Talking Risk
Risk and Your Role in Risk Management
Learn all about risks and your role in risk management
Produced by
THE OFFICE OF RISK MANAGEMENT
Chapter 1
Risk is the probability of an event occurring that could have an adverse or positive impact on your objectives.
Yow pardner, all over the campus I hearing ‘bout risk, risk, risk. What is this risk thing really about?
Whoa!! That’s some big terms boy ... objectives, adverse, impact, probability … break that down man!
OK, let’s look at it this way …. Tell me one of your goals … something you want to accomplish.
Wait … my brother has been saying he want to finish his CFA by December 2020. Can that work?
I don’t really have any major goal right now … I just kinda looking at things for a while….
Hmmm… let me see... he said he may be going on a 6-week mission at the IMF starting the end of November.
Sure, Great … now is there anything that you can think of that may prevent him from completing his studies by that date?
So what would happen if he goes on the mission?
Boy, then mister would miss the exam in December, and he ain’t going finish until March 2021. Those programs funny – you slip you slide.
Excellent!! Now let’s use that information…
He would like to complete his CFA by December 2020 – That’s the objective; He may be assigned to the IMF mission – that’s the probability of an event occurring; If he is assigned to the mission, his end date would be pushed back to March 2021 – that’s the adverse impact on the objective.
That’s an interesting example, but yes, you get the gist of it. The fact that you may not make it to work because you are going to music festival, is a risk to completing the assignment on time.
Sooo … when there is a specific task to be done, and something can happen that can prevent it from being completed, then that ‘something that can happen’ is the risk.
Ok, ok, so check this … the boss gave me an assignment and when I think about it, I realize that I may not finish in time. You see, music festival coming up ‘round the same time and I don’t think I going make it to work after the soca night and then I have to rest up for Buju on Saturday night! So going to music festival is a risk?!
You hit the nail right on the head!
Well …it looks like I will never get anything done because it’s a lot of things that can happen to affect everything I do … a lot of risks!!!! Boy, is like risk everywhere!
But wait … when you were using all those big terms earlier, you did say something about positive impact? So I ain’t hear anything else ‘bout that!
Ha ha ha … no worries … there is a process for you to manage these risks … it’s not as bad as you think.
Sure, let me explain with an example …
Ii
Wait ... I got this … Objective - to maximize profit. Probability of an event occurring - the opposition may win the election. Positive impact – tax reduction, more profit for my friend ( IF they win … we will see what happens).
Man … you catch on quick! Next time when we meet up, we will talk some more about how to deal with the risks. Catch you later…
So … your friend with the supermarket, pays 33% tax on his profit every year. I hear the opposition saying if they win the elections they will reduce the tax rate to 20%!! That means …
Ii
Chapter 2
Well boy that was the longest week ever! I couldn’t wait to continue this risk talk! I even have my friend here curious, how I talking about it so much. She joined the Bank about 2 weeks ago when you were out on leave.
No man … you ain’t got to do that. I done give her the lesson. I tell her ‘bout Music Fest and Buju and even the elections! She safe man.
Ok then. So since we know how to identify the risk, we have to assess it to see how it will affect the objective.
I’m glad to know that you so into it. So you want me to go over what we spoke about last week?
You mean like on a scale of 1 – 10, how bad it would be if his brother finish the CFA in March 2021 instead of December 2020?
Well I thought we done do that last week. My brother ain’t going finish his CFA in time, I ain’t going finish my assignment because of Music Fest and my pardner going pay less tax ( hopefully) elections)
That’s one part -- identifying what ‘ could ’ happen; but there is more. You have to figure out how severely the objective would be affected if the event occurs – would the impact be significant, very high, high, moderate or low.
Wait, slow down; what scale this now?
Yes, something like that.
So if you think it’s such a high risk, just don’t bother go to music fest!
I could tell you right now without any scale.
And miss Buju??? Really?? You must not be not feeling well!
For the CFA, the impact is low … if my brother finish 3 months later, it ain’t going kill him.
Anyway, don’t worry, I working on a plan.
With the tax thing, I would say moderate - if the tax reduce from 35% to 20%, its more money for my friend, but if it ain’t happen, no sweat, because he living without it now. Plus, it ain’t going be no big windfall - is a little small supermarket the boy have, ain’t like Rams or Valumart. Now, with the assignment the boss give me to do, if I miss the deadline, that one high , because the boss man have to report to the bigger bosses, you check!
He just saying we have to figure out the chances of the events occurring … like, if you think the opposition will win.
We say whether it is highly likely, likely, unlikely or very unlikely to happen.
(Smh) So now we know the extent of the impact, we have to determine the likelihood of the risk materializing.
Well, why he couldn’t just say that? He talking ‘bout materializing like I’m some kind a seamstress.
So you mean, how likely it is for the event to actually happen?
