A simplified RCSA case study that showcases how the RCSA process works.
We have been engaged to conduct a risk control self-assessment exercise for the front office treasury group at a bank. We are following the RCSA process presented below.
RCSA case study – Audience selection for issues identification
Our first step is an offline informal survey of treasury group participants to get a sense of common challenges and issues. We do our discussions on a one on one basis with each team with a clear mandate for identifying current as well as potential operational issues. The audience we select for our discussions includes members of the following teams:
- Treasury Front office
- Treasury Back office
- Treasury Middle office
- Technology group
- Internal Audit
- Financial Control
- Regulatory Reporting
While the core group includes only the first three, the additional five groups regularly interact with the treasury team and provide a better perspective of interfacing and delivery challenges as internal outsiders.
RCSA example – List of initial challenges.
In our initial discussion with the group identifies a number of operational challenges. A small sample of these challenges is shared below:
- Delayed day end processing. At least once a week day end processing for the treasury system is delayed beyond normal office hours requiring the back office staff to stay behind and close the books. A delayed day end has a follow on effect on the core banking system day end processing because the core banking platform waits for the day end results from the treasury platform before beginning its own processing. To date the group has always been able to complete its day end processing before the 10:30 pm cutoff, but there have been a few close calls.
- The most common cause of delayed day end processing is either a late post market close deal or a counterparty trade limit exception.
- A late post market trade is sometimes required when there is an issue with regulatory reserves treasury is responsible for A shortfall in that reserve requires a covering trade from the market. We generally find out about the shortfall just before day end processing begins but after all trades for the day have been entered in the system. The final reserve requirement cannot be determined till all treasury trades have been entered, approved, committed and settled.
- The same holds true for counterparty limit checks. While traders do an initial counterparty limit check before posting a trade, the actual final limit verification happens as part of the treasury day end process. This happens because the counterparty trade limit management system is external to the treasury platform.
- Treasury day end processing begins generally 30 – 50 minutes after close of markets at 4 pm. The delay happens because while traders maintain an Excel based blotter for their day long activity, tickets and trades are only generated at day end after client facing activities are finished. While we only have three traders on the front desk, the trade entry and approval process takes anywhere between 30 – 60 minutes to complete.
- Network and protocol failures. Because of network load on account of day end processing in a number of subsystems, there have been a few instances where system handshakes between subsystems have failed in the past leading to unanticipated delays in the start of the core banking day end processing. Sometimes the failures have occurred at the treasury system end while there have been a few instances where the middleware layer connecting the two platforms has failed. All the failures in the past have been addressed quickly by vendor intervention through a support call.
RCSA Example – Identify risks.
Our risk identification exercise yields a number of challenges and associated business risks.
|Delayed Day End Processing||Miss the daily cutoff for core banking day end processing.|
Delay core banking day end processing.
Miss the daily cutoff for treasury regulatory reporting.
Central Bank Compliance penalty.
Potential downgrade in Central Bank Internal Risk Assessment Framework for regulated counterparties.
|Incorrect or delayed reporting of short fall in liquidity and statutory reserves.||Inability to comply with mandatory minimum liquidity and statutory reserve requirements. Central Bank Compliance penalty.|
Potential downgrade in Central Bank Internal Risk Assessment Framework for regulated counterparties.
Market Good Will Impact.
Higher counterparty risk weights assigned.
|Counterparty Limit Exception||Inability to rollback transaction.|
Inability to get limit enhancement exception in time.
Counterparty Goodwill and relationship damage if transaction rolled back post end of day leaving the counterparty with no options to cover himself.
|Delayed Treasury Day end processing on account of delayed ticket entry and processing||Same as delayed day end and incorrect reserve reporting|
|Network and Protocol failures||Same as delayed day end and incorrect reserve reporting|
The primary challenge is the risk of delay in day end processing. That risk is linked directly to a number of business related consequences. From central bank non compliance penalty to loss of market good will and damage to customer relationships.
RCSA Case Study – Risks – Next steps.
