El método de la intuición en la obra de Bergson.

There are three main parts to risk & control self assessment (“self assessment”), which are explained below, namely risk identification, risk assessment and control evaluation.

Risk identification

The initial risk identification stage seeks to identify the sources and root causes of key risks which may affect the business objectives, examples of which may include (for operational risk):

a change in existing products, processes or key staff; development of new products or processes;

new projects or initiatives; and

a potential terrorist attack affecting the business premises.

In practical terms, there are several common methods of identifying the key risks:

self assessment questionnaires – this is a bottom-up approach, whereby business managers identify and assess the areas that present most risk to the business as a whole. A standard self assessment questionnaire, with instructions, is provided to the managers and staff best placed to understand the key risks and the results are compiled by the risk management function.

Care is needed to achieve consistency in ratings across business units and to manage poor response rates. Regular communication between the business managers and risk

management function can help mitigate these weaknesses.

process and risk mapping – this is a systematic and analytical approach which considers the major steps in key business processes as a prompt to identify the major risks. It may be performed at either a high or low level to identify “what can go wrong” with key business processes and results in a visual portrayal of the key risks and controls, for example by means of a flow chart.

Care is needed not to exclude risks arising from interdependencies between different processes.

facilitated workshops – a series of workshops is undertaken to consider each business risk category and involves those staff who are best placed to understand the risk category i.e. the company experts for that risk. Relevant material (see below) is circulated in advance for review and, with the aid of a facilitator, a structured discussion takes place in which the group seeks to reach a consensus on the key risks faced by the business.

The methods described above are not mutually exclusive and can be used in combination. The simplest option is a self assessment questionnaire, while a more sophisticated approach is process mapping. In practice, a combination of a top-down and bottom-up approach to risk

identification is needed, with a combination of both executive management and business unit identification and assessment of the key risks. The nature of risks identified will also differ depending on the business level, i.e. department, division, senior management or board level.

Tool 6.1 Self assessment methodology Supporting material which may assist the various risk assessment approaches above includes:

business goals and objectives; business risk appetite;

process and risk maps; loss event data; key risk indicator data;

risk event categorisation and causation analysis; prior risk assessments;

regulatory reports; audit reports; and

prior risk management plans.

Risk assessment

In order to be meaningful to management, identified risks need to be prioritised and considered against the current control environment:

the use of standard risk assessment templates provides a helpful structure for this process, for example, assisting staff to consider the risk descriptions, causes and drivers, different types of risk effects and the most appropriate risk owner;

standard criteria for assessment are helpful in order to aggregate the results across risk classes, for example risks may be assessed for probability and impact;

risks may be assessed on an inherent basis (before the controls are applied), or on a residual basis (after controls have been applied). However, in practice it can be difficult to disregard the controls in place in order to make an inherent risk assessment. Whichever approach is adopted, most value will be obtained if:

there is clear prioritisation of risks, identifying the more significant risks which should be the focus of board attention; and

there is clear identification of those areas where the business is very reliant on the effectiveness of its controls.

the measurement of inherent and residual risk may also be undertaken by stress and scenario testing.

It is important to allocate ownership of risks to owners with the authority and resources to manage them effectively. The owner may delegate these tasks to others as and when appropriate, but remains accountable for the completion of the assessments.

Tool 6.1 Self assessment methodology

Control evaluation

Once identified and prioritised, the risks may be considered against the current control environment in order to understand the residual risk profile of the franchisee:

the use of standard control assessment templates provides helpful structure to this process (see attached risk profile tool with example self assessment template);

standard criteria for assessment are necessary in order to aggregate the results, for example, controls may be assessed for their design and performance;

controls may be preventative or detective, for example, the use of recruitment criteria is a preventative control and quarterly staff reviews are a detective control. It is helpful to consider the balance of preventative and detective controls in place against key risks, given that preventing losses is more effective than detecting them once they have occurred:

front line prevent controls are high level controls aimed at preventing risk causes from occurring at a very early stage. Examples might include the business planning process, franchise guidelines or admissions criteria;

back stop detect controls are a less frequent type of detect control and would typically be carried out on a monthly or quarterly basis. Both the issues identified and the remedial action prompted by back stop controls can be relatively serious due to the potential time lag since the risk event. Examples may include various quarterly reviews, reinsurance debtors’ return or a review of solvency deficits.

it is important to allocate ownership of controls to capable owners with the authority and resources to manage them effectively. The owner may delegate these tasks to others as and when appropriate, but remains accountable for their completion;

the resulting risk profile of scored residual risks may then be reviewed against the risk appetite and, if the level of risk exposure is higher than the franchisee appetite for any risks, mitigation strategies / action plans may be developed to reduce the level of risk, for example by reducing the risk exposure (e.g. writing less business through delegated authorities) or by implementing additional controls (e.g. more frequent audit review); and

the action plans may then be agreed by management and reported against as part of ongoing management reporting. This will ensure that the exposure is limited and that there is cost / benefit in the mitigation strategy.

Tool 6.2