Individual Assignment #1
Risk Identification, Assessment, Response (Action plans), and Monitoring (KRIs)
Assignment Objective: Demonstrate your ability to understand, discuss and evaluate the COSO Internal Control Framework and COSO ERM Framework principles. Apply these concepts, terminology, and methodology to risk-assess real-life risk events.
Utilize required reading and class materials to demonstrate your understanding of the following areas:
• Risk Identification (root cause analysis, including risk factors, triggers, and conditions).
• Risk Assessment and Measurement: assess Inherent Risk (Impact x Likelihood) with rationale, assign a Control rating (with rationale), and map the control weaknesses to the COSO Internal Control and/or COSO ERM frameworks to derive Residual Risk.
• Risk Mitigation and Corrective Action Plans (projects/plans to strengthen the specific control weaknesses identified above).
• Risk Monitoring: establish KRIs around the risk factors identified in the root cause analysis above.
Select one real, material risk event of a public company from recent news (within the past 2 years, if possible).
Note: It cannot be a risk event already covered in the Canvas discussion (Homework). Create a Board report that identifies and assesses the risk, responds to it (action plan), and monitors it (KRIs and monitoring frequency). Students are expected to develop original work.
The material risk can be a non-financial risk (operational, model, vendor, cyber), a strategic risk, or a financial risk (credit, market, liquidity/funding).
Please note that Reputational Risk is always a secondary or tertiary knock-on effect, so please do not select it.
Material Risk is a designation that (typically in a particular regulatory context) indicates that a certain risk is of sufficient significance for an organization that it must be managed following certain minimum criteria. As part of the Capital Adequacy Assessment Process, regulated financial institutions must identify and manage all their material risks.
1. (15 points): Risk Event Selection Process. How do you ensure the risk is material? For this, determine the Inherent Risk to the company: adapt the Likelihood and Impact rating process presented in the Session 2 slides to your company's size, complexity, and business risk profile. To derive the materiality of the inherent risk, follow the instructions provided in class. This is the most important step, as you do not want to select a minor incident to report to the Board.
a. Using the Impact x Likelihood scale, with a rationale for each rating, determine whether the Inherent Risk rating falls in the Critical/High range. This is generally the range of material risk: it is important enough to be mitigated and reported to the Board even if it is well managed and monitored and the controls are strong.
b. Make sure you have enough information (from the news or through research) to perform a credible Bow-tie Root Cause analysis.
2. (30 points): Identify the Risk Factors, Risk Conditions, and Risk Consequences. For the selected material risk, conduct the root cause analysis via a Bow-Tie analysis diagram.
3. (5 points): Describe the risk event (who, what, when, why, and how, i.e. the root cause).
4. (10 points): Assign a Control rating by identifying at least two controls that, in your opinion, were absent or weak. This is the control weakness/vulnerability/failure that was exploited and most likely contributed to the risk materializing.
o Control Effectiveness Rating: determine the Control Effectiveness Rating in order to derive a residual risk rating.
o Provide the Control Rating rationale and identify at least two control weaknesses that contributed to the risk event materializing. This is the control weakness/vulnerability that was exploited or that contributed to the event. Map each weakness to the relevant principle(s) of:
▪ COSO Internal Control: 17 principles
▪ Revised COSO ERM Framework: 20 principles
5. (5 points): Residual Risk Rating with rationale (see cases I and II below).
Depending on when the risk event took place, this may include the results of mitigation projects.
I. If the risk event took place 1+ years ago, the residual risk may reflect control weaknesses that management has already addressed. If that is so, you should clearly explain your rationale.
II. If the risk event took place within the past few months, it is possible that the CAP is still in progress and is being monitored until the risks are mitigated to within appetite.
6. (10 points): Establish a minimum of two Corrective Action Plans (projects) and their expected completion timelines.
A Corrective Action Plan is a plan to correct (reduce/mitigate) an identified control deficiency risk to an acceptable level, along with a completion timeline. An action plan can include creating a NEW control or enhancing an existing, weak control. These can be projects/plans to strengthen the specific control weaknesses identified above, generally around the risk factors (triggers and conditions).
7. (5 points): Assign a Risk Owner for the Corrective Action Plan (CAP): the accountable person who owns the process where the risk materialized. The CAP owner takes action, monitors, and periodically reports to senior management on the progress made, on a monthly or quarterly basis as needed.
a. Define what roles and departments should be involved
8. (10 points): Establish Monitoring (KRIs and/or KPIs):
a. Early warning signals (cause-related KRIs or exposure-related KRIs), or
b. Lagging indicators (loss-related) or performance/action indicators (KPIs).
c. Provide the KRI description, measure, and thresholds (in terms of Red, Yellow, and Green).
9. (5 points): Assign a sub-committee responsible, and a reporting frequency, for monitoring the effectiveness of the mitigation/CAP for the control deficiencies.
10. (5 points): Professional Writing (written slides)
1. Structure, development, and consistency of the presentation: organization, flow, and coherence of ideas.
2. Risk identification and supporting analysis.
3. Correct use of the terminology and concepts taught in class.
4. Grammatically correct and clear layout of the presentation.
5. Cite references in footnotes or endnotes.