You
and
them big terms again! …
Well if his brother applies for a visa now, he could get it in time for November. The likelihood of him going to the IMF would change from very unlikely to likely.
Those answers bring me to a very important point about assessing likelihood. You have to take into consideration things that are being done to make the outcome less likely (if it is negative) or more likely (if it is positive).
My brother going on the IMF mission is very unlikely because he seem to have forgotten one little, but very important detail …. he doesn’t have a visa and the last time I checked the IMF is in the US of A. The music fest thing is unlikely , because I love Buju but I also love my job … so I will still go, but like I said, I working on a plan to kill two birds with one stone.
That’s easy …
The election one, I leaving that alone … let somebody else answer that.
And the opposition winning the election … for
Well I would say it’s likely, i t can go either way, these things are unpredictable. Both parties campaigning hard. There isn’t much any of us can do.
And my friend here says he working on a ‘plan’ so he could go music festival and still finish his assignment, so it is unlikely that he would miss his deadline.
Yes … let’s hope it’s a good plan or else that unlikely will become very likely and that’s a bigger risk for him!
Let me listen to this one good …
Just like that? … I thought you had to do some research and come up with an equation to solve for ‘x’ and that kinda thing.
That is excellent! You have assessed your risks by rating the impact and likelihood of each risk.
Not at all. The important thing is being able to determine the effect an event would have on your objective (impact) and the chances of that outcome materializing, taking into consideration anything that is being done to influence the outcome (likelihood) . Of course, in the workplace there are a lot more risks to be assessed, so the process would be more extensive, but the analysis is the same – and always remember to keep your objective in mind when assessing risks .
Well, on that note, I think I need to go and assess all of my many risks. Then what to do after that?
Then we could talk about how to manage them and other risks in the workplace; but that’s for next time. With all the risks you have, that will take a while. See you next week!
Sure … hopefully by then some people would have figured out their wonderful plan!
Chapter 3
Yo pardner, before we go on, I need a favor. It’s all part of the plan to finish the assignment – so work with me. By the way, you know that Machel coming for White Sands??!!!!!
So, you finish assessing all your many risks and ready to manage them?
You would think he would use the weekend to reflect and come to his senses, but he gone from bad to worse. Maybe he think when they looking staff for the risk office, is the person with the most risk going get the post.
What Machel and White Sands have to do with you? Buju and music fest ain’t enough risks to manage?
Anyway, what is the favor?
So what you think I was trying to do by asking you to help me? But obviously, you want to pick and choose what risk to manage.
I have to get back to you on that. Let’s continue …. We need to come up with an action plan to manage the risks we have identified and assessed.
You said we can take action to reduce the likelihood, right? So … since you don’t really have a social life … you think you could review the paper for me while I go music fest and white sands?
Boy, you ain’t easy! That’s you big ‘plan’? Begging with attitude … “since you don’t really have a social life…”??? Well sah, some people bold!
Simmer down… we will get to that. Managing risks is not about “mine first”; it’s about prioritizing and addressing the higher risks first.
And you don’t think the risk of me getting in trouble with the boss is higher???
Higher than what exactly??? If you ask me, I think that if you get your priorities in order, then your likelihood would be so low, you won’t even have a risk.
Oh dear … it looks like we have some new risks being created here … let me hurry on.
And do realize, I did not ask you. you
So how do you determine which risk is higher?
It’s not an ‘x’. It’s a multiplication sign! (Smh) …
And you all think it was so funny when I said solve for ‘x’? Look it there now!
Once we calculate the scores, we focus on crafting a response for
You can’t take a joke?
Using a range of 1 – 5 where one is low and 5 is high, we rate the impact and the likelihood and come up with a score for each risk. Risk is a combination of likelihood and impact; therefore:
risks that have a higher risk score.
Risk Score = Impact x Likelihood
Ok, ok … so let’s score the risks we talked about.
The pardner just say don’t waste time on them low risk things and pay attention to the high risk!!! Does 6 sound like a high number to you ?? Anyway, the impact of me not finishing the assignment is very high - 4 . And since ‘some people’ don’t want to help me out, likelihood is also 4. That gives a risk score of 16 , which is pretty high.
The impact of my brother finishing his CFA 3 months later is low, so that’s a 2 . Let’s say he applied for the visa and gets it; the likelihood is a 3 . The risk score would be 6 , which is on the low end. So, we forget he, and move on.
Just so? You ain’t even give it any thought.
We???? The last time I went to music fest was the year when they had bring Burning Flames and I was at work bright and early the next day to complete all my assignments.
Good, so we now need to come up with a response to manage this high risk.
Thanks for the history lesson. That was so long ago, I sure not even Burning Flames remember. Anyway, I already have a response - I will start my assignment earlier and sleep a little less on the Saturday to finish it before I go Buju. I’ve got options!!
