The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.
Organizations today face a wide range of risks originating in different areas of their business, related to strategy, credit, corporate and regulatory compliance, interest rates, liquidity, market prices, operations (errors, fraud, and external events), and reputation, among others. Because risks are spread out across an organization and often interrelate, it is difficult to get the holistic view of risk necessary to manage it efficiently and effectively.
The problem is further compounded by the introduction of new products and services, mergers and acquisitions, business process changes, and new and intensifying sources of fraud. In many organizations, risks are documented haphazardly in spreadsheets and documents without consistent use of a common approach, methodology, or rating scale. In addition, accountability for risk is tenuous because risks are not assigned to named managers and business units, which increases the likelihood that a significant risk event will occur.
In addition, non-standardized risk management terminology, inconsistent risk assessment methodology, and inconsistent risk rating scales mean there is no comprehensive visibility into, or accountability for, addressing known risks. With everyone speaking differently about risk, incomplete risk registers and inconsistent risk assessments can lead to bad risk management decisions, illogical resource allocation, potential violations of regulatory mandates, and an overall poor risk management program.
Consistently documenting risks and controls and performing reliable risk assessments is essential to establishing an effective risk management program.
RSA Archer Top-Down Risk Assessment enables practitioners to document risks and controls throughout the organization. Risks can be assessed on an inherent and residual basis, both qualitatively and, across multiple risk categories, using monetary values. Controls can be linked to the risks they treat so they are taken into account in a residual risk assessment. Risks and controls can be assigned to named individuals and organizational structures to establish appropriate accountability and to provide relevant reporting.
Key features include:
- Catalog a consolidated view of risks and internal controls within the organization
- Map risks to business processes, controls, higher-level risk statements and scenarios
- Establish a library of agreed-upon scenarios and perform assessments on selected scenarios
- Perform qualitative and monetary assessments of inherent and residual risk
- Monitor risks against established tolerances and risk appetite
- Enforce consistent terminology, risk assessment methodology and rating scales
- Escalate issues through an organized, managed process to ensure proper sign-off and approval
- Operationalize accountability for risks, controls, business processes, scenarios, risk assessments and outstanding issues
- Establish delegated authorities for approving risk and enforce those authorities by automatically routing risk decisions to the authorized individuals
- Provide visibility into the risk and control inventory and assessment progress via predefined reports and risk dashboards
Today, organizations are faced with complex and fast-moving risk challenges. RSA Archer Top-Down Risk Assessment is one element of an effective Integrated Risk Management program. Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally) and connects those activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management gives leaders the most holistic understanding of the risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources, producing optimized returns for the organization while maximizing the likelihood of achieving its objectives.
As your organization drives business growth, your risk management program must evolve to manage risk more holistically, with more agility and integration than before. Effectively performing top-down risk assessments is one ingredient in demonstrating real progress and improvement in decreasing business risk. RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.