We now try and link our key risk factors to the appropriate key risk indicators. The objective is to see that if we can identify leading (detective) indicators of risk that can possibly be used to control the occurrence of the event in question (through the control process). We also need an indicator that we can use to gauge the success of our control process.
We do this for a few of the risk identified above. While some items lead to simplified straight forward Key Risk Indicators, other would need to be discussed and tweaked with the selected audience as part of the formal RCSA discussion.
|Risk Factor||Key Risk Indicator – KRI|
|Delayed Treasury Day End processing||Deals entry and processing completed over Total deals recorded in manual blotter.|
Percentage of deals awaiting entry, approval, confirmation or settlement.
|Delayed Treasury Regulatory Reporting||Treasury day end start time stamp – market close time stamp – in minutes. Actual.|
Treasury day end complete time stamp – market close time stamp – in minutes. Actual.
Treasury day end start time stamp – market close time stamp – in minutes. Average.
Treasury day end complete time stamp – market close time stamp – in minutes. Average.
|Noncompliance with Reserve Requirements||Number and amount of penalties levied for treasury reporting noncompliance in the last reporting period.|
|Incorrect Reserves Requirements||Number and amount of penalties levied for treasury reporting noncompliance in the last reporting period.|
|Missed Treasury Regulatory Reporting deadline||To be discussed during RCSA formal forum|
|Counterparty Limit Exception||To be discussed during RCSA formal forum|
|Counterparty Trade Rollback||To be discussed during RCSA formal forum|
|Delayed Core Banking Day End processing||To be discussed during RCSA formal forum|
|Market Goodwill||To be discussed during RCSA formal forum|
|Central Bank Internal Risk Assessment Framework downgrade||To be discussed during RCSA formal forum|
RCSA Case Study – Using the Self-Assessment survey.
We create a short self-assessment survey for each of the risk identified above.
For instance let’s take Delayed Treasury Day End Processing as a risk. The leading Key Risk Indicator (KRI) for detecting the level of this risk is the percentage of deals awaiting entry, verification, confirmation and settlement. One relevant control measure suggested to track the risk throughout the day is to limit the KRI level to less than 10% by monitoring the measure every hour. This requires a process change. The process change is the control measure.
RCSA – The Control Measure and its assessment.
Rather than wait till day end for deal ticket entry, dealers are required to post all outstanding deals recorded during the hour, before the close of that hour. This ensures that all deals have been entered just before or immediately after market close.
The lagging control measure that determines that our designed leading controls are working is the time elapsed between market close and start of treasury day end processing.
By assigning an individual or team to monitor both KRI and control measures, we can assess if the control function designed by us is working effectively in curtailing the associated risk.
Our original risk control self-assessment survey would query if the risk of delayed treasury day end processing is within acceptable limits and our internal risk appetite. The right answer to that question at inception would be no. Rather than limiting ourselves to just yes and no, we can also grade our answers based on our own internal assessment of how high or low this risk is.
During our formal RCSA exercise, the approach discussed above is presented. If the approach is acceptable two separate controls functions are assigned to two separate individuals. An internal treasury control is assigned to monitor compliance with the 10% outstanding deals waiting to be entered KRI. This is done every hour on the hour and non compliance or a breach of the KRI should leave to an immediate correction by the dealer concerned. This enforcement can only happen with the full support and buy in of the treasury head. Without this support from the business, the control measure will only be able to monitor but will not be able to correct errant behavior.
An external treasury control is assigned to monitor compliance with the time elapsed from market closure to treasury day end start. This control is also responsible for reporting the results of both control functions to the risk and monitoring group.
A review frequency is agreed to see if the two control functions work and if the risk threshold for delayed treasury day end processing is reduced. The initial review frequency is set for 30 days, when the RCSA questionnaire and survey is circulated to see if any improvements have occurred. If the control processes are successful, the grading should change. If the control processes are unsuccessful a decision can be taken to investigate the causes for failure, wait for another cycle or redesign the control process.
1. Risk Control Self Assessment – Institute of Operational Risk.