Great! The overall risk scores readily identifies the risks that need immediate attention and then we decide on the appropriate response to reduce the risk to a manageable level.
Arm … can I ask a small question? Suppose you have a risk response, right, but then something else kinda come up that could make the risk go back up to high?
You taking the joke too far!!! You must dance to every drumbeat?? You need to pick up you assignment and run wid it !!!
I never said it was me, but, if you must know … I just get a WhatsApp saying that Mr Killa coming for ‘Breaking Dawn’ ….
What else could you possibly come up with? Carnival is not until December and we in May!
Sounds like you have to monitor your controls before you even implement them; but that’s for a next time.
You know what, before some of us get carried away any further… let’s end the risk talk for today … we getting the hang of it. I was thinking though, there are a couple of risk areas in the Bank that I need to understand better. Maybe we could go through some of them next time we hook up?
Sure, I am looking forward to that … I think. I feel like I was doing some risk management on the fly today.
Everything cool man. Let me tell you … It’s not an easy road but every now and then I just pick up something, run wid it , and I’m the happiest man alive ! No worries….
Chapter 4: Part I
Is there any specific area you want to look at?
So we ready to look at some real risk issues in the Bank?
Be careful what you ask for - with all your drama, you might turn out to be the biggest risk!
Well I overhear the pardner from Accounting talking about paying vendors and saying he ain’t want to pay anybody late. He did sound serious.
Yeah man, I really want to expand my knowledge in this risk management thing.
To pay on time and make sure the money right.
OK, so for vendor payments, what is the objective?
Yes, I agree, to effect timely and accurate vendor payments.
Well, there might be an internal delay in the process, so the bills end up being paid late.
Ok, let’s say it your way then, Ms Webster.
Well she didn’t sound like a dictionary or thesaurus just now with all them big terms? So much for keep things simple.
(Lord Help) So we have the objective. What might be some of the risks?
Webster?? I thought her surname was James.
If there is a delay in paying the bills the impact would be ‘low’ because its not like they not going to get paid, just maybe a week or so late.
Good – we have the objective and the risk. Let us assess the impact and likelihood and score them.
I didn’t say that, but not because it hasn’t happened, that doesn’t mean it can’t happen. If it does, ECCB could have a reputation for not paying its bills on time.
Oh, so in other words, it’s ok for word on the street that ECCB owe and wouldn’t pay on time?
You
hear
anybody saying that?
That sounds reasonable; so we have a ‘very high’ impact score of 4 based of the reputational risk. Now what’s the likelihood?
Well from what the Accounting pardner was saying, it sound like he don’t make joke eh! If it have bills to pay – he paying them! So it’s very unlikely that the bills will be paid late.
So why should he be stressing about bills he ain’t get?? That’s like my brother worrying about going IMF and he know he ain’t got no visa.
Yes, but remember it’s not them alone dealing with the bills. What if the bills don’t get to Accounting on time?
All I am saying is that before we rush to say ‘very unlikely’, look at the whole process and see if there are any gaps. There may be areas for improvement, so I would say ‘likely’; at least for now.
So you think the man who waiting for his money going be saying “ well I know the pardner in Accounting really want to pay me, but ain’t really he fault; is because they didn’t send across the bill in time to pay” ?
So what you trying to say, he must go look for the bills to pay?
Great, so based on the discussion, that’s a likelihood score of 3.
Oh … it’s like that? I give a rating, and because she come up with some fancy argument, you just pick up she score and run wid it?
So we have a score of 12 for the risk of settling bills late. This is a moderate risk. It’s an area that may not need urgent attention, but there may be things we can do to improve.
Not at all. Based on the information, I think the point is valid. We cannot just look at things in one area … remember the objective is paying vendors on time. So it’s about the entire process, how it can be affected and the overall impact on the Bank.
Ok cool, go on; let me see what going happen next time.
Chapter 4: Part II
Since Noah was building the ark back then, this statistics thing seems to be a challenge. How do we assess that risk?
First, the objective, which in this case is “to provide accurate, timely and consistent data to stakeholders”.
Correct, and the risk is lateness and “wrongness”. If once or twice the data come out a day or two after the due date, all you going hear is ‘Central Bank always late’. And if by chance any of the numbers wrong, well is big headlines “Central Bank misleading the public!”
But a lot of the data that ECCB publishes comes from the member countries and on occasions it’s late; so the ECCB is not at fault for late publication.
What’s the next risk?
I know things can slip thru and we may have to publish a correction after the fact.
Let’s look at the risk of data error. If this happens too often, the public will question any data published by the ECCB after that, no matter who is at fault; the impact will be very high.
Actually, you are both making valid points so let’s break this down; let’s look at different risks affecting the objective.
Oh, so when the man ain’t get pay, he ain’t to be concerned about where the problem start but in this case, its ok to buss a Shaggy - “it wasn’t me.”
Ok, so that’s a 5 - serious reputational damage. And the likelihood …?
