Best Practices on Risk Aggregation
As part of the risk and control assessment process, organisations collect a lot of information about risks at various levels across the organisation. However, it is generally difficult to aggregate the detailed information about risks at a business division or group level to create an aggregated view of operational risk exposure.
Guidance on the following topics is considered necessary:
- Aggregating data at risk level. Data may include incidents, issues, control assessment outcomes, control testing outcomes and key risk indicators.
- Aggregating data at risk category level. Aggregating exposure of risks owned across different business units to a single risk category (e.g. External Fraud).
- Aggregating data at business unit level. Aggregating exposure of different types of risks at the business unit level.
- Aggregating data at different levels within the organisation structure, e.g. Division and Group level.