizations develop adequate business processes with effective internal controls to protect themselves from risks that undermine their strategic objectives.
To determine whether the internal controls for managing and controlling risk are effective, an organization's operational risk management (ORM) framework should encourage all business units, lines and departments to perform Risk and Control Assessments (R&CAs) on their internal business processes. To complete an R&CA, companies should follow the steps below.
  • Document all business processes in the form of standard operating procedures (SOPs) or business requirements for all business units, lines or departments. To document business processes, organizations should use a standard template that clearly identifies the following information:
-The tasks involved in the process
-The responsible parties and their job titles
-Any service level agreements (SLAs) for each task
-Any alternative task in the event that the original task cannot be completed
  • Determine and calculate the inherent risk associated with all outsourced business processes. The inherent risk represents the risk intrinsic to performing a specific business process internally. Refer to the Sample Risk Identification Tool Questionnaire as a means of determining the inherent risk.
  • Perform a risk assessment on the internal business process to determine whether adequate controls are in place to protect the organization from operational risks. Operational risk is the probability or likelihood of loss due to internal systems, processes, procedures or external events. The R&CA assesses the level of controls in place to protect the firm from specific operational risks such as Information Security, Business Continuity, Disaster Recovery, Regulatory/Compliance and Third-Party risks. In third-party risk management (TPRM), a risk assessment of a third party such as a vendor or a supplier evaluates that outside party's internal controls for managing operational risk in an outsourced process or function. An R&CA, by contrast, is a risk assessment of an in-sourced process that is performed internally within the organization. The R&CA should consider whether the organization's internal controls adhere to corporate and industry standards from the following perspectives:
-Information Security Risk: The probability or likelihood of loss as a result of the organization lacking adequate internal controls to prevent the unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. An information security risk assessment should be completed on the internal business process to ensure that it is in alignment with corporate standards for information security.
-Business Continuity Risk: The probability or likelihood of loss due to the organization lacking adequate internal controls to ensure that it can continue to operate if a business disruption occurs. A business continuity risk assessment should be completed on the internal business process to ensure that it is in alignment with corporate standards for business continuity.
-Disaster Recovery Risk: The probability or likelihood of loss due to the organization lacking the controls to ensure that vital technological systems, infrastructure and information are recoverable after a natural and/or man-made disaster. A disaster recovery risk assessment should be completed on the internal business process to ensure that it is in alignment with corporate standards for disaster recovery.
-Regulatory/Compliance Risk: The probability or likelihood of loss due to the organization providing services or products that do not adhere to regulations, laws or industry standards. A regulatory/compliance risk assessment should be completed on the internal business process to ensure that it is in alignment with applicable laws and regulations. If the process is outsourced, the contract should be checked to ensure that its language is adequate.
-Third-Party Risk: The probability or likelihood of loss due to the use of third parties that provide products or services to the organization. Third parties normally include vendors, suppliers, broker-dealers or any outside party/entity that provides products or services to the organization. The R&CA should check that the third parties supporting the outsourced business process underwent a third-party risk assessment covering information security, business continuity, disaster recovery, regulatory/compliance and financial risk.

Based on the results of the R&CA, the business units, lines and departments should implement adequate internal controls to manage the risks identified during the R&CA process. Adequate controls should adhere to corporate and industry standards in the following areas: Information Security, Business Continuity, Disaster Recovery, Regulatory/Compliance and Third-Party risks. Organizations should use ISO 27001, ISO 27002, ISO 31000, PCI Compliance, NIST Standards (800-14, 800-37, 800-52) and the COSO Framework as guides when creating controls. All risks should be classified according to a risk-tiering system and recorded in a Governance, Risk and Controls (GRC) tool. All risks should be remediated within one year of being identified.
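To make the closing steps of the procedure concrete, here is an added example (not part of the article or of any GRC product) of a minimal risk-register record: it scores each finding against the five perspectives above, credits the assessed control, assigns a tier, and flags open findings past the one-year remediation deadline. The 1..5 likelihood and impact scales, the 0..1 control-effectiveness factor, the tier thresholds and the sample findings are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The five risk perspectives the article says an R&CA must cover.
PERSPECTIVES = ("information_security", "business_continuity", "disaster_recovery",
                "regulatory_compliance", "third_party")
TIERS = ((12.0, "Tier 1"), (6.0, "Tier 2"), (0.0, "Tier 3"))  # assumed thresholds
REMEDIATION_WINDOW = timedelta(days=365)  # article: remediate within one year

@dataclass
class Finding:
    process: str
    perspective: str
    likelihood: int               # assumed 1..5 scale
    impact: int                   # assumed 1..5 scale
    control_effectiveness: float  # assumed 0.0 (no control) .. 1.0 (fully effective)
    identified_on: date
    remediated_on: Optional[date] = None

    def __post_init__(self):
        if self.perspective not in PERSPECTIVES:
            raise ValueError(f"unknown perspective: {self.perspective}")

    def inherent_score(self) -> int:      # risk before controls are credited
        return self.likelihood * self.impact

    def residual_score(self) -> float:    # risk remaining after assessed controls
        return self.inherent_score() * (1.0 - self.control_effectiveness)

    def tier(self) -> str:
        return next(name for floor, name in TIERS if self.residual_score() >= floor)

    def remediation_due(self) -> date:
        return self.identified_on + REMEDIATION_WINDOW

    def is_overdue(self, today: date) -> bool:
        return self.remediated_on is None and today > self.remediation_due()

def overdue_findings(register: List[Finding], today: date) -> List[str]:
    # Processes whose open findings have passed the one-year deadline.
    return [f.process for f in register if f.is_overdue(today)]

# Constructed sample register (illustrative values, not real assessment data).
SAMPLE_REGISTER = [
    Finding("vendor onboarding", "third_party", 4, 5, 0.2, date(2023, 3, 1)),
    Finding("payroll", "information_security", 3, 3, 0.5, date(2024, 1, 15)),
    Finding("trade settlement", "business_continuity", 2, 5, 0.3,
            date(2023, 1, 10), remediated_on=date(2023, 9, 1)),
]
```

Calling overdue_findings(SAMPLE_REGISTER, today) on a review date is the kind of check a GRC tool would run to enforce the one-year remediation rule.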

Overall, an R&CA should allow organizations to determine whether their corporate infrastructure protects them from potentially negative risks. As part of the ORM framework within Enterprise Risk Management (ERM), an effective R&CA program should ensure that risks are identified, assessed, analyzed, mitigated and monitored. Doing so demonstrates that the organization's ORM program meets industry and regulatory standards.

Catherine Tibaaga
About:
I am a Risk Management professional who has over seven years of experience working for global firms such as Jones Lang LaSalle, E*TRADE Financial, JPMorgan Chase & Co. and Freddie Mac. I have worked in a variety of roles in third-party risk management, procurement and accounting. To provide value to organizations, I conduct and lead risk assessment activities for corporations that seek to outsource their activities to third-party suppliers. 
 
I also help companies build their vendor, operational, and enterprise risk management programs. Using my expertise in building risk management programs, I work with organizations to ensure that their vendor risk management programs align and comply with regulations (i.e. OCC 2013-29, GLBA and Privacy laws) and industry standards (i.e. ISO 27000 family of standards, PCI and NIST standards).  
My core expertise includes:
-Risk Management: Third-Party Risk, Operational Risk, Enterprise Risk
-Risk Tools: Hiperos, MetricStream, Archer, Agiliance
-Regulations: OCC, GLBA and Privacy Laws, FRB, FDIC
-Industry Standards: ISO 31000, ISO 27001, ISO 27002, PCI Compliance, NIST Standards (800-14, 800-37, 800-52), COSO Framework.