3.1 RISK AND CONTROL SELF-ASSESSMENT
Any risk quantification project should be thought of as a knowledge management project. Risk quantification is a continuous process of knowledge transformation that begins with risk identification and ends with a quantified risk profile. The identification of risks, which results in a risk mapping, is the first step in this process. Although we are rather quantitative people, we consider this qualitative step the most important one.
We have been working with financial institutions as well as with nonfinancial institutions, and although we observed that risk identification is too often treated as an administrative process in many companies, we must acknowledge that many resources, both human and technical, are devoted to this task. A myriad of software tools have been developed by external vendors or internal IT teams to facilitate the RCSA1 process. The first and second lines of defense are fully committed to these tasks for significant periods of time.
We intentionally split RCSA into two subtasks: risk identification and risk assessment.2 We are aware that the boundaries between these two processes are usually blurred, or that the identification of significant risks is considered a result of the RCSA, but in the best practices that we have encountered they were separated, and each of them led to specific deliverables.
Risk identification is the process that aims at identifying the exposures ...