Risk & Control Assessment Template

Overview

A structured approach to operational risk management combining risk identification, control design assessment, and control effectiveness testing. Aligned with Basel III, ISO 31000, and COSO frameworks.

What's Included

1. Risk Assessment Matrix

Risk Category | Risk Event                   | Impact   | Likelihood | Inherent Risk | Control                                | Residual Risk | Owner
--------------|------------------------------|----------|------------|---------------|----------------------------------------|---------------|--------------
Operational   | Trade capture error          | High     | Medium     | High          | Automated validation + 4-eyes check    | Low           | Middle Office
Financial     | Incorrect P&L calculation    | Critical | Low        | High          | System controls + daily reconciliation | Medium        | Finance
Compliance    | Breach of trading limits     | Critical | Medium     | Critical      | Real-time monitoring + alerts          | Low           | Risk
Technology    | System outage during trading | High     | Low        | High          | Redundant systems + failover           | Medium        | IT

Risk Ratings:

  • Impact: Negligible, Low, Medium, High, Critical
  • Likelihood: Rare, Unlikely, Possible, Likely, Almost Certain
  • Risk Level: Low (1-4), Medium (5-9), High (10-16), Critical (17-25)

2. Control Effectiveness Framework

Control Types

Preventive Controls: Stop risk events from occurring

  • Segregation of duties
  • System access controls
  • Automated validations
  • Approval workflows

Detective Controls: Identify risk events after occurrence

  • Reconciliations
  • Exception reports
  • Monitoring dashboards
  • Audit trails

Corrective Controls: Remediate after risk events occur

  • Break-fix procedures
  • Escalation protocols
  • Issue management processes
  • Root cause analysis

Control Assessment Criteria

Control Design                                           | Control Operation
---------------------------------------------------------|-----------------------------------------------------
Well Designed: Control adequately addresses the risk     | Effective: Operating as designed, no exceptions
Partially Designed: Control partially addresses the risk | Partially Effective: Operating with minor exceptions
Not Designed: Control does not address the risk          | Ineffective: Not operating as designed

3. Risk & Control Matrix (RCM) Template

Process: [Trade Lifecycle - FX Spot]
Risk Owner: [Head of Trading]
Last Updated: [Date]
Review Frequency: [Quarterly]

┌────────────────────────────────────────────────────────────────┐
│ RISK IDENTIFICATION                                            │
├────────────────────────────────────────────────────────────────┤
│ Risk ID: R-001                                                 │
│ Risk Category: Operational Risk                               │
│ Risk Event: Incorrect trade price executed                    │
│ Risk Cause: Manual input error, system malfunction            │
│ Risk Impact: Financial loss, regulatory breach, reputational  │
│ Inherent Risk: HIGH (Impact: High, Likelihood: Medium)        │
└────────────────────────────────────────────────────────────────┘

┌────────────────────────────────────────────────────────────────┐
│ KEY CONTROLS                                                   │
├────────────────────────────────────────────────────────────────┤
│ Control ID: C-001                                              │
│ Control Description: Automated price validation against        │
│   market reference data (Bloomberg/Reuters)                    │
│ Control Type: Preventive + Detective                          │
│ Control Owner: Front Office Systems                           │
│ Control Frequency: Real-time                                  │
│ Control Design: WELL DESIGNED                                 │
│ Control Effectiveness: EFFECTIVE                              │
├────────────────────────────────────────────────────────────────┤
│ Control ID: C-002                                              │
│ Control Description: 4-eyes check for trades >£500k            │
│ Control Type: Preventive                                      │
│ Control Owner: Trading Desk Manager                           │
│ Control Frequency: Per transaction                            │
│ Control Design: WELL DESIGNED                                 │
│ Control Effectiveness: EFFECTIVE                              │
└────────────────────────────────────────────────────────────────┘

┌────────────────────────────────────────────────────────────────┐
│ RESIDUAL RISK ASSESSMENT                                       │
├────────────────────────────────────────────────────────────────┤
│ Residual Risk: LOW (Impact: Medium, Likelihood: Low)          │
│ Risk Acceptance: ACCEPTED by CRO                              │
│ Date: [Date]                                                   │
│ Next Review: [Quarterly]                                       │
└────────────────────────────────────────────────────────────────┘

Risk Assessment Methodology

Step 1: Risk Identification

Use these prompts to identify risks:

  1. What could go wrong? (Risk event)
  2. Why would it happen? (Risk cause)
  3. What would be the consequences? (Risk impact)
  4. Who is responsible for managing this risk? (Risk owner)

Risk Categories (Basel II/III):

  • Operational Risk: Process failures, human error, system outages
  • Financial Risk: Market risk, credit risk, liquidity risk
  • Compliance Risk: Regulatory breaches, policy violations
  • Strategic Risk: Business model failure, competitive threats
  • Reputational Risk: Brand damage, customer trust erosion

Step 2: Inherent Risk Assessment

Impact Assessment:

Rating     | Financial Loss | Regulatory Impact                   | Reputational Impact
-----------|----------------|-------------------------------------|-------------------------
Critical   | >£5M           | Enforcement action, license revoked | National media coverage
High       | £1M-£5M        | Formal warning from regulator       | Industry-wide awareness
Medium     | £100k-£1M      | Supervisory letter                  | Local media coverage
Low        | £10k-£100k     | No regulatory action                | Internal awareness only
Negligible | <£10k          | No impact                           | No awareness

Likelihood Assessment:

Rating         | Frequency           | Description
---------------|---------------------|---------------------------------------
Almost Certain | >Once per month     | Expected to occur regularly
Likely         | Once per quarter    | Will probably occur
Possible       | Once per year       | Might occur at some point
Unlikely       | Once every 3 years  | Not expected, but possible
Rare           | <Once every 5 years | May occur in exceptional circumstances

Inherent Risk = Impact × Likelihood

Step 3: Control Identification

For each risk, document:

  1. Existing Controls: What controls already exist?
  2. Control Design: Does the control adequately address the risk?
  3. Control Effectiveness: Is the control operating as designed?
  4. Evidence: What evidence demonstrates effectiveness?

Step 4: Control Testing

Testing Frequency:

  • Critical Risks: Monthly
  • High Risks: Quarterly
  • Medium Risks: Semi-annually
  • Low Risks: Annually

Testing Approach:

Control Type             | Testing Method                               | Sample Size
-------------------------|----------------------------------------------|--------------------------------
Automated System Control | Run test transactions, review exception logs | 100% (automated)
Manual Review/Approval   | Inspect approval evidence                    | 25 samples or 10% of population
Reconciliation           | Re-perform reconciliation                    | 10 samples per quarter
Segregation of Duties    | Review access rights matrix                  | 100% of roles

Testing Evidence:

  • Screenshots of system controls
  • Approved documents with signatures/timestamps
  • Reconciliation sign-offs
  • Exception reports
  • Access control matrices

Step 5: Residual Risk Assessment

After applying controls:

Residual Risk = Impact × Likelihood (post-controls)

Risk Response:

  • Accept: Residual risk is within appetite
  • Mitigate: Implement additional controls
  • Transfer: Insurance, outsourcing
  • Avoid: Exit the activity

Step 6: Risk Reporting

Management Dashboard Metrics:

  • Number of risks by category and severity
  • Control effectiveness rate (% of controls rated "Effective")
  • Overdue control testing
  • New risks identified this period
  • Risk trend analysis (increasing/decreasing)
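The scoring in Steps 2, 4 and 5 can be made mechanical so that every risk in the RCM is rated the same way. The following is an added example (not part of this template) that turns the two five-point scales into scores, applies the template's 1-25 risk-level bands, picks the Step 4 testing frequency, and decides Accept versus Mitigate against a stated appetite. Assumptions are marked in the code: the numeric values 1-5 for each rating, the mapping of the matrix's "Low"/"Medium" likelihood wording onto the five-point likelihood scale, keying testing frequency on the inherent level, and the two constructed risks used as input.

```python
"""Risk scoring per the template: Inherent/Residual Risk = Impact x Likelihood,
banded into Low (1-4), Medium (5-9), High (10-16), Critical (17-25).
Added example code, not part of the original template."""
from collections import Counter
from dataclasses import dataclass

# ASSUMED numeric values for the template's five-point rating scales.
IMPACT_SCORE = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
LIKELIHOOD_SCORE = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}

# Risk-level bands exactly as stated under "Risk Ratings".
RISK_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]

# Control testing frequency by risk level (Step 4).
TESTING_FREQUENCY = {"Critical": "Monthly", "High": "Quarterly",
                     "Medium": "Semi-annually", "Low": "Annually"}

# Ordering used to compare a residual level against the risk appetite.
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    impact: str               # inherent impact rating
    likelihood: str           # inherent likelihood rating (five-point scale)
    residual_impact: str      # rating after controls
    residual_likelihood: str


def risk_score(impact: str, likelihood: str) -> int:
    """Impact x Likelihood; an unknown rating raises KeyError rather than scoring silently."""
    return IMPACT_SCORE[impact] * LIKELIHOOD_SCORE[likelihood]


def risk_level(score: int) -> str:
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-25 scale")


def risk_response(residual_level: str, appetite: str) -> str:
    """Step 5: Accept when residual risk is within appetite, otherwise Mitigate.
    Transfer/Avoid are owner judgement calls the template lists but does not
    define numerically, so they are not chosen automatically here."""
    return "Accept" if LEVEL_RANK[residual_level] <= LEVEL_RANK[appetite] else "Mitigate"


def assess(risk: Risk, appetite: str = "Low") -> dict:
    inherent_score = risk_score(risk.impact, risk.likelihood)
    residual_score = risk_score(risk.residual_impact, risk.residual_likelihood)
    inherent = risk_level(inherent_score)
    residual = risk_level(residual_score)
    return {
        "risk_id": risk.risk_id,
        "inherent_score": inherent_score, "inherent_level": inherent,
        "residual_score": residual_score, "residual_level": residual,
        "response": risk_response(residual, appetite),
        # ASSUMED: testing cadence keyed on the inherent level, because the
        # controls being tested are what bring the risk down to residual.
        "testing_frequency": TESTING_FREQUENCY[inherent],
    }


def profile_summary(assessments: list) -> dict:
    """Step 6 dashboard figures: residual risks by level and count outside appetite."""
    return {
        "residual_by_level": dict(Counter(a["residual_level"] for a in assessments)),
        "outside_appetite": sum(a["response"] != "Accept" for a in assessments),
    }


# Constructed inputs. R-001 mirrors the RCM example (High impact, "Medium"
# likelihood mapped to Possible); R-002 is invented to exercise the Mitigate path.
SAMPLE_RISKS = [
    Risk("R-001", "High", "Possible", "Medium", "Rare"),
    Risk("R-002", "Critical", "Likely", "High", "Possible"),
]

if __name__ == "__main__":
    results = [assess(r) for r in SAMPLE_RISKS]
    for res in results:
        print(res)
    print(profile_summary(results))
```

Run the file directly to see both assessments and the summary; `assess` raises on a rating outside the two scales, which is what you want when RCM entries are typed by hand.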

Control Testing Template

Control Testing Workpaper

Control ID: C-001
Control Description: Automated price validation against market reference
Risk Addressed: R-001 (Incorrect trade price executed)

Testing Period: Q1 2025
Tester: [Name], Risk Analyst
Test Date: [Date]

TEST PLAN:
1. Select sample of 30 trades executed in Q1 2025
2. Re-perform price validation using Bloomberg reference data
3. Verify system rejected out-of-range prices
4. Confirm exceptions were escalated and resolved

SAMPLE SELECTION:
- Population: 4,523 trades in Q1 2025
- Sample Size: 30 trades (stratified by trade size)
- Selection Method: Random sampling across all trading desks

TEST RESULTS:
┌────────────────┬───────────────┬────────────────┬──────────────┐
│ Trade ID       │ Executed Price│ Market Price   │ Exception?   │
├────────────────┼───────────────┼────────────────┼──────────────┤
│ T-20250103-001 │ 1.2745        │ 1.2744         │ No (±0.01%)  │
│ T-20250103-002 │ 1.2755        │ 1.2744         │ Yes (±0.09%) │
│ T-20250103-003 │ 1.2740        │ 1.2744         │ No (±0.03%)  │
│ ...            │ ...           │ ...            │ ...          │
└────────────────┴───────────────┴────────────────┴──────────────┘

EXCEPTIONS IDENTIFIED:
- 2 trades triggered price validation exception (0.09% and 0.11% variance)
- Both exceptions were escalated to Desk Manager within 2 minutes
- Both were approved with documented rationale (market volatility)

CONCLUSION:
Control is OPERATING EFFECTIVELY
No control deficiencies identified
Next test: Q2 2025

Risk Appetite Statement Template

Organisation: [Your Firm]
Effective Date: [Date]
Review Frequency: Annual
Approved By: Board of Directors

RISK APPETITE FRAMEWORK

1. OPERATIONAL RISK
   - Maximum acceptable loss per event: £500k
   - Maximum acceptable annual operational losses: £2M
   - Tolerance: Zero tolerance for regulatory breaches

2. FINANCIAL RISK
   - Value at Risk (VaR) limit: £1M (99% confidence, 1-day)
   - Credit exposure to single counterparty: £5M
   - Liquidity buffer: Minimum 30 days operating expenses

3. COMPLIANCE RISK
   - Regulatory breaches: Zero tolerance
   - Policy exceptions: Require CRO approval
   - Audit findings: Max 3 "Medium" findings per audit

4. STRATEGIC RISK
   - New product approval: Requires full risk assessment
   - Geographic expansion: Requires Board approval
   - M&A activity: Requires independent risk review

5. REPUTATIONAL RISK
   - Media coverage: Zero tolerance for negative coverage related to compliance
   - Customer complaints: <1% of transaction volume
   - Employee conduct: Zero tolerance for fraud or misconduct

Three Lines of Defence Model

First Line: Business Operations

Role: Own and manage risks

Responsibilities:

  • Identify and assess risks in day-to-day activities
  • Design and implement controls
  • Perform first-line control testing
  • Escalate risk events and control failures

Example Activities:

  • Trading desk performs daily P&L reconciliation
  • Operations team validates trade settlement instructions
  • IT performs system health checks

Second Line: Risk & Compliance

Role: Oversee and challenge

Responsibilities:

  • Define risk management framework and policies
  • Provide independent risk oversight
  • Monitor control effectiveness
  • Report risk profile to senior management

Example Activities:

  • Risk team performs quarterly control effectiveness reviews
  • Compliance team monitors regulatory changes
  • Risk committee reviews risk dashboard

Third Line: Internal Audit

Role: Independent assurance

Responsibilities:

  • Provide independent assurance on risk management
  • Audit first and second line activities
  • Report to Audit Committee

Example Activities:

  • Annual audit of trade lifecycle controls
  • Review of risk management framework effectiveness
  • Testing of IT general controls

Risk Event Management

Incident Logging Template

Incident ID: INC-2025-001
Reported By: [Name]
Date Reported: [Date]
Status: [Open/Under Investigation/Closed]

INCIDENT DETAILS:
- Description: Trading limit breach - Trader exceeded single counterparty limit
- Risk Category: Financial Risk (Credit Risk)
- Impact: £750k excess exposure for 2 hours
- Root Cause: System limit check bypassed for "urgent" trade

IMMEDIATE ACTIONS TAKEN:
1. Trade unwound within 2 hours
2. Trader suspended pending investigation
3. CRO and CFO notified
4. Regulatory reporting assessed (no breach of regulatory limits)

ROOT CAUSE ANALYSIS (5 Whys):
1. Why did the breach occur? → Limit check was bypassed
2. Why was it bypassed? → Trader used override function
3. Why was override possible? → System allows overrides with manager approval
4. Why was approval given? → Manager approved without checking aggregate exposure
5. Why didn't manager check? → No real-time visibility of aggregate exposure

CORRECTIVE ACTIONS:
1. Remove override function for credit limits (Due: [Date])
2. Implement real-time exposure aggregation dashboard (Due: [Date])
3. Retrain all traders and managers on limit framework (Due: [Date])
4. Enhance limit monitoring alerts (Due: [Date])

PREVENTIVE ACTIONS:
1. Review all system override capabilities
2. Implement maker-checker for all limit overrides
3. Monthly certification of limit compliance by desk heads

LESSONS LEARNED:
- Override functions must have appropriate controls
- Real-time monitoring is critical for credit risk
- Training alone is insufficient; system controls needed

Regulatory Compliance Mapping

FCA/PRA Compliance Matrix

Requirement                                | Control                            | Evidence                      | Frequency | Owner
-------------------------------------------|------------------------------------|-------------------------------|-----------|-----------
SYSC 4.1: Adequate risk management systems | Risk & Control Matrix maintained   | RCM documentation             | Quarterly | CRO
SYSC 7: Risk control framework             | Three lines of defence model       | Governance framework doc      | Annual    | Board
COBS 2.1: Client best execution            | Best execution policy + monitoring | Best execution reports        | Annual    | Compliance
MAR: Market abuse prevention               | Suspicious transaction monitoring  | STR logs and training records | Ongoing   | MLRO

Key Performance Indicators (KPIs)

Risk Management KPIs

  1. Control Effectiveness Rate: % of controls rated "Effective"

    • Target: >95%
    • Red Flag: <90%
  2. Overdue Control Testing: # of controls with testing past due

    • Target: 0
    • Red Flag: >5
  3. High/Critical Risks: # of residual risks rated High or Critical

    • Target: <5
    • Red Flag: >10
  4. Risk Incidents: # of risk events materialized

    • Target: Trending downward
    • Red Flag: Trending upward
  5. Control Deficiencies: # of control failures identified

    • Target: <3 per quarter
    • Red Flag: >10 per quarter
  6. Remediation Timeliness: % of corrective actions completed on time

    • Target: >90%
    • Red Flag: <80%

Risk Committee Charter Template

RISK COMMITTEE CHARTER

PURPOSE:
To provide oversight of the firm's risk management framework and ensure risks
are identified, assessed, and managed within Board-approved risk appetite.

MEMBERSHIP:
- Chief Risk Officer (Chair)
- Chief Financial Officer
- Chief Operating Officer
- Head of Compliance
- Head of Internal Audit (Observer)

FREQUENCY: Monthly

QUORUM: 3 members including CRO

RESPONSIBILITIES:
1. Review and approve Risk & Control Matrix
2. Monitor key risk indicators and risk appetite adherence
3. Review significant risk events and incidents
4. Approve risk management policies and frameworks
5. Escalate material risks to Board

REPORTING:
- Monthly risk dashboard to Executive Committee
- Quarterly risk report to Board
- Ad-hoc escalation for Critical risks

AUTHORITY:
- Approve risk mitigation plans
- Escalate to Board for risk acceptance decisions
- Commission independent reviews where needed

Integration with Operating Model

Risk management integrates with:

┌─────────────────────────────────────────────────────────┐
│ STRATEGY & RISK APPETITE                                │
│ Board-level risk appetite and strategic priorities      │
└────────────────┬────────────────────────────────────────┘
                 │
    ┌────────────┴────────────┐
    │                         │
    ▼                         ▼
┌─────────────────┐   ┌──────────────────┐
│ RISK FRAMEWORK  │   │ PROCESSES (BPMN) │
│ RCM, Policies   │◄──┤ Risk embedded    │
└────────┬────────┘   └──────────────────┘
         │
         ▼
┌─────────────────────────────────────────┐
│ GOVERNANCE (RACI + Committees)          │
│ Risk ownership and decision rights      │
└────────┬────────────────────────────────┘
         │
         ▼
┌─────────────────────────────────────────┐
│ MONITORING & REPORTING                  │
│ KRIs, dashboards, risk reporting        │
└─────────────────────────────────────────┘

Next Steps

  1. Download this template
  2. Identify your top 10 risks
  3. Document existing controls
  4. Assess control effectiveness
  5. Report residual risk profile to management

Need Expert Support?

Designing a risk & control framework that satisfies regulators while being operationally practical requires deep expertise. If you need support with FCA/PRA compliance, risk framework design, or preparing for regulatory reviews, contact our team for a consultation.


Template Version: 1.0
Last Updated: January 2025
Regulatory Alignment: FCA SYSC, Basel III, ISO 31000, COSO
License: Free for commercial use with attribution