Related?? I just know you for the first time when you come to the Bank.
We have been doing this for a while now. So if there is an outlier or anomaly, it should be picked up during the review process.
That answer sounded very ‘Webster- ish’, so I saying maybe we are cousins. But, you have a point; and even though you might indicate the source, people don’t always watch that.
What about if data came in wrong from the member countries?
Eh, Eh, well you ain’t tell me we related.
Well this is where it gets a little tricky, because most of the data comes from the countries.
So I guess, if there are gaps in the review process, then it is ‘likely’ that a few errors may slip through, so we going give it a 3 .
That’s an option. But then, what happens if the estimates are way off? That’s just as bad as if the data is wrong, and create another set of problems.
Great stuff. So the score for the risk of data errors is 15 . That’s a high risk score so an urgent response is required. What about the risk that the data may not be timely?
What about using estimates?
Then that comes down to the methodology, skill sets and internal review process to make sure they are accurate.
There’s a saying ‘it’s better to remain silent and thought a fool than to speak up and remove all doubt .’ In this case, it might be ‘ better to leave it blank than to estimate and get it dead wrong ’.
This is a very interesting discussion.
If the data is published late because of delays in the member countries, and there is nothing the ECCB can do about that, the risk is not fully within the Bank’s control and should not be assessed as one of the Bank’s risk. We may have to adjust the release calendar if the problem persists; that is what is within our control. However, the risk that the data may be published late because of internal delays after the data is received or if there may be errors because of internal gaps, now those are within the Bank’s control and need to be assessed and treated with. This applies to any information published by the Bank.
Whew … that was a marathon boy. No wonder we having so much problems with statistics.
For real, we going have to take a break.
Maybe next time we could look at the risk of having unproductive meetings because of poor scheduling. Would you believe the boss put a meeting for 8 o’clock in the morning, first day after the long holiday weekend!! That could make sense?? Wha’ he really thinking?
Chapter 5
The current situation is stable. I’m monitoring closely.
Ok then… whatever that means, but like you said, you have options.
For real … and for such a high-risk area, I find the folks in MISD seem very cool.
So how is the assignment going?
Let’s talk a little bit about managing IT risks. You know all this talk about cyber-attacks; it all sounds like a big deal.
It might be the A/C, because in there always cold. Maybe that’s the risk response to deal with all the IT risks.
Ha Ha, - good one. The truth is MISD has many risks. Let’s take the objective of managing IT services, for example.
Well you know with music fest and the other activities, maybe when I come in to do the assignment, the system may be down; then the boss can’t say I didn’t try.
You mean like SAP, SAS, SWIFT and the rest of the alphabet?
And even basic things like email, DM and simply being able to turn on your computer in the morning.
What music fest have to do with the Bank’s IT system?
Yes, so that ‘some people’ can do their assignment.
Girl, you ain’t even know how IT systems work. It’s all connected. You ain’t see when FLOW having problems, your internet does go down?!
If that’s your Plan B, I suggest you start thinking about Plans C, D and E!
That would be a disaster, especially if it’s a day when HR processing salaries!
Back to the IT risks. What if there’s a major power failure that cause everything to shut down?
Well, you ain’t have to wonder what the impact would be for that! I think we should give that a 6 !
6?? But the highest rating is a 5.
Exactly! You ain’t hear it might be a day when HR doing salaries?
But don’t we have surge protectors for things like that?
Surge protectors ain’t no match for SKELEC!
OK, so we agree that it’s a 5. What about the likelihood of that happening?
Well with SKELEC, the likelihood of a major power failure is also a 6. They does have me lights blinking on and off like is Christmas.
Let’s say it’s highly likely.
So do we have a contingency plan that would allow us to fail over to a back-up system?
You couldn’t just ask if there’s a Plan B? Trying to sound all ‘techy’, yet you didn’t know that all systems are connected.
There are some redundancies in place but until they are all fully implemented, I would say the likelihood is a 4.
Interesting you should say that. Do you know that you may be involved in the cyber- attacks you spoke about earlier?
Wow, that’s a risk score of 20 ! I’m glad is them have to deal with that and not me.
Me?? I don’t work in MISD.
Nobody is accusing you. ‘You’ is just an indication that staff members can contribute to the success of cyber-attacks.
And I’m sure they didn’t call my name! So I don’t see how you all want to come accuse me.
It’s true. I was reading an article that said a lot of the cyber-attacks are carried out by targeting staff members.
The impact would be the same as the power outage as key services may be unavailable.
But MIS sending out all kinds of emails about being careful when you get emails and not to click on links we not sure about.
Don’t forget them paragraph they want as passwords.
On another note, at the gate where the security officer come out and check the vehicle, that’s part of risk management?
Yes it does; which means there is more work to be done. You see now why the A/C has to be so cold!
