Risk Framework
The table and supporting information below set out the design of the scenario risk assessment framework and the resulting proposed best practice guideline for each scenario.
Scenario | Application of current mechanisms | Proposed best practice guideline | Residual Impact & risks |
---|---|---|---|
Likelihood Rating Key
Almost certain (76 – 100% probability): Risk has a high likelihood of occurring even if mitigation is implemented. The event will likely occur within the next 12 months.
Likely (51 – 75% probability): Risk has a high likelihood of occurring. The event will likely occur within the next 24 months.
Moderate (26 – 50% probability): Risk has a moderate likelihood of occurring. The event could occur within the next 36 months.
Unlikely (11 – 25% probability): Risk is considered unlikely to occur. The event is unlikely to occur within the next 5 years.
Rare (0 – 10% probability): Risk will occur only in rare circumstances. The event is unlikely to occur within the next 10 years.
Impact Rating Key
Severe - disaster with the potential to lead to collapse of the business, fundamentally preventing achievement of objectives.
Major - critical event which can be endured but may have a prolonged negative impact and extensive consequences.
Significant - major event that can be managed but requires additional resources and management effort.
Minor - event which can be managed under normal operating conditions.
Insignificant - consequences can be readily absorbed under normal operating conditions.
Overall Risk Matrix
Likelihood / impact | Insignificant | Minor | Significant | Major | Severe |
---|---|---|---|---|---|
Almost Certain | Medium | High | Very high | Extreme | Extreme |
Likely | Medium | Medium | High | Very high | Extreme |
Moderate | Low | Medium | Medium | High | Very high |
Unlikely | Very low | Low | Medium | Medium | High |
Rare | Very low | Very low | Low | Medium | Medium |
Actors (note: copied from scope document for v2.0 Standard)
Customer: a person or party that holds an account with a financial institution, and is an authorised signatory of that account and can authorise payments from that account.
API Provider: a financial institution that manages the Customer's account from which a payment could be made.
Payee: a person or party receiving a payment into their account.
Third Party: a person or party that provides services using an API Provider’s API in a manner that complies with the API Standards. The Third Party is the entity which:
Initiates API calls to establish an Enduring Payment Consent Authority;
Receives and manages Tokens in relation to the Enduring Payment Consent;
Initiates API calls to process payment instructions in relation to the Enduring Payment Consent; and
Can be, but does not need to be, the Payee or the Consent Recipient.
Consent Recipient: the person, party or service (e.g. mobile App) in whose favour the Customer has given their Enduring Payment Consent for the purpose of payment initiation. The Consent Recipient:
Can also be, but does not need to be, both the Payee and the Third Party;
Can be, but does not need to be, the Payee; and
Can be, but does not need to be, the Third Party.