Risk Rating Probability

Example: Probability Rating System

Rating 1 – Optimal: Threats and vulnerabilities have been identified and control processes are aligned with strategic plans, cost-benefit analyses and corporate governance objectives. Fully leveraged technologies, personnel and processes minimize the probability of an adverse event or condition and operational, compliance, financial and reporting objectives are always met. The likelihood of an unforeseen adverse event or condition is slight. Historical performance has been strong with the annual rate of problematic occurrences being very low.

Rating 2 – Managed: Threats and vulnerabilities are measured quantitatively, and technologies, personnel and processes are routinely effective, causing operational, compliance, financial and reporting objectives to be typically achieved. Current risk management and internal control practices anticipate and address potentially problematic conditions. The likelihood of an unforeseen adverse event or condition is relatively low and, when one occurs, it is manageable. Historical performance has been very good with the annual rate of problematic occurrences being sufficiently below the bank’s acceptable limit.

Rating 3 – Defined: Most threats and vulnerabilities are identified and remedied, but adverse events or conditions can arise suddenly and with unpredictable consequences. Technologies, personnel and processes are sometimes ineffective and operational, compliance, financial and reporting objectives are not always met. There is an increasing likelihood that an unforeseen adverse event or condition will happen due to occasional lapses in applying sound risk management techniques or internal controls and, if one occurs, the situation must be carefully managed. Historical performance has been good but there is room for improvement, and the annual rate of problematic occurrences has reached the bank’s acceptable limit.

Rating 4 – Intuitive: Threats and vulnerabilities are not always identified and/or remedied and adverse events or conditions are largely unpredictable. Technologies, personnel and processes are often ineffective and operational, compliance, financial and reporting objectives are infrequently met. Adverse events or conditions will very likely occur because controls are largely people-reliant and risk management techniques are often weak or absent. Historical performance indicates that the annual rate of unforeseen problematic incidents exceeds the bank’s acceptable limit.

Rating 5 – Hazardous: Threats and vulnerabilities are not identified or even recognized and problematic situations and loss exposure will almost surely result. Technologies, personnel and processes are ineffective and operational, compliance, financial and reporting objectives are almost never met. Adverse events or conditions will very likely occur because controls are largely people-reliant and risk management techniques are weak or absent. The historical annual rate of unforeseen problematic incidents well exceeds the bank’s acceptable limit and it reflects poor corporate governance by the Board and management.