Yes it is. One of the objectives is to prevent unauthorized access to the campus, so they have to confirm who is entering.
Good stuff. This affects likelihood; so in this case, because of all these initiatives, the likelihood is probably a 3.
But that still makes it a high risk area.
Oh Ok. Because I know they check boxes when you leaving the Bank. So I was thinking maybe they checking to see if you thief anything and bringing it on the campus.
Really?? Trust you to think that! I think is a good thing because with all that is going on these days you can’t be too careful. The impact of unauthorized access would be very high, because people can do some serious damage.
Yes, but with them checking, and all the cameras they have, I would think the likelihood would be about a 2 . A lot of people forgetting to put back up they window tho’.
Well I guess you don’t have that problem ... your windows stuck in one position – UP.
Boy, I just got the loan approved today.
Who talking - walking! It gets me from point A to point B!
I happy for you, because you were becoming a real risk to the Bank. You pull up by the gate, you windows can’t go down and you back doors can’t open! You lucky they let you in.
Wait, you aint get you new car yet?
Did you realize that in the security example, the risk score was 10? That’s because, although the impact was very high, the likelihood was low because of the controls. That’s why its’s important to complete the risk assessment and look at all the factors before saying a risk is high or low.
FYI, I am free to use ‘old faithful’ whenever I want. Actually, I was thinking of letting you use it since you don’t have a car yet.
Girl, you remind me of a Washie student One morning he auntie drop him to school in she little old car because it was raining. When he jump out in front the school, my boy see he friends, hear him “Miss, thanks for the ride,” like she is some stranger who he ain’t know.
If that was me, he would have a very high risk of drowning next time rain come!! Out of Order!
You’re right, because I just figured everything to do with security is high risk.
And once you get your new car, the risk going to be even lower.
Thanks … but I’m good.
That’s great. I hope I can depend on you to spread the word. Risk awareness is very important in building an effective risk culture.
These risk talks have been really good. I’m learning a lot.
Yes, the problem seems to be writing the words to complete certain assignments!
Oh, for sure. You know spreading the word has never been a problem.
Yeah, me too.
Chapter 6
Sure. For example, the Bank is required to publish its Balance Sheet by a certain time each month.
I hope is not another fete because you can’t take on anything else!
I want to raise something that has been on my mind.
Yes, but the Bank only has control over completing it and sending it out on time to the media houses for publishing.
So the risk would be that it may not be published on time.
No it’s not … at least not that I know of. This thing about something not assessed as a risk if the Bank has no control over it. Explain that some more.
So let’s say it went out on time, but it’s election time, the politics hot, so it didn’t get a space in the paper. That ain’t the Bank fault.
So you’re saying just concern ourselves with what’s happening inside the Bank?
I would prefer to say - focus on the risks that we have control over. If the risk response is outside of our control then it is not a risk for us to manage.
Or it could be that the music fest ads full up the paper.
Exactly, so late publishing is not one of the Bank’s risk. We only have control over the risks related to timely completion and dissemination to the media houses.
And
if
the
Well that ain’t the same thing I just said? You just put it in your fancy way.
Not quite - let me try and help. The ECCB regulates commercial banks even though their operations are outside the ECCB. The BSD is assigned to manage the risk of a commercial bank failure.
So if commercial banks decide to give big loans to all they big friend who they know can’t pay back and then have problems, the ECCB must manage that? you saying
What I’m saying is that the BSD manages the risk of a commercial bank failing by identifying any problem areas and implementing measures to have them addressed.
commercial bank decide they going do they thing anyway? ECCB must take the blame for that?
That means ensuring that the on-site and off-site surveillance were carried out effectively, the relevant authorities were advised of any areas of concern and ECCB did the necessary follow-up for corrective action.
Ahhhh …. now that’s where it gets interesting. The ECCB cannot be held responsible for the decisions taken by a commercial bank. However, it must ensure that it carried out its duties and the necessary steps were taken to address any issues that were identified.
In other words, we carry the horse to the water to drink but we can’t be blamed if the horse decides not to drink the water, even if we coax it, and then fall down because it’s dehydrated.
Yes, that’s the gist of what we’re saying.
Don’t miss the very important point though - we have to stay on top of what we have control over. For example, we have to make sure we can show that we took the horse to the water.
Ok. On another note, in Banking Dept. the other day they were saying something about a moderate target risk score. How is that? Everything ain’t supposed to be low risk?
That may be so, but some risks can’t be low by the very nature of what is involved; so being moderate is not necessarily a bad thing.
For real, nothing moderate about the big money and ‘truckload’ of transactions they dealing with every day.
Retire? And still fighting up Machel and Buju! You really need to stay in your lane!
Explain that some more please. I soon time to retire; I have to make sure my pension secure.
I’m as young as I feel! And since all you know about is Burning Flames, maybe you need to retire!
