LO 41.3: Explain the use of a Risk Control Self-Assessment (RCSA) and key risk indicators (KRIs) in identifying, controlling, and assessing operational risk exposures.
The control environment plays an important role in mitigating operational losses. The OpRisk manager should map each business units processes, risks, and control mechanisms associated with the processes. For example, Figure 3 illustrates the equity settlement process for an equity trading firm. All major processes for the business unit are identified as the first step in managing risks.
Figure 5: Equity Setdement Process
A risk control self-assessment (RCSA) requires the documentation of risks and provides a rating system and control identification process that is used as a foundation in the OpRisk framework. Once the RCSA is created, it is commonly performed every 1218 months to assess the business units operational risks. It is common for financial institutions to seek
Page 48
2018 Kaplan, Inc.
Topic 41 Cross Reference to GARP Assigned Reading – Cruz, Chapter 2
expert opinions to help provide qualitative measures for the effectiveness of the RCSA framework. The experts perform an evaluation and color rate the performance in each process as Red, Amber, or Green (RAG) to indicate the level of risk based on historical process data.
The following four steps are commonly used in designing an RCSA program: 1.
Identify and assess risks associated with each business units activities. The manager first identifies key functions in the firm and performs risk scenarios to assess potential losses, the exposure or potential loss amount, and the correlation risk to other important aspects of the firm such as financial, reputation, or performance.
2. Controls are then added to the RCSA program to mitigate risks identified for the firm. The manager also assesses any residual risk which often remains even after controls are in place.
3. Risk metrics, such as key risk indicators or internal loss events, are used to measure the
success of OpRisk initiatives and are linked to the RCSA program for review. These risk metrics would also include all available external data and risk benchmarks for operational risks.
4. Control tests are performed to assess how effective the controls in place mitigate
potential operational risks.
A major challenge for OpRisk managers is the ability to properly interpret output data of the aggregated RCSA framework. Outputs could give managers a false sense of security if risks are controlled within tolerances that are set too high. Alternatively, risk managers may weight some risks more heavily and take corrective actions that focus too intensively on specific key measures while spending too little focus on other important variables.
Key risk indicators (KRIs) are identified and used to quantify the quality of the control environment with respect to specific business unit processes. KRIs are used as indicators for the OpRisk framework in the same way that other quantitative measures are used in market and credit risk models. The collection of reliable data used as KRIs is an important aspect of the self-assessment process. The data collection process may be automated to improve the accuracy of the data, but there will be costs associated with implementation. Even though KRIs may be costly to measure, they provide the best means for measuring and controlling OpRisk for the firm.
Regulators prefer the use of accurate quantitative KRIs in a control environment over more qualitative measures that only indicate whether the firm is getting better or worse based on historical losses. The more qualitative measures used in the example of the equity trading process in Figure 3 can be expanded to incorporate quantitative KRIs. Figure 6 includes examples of KRIs for the equity settlement process to help the firm self-assess the quality of the risk control environment.
The first step in creating an OpRisk model is identifying key factors that may be driving the success or failure of a business process. For example, the daily trade volume may be an important measure used to quantify how well the firm is executing the trade capture process. During the exercise of identifying KRIs, assumptions are made to determine proxies or inputs that drive the process. For example, execution errors are assumed to be greater
2018 Kaplan, Inc.
Page 49
Topic 41 Cross Reference to GARP Assigned Reading – Cruz, Chapter 2
on high volume days. Other examples of KRIs that are used to predict execution errors are the number of securities that were not delivered, trading desk head count, and system downtime.
An important KRI for the process of matching trades and confirmation is the number of unsigned confirmations. KRIs are used as warning lights or red flags that highlight possible concerns for the firm. For example, when the number of unsigned confirmations older than 30 days as a percentage of total confirmations exceeds target percentages it indicates a problem area in the confirmation process. Similarly, the number of disputed collateral calls may be a good KRI for the custody and control step. Finally, the number of transactions that failed to clear or settle may be a good KRI for the settlement process.
Figure 6: Key Risk Indicators for an Equity Trading Firm
Collecting data at the lowest level or the cost center level allows information to be aggregated for all locations. This is very advantageous for the RCSA program because the OpRisk manager is then able to drill down or disaggregate the total data for the firm to help pinpoint where potential concerns may be originating.
Some additional examples of common internal control factors that are used to explain specific business environments are summarized in Figure 7.
Figure 7: Examples of Business Environment and Internal Control Factors (BEICFs)
Business Environment Systems Information Security People Execution/Processing
Factor Description Minutes system is down or slow Number of malware or hacking attacks Headcount of employees, experience Number of transactions or transaction breaks
External data such as stock market indices and market interest rate levels are also used in RCSA frameworks. For example, increased volatility in the equity market can lead to higher volume and higher operational losses for the firm. The insurance industry often relies on external databases to gather information on accidents or losses for areas or geographical regions they are less familiar with. Banks may also use external databases to gather information regarding losses for risks they have not been exposed to and therefore lack any relevant internal data.
Three common methods of gathering external data are: internal development, consortia, and vendors. Under the internal development method, the firm gathers and collates information from media such as news or magazines. This may be the least expensive method, but it may not be as accurate and has the potential to overlook large amounts of relevant data. The most popular consortium for banks is the Operational Riskdata eXchange Association (ORX), which contains large banks in the financial industry. While
Page 50
2018 Kaplan, Inc.
Topic 41 Cross Reference to GARP Assigned Reading – Cruz, Chapter 2
this consortium has a relatively low loss reporting threshold, there are often no details on the losses and therefore this data can only be used for measurement. There are a number of vendors who provide detailed analysis on losses that can be used for scenario analysis. However, the loss threshold for vendor data is often much higher and the information may not always be accurate.
S c e n a r i o A n a l y s i s