How would you rate your organization's current risk maturity level?
Which areas of risk management would you like to assess?

Risk Identification: Top-down and Bottom-up

How your organization identifies and documents potential risks
Are risks identified at the business process level (bottom-up approach) and then reported to a central risk management function for aggregation in the risk register?
Does your risk identification process produce a structured taxonomy that categorizes causes, risks, impacts, and controls in a consistent manner?
Does your organization use risk identification methods tailored to different business activities (e.g., process mapping for operations, structured workshops for less formalized activities) while maintaining consistent reporting formats for comparability?
Does your Executive Committee or Senior Management team conduct quarterly sessions to review the organization's main risks and identify emerging risks from a top-down perspective?
Do your risk specialists (Legal, Compliance, and other risk owners) meet regularly as a committee to discuss emerging risks and horizon scanning results within their respective disciplines?
Does your organization map risks as networks of interdependencies with causality links, beyond simply listing them in a risk register?

Risk Appetite

Actionable, Linked to Risks and Controls
Has your organization formally documented its risk appetite statements for key operational risk categories?
Are your risk appetite statements communicated to relevant staff members who make risk decisions?
Do your Executive Directors demonstrate understanding of operational risk appetite concepts and actively monitor limits?
Is your risk appetite reporting regularly measured against exposure limits, control limits, and other KRIs in a timely manner?
Does your Board receive sufficient information to effectively assess whether the organization operates within its defined risk appetite?
Are action plans automatically triggered when a risk is assessed as exceeding risk appetite (through scenario analysis, RCSA, control testing, or incidents)?

Risk Assessment

Based on observable evidence; comparable across units
Is your assessment of inherent risk exposure and impact ranges based on actual business data (such as transaction volumes and values)?
Are risk assessments updated at least annually and also following significant trigger events (internal or external) that warrant reassessment?
Is there a consistent methodology for scenario generation and assessment across all business units, with structured quantification of causes and impacts?
Are scenario analysis results used to improve decision-making and risk mitigation when they indicate risks above appetite?
Are risks assessed at multiple levels of severity and impact, typically using three stress levels (Expected Loss - Stress Case - Worst Case)?
Is each Risk and Control Self-Assessment (RCSA) unit clearly defined with an appropriate scope that prevents focus on insignificant risks (organized by process, business activity, or both as appropriate)?
Does your organization conduct thematic "deep dive" risk reviews that focus on a single risk type across multiple business units?
Are your controls assessed based on hard evidence from control testing results rather than subjective self-assessment?
Does your organization compare previous risk assessments with actual loss experience to validate assessment accuracy and improve the process?
Do business lines develop and implement their own scenario quantifications, with results aggregated by the second line of defense and properly documented for capital assessment?

Risk Mitigation

Controls and testing, external insurance, action plans and timeliness
Are key controls regularly tested by the first line of defense (and also by the third line)?
Does your second line of defense test controls during deep dives, thematic risk reviews, compliance monitoring, and second-line assurance reviews?
Are outsourcing decisions integrated into your risk strategy, with clear understanding of whether outsourcing transfers or acquires risk depending on the scope?
Do all action plans have clearly assigned owners and specific deadlines?
Are action plan deadlines strictly respected, with extensions treated as exceptional and overdue actions (including audit recommendations) not tolerated?
Does your control testing framework match testing rigor to the level of inherent risk (e.g., higher inherent risks require testing through reperformance)?
Does your control testing evaluate not only individual control effectiveness but also the independence between controls (to prevent common failure modes)?
Is your corporate strategy explicitly linked to your risk appetite framework?

Risk Monitoring and Reporting

Is your collection of risk incidents comprehensive and reliable?
Is your risk reporting clear and focused, highlighting priority issues, deviations from normal patterns, and comparisons across similar activities and time periods?
Are near misses (potential incidents that were avoided) routinely reported and analyzed?
Can you verify the comprehensiveness of your incident collection through reconciliation with other data sources (e.g., general ledger, audit validation, IT logs)?
Are risk and incident reports from business lines fed back to those units with comparative data across the organization to improve engagement and data quality?
Are your Key Risk Indicators (KRIs) preventative, relevant, and actively used, with timely monitoring and appropriate actions taken when indicators reach amber/red thresholds?
Are your KRIs validated by reviewing their status at the time of actual risk events (ineffective if green during events, governance issues if red without action)?

Risk Culture

Are training programs fully completed by all staff (100% completion rate for mandatory training)?
Are past incidents widely shared throughout the organization (beyond risk committee reporting) to promote learning and prevent recurrence?
Do business units spontaneously report events, alerts, and anomalies without prompting?
Is the relationship between the first and second lines of defense collaborative, harmonious, and respectful?
Is there a demonstrated willingness across the organization to continuously improve risk management and learn from market best practices?

Risk Governance

Are roles and responsibilities between the first and second lines of defense clearly defined and documented?
Is the role of risk champion well established and functioning effectively in your organization?
Are all non-financial risk types governed according to the same consistent risk management framework?
Are action plans and their timelines systematically monitored and respected?
Are risk actions and recommendations from internal audit and risk management coordinated to avoid overlaps and duplication of effort?