Let us look at the management of the investment portfolios and the risk that the interest rate may fall below the Bank’s tolerance.
Well, if the interest rates go too low, then that could mean losses for the Bank, which would have a high impact. (3)
When you say loss, you mean I could lose my pension?
In other words, we can’t change the impact or reduce the likelihood. Therefore, we accept a moderate risk score and monitor the market movements.
The Bank has no control over how the interest rates move. What can be done is to monitor the markets and make adjustments, where possible, to minimize potential losses from adverse interest rate changes.
So based on that assessment, the current risk score is 9 which is considered to be Moderate.
No, I am referring to the income that the Bank earns on the investments. Given how the markets are so unpredictable, that is likely to happen.(3)
And you are saying that’s a good thing?
Exactly; and in that scenario, a moderate risk score is acceptable.
I hear what you saying about the Bank, but what about my pension?
Your pension is secure. One of the underlying principles of the Bank’s investment strategy is the preservation of capital. This means, even if there is a loss of income due to market movements, the principal, including your pension, is preserved.
Not all risks targets can be low. The Bank takes appropriate risks. A culture of aggressive risk avoidance could potentially stifle progress then the Bank won’t be able to achieve its overall objectives.
Ok, I could work with that. So you’re saying that not every time the risk has to be low?
But how to decide when a risk target should be low or moderate?
For real – juggling breaking dawn, music fest, white sands plus the assignment, I getting tired just thinking about it.
This
risk
Here’s a risk response for you … pick up your assignment, run with it , finish it like a boss and then you could walk like a champion .
management thing seems like a full-time job in itself.
You have to consider:
1. How critical is the process that is being assessed? 2. What would be the overall impact of the risk? 3. How much can be done to reduce the likelihood? 4. What corrective action can be taken if the risk materializes?
Your creativity never ceases to amaze me. I hope you put it to good use.
Girl you ain’t see nothing yet. You think all these risk talks are for show? Next month is my turn to lead capacity building and I done have my topic – ‘Risk Management: What you need to know’. They going think I come from PwC!
Think about it: It’s an important assignment with a high impact score; but, it is understood that sometimes staff can get ill or some other incident or event may occur to cause a delay. So you factor that in your analysis and you set your target risk score at moderate!
Actually, now I think about it, the risk score for the assignment is moderate.
How you figure that?
Chapter 7
Well, like we said before, sometimes the risk isn’t as high as you may think. What kind of risk were you all referring to?
I know we talked about the whole security thing already, but what about the big vault they have downstairs and all this money movement back and forth?
For example, with all that money, they don’t be afraid that somebody might hijack the trucks or break in the vault?
Yeah, that’s real money we talking about and ain’t no little ‘nuts change’ either.
I didn’t expect to see you since you again already have your training on lock down. What’s on your mind?
You remember how they had steal that vault in the movie with Vin Deisel. One of them Fast and Furious movies, I can’t remember which one.
But I thought we say that if the currency is not yet issued it has no real value?
If we are assessing the risk of currency being stolen, the impact would be very high.
So where you think them criminals does get their ideas from? Anyway, how we deal with them risks?
I wasn’t thinking of anything that dramatic. This is not Hollywood!
That true.
is
So then, if it is new notes, why would the impact be very high?
We have to consider the fact that it would take some time to alert the public and recover the stolen currency, if at all. There is also the potential reputational damage for the Bank.
How the Bank going have reputational damage? Is like you saying the Bank had something to do with the robbery.
The reputational damage is based on the public perception that the Bank’s security arrangements are weak, especially if the money is stolen from the vault.
Actually, if the money is stolen from the vault, the way they have down there secured like Fort Knox, people would feel it’s an inside job. So you’re right, the impact is very high.
What is the likelihood of that happening though? Whether it’s stealing from the vault or the truck?
Well we already spoke about the Fort Knox arrangements. There is also dual custody for all currency stock which means no one person can access the currency in the vault.
Don’t forget our heavy duty security officers – you see how many of them does be going gym … including the Chief! But what about when they are transporting the currency?
You know, we probably need to examine the risk of telling people your business! I done know the impact is high because you all over me like white on rice!
The Bank has primary and secondary back-up security arrangements in place. So in both instances the likelihood is low, based on the controls in place, which means the overall risk is low.
You watch too much TV! Probably you need to spend some of that time working on your assignment!
I hope so. I keep thinking about that movie though.
This risk thing is really something else. Things that you expect to be high risk are actually not.
New notes are monetized when it has been issued by the ECCB. Monetized means it has been recognized as legal tender to settle transactions.
For real, because I was so sure that everything to do with currency was a high risk.
I’m still not clear on something you said earlier though. What you meant by saying the currency has no value before it is issued?
I’m so glad you ask that. I know I said it, but I was just repeating what I heard somebody say before.
Until the Bank becomes aware that currency notes have been stolen, they can be spent as normal. However, it would mean that there is currency in circulation that’s unaccounted for.
