Ch 1 Fundamentals of Operational Risk Flashcards
5 questions
How has the recognition and management of operational risk evolved over time?
- Operational risk, present in all operational processes and systems, has been recognized as a distinct risk type in the last few decades. This recognition began with Basel II in the late 1990s, initially targeting internationally active banks but later influencing regulatory guidance for other financial sectors.
- Today, most financial organizations have integrated operational risk management into their business activities, often with the support of a centralized function.
- Non-financial firms have also extensively developed operational risk management, investing in areas like health & safety practices, disaster management, and anti-corruption practices.
What is operational risk and what are some examples of operational risks based on different causal factors?
- Operational risk, as defined in Basel II, is the ‘risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’.
- This definition includes legal risk but excludes strategic and reputation risk.
- It focuses on risks arising from four primary causal factors - processes, people, systems, and external factors.
What are the seven risk event types in the Basel II regulatory framework?
Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery.
External Fraud - theft of information, hacking damage, third-party theft and forgery.
Employment Practices and Workplace Safety - discrimination, workers’ compensation, employee health and safety.
Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning.
Damage to Physical Assets - natural disasters, terrorism, vandalism.
Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures.
Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets.
How are expected operational risks managed?
- Expected operational risks, which are inherently associated with the internal or external environment of the firm, are managed within the planning and execution of business activities.
- Firms may incorporate these risks within the pricing of their products, raise accounting provisions, include them as part of business budgets, or invest in improving the efficiency of business processes.
Examples of expected operational risks include credit card fraud for a firm offering credit card products, damages due to hurricanes for an asset management firm with offices in a city which experiences a hurricane season every year, and disruption to IT systems due to power cuts for an insurance firm with offices in a city where seasonal power cuts are normal.
How are unexpected operational risks managed?
- Unexpected operational risks, which are not an inherent part of the internal or external environment of the firm, may be managed with support from specialist departments (e.g., Business Continuity Management department) to deal with business continuity related risks.
- Such risks may be managed using capital reserves, insurance, or investment in controls.
Examples of unexpected operational risks include disruption to IT Systems due to the escalation of a cyber war between two or more countries, damage to physical assets due to solar storms, and disruptions to business operations due to the rapid spread of a serious epidemic.
Identify the common risk types.
Financial services firms face a variety of risks, which can be categorized as follows:
**Strategic Risk:** Uncertainties that may affect or be created by an organisation’s business strategy and strategic objectives. This could include failure to meet customer needs, over-reliance on a single product, or failure to anticipate a new competitor.
**Credit Risk:** The risk of loss due to counterparty default. This could occur when a business is unable to repay a loan due to the failure of a major creditor, a customer defaults on their mortgage payments, or an insurance company is unable to claim on a reinsurer.
**Market Risk:** The risk of loss due to adverse economic changes in market conditions, rates or prices, or fluctuations in volatility. This could include loss of revenue due to changes in exchange rates, losses in an investment portfolio due to a significant drop in a market index, or an unexpected increase in debt-related interest payments due to policy changes.
**Liquidity Risk:** The risk of not having adequate funds available to meet financial commitments. This could be caused by a significant change to the credit rating of an organisation or a country, or a significant level of uncertainty in the market which may dry up demand for financial instruments.
**Insurance Risk:** Also known as underwriting risk, it is the risk of a claim being made on an insurance policy. This could include business interruption, cyber-crime, directors’ and officers’ liability, key man, motor (individual or fleet), property, professional indemnity, terrorism, unauthorised trading, as well as life and health policies.
**Operational Risk:** The risk of loss, direct or indirect, resulting from inadequate or failed internal processes, people and systems or from external events. This could include accepting or offering a bribe, theft of customer data from IT systems by hackers, or intentional mis-selling of products/services to clients.
How are the boundaries between different types of risks determined in Enterprise Risk Management (ERM) and how are they managed?
- Enterprise Risk Management (ERM) is an integrated approach to managing risks that recognises their interconnectivity. It ensures clear differentiation between the various risk types. Operational risk managers often interact with other risk managers to justify the inclusion of certain risks under operational risk management.
- The boundaries between different risks are determined by their causal factors. A risk that would normally belong to another risk type is considered under operational risk management when its cause is an operational one:
* Credit risk caused by fraud or procedural failures in the credit process.
* Market risk caused by transactional errors or fraud.
* Liquidity risk caused by non-economic factors.
* Insurance risk caused by policy failures or errors in actuarial modelling.
* Strategic risk caused by errors in business judgement or governance.
Summary:
- Credit risk - fraud, procedural failures
- Market risk - transactional errors or fraud
- Liquidity risk - non-economic factors
- Insurance risk - policy failures or errors in actuarial modelling
- Strategic risk - errors in business judgement or governance
What is the Bow-Tie model and how does it help in visualising and managing risk?
* The Bow-Tie model is a widely recognized tool for visualizing risk. It organizes the cause, event, and impacts of a risk, and adds controls between these components to ‘compress’ the gaps.
* The model differentiates between preventative controls, which reduce the likelihood of a risk event occurring, and corrective controls, which reduce the impact of a risk event after it has occurred.
