Now that you have selected a firm (starbucks)and identified objectives, risks, and controls, it is time for the next steps to come up with the RCSA approach.  (4) For the controls, describe the roles (people), processes (steps people must follow), and systems (infrastructure, software, third parties) that would be responsible for the controls to work effectively.  (5) Finally, explain how you would evaluate the effectiveness of the controls (e.g. rate the control design, use metrics that show control test results or be indicators on the control performance).  (6) Provide your approach to assessing the remaining risks to the firm objectives (from step 2) that have been mitigated / not yet mitigated with the controls in place. As the Op Risk Manager, you now have a rough outline on how to approach the assessment process for your selected firm.

Added Etsy Example + Mindmap (see attached). Note: Milestone 1 mindmap in discussion for Milestone 1
For the control assessment proposal with Etsy, there are 6 sets of proposed controls. 

(4) Below are what would need to be in place to ensure those controls work effectively.  Four of these controls rely on the Technology teams, development / independent testing units, and product support specialists.

They must have the appropriate testing environments set up that reasonably mirror the production systems (detective – tools to identify errors).
The Surveillance and Testing approaches must be documented and reviewed regularly with the appropriate 2nd line of defense control functions (directive – reliance on procedures).
The Model team should stress test search results for buyers / sellers of dramatically different backgrounds and provide the scenarios to an independent control function to evaluate (preventative – identify potential issue areas).
Product support teams should follow up on the outage issues on priority basis and prepare lessons learned based on appetite levels (corrective – employ ticket system to address performance issues).

C1) end to end encryption

C2) surveillance on unauthorized data access attempts

C5) independent test of search results

C6) outage severity and duration

Two of the controls rely on the Sales team.  To manage client experiences, they must have tools to evaluate customer ratings / complaints (corrective – address customer feedback).  Sales metrics must be tracked and those above appetite levels reviewed with Board level managers (detective – identify trouble areas and escalate concerns).

C3) respond to customer ratings and complaints

C4) track sales metrics for performance reviews with Board

(5) Controls without appropriate monitoring often fail to remain relevant.  To check that the Technology team remains vigilant on their surveillance, independent testing, and outage reviews (C2, C5, C6), scheduled sample testing on daily / weekly / monthly / quarterly / ad-hoc basis by the first line is expected, with review and challenge by second line on quarterly basis, and annual audit by third line.  The integrity of the transaction process (C1) would be evaluated based on idiosyncratic cases when certificates have expired or there is data loss reported.

For the Sales team, the controls on customer feedback and sales metrics (C3, C4) would be evaluated based on separate customer engagement indicators.  Second line control functions would evaluate metrics that show buyers returning to use the site tools and purchase from sellers along with sellers that successfully find matches for their unique products.  The engagement is correlated with the Sales team effectiveness.

(6) With the controls in place, the residual risks for compromised user data (R1) and failed transactions (R2) are low.  This reflects how the uncertainties are mitigated with encryption / monitoring to address the high inherent risk of stolen user data and medium inherent risk for buyers / sellers not matching / completing their sales.  Independent testing is effective in mitigating the low inherent risk of fraudulent search tool results (R3) to attain the low residual risk.  Finally, the high inherent risk of outages (R4) impacting customer experiences remains high on the residual risk basis since there are still many variables outside the firm’s control that can trigger delays for customers to reach the firm’s online marketplace.  The appetite levels must be calibrated to recognize this high residual risk (e.g. low tolerance during gift-giving times around holidays).