Risk Management of Uber Essay

Assignment #3: Create RCSA Program for your Firm (180 points)
Revised v3; Feb 29, 2020

NOTE: Page limit: maximum 1.5 pages (2 pages including the optional exhibit in the Appendix).

Exhibit (optional, in Appendix): the firm's risk rating methodology across all risk types. This helps you determine the rating (color) / severity-loss number of inherent risk and residual risk in the table. Generally, the strength of a control will reduce the frequency and/or severity of the residual risk (when compared to inherent risk). Controls also generally have a risk rating/color based on the effectiveness/strength of the control(s) to help determine the residual risk, but that is not needed here; it is mostly used by Risk to challenge the control effectiveness of the process/business owner. Internal Audit challenges/tests the effectiveness of both 1st and 2nd line controls. For example: business/1st line controls (strength or lack of) can be adherence to policies and procedures, escalating exceptions to policy, periodic RCSA reporting to the Op Risk committee, etc. 2nd line (risk group) controls (strength or lack of) can be the design/operational effectiveness of: policies, governance/framework, oversight/challenge, timely/effective reporting (to management and Board), training to ensure policies/risk appetite are communicated to everyone in the company, etc.

You are hired in the Operational Risk department (2nd line of defense) and tasked to create a Risk and Control Self-Assessment program for the firm.

PART 1 – 80 pts.: Identification of Risks and Controls

Note: This section is not new; assessing the risk ratings/color (frequency/severity) is the only addition to the guidance provided in class previously.

1) Template: Identify two potential operational risks (Column 1) for the company. Example row:

Risk Name: Inaccurate Disbursement
Risk Description: Employee initiates wire transfers from client accounts to an external bank due to lack of segregation of duties and entitlement controls, causing financial loss.
Inherent Risk Rating: Once a month, 5M – 20M
Controls: Maker checker; call back for new accounts; accounts payable review before execution
Residual Risk Rating: Once a quarter, 500k – 5M
Action Plans: Implement escalated approvals based on amount.
Rationale for Residual Risk Rating: How do the controls effectively reduce (or not) the inherent risk rating (High/red) to (yellow/moderate)?

For each risk, fill the template with the following (each part worth 5 points for each risk):
a. Column 2: Describe the risk using the guidance provided in previous assignments/milestones 1 & 2 (what went wrong (who, what, when, why, how), root causes).
b. Column 3: Assess and fill the inherent risk rating column (Frequency and Severity) as shown in the example (guess the Frequency and Severity and then pick the color from the Exhibit).
c. Column 4: Identify at least two controls that would mitigate the risk and identify the control type (directive, preventive, corrective, detective). If you are not able to find any controls that the organization has implemented, identify (make up) some that you feel would best mitigate the underlying risk.
d. Column 5: Fill the residual risk rating field using the Frequency and Severity. (You may guess Frequency and Severity.)
e. Column 6: Create a minimum of one action plan that would mitigate the risk (an action plan is a description to create a NEW control or enhance an existing control).

Note:
• Risks and controls resulting from the RCSA are recorded in the firm's risk register and owned by the business. Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment; these scorecards include the quantification of the impact (severity) and likelihood (frequency) of the risks occurring by using the firm's uniform scoring methodology (e.g. H/M/L; see Exhibit).
• The RCSA process considers financial, client, legal & regulatory and reputation impact when considering the risk impact. The outcome of risk assessments (ad hoc, specific or process driven) will be a list of potential risks that the firm is exposed to. These identified risks, along with their scoring, their mitigating controls, and the controls' scoring (controls are also scored, but that is not being asked for here), must be stored in a structured/formal risk register. Regulated firms keep their risk register updated and ready to disclose to a regulator if that requirement arises.
• Where risk-mitigating controls are scored low or weak, either in terms of design or performance, an action plan must be defined immediately and assigned to one or more owners (across the 1st and/or 2nd lines of defense). The action plan is to further manage the risk within the firm's risk appetite by adding new controls or enhancing existing ones. The aim is to bring the residual risk from moderate to low or, for a moving target (such as cyber), to maintain residual risk at moderate by establishing capabilities. The risk management department follows up on, tracks and reports (to the risk committee or Board) on any action plan (in progress until completion), since in the interim there might be a control in place which is not robust enough and compensating controls are needed. Ultimately, the head of risk might block or place a condition on (exception raised to senior management and/or Board) a certain initiative/action plan/project (as a risk mitigation control) if it is not in place, is not progressing as planned, or is found to be not robust enough by a specified time.

2) Column 7: Risk Rating Rationale (focus on control/residual risk): why the residual risk is reduced to yellow based on the strength(s) of the control(s). For example, what is the rationale for the residual risk rating? How do the controls effectively reduce (or not) the inherent risk rating to the residual risk rating, etc.? (15 points for each risk)

PART 2 – 100 pts.: Propose RCSA Program/Construction

Can be in letter form or in bulleted form like below (your choice), based on the risks and controls highlighted above.

1) RCSA Program Overview, to establish common understanding and expectations of what the program means and how often it will be performed (50 points)
A) What are Risk and Control Self Assessments (RCSAs)?
B) How would you construct an RCSA program? (Tips: define various terms including risk, inherent and residual risk ratings, controls, action plans, etc. Decide how frequently RCSAs should be performed.)

2) Identify the roles and responsibilities of the first and second line of defense with respect to the RCSA program, based on the controls/action plans highlighted above (to ensure common understanding/expectations/accountability is established). (50 points)

Out of Scope: 3rd line (Internal Audit) role/responsibility in testing/risk rating the RCSA controls and determining the residual risks (as part of their risk-based audits) and providing independent assurance/reporting to the Board.

Appendix (optional): Risk rating scale based on the size of your company.

Explanation & Answer

Hello Mark,

Just as usual, I have delivered the final answer before the deadline. Please take a look at it and let me know in case you need any revision. Thank you so much for your invitation 😍

Running head: CREATING A RCSA PROGRAM

Creating A RCSA Program
Insert Your Name Here
Institution

Insert due date of paper here

Part 1

Risk Name: System Outage

Risk Description: The ride-booking system goes offline momentarily, denying clients access to the central reservation system. Clients may opt for the competition.

Inherent Risk Rating: $160 million – $200 million

Controls: Run redundant global distribution systems on alternative cloud computing platforms.

Residual Risk Rating: $10 million – $20 million

Action Plans: Implement automatic switch from one cloud service to another when load ceilings are reached.

Rationale for Residual Risk Rating: Alternative cloud services spread or take up the load F...