Date post: 09-Sep-2018
Copyright © 2010, SAS Institute Inc. All rights reserved.

Company Confidential - For Internal Use Only


Applying Lessons from the Financial Services Industry in Tax Administrations: Governance, Risk and Compliance

Allan Russell, SAS Fellow, Head of EMEA Risk Centre of Excellence


Basel 2 Advanced Measurement Approach

According to paragraph 664 of the Basel II framework, in order to qualify for use of the AMA a bank must satisfy its supervisor that, at a minimum:

Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework;

It has an operational risk management system that is conceptually sound and is implemented with integrity; and

It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.


Topics for Today

Challenges

Definitions

What is Risk – some common traps

Methodology

Managing Risk



Governance-Risk-Compliance (diagram)

Areas: Governance, Risk, Compliance

Roles shown: Internal Auditors, Risk Managers, Compliance Officers


Challenges in Risk Management Today

Complex world

Many vectors for risk

New types of risk emerging

Threats changing and evolving

Tighter budget control

Overlaps across many areas of responsibility

How to ensure a common understanding ?

How to ensure costs are appropriate ?

How to take a proactive approach ?


Some Definitions

What is a Risk ?

An undesirable incident/ event (e.g., fraud, system failure, etc.)

A measure of exposure to loss from undesirable incidents/events

Adapted from “A New Approach for Managing Operational Risk” prepared by OpRisk Advisory and Towers Perrin.


Some Definitions

Examples of Types of Risks and Causes

Underpayment

» Internal Fraud

» External Fraud

» Process Error

Overpayment

» Process Error

Reputation

» Bad case handling

Political

» Poor Policy implementation

» Budget Overrun


Some Definitions: Mitigant

A Control

A Policy

Insurance

A Key Risk Indicator (KRI)

A leading indicator that risk events (crystallisation) may increase

Audit

A way of testing controls for effectiveness

Continuous Audit – Audits launched as a result of continuous monitoring of, for example, a KRI


Some Definitions: Risk Appetite

In theory risks can be almost eliminated – but at what cost ?

How much risk of a particular type can we tolerate ?

How much will we spend (financial and other costs) to mitigate ?

Scenario

What if ?

» Series of Events

Need to understand causes and effects

» Internally Generated

» News and Gossip

» Data Driven


Some Common Traps

What is not effective Risk Management ?

A Focus on specific threats

A Focus on individual controls

These are interesting topics but .....

Threats change very quickly – are you chasing your own tail ?

Missing the overall picture leads to ...

... imbalance in spending

... exposure to less “popular” risks

... overall increased costs

Explicit statement of Risk Appetite used to drive behaviour throughout the organisation


Methodology: OpRisk Management Frameworks

Two approaches, A and B, compared on three points:

Definition of Risk
  A: An undesirable incident/event (e.g., fraud, system failure, etc.)
  B: A measure of exposure to loss from undesirable incidents/events

Risk Identification
  A: Ask managers to identify their major risks
  B: Define risk “universe” and use data

Risk Measurement Method
  A: Risk Exposure = Likelihood x Impact for each risk type, one risk at a time
  B: Frequency and Severity distributions to calculate the cumulative loss potential from multiple events

Adapted from “A New Approach for Managing Operational Risk” prepared by OpRisk Advisory and Towers Perrin.
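Approach B's measurement method, worked through as an added example that is not part of the original deck: each risk type gets a frequency distribution (events per year, modelled here as Poisson) and a severity distribution (loss per event, modelled here as lognormal), and a Monte Carlo run sums the losses of all events of all risk types in each simulated year to give the cumulative annual loss distribution. Approach A's Likelihood x Impact score is computed alongside for the same register so the two can be compared. The risk register, the distribution choices, the parameter values and the function names are assumptions made for illustration, not SAS code or SAS parameters.

```python
"""Added example (not from the SAS deck): approach A versus approach B from the
framework comparison. A scores each risk as Likelihood x Impact, one risk at a
time; B fits a frequency distribution (events per year) and a severity
distribution (loss per event) and simulates the cumulative annual loss across
all risks. The risk register, distribution choices (Poisson frequency,
lognormal severity) and parameters below are constructed for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskType:
    name: str
    annual_frequency: float  # expected loss events per year (Poisson mean)
    severity_median: float   # median loss per event, currency units
    severity_sigma: float    # lognormal shape; larger means a heavier tail


# Constructed register using risk types from the definitions slide.
SAMPLE_RISKS = [
    RiskType("Underpayment / Process error", 12.0, 2_000.0, 1.0),
    RiskType("Underpayment / Internal fraud", 0.5, 50_000.0, 1.5),
    RiskType("Underpayment / External fraud", 4.0, 10_000.0, 1.2),
]


def approach_a_exposure(risk: RiskType) -> float:
    """Approach A: Likelihood x Impact with likelihood = expected events per
    year and impact = the 'typical' (median) loss per event."""
    return risk.annual_frequency * risk.severity_median


def analytic_expected_loss(risks) -> float:
    """Closed-form mean of the compound Poisson / lognormal model, used to
    sanity-check the simulation: sum(lambda * median * exp(sigma^2 / 2))."""
    return sum(r.annual_frequency * r.severity_median * math.exp(r.severity_sigma ** 2 / 2)
               for r in risks)


def _poisson(rng: random.Random, mean: float) -> int:
    # Knuth's multiplication method; adequate for the small means used here.
    limit, k, p = math.exp(-mean), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def _lognormal(rng: random.Random, median: float, sigma: float) -> float:
    return median * math.exp(sigma * rng.gauss(0.0, 1.0))


def simulate_annual_losses(risks, years: int = 10_000, seed: int = 1) -> list:
    """Approach B: Monte Carlo over simulated years. Each year, draw how many
    events each risk type produces, then a severity for each event, and sum
    across all risk types so the result is a cumulative loss, not a per-risk
    figure. Returns the sorted annual totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for r in risks:
            for _ in range(_poisson(rng, r.annual_frequency)):
                total += _lognormal(rng, r.severity_median, r.severity_sigma)
        totals.append(total)
    totals.sort()
    return totals


def _quantile(sorted_values: list, q: float) -> float:
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]


def approach_b_summary(risks, years: int = 10_000, seed: int = 1) -> dict:
    """Expected annual loss plus the 99% and 99.9% quantiles of the aggregate
    loss distribution (the tail is what a single Likelihood x Impact score hides)."""
    losses = simulate_annual_losses(risks, years, seed)
    return {
        "expected_loss": sum(losses) / len(losses),
        "loss_99pct": _quantile(losses, 0.99),
        "loss_99_9pct": _quantile(losses, 0.999),
    }


if __name__ == "__main__":
    a_total = sum(approach_a_exposure(r) for r in SAMPLE_RISKS)
    b = approach_b_summary(SAMPLE_RISKS)
    print(f"Approach A, summed Likelihood x Impact: {a_total:,.0f}")
    print(f"Approach B, expected annual loss:       {b['expected_loss']:,.0f}")
    print(f"Approach B, 99% / 99.9% annual loss:    {b['loss_99pct']:,.0f} / {b['loss_99_9pct']:,.0f}")
```

Two things the comparison makes visible. First, approach A's total is below even the expected annual loss from approach B, because a single "impact" figure (here the median) ignores the skew of the severity distribution; the gap grows with the tail parameter. Second, approach B produces a whole distribution, so the 99.9% quantile, the figure a risk appetite statement or a capital calculation actually needs, is available, whereas a Likelihood x Impact score has no tail to read. In practice the frequency and severity parameters come from internal loss data, external loss data, or the scenario questionnaires described later in the deck rather than being typed in as here.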


Building the Risk Management Framework

Multi-dimensional framework
• Out-of-box dimensions to capture common reference data (e.g. Organization structure, Processes, Products etc.)
• Auxiliary dimensions to extend reference data capabilities

Dimensional Mappings
• Define mappings between any dimensions
• Mappings facilitate data capturing and reporting

Financial Information
• Insurance policies
• Exchange rates

Alignment with business changes
• Split and Merge capabilities to align OpRisk environment with business changes (e.g. M&A, business restructuring)


Elements of an Enterprise Risk Management System (architecture diagram)

EGRC Repository, with modules: Risk & Control Assessment; Incident Management; GRC Indicators; Policy Management; Scenarios; Remediation Management (Issues & Action Plans); Audit Management; Control Testing

Integration, Continuous Monitoring/Auditing, CAATs

Operational Systems & Other GRC Applications

Dashboard & Reporting

Alerts & Escalation

Corporate Performance Management Systems

Risk Analytics & Modelling

External Loss Data

External GRC Content Providers + Consortiums

Reference Data & Libraries


Reference Data and Libraries

Example – Regulation to Process Mapping


Risk and Control Assessment (RCSA)

Define a library of compliance risks

Define a library of compliance-related controls

Map compliance risks to compliance controls.

Periodically assess compliance risks and controls to identify weaknesses in the compliance environment.

Identify key compliance risks and controls to enable compliance teams to prioritize their efforts and resources.

Map compliance risks and controls to reference data and library elements such as processes, regulations, etc.

RCSA module enables compliance teams to analyze future compliance risk exposures


Mappings

Example – Map Compliance Risks and Controls to Processes

Example – Map Compliance Risks and Controls to Regulations


Incident Management

Event details

Financial effect details

Recovery details

Controls that failed and resulted in the compliance incident

One or more causes of the incident

Regulatory actions and fines

Regulatory issues and warnings

Incident management provides a historic view of the compliance environment.


Consolidated Profile of the Compliance Environment

Example- Capture incidents (historic view) related to compliance risks (future exposure)


GRC Indicators and Continuous Monitoring

Enables compliance teams to define and monitor one or more indicators

Can provide early warning of potential weak spots and provide adequate time to address these before they escalate into damaging compliance breaches and incidents

Enables compliance teams to proactively manage the compliance environment and demonstrate business benefits to various stakeholders by mitigating financial or reputational damage through early, preventative action


GRC Indicators and Continuous Monitoring

Extract data from one or more operational systems to derive the values of compliance indicators.

Define business rules associated with various levels of escalation.

Schedule the frequency of business rules execution (e.g., daily or weekly).

Define escalation actions (e.g., e-mail alerts, automatically create a new issue or update assessment scores for compliance risks or controls).
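The four steps above, as an added example that is not part of the original deck and not SAS code: an extract from an operational system is turned into indicator values, business rules tied to escalation levels are evaluated in one scheduled run, and each level triggers its own escalation actions (an alert, a new issue, an updated assessment score). The case-handling extract, the indicators, the thresholds, the level names and the action names are all constructed for illustration; a real deployment would read the extract from the operational system on the schedule the slide describes.

```python
"""Added example (not from the SAS deck): the indicator-and-escalation loop
in code. The case-handling extract, the indicators, the thresholds, the
escalation levels and the action names are all constructed for illustration."""
import statistics
from dataclasses import dataclass

SLA_DAYS = 14  # assumed service standard for closing a case

# Constructed extract from a case-handling system: (case_id, days_to_close, complaint_received)
CASE_EXTRACT = [
    ("C-101", 9, False), ("C-102", 31, True), ("C-103", 12, False), ("C-104", 45, True),
    ("C-105", 7, False), ("C-106", 28, False), ("C-107", 16, False), ("C-108", 52, True),
    ("C-109", 5, False), ("C-110", 19, False),
]


def derive_indicators(extract) -> dict:
    """Step 1: derive indicator values from the extract. These are leading
    indicators for the 'Reputation / bad case handling' risk on the definitions slide."""
    total = len(extract)
    return {
        "cases_over_sla_pct": sum(1 for _, days, _ in extract if days > SLA_DAYS) / total,
        "complaint_rate": sum(1 for _, _, complaint in extract if complaint) / total,
        "median_days_to_close": statistics.median(days for _, days, _ in extract),
    }


# Step 4: escalation actions. Each returns a record of what it did so the run is auditable.
def email_alert(ctx: dict) -> dict:
    return {"action": "email", "to": "compliance-team",
            "subject": f"{ctx['indicator']} is {ctx['level']}"}


def create_issue(ctx: dict) -> dict:
    return {"action": "issue", "title": f"{ctx['indicator']} at {ctx['value']:.0%} ({ctx['level']})"}


def update_risk_score(ctx: dict) -> dict:
    # Pushes the breach into the assessment: red raises the risk's score more than amber.
    return {"action": "score", "risk": "Reputation / bad case handling",
            "new_score": 4 if ctx["level"] == "red" else 3}


LEVEL_ORDER = {"green": 0, "amber": 1, "red": 2}


@dataclass(frozen=True)
class Rule:
    """Step 2: a business rule tied to one escalation level; fires when value >= threshold."""
    indicator: str
    level: str
    threshold: float
    actions: tuple  # callables taking the rule context and returning an action record


RULES = (
    Rule("cases_over_sla_pct", "amber", 0.25, (email_alert,)),
    Rule("cases_over_sla_pct", "red", 0.50, (email_alert, create_issue, update_risk_score)),
    Rule("complaint_rate", "amber", 0.10, (email_alert,)),
    Rule("complaint_rate", "red", 0.25, (email_alert, create_issue, update_risk_score)),
)


def run_rules(indicators: dict, rules=RULES) -> dict:
    """Step 3: one scheduled execution. For each indicator, only the highest
    level that fired is acted on, so a red breach is not also handled as amber,
    and an indicator with no rules, or no breach, reports green with no actions."""
    results = {}
    for name, value in indicators.items():
        fired = [r for r in rules if r.indicator == name and value >= r.threshold]
        if not fired:
            results[name] = {"value": value, "level": "green", "actions": []}
            continue
        top = max(fired, key=lambda r: LEVEL_ORDER[r.level])
        ctx = {"indicator": name, "value": value, "level": top.level}
        results[name] = {"value": value, "level": top.level,
                         "actions": [act(ctx) for act in top.actions]}
    return results


if __name__ == "__main__":
    for name, result in run_rules(derive_indicators(CASE_EXTRACT)).items():
        print(name, result["level"], result["value"], [a["action"] for a in result["actions"]])
```

The point of returning a record from every action, rather than just sending the e-mail, is that the run itself becomes evidence: the same records can be stored alongside the indicator value and later reviewed by audit, which is what turns continuous monitoring into the continuous audit described on the definitions slide.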


Indicators Related to Compliance Risks

Example - Monitor Compliance Indicators Related to Risks


Policy Management

Enables compliance teams to define and manage the complete life cycle of all policies across the organization

Ability to link policies to related business processes, risks and controls

Example- Mapping of Policies


Control Testing

Periodically review controls for adequacy and effectiveness

Control tests are critical for complying with regulations and standards

Controls can be tested either manually or through automated business rules

Customizable UI screens and workflow for control tests

Certify the controls


Control Testing

Example- Control Tests for Compliance Controls


Issues and Action Plans

Document issues and action plans to remediate the issues

Ability to link issues and action plans to the relevant items

Customizable UI screens and workflow for approving issues and action plans


Issues and Action Plans

Example- Mapping of Issue and Action Plans with Compliance Indicator and Regulation


Reporting and Dashboards

Reports can be:

Scheduled (daily, weekly, etc.)

Produced on an ad hoc basis

Enriched using an extensive set of visualization tools such as WRS (Web Report Studio), BI Dashboard

A Microsoft Office add-in is provided


Reporting and Dashboards

Example- Compliance Dashboard


Sample Dashboard View


Sample Trend Analysis


Sample Heatmap (by frequency and severity)


Scenarios

Assess the potential extent and impact of future risk events

Define and manage scenario templates

A bucketed scenario template asks for the expected frequency of losses for multiple severity ranges

A rare event scenario is intended to capture information about how often an extreme event happens, and what the expected impact range is.

Define and manage distribution of scenario questionnaires

Customizable approval workflow


Audit Management

Define and manage audit missions

Customizable UI screens and workflow for audit missions

Calendar view of audit missions

Perform audit tests, similar to the control testing workflow

Capture audit findings/audit points

Follow-up mitigating actions


Benefits of an Enterprise Wide Risk Management Program

A consistent approach to recognising and managing Risks

Set cost of Risk mitigation in the context of the Risk Appetite

Common Understanding across multiple organisational entities – area (Corporate/Personal) or functional (Audit/Risk and Compliance)

Clear understanding of reasons for and effectiveness of Policies

Ability to respond to emerging threats in an appropriate way


Ability to be proactive

Scenarios and Control Tests

Ability to be effective

Test what's necessary and only that – no wasted effort

