Program Construction

You are hired in the Operational Risk department (2nd line of defense) and tasked with creating a Risk and Control Self-Assessment program for one of the following companies: Truist Financial Corp – TFC (NYSE); Pacific Electric and Gas – PCG (NYSE); Amazon.com – AMZN (NASDAQ). Choose one of these three companies and answer the questions below.

To understand the nature and scale of the company’s business, you should review the company’s description and data on any financial data websites (Yahoo finance, Google finance etc.) and the Annual Report (10-K), which is usually available under the Investor relations menu on the company’s website. (The financial information will be useful to determine the severity scale).

1) What are Risk and Control Self Assessments (RCSAs)? How would you construct an RCSA program? Create a rating scale similar to Exhibit B. The company’s revenues can help determine the size of the severity buckets. (25 points)
(Tips: Define the various terms, including risk, inherent and residual risk ratings, controls, and action plans. Decide whether your firm would adopt a top-down or bottom-up approach and explain why that method was chosen. Define the scope, how frequently RCSAs should be performed, etc.)
Note: Tips are not a comprehensive list of things you need to define. They are just ideas to start.

2) As you create the program, identify the roles and responsibilities of the first and second lines of defense with respect to the RCSA program that you design (these would normally be the contents of the policy and/or procedures). (25 points)

PART 2 – 50 pts.

Identification of Risks and Controls

1) Identify Two Potential Operational Risks for the company. Use the following template that includes sample values:

Template columns: Risk Name | Risk Local Description | Inherent Risk Rating | Controls | Residual Risk Rating | Action Plans and Rationale

Example row:

Risk Name: Inaccurate Disbursement (example)
Risk Local Description: An employee initiates wire transfers from client accounts to an external bank due to lack of segregation of duties and entitlement controls, causing financial loss. (example)
Inherent Risk Rating: Once a month, 5M – 20M (example)
Controls:
  • Maker checker
  • Call back for new accounts
  • Accounts payable review before execution (example)
Residual Risk Rating: Once a quarter, 500k – 5M (example)
Action Plans and Rationale: Implement escalated approvals based on amount. (example)

For each of the identified risks, fill in the above template with the following information (25 points):

a. Articulate (describe) the risk in the "cause, potential event and impact" in the local description column (Exhibit A as a reference).
b. Assess the inherent risk and fill the inherent risk rating column with Frequency and Severity as shown in the example (You may guess the Frequency and Severity and then pick the color from Exhibit B).
c. Identify at least two controls that would mitigate the risk and identify the control type (directive, preventive, corrective, detective). Controls should reflect processes that the company has already implemented to mitigate the risk; if you are not able to find any controls that the organization has implemented, identify (make up) some that you feel would best mitigate the underlying risk.
d. Fill the residual risk ratings field using the Frequency and Severity. (You may guess at the Frequency and Severity)
e. Create a minimum of one action plan that would mitigate the risk (An action plan is a description to create a NEW control or enhance an existing control).

2) Provide an explanation (approximately one paragraph) of the values that you selected for each of the fields within the table. For example, what is the rationale for the residual risk rating? How do the controls effectively reduce (or not) the inherent risk rating to the residual risk rating? (25 points)

Exhibit A: Use as reference only

Exhibit B: Create a similar scale based on the size of your company.

Severity (columns) by Frequency (rows):

Frequency          | <$500k | $500k – <$5M | $5M – <$20M | $20M – <$35M | >=$35M
Once a month       |        |              |             |              |
Once a quarter     |        |              |             |              |
Once a year        |        |              |             |              |
Once in 5 years    |        |              |             |              |
Once in 10 years   |        |              |             |              |
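The following is an added worked example, not part of the assignment text: a minimal Python model of the template table and the Exhibit B scale. It encodes the five frequency rows and five severity columns from Exhibit B, the four control types from question 1c, and the rules of the template (at least two controls, at least one action plan, residual rating no worse than inherent). The function bounds_from_revenue and its revenue fractions are an assumption for sizing a company-specific scale; the control types assigned to the sample controls and the dollar figures used as representative losses are constructed for the example.

```python
"""Minimal RCSA risk-register model (added example, not the assignment's own material)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Frequency rows of Exhibit B, ordered from least to most frequent.
FREQUENCY_SCALE = [
    "Once in 10 years", "Once in 5 years", "Once a year", "Once a quarter", "Once a month",
]
# Upper bounds (dollars) of the first four severity columns of Exhibit B.
# Columns: <$500k | $500k-<$5M | $5M-<$20M | $20M-<$35M | >=$35M
EXHIBIT_B_BOUNDS = [500_000, 5_000_000, 20_000_000, 35_000_000]
# Control types listed in question 1c.
CONTROL_TYPES = {"directive", "preventive", "detective", "corrective"}


def bounds_from_revenue(annual_revenue: float,
                        fractions=(0.0001, 0.001, 0.004, 0.007)) -> List[int]:
    """Size the severity columns as fractions of annual revenue.

    The fractions are an assumption for illustration only; choose values
    that fit the company you selected.
    """
    return [round(annual_revenue * f) for f in fractions]


def severity_index(loss: float, bounds=EXHIBIT_B_BOUNDS) -> int:
    """Column index 0..4 of the severity bucket containing `loss`."""
    for i, upper in enumerate(bounds):
        if loss < upper:
            return i
    return len(bounds)  # at or above the last bound: top bucket


def frequency_index(label: str) -> int:
    """Row index 0..4 on the frequency scale (higher = more frequent)."""
    return FREQUENCY_SCALE.index(label)


@dataclass
class Control:
    name: str
    control_type: str  # directive, preventive, detective or corrective

    def __post_init__(self):
        if self.control_type not in CONTROL_TYPES:
            raise ValueError(f"unknown control type: {self.control_type}")


@dataclass
class Rating:
    frequency: str        # one of FREQUENCY_SCALE
    loss_estimate: float  # representative loss in dollars for the severity bucket

    def cell(self, bounds=EXHIBIT_B_BOUNDS) -> Tuple[int, int]:
        """(frequency row, severity column) of this rating on the Exhibit B grid."""
        return frequency_index(self.frequency), severity_index(self.loss_estimate, bounds)


@dataclass
class Risk:
    name: str
    local_description: str  # cause, potential event and impact
    inherent: Rating
    controls: List[Control] = field(default_factory=list)
    residual: Optional[Rating] = None
    action_plans: List[str] = field(default_factory=list)


def validate(risk: Risk, bounds=EXHIBIT_B_BOUNDS) -> List[str]:
    """Return the template rules this entry breaks (empty list means it passes)."""
    problems = []
    if len(risk.controls) < 2:
        problems.append("at least two controls are required")
    if not risk.action_plans:
        problems.append("at least one action plan is required")
    if risk.residual is None:
        problems.append("residual risk rating is missing")
        return problems
    inh_f, inh_s = risk.inherent.cell(bounds)
    res_f, res_s = risk.residual.cell(bounds)
    # Controls can only hold or lower a rating; a residual above inherent is a data error.
    if res_f > inh_f or res_s > inh_s:
        problems.append("residual rating must not exceed inherent rating")
    return problems


# Constructed entry mirroring the template's example row; control types and
# the representative loss figures are assumptions made for this example.
INACCURATE_DISBURSEMENT = Risk(
    name="Inaccurate Disbursement",
    local_description=("An employee initiates wire transfers from client accounts to an "
                       "external bank due to lack of segregation of duties and entitlement "
                       "controls, causing financial loss."),
    inherent=Rating("Once a month", 10_000_000),   # lands in the 5M-<20M column
    controls=[Control("Maker checker", "preventive"),
              Control("Call back for new accounts", "detective"),
              Control("Accounts payable review before execution", "preventive")],
    residual=Rating("Once a quarter", 2_000_000),  # lands in the 500k-<5M column
    action_plans=["Implement escalated approvals based on amount."],
)

if __name__ == "__main__":
    print("inherent cell:", INACCURATE_DISBURSEMENT.inherent.cell())
    print("residual cell:", INACCURATE_DISBURSEMENT.residual.cell())
    print("problems:", validate(INACCURATE_DISBURSEMENT) or "none")
```

The cell coordinates are what you would colour on Exhibit B; the rating colours themselves are not given on this page, so the model stops at the grid position and leaves the colour scheme to the scale you build for your company.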
