Embedding RCSA into Strategic Planning and Business Strategy This presentation was prepared for the New Generation Operational Risk: Risk Culture and Business Conduct Behaviour conference in Helsinki, Finland. In this presentation, Ascendore CEO, Andrew Smart outlines how to integrate Risk & Control Self Assessment into the Strategic Planning and Business Strategy. Based on the Risk-Based Performance Management approach, during this presentation an integrated approach to strategy and risk management is outlined, with risk appetite playing a central role.

1. Embedding RCSA into Strategic Planning
and Business Strategy
Operatiivisten Riskien Hallinta, Helsinki, Finland
Andrew Smart, Ascendore

2. Post credit crunch, financial services firms are drowning
under a tsunami of regulatory change, cost and complexity
2
Run the Bank
£200bn
plus fines
492%
Annual increase
regulatory change

3. 3
The cost & complexity
of operational risk &
compliance is too high
and there is a
“disproportionate risk
aversion creeping into
decision-making”
Chairman, HBSC, 2015
Accenture Risk Study, 2017

4. Boards and executives should be able to answer these
questions with confidence.
4
Are we in control?
Are we going to
deliver our strategy?
Are we operating
within appetite?

5. RCSA - an essential part of an integrated framework
Better Conversation
Better Decisions
Better Action-taking
Better Results
Risk & Control Self-
Assessment (RCSA) processes
and data should be an essential part of
an integrated Strategy & Risk
Management framework; an integral
part of enterprise management
reporting.
5

6. Integrated Strategy & Risk Management Framework
APPETITE
ALIGNMENT
APPETITESTRATEGY PERFORMANCE RISK
6

7. 7
Strategy
Strategic Drivers
Business Objectives
Operational Enablers
Compliance Enablers
Over the long-term, where are we going and
how will we get there?
Critical few things from the business model
that enable the delivery of the strategy
To deliver our long-term strategy what is the
focus over the next 12-24 months?
Where do we need to excel day-to-day
What are the ‘rules’ that define our operating
environment?

8. Risk Appetite defines the boundaries for
risk-takingStrategy
Strategic Drivers
Business Objectives
Operational Enablers
APPETITE
ALIGNMENT
RISK THRESHOLDS
RISK EXPOSURES
Compliance Enablers
8

9. Manage threats & opportunities via the risk
taxonomyStrategy
Strategic Drivers
Business Objectives
Operational Enablers
APPETITE
ALIGNMENT
STRATEGIC RISK
EXECUTION RISK
OPERATIONAL RISK
COMPLIANCE RISK
Compliance Enablers
9

10. Managed at every level in the framework
Strategy
Strategic Drivers
Business Objectives
Operational Enablers
StrategicRisk
Execution
Risk
Compliance
Risk
APPETITE
ALIGNMENT
ACCOUNTABILITY
ALIGNMENT
CASCADE
ASSESSMENT
MEASUREMENT
ACTION-TAKING
Operational
Risk
Compliance Enablers
10

11. The RACI framework is a proven approach to embedding accountability and
clarification of roles in decision-making. Supports the 3 Lines of Defence
InformResponsible(s)Accountable Consult
11

12. How do your operational and
regulatory enablers relate to
strategy?
Alignment mapping can identify gaps; areas
where your strategy is not supported or where
operational resources are been wasted.
Regulatory rules mapping provide assurance
that processes and initiatives are in place to
meet regulatory obligations and identify gaps;
where are the gaps or weaknesses in our
regulatory response landscape?
12
Key ControlsKey RisksObjectiveEntity
Processes
Initiatives
Technology

13. How does strategy & risk
cascade through the firm?
Board & Senior Management assurance is
enhanced by understanding the cascading of
objectives & risks through the firm.
Identify gaps in consolidated reporting by
linking objectives, risks and controls in ‘cascade
chains’ through the firm. Where does the chain
break?
13
Key Risk
(Strategic Risk)
Corporate
Division
Department
Key Risk
(Strategic Risk)
Key Risk
(Strategic Risk)
Key Risk
(Operational Risk)
Key Risk
(Strategic Risk)
Key Risk
(Strategic Risk)
Key Risk
(Operational Risk)
Key Risk
(Strategic Risk)
Key Risk
(Operational Risk)

14. Data points to inform your Risk Self-
Assessments
14
MAXIMUM
INHERENT
RESIDUAL
% $£€
IMPACT(S) LIKELIHOOD EXPOSURE
DRIVERS
use driver(s) as the basis for assessing impacts thus linking risk
back to strategy
ASSESSMENT FREQUENCY
assess risks on a pre-determined frequency (daily, weekly,
monthly, quarterly, annually) and/or on an event driven basis.
KRIs
Losses / Near Misses
Expert Judgement
Scenarios & Models
Related KPIs & KCIs
Control Self Assessment

15. Data points to inform your Control
Self-Assessments
15
KCIs
Losses / Near Misses
ASSESSMENT FREQUENCY
assess risks on a pre-determined frequency (daily, weekly,
monthly, quarterly, annually) and/or on an event driven basis.
Control Testing
Related KPIs & KRIs
DESIGN PERFORMANCE
CONTROL
EFFECTIVENESS

