
Developing a Successful Business Driven Risk & Control Self Assessment (RCSA)


Presentation Transcript


  1. Developing a Successful Business Driven Risk & Control Self Assessment (RCSA) Craig Spielmann – Former Global Head of Enterprise Risk Management Strategy, First Data

  2. CRAIG R. SPIELMANN Phone: 973-715-7632 / Email: craigs@risktao.com
  • First Data: Craig is the Former Global Head of Enterprise Risk Management Strategy and was responsible for developing and implementing the ERM Framework Elements, integrating Risk Management into the Business Strategy, executing Top Risk Assessments, developing and driving the RCSA and Scenario Analysis Programs, ERM Training, Bank Sponsorship Risk Analysis, collecting and reporting External Events and leading the ERM Technology Program’s Strategy and Architecture.
  • RBS – Managing Director: Head of Operational Risk Management for the Americas, where he was responsible for driving risk practices and governance to comply with the Federal Reserve’s Cease & Desist Order over the Americas businesses. Craig designed major changes to RBS’s risk framework and compensation program to align with the Federal Reserve’s Compensation Initiative and Dodd–Frank. He also implemented regional level scenario analysis on major industry exposures, Risk and Control Self-Assessments and a Model Risk Management program. He also co-chaired the Americas Compliance and Operational Risk Committee and was a member of the IT Risk Committee, ORM Capital and Vendor Management Committees.
  • RBS – Managing Director: Global Head of ORM’s Systems and Analytics, where he developed advanced analytical risk systems for Operational Risk and ran the Global Risk Data Aggregation Initiative for ORM.
  • Citigroup: SVP/CAO and Head of Risk Management for Global Technology Operations. Craig created and developed the firm-wide IT Risk Management Approach and Culture Initiative, developed a business approach to application risk classification and chaired the business-wide Electronic Communications Committee.
  • J.P. Morgan: Head of JPM’s Horizon Risk & Advisory Business. Craig created JPMorgan’s Horizon GDC Solution, deployed at J.P. Morgan and throughout the top institutions in the financial industry. Won several risk and technology awards including “Best Operational Risk Assessment Software,” and received a patent on “Measuring and Managing Operational Risk”. Closed 26 major deals with top financial companies and regulators such as: The Federal Reserve Bank, Merrill Lynch, Credit Suisse, Prudential, The World Bank, Bank of China, Hong Kong Monetary Authority, Swiss Re, Bank of Tokyo–Mitsubishi, ABSA, Bradford & Bingley, British Petroleum, Kasikorn Bank. Developed an industry standard methodology for operational risk convergence.
  • J.P. Morgan: Head of Information Technology Risk Management. Craig built J.P. Morgan’s first Global IT Risk Department and initiated significant changes such as forming and chairing the Global IT Governance Committee, rolling out RCSAs globally, defining key performance metrics and creating regular dialogue with regulators around the world.
  • RiskTao LLC: Craig is the CEO & Founder of RiskTao, LLC, which specializes in Enterprise Risk Training and Advisory Services.
  • Education: Graduated from Iona College with a Double Major in History and Communications and is a 2nd Degree Black Sash and instructor in Gung Fu, Weapons, and Tai Chi.

  3. Risk & Control Self-Assessment (RCSA)
  Risk & Control Self-Assessment (RCSA) facilitates the process of identifying, prioritizing, and evaluating risks to business objectives and drives business accountability for managing risks to the P&L.
  • Since 1985, RCSAs have been a core element of modern risk management practices.
  • The Committee of Sponsoring Organizations (COSO) of the Treadway Commission advocated RCSAs as a response to the 1980’s Savings and Loans (S&L) crisis.
  • RCSAs are a best practice for proactive risk management that spans government institutions, financial institutions, military, manufacturing, healthcare, pharmaceuticals, technology, central banks, regulators, non-profits and energy companies.