So let’s say somebody give me a hundred dollar bill that they happen to thief out of a box of new notes; if I go across by Ram’s with it, they ain’t going take it from me?
Before you answer that, I have a question – why you want to accept stolen money?
It’s not like I am going to knowingly accept stolen money. I’m just using that scenario to make a point!
And what happens when the central bank finds out?
That is correct. Hence the reason why there are strict controls, to minimize loss to the Bank and the public.
There are measures to recover the unissued currency notes.
In other words, it’s not that the notes don’t have a value, but they are not recognized by the Central Bank as legal tender until they have been issued.
On that note, I will be very careful who give me money from now on.
Back to what we were saying earlier about high risks. Very often we confuse the impact of a risk with the risk itself. The impact refers to the worst that can happen or how much your objective would be affected if a particular event occurs.
However, because the impact may be high, meaning that there may be a significant negative impact on the objective, that doesn’t mean that it’s a high risk.
Ok, now you are confusing me!
Ok, I get that. So where is the confusion?
So you can have an impact of 5 but because of good controls, the likelihood is 1 and the risk score would be 5, which is a low risk.
Boy this feels like me the other day with the ‘biggest loser’ challenge. After I eat all kind a bush for weeks, I gone down to weigh on the last day and I only lose 4lbs!
The impact of losing weight with the bush was high, but with them coconut tart and banana bread from ‘I have’ every Friday, what you expect? The likelihood was 1 !
I guess you aren’t as big a loser as you think!
Remember the final risk score is based on the impact and likelihood. So although the impact may be high, if the controls are good, this reduces the likelihood, which results in a low risk score.
Chapter 8
Not at all, I am actually enjoying these meetings and learning a lot.
You make it sound like you don’t want to be here.
I don’t know everything. I’ve gotten new perspectives, new information and a lot of food for thought.
What could you possibly be learning when you are the one answering all the questions?
So here we are again!
Strategic risks refer to the negative effect of a perceived or actual failure to deliver on the strategic initiatives. You already know about reputational risk.
Well while you in the thinking mode, tell me what you think about the risk of the Bank not delivering all those things in the Strategic Plan?
Well that speaks directly to strategic and reputational risks.
You going wait for me to tell you break that down? You should know the drill by now.
Well if that’s your version of break down ... how do you assess this strategic risk?
You have to assess each strategic objective separately. The impact would vary from one to the next.
So each project has a different impact. What about the likelihood?
I would think that if the Bank fails to meet those objectives that are more likely to directly affect the people of the ECCU, that’s where the impact would be higher.
You got that right! One thing people don’t forget is when you say you going do something for them and then you don’t do it! Ask any politician!
In each case, it depends on whether or not the Bank has control over the event that may cause the delay or non- delivery.
Let’s say, for example, we didn’t finish the greening project because the shipment of the solar panels was late, that’s a high likelihood that we have no control over.
(Sigh) All I meant was that the shipment could also be late because we didn’t process a payment on time. That would be within our control.
Yes it is; but it is important when assessing the strategic projects, we ensure that we are not the ones creating or heightening the risks by failing to do our part.
Oh, the Bank has its own cargo boat? Sorry, I didn’t know that.
I would not necessarily say we have no control over it.
The fact is, the likelihood is still high.
Bondieu! You and that one tune! Kittay mwen en poh - ba mwen on shans! Ou pas lass avec meme bagai sa la?
You hear that – ensure we deliver what is within our control – that means complete all of your assignments!
So what about those projects where ECCB is not the only party involved?
The same principle would apply.
We must ensure that we deliver what is within our control. That way, if the project is delayed or incomplete, the strategic and reputational risks would be lower because the risk event is outside of the Bank’s control.
Translation: My God! … Leave me in Peace – give me a chance! You not tired with that one thing!
One of the biggest risk issues we face is the getting the data to feed into the publications and policy briefs. So getting the papers completed on time is a major challenge.
You all ain’t have no risk in Research department that needs managing?
Most of the risks in Research have to do with accuracy of the information and timely delivery. So it’s primarily reputational risks.
I was just trying to help you but…
What I would like to know is who supposed to manage all these risk??!
So I guess it’s similar to Statistics Dept. But you all need to come up with a plan. ‘John Public’ funny. If you come to them late too often, they just rest you down and you ain’t even know.
That is so true; and don’t forget one of the strategic goals is to be the advisor of choice. You can’t advise if nobody listening to you!
Boy, it looks like this risk thing cover the whole Bank!
Well I know my name is unique, but its definitely not ‘We all’.
Who is ‘we all’? That’s somebody in the Bank? Wait, I wonder if that’s the nickname for the Chief Risk Officer?
I’m glad you asked that question. We all are responsible for risk management.
Well I know it can’t be me!
Why you so sure?