16. Three types of related
indicators to give a full picture
RAG is common practice
RAGAR is best practice
16
Key Performance Indicators (KPIs)
Used to define performance thresholds and
targets; and to monitor progress towards achieving
these targets.
Key Risk Indicators (KRIs)
Used to define risk thresholds and targets; to
monitor changes within the risk environment.
Key Control Indicators (KCIs)
Used to define control thresholds and targets; to
monitor changes within the controls environment.
BASELINE
LT 1
LT 2
UT2
UT 1
TARGET
T 2
T 1

17. Assessment and measurement
is not enough.
Action-taking is critical in
driving performance &
managing risk
Typically we think about two
types of actions
17
Improvement Actions
Audit Actions

18. Tools to bring it all together
18
Better
Action-
taking
Better
Decisions
Better
Results
Strategy
Map
Better
Conversations
Appetite
Alignment
Matrix
Risk
Appetite
Risk Map

19. Map Business Objectives & their
causal relationship to improve the
communication, monitoring and
management of strategic and
operational performance.
19

20. Define risk tolerances across the
framework reflecting the
materiality of the business unit.
Use Drivers to link RCSA back to
Strategy.
20

21. The Risk Map provides a visual
overview of the risk profile and
make it easy to identify potential
risk issues.
Four perspectives risk map is
aligned to the Strategy Map.
21

22. Starting with Strategic Drivers,
define Risk Appetite across the
framework, reflecting the
materiality and strategic intent of
the business unit.
22

23. The Appetite Alignment Matrix
visualise the alignment of risk-
taking to risk appetite showing
where the firm is aligned, over-
exposed and under-exposed.
23

24. Are we operating within appetite?
24

25. Appetite, Performance, Risk and Controls
Effectiveness should be assessed,
measured and aligned across the
organisational hierarchy and within the
taxonomy within the framework.
25
STRATEGY
typically strategy is cascaded top-down
DATA
typically data flows up the organization
EXECUTION
typically execution is driven from the middle
Corporate
Divisions
Departments
STRATEGIC RISK
EXECUTION RISK
OPERATIONAL &
COMPLIANCE RISK

26. 26
STRATEGY MAP
Are we on track to deliver the
strategy?
APPETITE ALIGNMENT MATRIX
Are we operating within
appetite?
RISK APPETITE
How much risk is acceptable?
RISK MAP
What level of risk are we taking?

27. Benefits of Improved
Strategic Execution
▪ A growth in shareholder value of 150%,
driven by a 180% growth in profits and a
120% growth in revenue
▪ A 50% improvement in customer
satisfaction
▪ A 50% improvement in key process
effectiveness
▪ A 25% improvement in employee
satisfaction, leading to a 50% reduction
in employee turnover
Benefits of an
Integrated approach
▪ Transformed our approach to risk and
regulatory compliance over 12-month
▪ Reduce the value of our operational
losses by 94%, the volume by 63% and
our economic capital provision by 23%”
▪ Eliminate 11 spreadsheet systems
▪ Enabled us to secure a 3% regulatory
capital release and reduce our cost of
capital significantly
27
Benefits of Enterprise
Risk Management
▪ Increasing the range of opportunities
▪ Identifying and managing risk entity-
wide
▪ Increasing positive outcomes and
advantage while reducing negative
surprises
▪ Reducing performance variability
▪ Improving resource deployment
▪ Enhancing enterprise resilience
Results based on 3 year performance of BSC Hall of Frame
winners
COSO ERM Framework, 2017 Example benefits reported by Ascendore customers
Study of 275 insurance companies showed those implementing an ERM program over an 11 year period enjoyed a 20% premium in
firm value compared to those that didn't. Standard & Poor's "ERM opinion" rating program reported firm rated as having an "excellent"
or "strong" ERM program reported a stronger positive change in equity prices and lower stock volatility than peers.

28. We believe that risk management and compliance must enable strategy
execution and value creation, not simply tick regulatory boxes.
28
“we have reduced our Pillar 2 capital by
81.2% while delivering a 94% reduction
in the value of errors and a 63%
reduction in the volume of errors”
Head of Enterprise Risk, Homeloan Management Limited
We provide Integrated GRC
(Governance, Risk and Compliance)
solutions to financial services firms
and their regulators built on familiar,
everyday office tools; SharePoint,
Office 365 & the Cloud.

29. COSO ERM Framework 2017 Risk-Based Performance
Management
29

30. What is Risk-Based Performance Management?
Enhance Shareholder value
Control Cost & Complexity
Drive Accountability
Align the firm
Risk-Based Performance
Management (RBPM) is an
strategic execution approach which
integrates business strategy, risk
appetite, performance management
and risk management.
30

31. Integrated Strategy & Risk Management Framework
APPETITE
ALIGNMENT
APPETITESTRATEGY PERFORMANCE RISK
31

32. Embedding RCSA into Strategic Planning
and Business Strategy?
Andrew Smart
Ascendore