Embed Size (px)
Citation preview
Assessment of Risk Mitigation Strategies
Presented by:Eneni Oduwole Group Head, Operational Risk Mgt.Guaranty Trust Bank Plc
Outline
• What is Risk Assessment
• Case Study
• Process for Assessing Risk
• Options for Evaluating Risk
• Evaluation of Mitigation Strategies
What is Risk Assessment?
• A logical and objective (qualitative / quantitative) approach to analyzing and interpreting data with the purpose of PREDICTING possible adverse eff ects
• A formal way to CALCULATE risk so that informed decisions can be made; it bears an element of uncertainty
Risk = Exposure .Exposure Limit
Case Study
• In 2007, the senior management of CSBank Ltd decided to look for better ways to use its IT infrastructure and investments to prudently and effectively support growth
• The Bank had grown rapidly as a result of both acquisitions and the entrepreneurial cultures in its lines of business which resulted in difficulties in managing the organization’s IT landscape
• It hopes to achieve first mover advantage with new business opportunities that emerge, the use of initiative is encouraged amongst business unit heads
• What are the major risks faced by this Bank?
Process for Assessing Risk
• Review strategy & business model
• Identify gaps between desired and actual results
• Conduct risk assessment (identi fies prevalent risks)
• Assess impact & f requency
• Develop & implement controls
• Reassess risk exposures and controls
• Communicate and document f indings
f2
Slide 5
f2 comma insertedfunmilayo.phillips, 04/07/2011
Options for Evaluati ng Risk
• Conducting Periodic Risk Assessments• Risk Mapping• Maintaining a Risk Register• Periodic Review of Contingency Plans
Evaluation of mitigation strategies
• How to assess risk miti gation
• Identification of risk exposures
• Critical evaluation of exposures
• Dealing with the exposures (terminate, tolerate, treat or transfer)
• Establishment of action plans
Features of Risk Mitigation Strategies
• Effectiveness at business unit level: Reduction of risk exposure
• Cost effectiveness: Risk mitigation strategy must be cheaper than the likely loss estimate
• Alignment with business model: Risk controls must seamlessly fit into the work culture and business profile of theorganisation
• Complexity: The simpler the strategies, the higher the chances of adoption by stakeholders
• Consistency with regulatory / legal & ethical requirements
Methods of identifying risk exposures
• Interview with stakeholders: one on one chats
• Trend analysis: Key Risk Indicator / data analysis
• Brain-storming: with a group of experts
• Review completed checklists, templates and surveys:should be closely monitored
• Nominal Group Technique: risk manager facilitates the session but does not lead the discussion
• Delphi Technique: reduces chaos
Interview with Experts
10
Trend Analysis
11
Checklist, Templates and Surveys
12
Brainstorming
13
Nominal Group (NGT ) & Delphi Techniques
14
Process for NGT
15
Process for Delphi T echnique
16
Critical evaluation of Risk Exposures
• Define Exposure Groups ( EGs)
• Define Exposure Profiles
• Ascertain likely frequency of occurrence
• Determine estimated impact on business (w hether
financial or non-financial)
• Determine overall risk rating
• Decide acceptabilit y of the risk profile For each EG
Dealing with the Risk Exposur es
• Terminate: when cost is higher than benefit; no competencies for managing risk
• Tolerate: when cost is within risk appetite levels or insignificant to benefit; no brainer
• Treat: when benefit from business venture is seriously threatened; staff and business model / structure can implement and support control
• Transfer: when benefit is threatened but staff / business model may not support required control (risk may be shared or transferred completely)
Considerations for selecting Action Plans
• Policy Changes: Consider regulatory / legal / ethical issues such as modifications of banking & related policies
• In-House Actions: Consider appropriate plans that would fit into the organization’s business strategy / model / structure, and culture
• Simplicity: Action plans should be rid of complexities / complex methodologies which might sabotage the correction process; new process / control should be easy for auditors to review
• Implementation: Incorporation of related activities into routine business processes should be seamless; relevant parties should be carried along
• Review: Tracking of implementation should be easy; effectiveness of control should be tested periodically
Thank you...
