
Assignment 2

Risk Assessment - Organization

Overview

Risk and control self-assessments (RCSAs) play a vital role in enterprise risk management (ERM) and operational risk management (ORM). They are a tool for the qualitative assessment of future risks and help quantify and prioritize the risks facing an organization. As you recall, there are four types of data in ORM:

1. Internal Operational Risk loss data

2. External (industry) Operational Risk loss data (provided by external sources such as ORX.org);

3. Scenario analysis; and

4. Business Environment and Internal Control Factors (BEICF) analysis

The RCSA develops the fourth category of data. It is the primary tool for assessing risk factors in the external business environment (industry, economy) and the quality of the organization's internal controls. RCSA results are also used to select Key Risk Indicators (KRIs) that warn of changes both in the external environment and in the various internal controls.

Details

Working individually, you are required to design a Risk and Control Self-Assessment (RCSA) framework and use that framework to identify and document risks and controls for a public organization.

PART 1. RCSA PROGRAM CONSTRUCTION

You have been hired into the Operational Risk department (2nd line of defense) and tasked with creating a Risk and Control Self-Assessment (RCSA) program for one of the following companies trading on NASDAQ or NYSE. Please choose one. Read the Organization's most recent 10-K report; the section of interest here is Management's Discussion and Analysis. You will need information from that reading to answer the questions below.

Question 1. Based on the description above, please highlight THREE risks for TBD (the Organization you chose):

1. Risk #1: __________________________________________

2. Risk #2: __________________________________________

3. Risk #3: __________________________________________

Question 2. Using the Bowtie diagram shown in Exhibit A below, for Risk #1 of the list above list THREE Threats (causes) and THREE Impacts (consequences) that the Organization may face as a result of the Risk Event. Write your answers in the empty boxes under Threats and Consequences. Use a separate sheet if necessary.

Question 3. For the Risk #1 selected for the Bowtie in Exhibit A below, list three existing controls for the risk.

Also propose at least two new mitigation actions, in case the existing controls listed are not effective and the risk is trending upwards.

1. Control #1: __________________________________________

2. Control #2: __________________________________________

3. Control #3: __________________________________________

4. Mitigation Action #1: __________________________________

5. Mitigation Action #2: __________________________________

Exhibit A - Bowtie Diagram (use as reference only). Read left to right: Threats (causes) on the left, each with its preventive Controls; the Hazard / Risk Event in the centre; Consequences (effects) on the right, each with its mitigating Controls.

PART 2: IDENTIFICATION OF RISKS AND CONTROLS

1)  For Risk #1 and Risk #2 identified above, document the potential operational risk using the following template (one template for each risk, for a total of 2 templates):

Template columns: Risk Name | Risk Local Description | Inherent Risk Rating | Controls | Residual Risk Rating | Action Plans and Rationale

Risk 1 Example:

Risk Name: Inaccurate Disbursement

Risk Local Description: An employee initiates wire transfers from client accounts to an external bank, due to a lack of segregation of duties and entitlement controls, causing financial loss.

Inherent Risk Rating: Once a month, 5M – 20M

Controls:

• Maker checker

• Call back for new accounts

• Accounts payable review before execution

Residual Risk Rating: Once a quarter, 500k – 5M

Action Plans and Rationale: Implement escalated approvals based on amount.

For each identified risk, fill in the template above using the guidance below, and elaborate more thoroughly in your write-up and diagrams:

a. Articulate (describe) the risk as "cause, potential event and impact" in the Risk Local Description column (also show the result separately as a bowtie similar to Exhibit A).

b. Assess the inherent risk and fill in the Inherent Risk Rating column using the Frequency and Severity scale in Exhibit B. You may estimate the Frequency and Severity for the organization you have chosen and then pick the corresponding colour.

c. Identify at least two types of controls that would mitigate the risk and state the control type (directive, preventive, corrective, detective). Controls should reflect processes the organization has already implemented to mitigate the risk; only if you cannot find any controls the organization has implemented, propose (make up) controls that you feel would best mitigate the underlying risk, and say that they are proposed.

d. Fill in the Residual Risk Rating field using Frequency and Severity. (You may estimate the Frequency and Severity based on the organization you have chosen and the strength of the controls you identified.)

e. Create at least one action plan that would mitigate the risk (an action plan is a description of how to create a NEW control or enhance an existing control).

2)  Provide an explanation (approximately one paragraph) of the values you selected for each field of the table. For example, what is the rationale for the residual risk rating (Frequency and Severity)? How effectively do the controls reduce (or fail to reduce) the inherent risk rating to the residual risk rating (Frequency and Severity)?

Exhibit B: Frequency x Severity scale. Create a similar scale based on the size of your organization. Rows are Frequency, columns are Severity; assign a colour (rating) to each cell.

Frequency \ Severity | <$500k | 500k - <5M | 5M - <20M | 20M - <35M | >=$35M
Once a month         |        |            |           |            |
Once a quarter       |        |            |           |            |
Once a year          |        |            |           |            |
Once in 5 years      |        |            |           |            |
Once in 10 years     |        |            |           |            |
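To make the inherent-to-residual comparison concrete, here is an added worked example (my own code, not part of the assignment or any course material) that encodes the Exhibit B buckets, scores a (Frequency, Severity) pair, estimates an annualised loss from the bucket midpoints, and checks that a residual rating does not move in the wrong direction relative to the inherent one. The 1..25 product score, the colour bands, and the 50M cap on the open-ended top severity bucket are assumptions of this example, since Exhibit B leaves the cell ratings for you to define.

```python
"""Rate an RCSA template entry on the Exhibit B frequency/severity scale."""
import math
from dataclasses import dataclass

# Frequency buckets from Exhibit B, expressed as expected events per year.
FREQUENCY = {
    "Once a month": 12.0,
    "Once a quarter": 4.0,
    "Once a year": 1.0,
    "Once in 5 years": 0.2,
    "Once in 10 years": 0.1,
}

# Severity buckets from Exhibit B as (lower, upper) USD bounds. The top bucket is
# open-ended; capping it at 50M to get a midpoint is an assumption of this example.
SEVERITY = {
    "<$500k": (0, 500_000),
    "500k - <5M": (500_000, 5_000_000),
    "5M - <20M": (5_000_000, 20_000_000),
    "20M - <35M": (20_000_000, 35_000_000),
    ">=$35M": (35_000_000, 50_000_000),
}

FREQ_ORDER = list(FREQUENCY)  # most frequent first
SEV_ORDER = list(SEVERITY)    # least severe first


def bucket_frequency(events_per_year: float) -> str:
    """Map an estimated event rate to the nearest Exhibit B frequency bucket (log scale)."""
    target = math.log(events_per_year)
    return min(FREQUENCY, key=lambda k: abs(math.log(FREQUENCY[k]) - target))


def bucket_severity(loss_usd: float) -> str:
    """Map a single-event loss estimate to its Exhibit B severity bucket."""
    for name, (lo, hi) in SEVERITY.items():
        if lo <= loss_usd < hi:
            return name
    return ">=$35M"  # losses above the assumed cap still belong to the top bucket


@dataclass(frozen=True)
class Rating:
    frequency: str
    severity: str

    def ordinals(self) -> tuple[int, int]:
        """(frequency, severity) as 1..5, where 5 is most frequent / most severe."""
        f = 5 - FREQ_ORDER.index(self.frequency)
        s = SEV_ORDER.index(self.severity) + 1
        return f, s

    def score(self) -> int:
        """Heat-map score 1..25 (assumed scheme: frequency ordinal x severity ordinal)."""
        f, s = self.ordinals()
        return f * s

    def color(self) -> str:
        """Assumed colour bands; the assignment asks you to pick your own."""
        s = self.score()
        if s >= 15:
            return "red"
        if s >= 8:
            return "amber"
        return "green"

    def expected_annual_loss(self) -> float:
        """Frequency times severity midpoint: a rough annualised loss for prioritisation."""
        lo, hi = SEVERITY[self.severity]
        return FREQUENCY[self.frequency] * (lo + hi) / 2


def check_residual(inherent: Rating, residual: Rating) -> list[str]:
    """Controls can only lower a rating; return the reasons a residual rating is not credible."""
    issues = []
    fi, si = inherent.ordinals()
    fr, sr = residual.ordinals()
    if fr > fi:
        issues.append("residual frequency is higher than inherent frequency")
    if sr > si:
        issues.append("residual severity is higher than inherent severity")
    if residual.score() > inherent.score():
        issues.append("residual score exceeds inherent score")
    return issues


if __name__ == "__main__":
    # The Risk 1 example row from the Part 2 template.
    inherent = Rating("Once a month", "5M - <20M")
    residual = Rating("Once a quarter", "500k - <5M")
    for label, r in (("inherent", inherent), ("residual", residual)):
        print(f"{label}: score={r.score()} ({r.color()}), "
              f"expected annual loss={r.expected_annual_loss():,.0f}")
    print("residual check:", check_residual(inherent, residual) or "ok")
```

Run stand-alone it scores the template's Risk 1 example: inherent monthly / 5M–20M comes out red (score 15), residual quarterly / 500k–5M comes out amber (score 8), and the residual check passes because both components fell. The annualised-loss figure is only a ranking aid; it is the rationale you write for each rating, not the number, that the assessment asks for.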

Assessment:

Students will be evaluated on their ability to explain all components of the framework (including process, standards, and roles and responsibilities); their ability to use the standards they created to identify operational risks for an Organization; their ability to articulate the identified risks in terms of cause, potential event, and impact; and their ability to propose reasonable controls to mitigate the risks and to assess inherent and residual risk levels.