Regulators expect all regulated organisations to have an enterprise-wide risk management process appropriate to the nature of the business undertaken.
Whatever the level of risk that your business is exposed to, you must ensure you have in place a risk management framework that covers the following areas:
- ‘the tone from the top’, for example, the active involvement of the board in the risk management process, including setting the risk appetite of your organisation
- an appropriate risk management infrastructure, reflecting clarity of responsibility and accountability, together with independent oversight of the risk management framework, all of which should be supported by documented procedures
- identification of all risks relevant to your organisation
- assessment of the potential impact of each identified risk and an estimate of the likelihood of occurrence of such risk
- controls to manage or mitigate those risks
- testing of controls to ensure they are operating effectively, and remediating or enhancing the control environment when deficiencies are identified
- reporting to senior management and the board.
Our risk team can also assist with managing your:
Cybercrime risk can be broken down into three types: fraud and theft; system destruction or corruption; loss or misuse of sensitive data.
An enterprise-wide response is required, and it must be driven by your senior management. It should be a key part of your firm’s enterprise risk framework, and you should apply the same principles to cybercrime risk as you would to credit risk or market risk, including:
- a documented policy
- identification of material risks
- assessment of inherent risk, being the impact multiplied by the probability of occurrence
- identification of key controls to mitigate the impact and probability of the risk
- calculation of residual risk
- assessment of residual risk compared with risk appetite set by the board.
Assisting with the assessment of cybercrime risk your firm is exposed to:
Knowledge and awareness are key when combatting cybercrime. Waystone can arrange training for your staff and presentations for your senior management team to raise awareness of the types of cyber-attacks employed by criminals and highlight the potential vulnerabilities your organisation may be facing. We can also review your control environment and procedures and identify any areas that may require improvement or enhancement.
The risk register sets out in writing all the risks to which you may be exposed. It should cover all parts of your business and you may require different risk registers to address each part of your business.
Having identified the potential risks, you should carry out the following:
- assess the inherent risk of loss – the more complex your business model, the more sophisticated the methodology you will need to use
- identify the controls you have in place – controls should be capable of being audited and should be periodically tested to ensure that they are reliable as a risk mitigating measure
- assess the residual risk – the risk that remains should the controls be operating effectively
- determine whether the aggregate firm-wide risk is in line with the risk appetite set by the board
- prepare an ICAAP report – if applicable, an assessment as to whether your firm has sufficient capital in place to enable it to withstand risk events.
Waystone has extensive experience in helping firms with preparing a risk register whether as part of a simple risk management framework or as a part of a larger ICAAP report.
The nature of assistance can be tailored to your specific needs and can include:
- advice on the design of your risk management infrastructure
- reviews to determine the effectiveness of your enterprise risk framework
- assistance in the preparation of the risk register
- assistance in the preparation of your Internal Risk Assessment Process (IRAP) and Internal Capital Adequacy Assessment Process (ICAAP).