  4. RCSA Business Challenges
  • Value – Senior management’s perception of the RCSA’s value
  • Scoping – Deciding the scope and type of RCSA
  • Strategic Alignment – Forward-looking alignment to strategic goals
  • Risk Measurement – Leveraging “exposure” values that management can relate to
  • Skills – Facilitator and participant skill sets

  5. Risk & Control Self-Assessment (RCSA) – Value Proposition
  • Improves long-term financial performance and client confidence
  • Improves management’s decision-making process for achieving business goals
  • Transforms culture by driving business accountability for managing risk
  • Develops a critical skill for all employees

  6. RCSA – Scoping
  • RCSA requests can be generated from three critical sources:
  • Corporate – Determined by the risk organization/management committee
  • Business/Functional Area – Determined by the business or functional area
  • External – Client or regulator request
  • Requests could also be motivated by “trigger events” such as:
  • Major regulatory fines or violation of laws
  • Unexpected material financial losses
  • Significant service outages

  7. Scoping Approach
  • Identify all major entities, geographical locations, technology, products, services and processes.
  • Identify key strategic initiatives that could impact the P&L and the business.
  • Assess inherent risk (revenue, client accounts, asset value, etc.).
  • Review loss data to determine realized risks, both internal and external.
  • Assign exposure values in “home currency” with rationale.
  • Specify an assessment frequency schedule for each exposure range.

  8. The Business Risk Framework – Strategic Alignment
  • Define Business Goals (Market Share, Profitability, Capacity, Risk Management, Divest or Sell, etc.)
  • Develop strategic plans to achieve the goals (Advertising, Mergers, Outsourcing, Joint Sessions, Sale, IPO, etc.)
  • Manage risks that can impede the strategy (regulatory, technology, culture, legal & tax liabilities, people, skills, costs, customer impact, capital, product suitability, organizational focus, change agenda, external factors, competitive landscape, employee safety, natural or manmade disasters, fraud, etc.)
  • Allocate resources to mitigate the risks within appetite (technology investments, regulatory relationship management, improved capital management, vendor management & due diligence, volume-adjusted capacity planning, enhanced trade monitoring, information and cyber security programs, compensation balancing, enhanced training & communication programs, etc.)

  9. Business Risk Information Cycle (diagram; the cycle begins with Business Goals)

  10. Risk Measurement – Currency, Aggregateable and Relatable
  Inherent Risk – The risk to an entity without taking controls into consideration. Inherent risk comes from the estimated value of the company’s assets. These could include, but are not limited to: client accounts, client information, physical assets (real estate, credit cards, equipment), held securities, revenue, currency, cash, credit, collateral, company stock, contractual obligations, and liabilities.

  11. ERM Risk Taxonomy – Engagement Tool

  12. Residual Risk – Currency, Aggregateable and Rationale
  Residual Risk Rating – The risk remaining after all relevant controls and risk treatment decisions are applied to alter the risk’s impact. The remaining risk will either be equal to the inherent risk or, after considering control effectiveness, less than the inherent risk rating.

  13. Remediation Strategy
  • The Remediation Strategy is the business decision made to either address the ineffective control(s) or accept the risk(s).
  • All ineffective controls must be recorded as an “Issue” in an issue repository.
  • Costs, strategic business goals, risk appetite and overall effectiveness must be considered to determine whether a risk is accepted or remediated.

  14. RCSA Team Skills – Align Skills to Roles
  • Relationship Management: Team player who gets along with people and can effectively work with a wide range of personalities from diverse backgrounds and interests.
  • Sense of Humor: Business people need to want to meet with them.
  • Passion: Demonstrates a desire to improve their risk knowledge both in and outside of work.
  • Leadership: Comfortable challenging people in a professional and constructive way.
  • Communication Skills: Strong listening, clear concise writing and presentation skills.
  • Curiosity: Drive and passion for understanding the truth.
  • Debating Skills: Ability to justify a position and defend against challenges.
  • Business Knowledge: Strong business knowledge; understands transaction flows and P&L management.
  • Project Management: Keeps everyone on track with key deliverables.
  • Risk Management Skill: Can interpret and analyze risk on any topic, understands the risk approach and can educate people.

  15. RCSA Conclusions
  • To be successful:
  • Drive the RCSA from the strategic business plans.
  • Engage senior management often and early in the process.
  • Assign skilled people to work with the business and build relationships.