GROUP INTERNAL AUDIT

SUMMARY OF THE RISK ASSESSMENT METHODOLOGY USED FOR THE PREPARATION OF THE CONTROL SELF-ASSESSMENT (CSA)
__________________________________________________________________

RISK ASSESSMENT PROCESS

1. Risk Categories Identified

4 types of risk categories have been identified:

(i) People
♦ Failure of staff to comply with the procedures, whether with the intention to commit fraud or through oversight or negligence
♦ Non-familiarity of staff with the set guidelines and procedures
♦ Segregation of access to the computer system not observed, or staff passwords compromised
(ii) Process
♦ Process failure
♦ Inadequate controls in the operational processes

(iii) System
♦ Failure of the application system to meet user requirements
♦ Absence of in-built control measures in the application system

(iv) External Party / Event
♦ Imposition of, or changes to, policies by government regulatory bodies
♦ Unsatisfactory performance or non-performance by out-sourced service providers
♦ Fraud by syndicates or customers
♦ Legal action taken by customers due to the Bank's negligence or fraud committed by internal staff

2. Assessing the risk in each product

• Identify the 11 products to be assessed (Cash, ATM, Current Accounts, Savings Account, Multi-Currency Account, Fixed Deposits, ASB Agency, Share Margin Financing, Accounts, Safe Deposit Box and Remittances).
• Identify all the operational processes for each of the 11 SSO products.
• Objective: for each operational process, analyse the magnitude of the risk impact (in terms of exposure loss amount) and the likelihood (in terms of number of incidents) for each of the 4 risk categories, using the GIA's historical investigation database for the past three years (1998, 1999 and 2000).
Page 1 / 2 Contributed by Shamsudin Hoosian on May 9, 2003 E-Mail Address : Shamsudin_Hoosian@rhbbank.com
• The extent of risk impact/likelihood for each risk category is assigned a magnitude of either High or Low.
• This is first achieved by averaging the total loss exposure amount and the number of incidents that happened in a year to derive a common median/average for each SSO product.
• Secondly, the exposure loss amount/number of incidents of each operational process is compared to the median to derive the extent of risk. For example, if the exposure amount is higher than the calculated median, then the risk impact for that particular operational process is classified as High.
• Similarly, a comparison can be done for each risk category of the SSO product.

Upon identifying the magnitude/extent of risk impact and likelihood for each risk category / operational process, the magnitude of each of the 4 risk categories / operational processes is mapped into a Risk Quadrant Grid.

3. Risk Quadrant

From the risk assessment, the risk categories (e.g. people risk) or the operational processes (e.g. cash receipt/payment over the counter) are mapped into the Risk Quadrant Grid. The Grid is divided into the following four quadrants:

Quadrant
(i) Significant Impact and High Likelihood
(ii) Significant Impact and Low Likelihood
(iii) Insignificant Impact and High Likelihood
(iv) Insignificant Impact and Low Likelihood
Risk Quadrants Grid

                       High Likelihood                          Low Likelihood
Significant Impact     Significant Impact / High Likelihood     Significant Impact / Low Likelihood
Insignificant Impact   Insignificant Impact / High Likelihood   Insignificant Impact / Low Likelihood

Risk Assessment legend: High Risk - Medium-High Risk - Medium-Low Risk - Low Risk
4. Control Self-Assessment (CSA)

Finally, the CSA questionnaires are formulated on the high risk and medium-high risk quadrants.
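The following Python script is an added worked example, not part of the GIA document, that carries steps 2 to 4 through on constructed figures for one SSO product. It assumes: the "median/average" of step 2 is the arithmetic mean of the per-process three-year averages; a process is rated High when its figure is strictly above that mean; the four quadrants (i) to (iv) pair with the four legend ratings in the order the document lists them (Significant/High = High Risk, Significant/Low = Medium-High Risk, Insignificant/High = Medium-Low Risk, Insignificant/Low = Low Risk); and the loss amounts, incident counts and process names are invented sample data.

```python
"""Risk quadrant classification of operational processes (added example)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical figures, not from the GIA database):
# product -> operational process -> [(loss_amount, incidents)] for 1998, 1999, 2000
HISTORY: Dict[str, Dict[str, List[Tuple[float, int]]]] = {
    "Cash": {
        "Cash receipt/payment over the counter": [(120_000, 9), (90_000, 7), (150_000, 11)],
        "Cash-in-transit": [(300_000, 2), (0, 0), (250_000, 1)],
        "Teller till balancing": [(5_000, 12), (8_000, 15), (6_000, 10)],
        "Vault custody": [(2_000, 1), (0, 0), (1_000, 1)],
    },
}

# Assumed pairing of the quadrants (i)-(iv) with the legend ratings, in listed order.
RATING = {
    (True, True): "High Risk",          # (i)   Significant Impact, High Likelihood
    (True, False): "Medium-High Risk",  # (ii)  Significant Impact, Low Likelihood
    (False, True): "Medium-Low Risk",   # (iii) Insignificant Impact, High Likelihood
    (False, False): "Low Risk",         # (iv)  Insignificant Impact, Low Likelihood
}


@dataclass
class Assessment:
    process: str
    avg_loss: float          # average exposure loss per year
    avg_incidents: float     # average number of incidents per year
    significant_impact: bool
    high_likelihood: bool
    rating: str


def annual_averages(records: List[Tuple[float, int]]) -> Tuple[float, float]:
    """Average loss and incident count per year over the three-year window."""
    return mean(r[0] for r in records), mean(r[1] for r in records)


def assess_product(processes: Dict[str, List[Tuple[float, int]]]) -> Dict[str, Assessment]:
    """Steps 2 and 3: derive the product's common average, compare each process to it,
    and map the result into the Risk Quadrant Grid."""
    per_process = {name: annual_averages(recs) for name, recs in processes.items()}

    # Step 2, first bullet: the common average (threshold) for this SSO product.
    loss_threshold = mean(v[0] for v in per_process.values())
    incident_threshold = mean(v[1] for v in per_process.values())

    results: Dict[str, Assessment] = {}
    for name, (avg_loss, avg_inc) in per_process.items():
        # Step 2, second bullet: above the threshold means High, otherwise Low.
        impact = avg_loss > loss_threshold
        likelihood = avg_inc > incident_threshold
        results[name] = Assessment(
            name, avg_loss, avg_inc, impact, likelihood, RATING[(impact, likelihood)]
        )
    return results


def csa_scope(assessments: Dict[str, Assessment]) -> List[str]:
    """Step 4: CSA questionnaires are formulated only for the High and
    Medium-High quadrants; return the processes that fall into them."""
    return [a.process for a in assessments.values()
            if a.rating in ("High Risk", "Medium-High Risk")]


if __name__ == "__main__":
    cash = assess_product(HISTORY["Cash"])
    for a in cash.values():
        print(f"{a.process:40s} loss={a.avg_loss:>10,.0f} "
              f"incidents={a.avg_incidents:5.2f} -> {a.rating}")
    print("CSA questionnaire scope:", csa_scope(cash))
```

With the constructed figures, each of the four processes lands in a different quadrant, so the run shows the whole grid being populated and only the two processes in the High and Medium-High quadrants being carried into the CSA questionnaire scope.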