Come to think of it, what’s your name for real? I didn’t really catch it when they were doing the introductions. I just know the last name is James.
Don’t worry, I will tell you all about your role. Then you would find out who is ‘we all’.
Ok then. No wonder I didn’t catch it that sound like a risk in itself! Anyway, we still have to figure out who is ‘We all’.
My name is La-A Abcd James. (pronounced LaDasha Absidy).
Chapter 9
What exactly you mean by response? What is the question they responding to?
So, how you say the Bank going deal with all these risks?
For each risk identified with a risk rating of high or very high, the department would have to come up with a response to bring it down.
You ain’t hear the pardner say ‘we all’ going manage them. Why you stressing? I just want to know who is ‘we all’.
Boy still wondering how the Bank going manage all these risks. I
The response is the corrective action to be taken, to address the risk that has been identified.
So once the departments carry out their plan to fix the risk, everything safe?
Not quite. They have to monitor to ensure that the response addresses the problem identified.
For you, it means forgetting about music fest, the sands and morning break and focusing on getting your assignment done.
Well, what’s the point of coming up with a plan that you know ain’t going work. That makes any sense?
It’s White Sands and Breaking Dawn, get it right!
It’s not that it doesn’t work, but sometimes the problem is not fully addressed and further action is required.
Umm … not quite. Risk management is everyone’s responsibility Each staff member is a part of risk management in his or her department.
For example, your big plan to beg with an attitude to finish your assignment did not work. On the other hand, buying a new car addressed the risk of you not being allowed on the compound.
You ain’t see they have a whole Office of Risk Management! Obviously is them!
Since you know so much, you figure out who is ‘we all’ yet?
Hello? How you figure that out?
Yeah – explain yourself.
And who would know what can prevent you from completing your assignments?
Let me answer that because we done know why ‘some people’ can’t finish they assignment and it has nothing to do with the Bank.
He was speaking in general! The same people doing the assignment and their supervisors should know what could prevent them from finishing it.
Let me ask a question – who do you think understands your department’s work best?
We who doing the work day in and day out – who else?
One more thing – so if you know something can prevent you from finishing your assignment, what would you do?
Go to the supervisor and see what they could work out so I could get my work done.
That’s management. Knowing the issues/risks that can impact your objectives and taking steps to address them. That is the role of the first Line of Defence in risk management. risk
What all these question have to do with risk management?
So when me, the small man, have all them military responsibility, what about the higher ups?
Whoa… You turn military on me now. First line of Defence - I ain’t come work to fight no war!
It’s just a term used to show that those who are directly involved in the specific task are the first to encounter any challenges.
Not only the challenges, but as part of their duties, they also are the ones to implement any controls to minimize the impact.
The
department’s
Good question caller.
management team forms part of the first line of defence and has ultimate responsibility for managing the department’s risk.
Well, it’s one Bank and when things go wrong ‘John Public’ ain’t care which department you in.
You right about that. All they know, you work Central Bank; so good or bad, you in it!
So in other words, if something was to happen, they as much to blame as me. I cool with that.
Of course, someone outside the department can still weigh in; sometimes if you are too close to a process, you may not see all the pitfalls.
So now you see why ‘we all’ have a part to play! If risk management is to be effective, everyone has a vital role in the process.
I thought that risk management was for the risk people. But you right, who in the kitchen feel the heat.
Chapter 10
Actually, the Internal Audit Department is the Third Line of Defence.
Well I would never have thought that the Bank had so much risk.
Wait … It sound like the Bank turn into the Defence Force now … so who is the second line?
The Office of Risk Management or ORM is the Second Line of Defence.
That’s why there is a whole Risk Office. At one time risk used to reside with Internal Audit (IAD). Then, you know like when children mature, risk ‘moved out’ and went on its own. But, Risk and IAD still collaborate and share information.
In other words, if the ORM see the front line struggling and things more than them, they step in and help out?
So the ORM and Internal Audit are like the backstop in case anything slip through the first line?
Or better yet, they could just come in front with us. Get all the risk information first hand!
Oh that’s how you see it? The way I look at it, we who in the first line take all the ‘blows’, and the ORM and Internal Audit stay behind looking on, and hope nothing pass through the first line.
Actually, ORM provides support to the departments in managing their risks and the Internal Audit gives the assurance that everything is in order. the
Ok, but just to clarify, it’s not that they wait until they see the whole front line wipe out to step in? They know they could jump in anytime and help.
Sure. The ORM continually monitors the risks across the Bank to facilitate timely responses to risk issues and events. Even if a department does not report a risk issue or event, once they become aware they will follow up to make sure that it is addressed.
The ORM has to keep abreast of the risk issues across the Bank , not just a single department, so they can be proactive in their responses to all risk issues.
Just making sure. Remember you say ‘ we all ’ in this thing together.
Made with FlippingBook Online newsletter