* The model suggests that while causal factors alone do not cause damage or disruption, an event cannot occur without a causal factor.
* This model helps firms understand and manage the interdependencies between different components of risk.
How are the causes and impacts of operational risks categorized, and how do they relate to different operational risk events?
* Operational risks are driven by four primary causes: process, systems, people, and external factors. Some firms also consider strategy and management as additional drivers.
* The impacts of these risks are typically categorized into five types: financial impacts, efficiency impacts, service impacts, lost business opportunities, and reputational impacts.
Examples.
* An Internal Fraud event, primarily caused by people and secondarily by process, can have a primary impact on financials and a secondary impact on reputation.
* A Business Disruption and System Failures event, primarily caused by systems and secondarily by process and external factors, can have a primary impact on service and secondary impacts on efficiency, reputation, business opportunities, and financials.
This mapping helps firms understand the interdependencies between different components of risk and manage them effectively.
What are the key steps in the operational risk management process and how often is it applied?
The operational risk management process is integrated into key activities of a firm and involves five key steps:
**Trigger:** The process begins due to business needs like decision making, strategic planning, product development, changes in the business environment, significant incidents, or periodic review of operational risks.
**Risk Identification:** Relevant operational risks are identified based on the trigger.
**Risk Assessment:** The firm analyses key aspects of each risk and assesses measures like likelihood, financial impacts, or reputational impacts.
**Risk Response:** The firm decides how to respond to each risk, which could involve accepting, reducing, transferring, or avoiding the risk.
**Risk Monitoring/Reporting:** The outcomes are reported to stakeholders and actions are implemented to monitor changes to certain risks.
This process may be applied multiple times for the same trigger, such as during a 6-month product development period.
What triggers the operational risk management process in a firm?
**Decision making:** Such as purchasing new IT systems, considering outsourcing options, establishing new vendor relationships, or opening new business operations in a foreign country.
**Strategic planning:** This involves defining strategic objectives and implementing the strategic plan.
**New product development:** This includes the development of a new product and its market launch.
**Internal business environment changes:** These could be a high level of customer churn, an unexpected increase in revenue, or organisational restructuring.
**External business environment changes:** These could be changes to existing regulations, technology trends, or competitor activity.
**Significant incidents:** These could occur inside or outside the firm, such as a significant cyber theft, a significant terrorist event, or a significant failure of IT systems.
**Periodic review of operational risks:** This could be a quarterly review of IT risks, a semi-annual review of the business continuity plan, or a yearly review of all operational risks.
What are the common risk responses a firm may consider based on the outcomes of the risk assessment activity and their risk appetite?
**Risk Acceptance:** If a risk exposure is within its risk appetite, the firm may elect to do nothing additional about the risk and accept the current level of exposure, or may even consider increasing its risk appetite if the appetite has not been reviewed for some time.
**Risk Reduction:** The firm may decide to reduce the likelihood and/or impact of a risk through management actions, changing the underlying business process, changing existing controls, or introducing new controls.
**Risk Transfer:** The firm may decide to transfer some aspects of a risk exposure to another party, either through the use of insurance or by contractual arrangements. This is also sometimes referred to as sharing the risk. It should be noted that while some aspect of the risk exposure may be transferred to another party, the firm still owns the risk and may remain exposed to some of the financial exposure and all of the reputational exposure of the risk.
**Risk Avoidance:** The firm may decide to avoid the risk, which may require it to stop offering certain products, exit certain markets, or stop performing certain processes.
What are the key components of the operational risk framework and governance structures?
- The basic risk management process (trigger, risk identification, assessment, response, monitoring/reporting), i.e. the operational risk management process
- Mandate, terms of reference, framework and policy.
- Operational risk governance
- Risk appetite
- Risk and control self-assessment (RCSA)
- Risk and control indicators
- Events, losses, near misses and gains/offsets
- Scenario analysis
- Operational risk modelling
- Operational risk reporting
What is the role of the governing body or board risk committee in operational risk management, and what does an operational risk management framework entail?
- The governing body or board risk committee typically sets mandates for risk functions.
- These mandates outline the role, accountabilities, responsibilities, scope, objectives, and relationships with other functions.
- An operational risk management framework should be established by the firm. This framework should define the firm’s operational risk management objectives, the tools and techniques for risk management, the firm’s approach to risk appetite and tolerance, and escalation and reporting requirements.
What is the structure of risk governance in a firm and how does the ‘three lines of defence’ model work within this structure?
- Risk governance is vital in any firm. It starts from the governing body, through a board risk committee, to an operational risk committee.
- This is often supported by divisional and subsidiary company risk committees.
- The Chief Risk Officer (CRO), who reports to the CEO or directly to the governing body, oversees the management of core risk types.
- The ‘three lines of defence’ model is integral to this framework. The first line, the business, owns and manages its risk. The second line provides independent control and oversight. The third line, usually the internal audit function, assures that risks are managed appropriately.
The governance structure is centered on risk accountability, delegation, and clear escalation structures and reporting lines.