Ch 3 Operational Risk Appetite

Question 1

What are the key elements that constitute a firm’s risk appetite framework?

Answer 1

• An overall enterprise risk appetite statement which outlines the general approach and attitude of the firm towards risk.
• Risk specific appetite statements covering various types of risks such as market, credit, insurance, and operational risk. These statements define the firm’s appetite for each specific type of risk.
• Targets for risk taking, acceptability limits, and/or tolerance thresholds for specific risk event types. These provide quantifiable measures for the firm’s risk appetite.
• Policies and procedures, which may contain qualitative statements about the acceptability of particular risk events (e.g., financial crime). These policies and procedures may further elaborate on any targets for risk taking, acceptability limits, or tolerance thresholds for specific risk events.

Metrics for monitoring the firm’s risks to ensure that they remain within the specified targets for risk taking, acceptability limits, and tolerance thresholds. These metrics provide a means for the firm to continuously monitor and manage its risk profile.

• General approach and attitude to risk
• Risk specific statements. e.g credit, market risk
• Policies and procedures
• Metrics for monitoring

Question 2

What is the purpose of a risk appetite statement and what are the benefits from establishing and communicating a firm’s operational risk appetite?

Answer 2

• The risk appetite statement clearly communicates the firm’s risk tolerance to its employees and stakeholders, ensuring balanced risk exposure. It also signals the firm’s risk stance to external parties.

From a business perspective, the benefits from establishing and communicating a firm’s operational risk appetite are:

• Enabling the governing body to exercise oversight by stating the nature and level of risks it considers acceptable or unacceptable.
  Providing a means of expressing senior management’s attitude to risk.
  Establishing a framework for making risk-based decisions.
  Allocating resources to priority risk areas.
  Aligning strategic goals with operational risk activities by balancing business returns with the related risks inherent in pursuing those goals.

Question 3

What is the purpose of an “Operational Risk Appetite Statement” document and how is it used by firms?

Answer 3

• The “Operational Risk Appetite Statement” clearly communicates a firm’s risk tolerance to employees and stakeholders, ensuring balanced risk exposure.
• Firms create internal and external versions of this statement, excluding sensitive information from the external version to avoid competitive disadvantages. The external statement’s content is included in annual reports and regulatory documents.

Question 4

What is the purpose of an operational risk appetite statement and how does it reflect a firm’s attitude towards operational risk?

Answer 4

• The purpose of an operational risk appetite statement is to express a firm’s overall attitude towards operational risk, and to communicate the types and levels of operational risk exposure that are acceptable or unacceptable.
• This reflects the firm’s ‘philosophy’ towards operational risk, which could range from being risk-averse, risk-neutral, to risk-preferring.
• The statement includes qualitative and quantitative measures, such as ‘no appetite for regulatory compliance breaches’ or specific acceptability limits and tolerance thresholds for operational risk events.
• Given the wide range of risks covered within operational risk management, the statements are often organized in logical groupings based on operational risk categories (e.g., Financial Crime, Technology Failure) or stakeholders who may be impacted by operational risk (e.g., Customers, Employees).

• To express a firm’s attitude to risk
• To reflect a firm’s philosophy to op risk
• Qualitative and quantitative aspects

Question 5

What are qualitative expressions of operational risk appetite and how are they used in risk management?

Answer 5

*Qualitative expressions of operational risk appetite are narrative statements indicating a firm’s risk tolerance.
* They are aspirational, as operational risk can occur despite controls. Some statements include prompt identification and mitigation of risks.
* They can be provided using likelihood and impact risk matrices, which are ordinal scales. These expressions explain a firm’s attitudes, behaviours, and values related to risk management.
* While useful for difficult-to-assess risks and easier to communicate, they can be viewed as imprecise and subjective. Hence, most firms also use quantitative expressions of risk appetite.

Question 6

How do firms express their operational risk appetite and what methods do they use to measure it?

Answer 6

• Firms express operational risk appetite by setting numerical limits for risk losses, which may be ‘soft’ and exceedable. They use a forward-looking model to estimate potential loss events and their occurrence intervals. Some firms combine loss limits and interval limits based on scenario/model outputs.
• Loss event-based methods are simple but can be manipulated. Measures based on occurrence intervals are subjective. Operational risk events are among many risk and control indicators used, with limits and thresholds supporting decision making.
• **Value-at-risk (VaR) is a capital modelling tool **used for various risk types, including operational risk. It estimates the probability of exceeding a given loss level over a time horizon at a specified confidence level, which informs the amount of operational risk capital held.

• By setting numerical limits to risk losses
• Loss event based methods
• VAR - value at risk modelling - capital modelling tool.

Question 7

What is the difference between operational risk appetite, tolerance, and capacity, and how are they measured?

Answer 7

Appetite: The level of operational risk loss or events a firm is prepared to experience in its daily operations without further mitigation or investment in the control framework.
Tolerance: A higher level of operational risk loss/event that a firm is prepared to tolerate by taking further mitigating action to ensure its survival.
**Capacity: **The maximum level of operational risk loss/event a firm can absorb without breaching solvency, regulatory, or other critical thresholds.
*** Value-at-risk (VaR) **is a capital modelling tool used for various risk types, including operational risk. It estimates the probability of exceeding a given loss level over a time horizon at a specified confidence level, informing the amount of operational risk capital held. A traditional RAG (Red-Amber-Green) framework provides insight into the difference between operational risk appetite and tolerance.

Question 8

How can a firm integrate operational risk appetite within the operational risk monitoring and reporting process?

Answer 8

Integrating operational risk appetite within the operational risk monitoring and reporting process involves two main steps:
* Data Collection and Reporting,-firms need to collect and report data regularly to ensure their operational risk exposure aligns with their risk appetite. The integrity of this data in terms of completeness, accuracy, and timeliness is crucial.
* Data Interpretation.-the collected data is converted into meaningful information by adding business context and interpretation. This involves comparing the data with business performance indicators, identifying and investigating adverse variances and trends, and analyzing underlying causes.

• Data collection and reporting
• Data interpretation

Question 9

What are the challenges in monitoring operational risk appetite at a senior management or governing body level?

Answer 9

• The challenges include difficulties in aggregating operational risk data,
• setting and aggregating Red-Amber-Green thresholds across the firm,
• and the potential for a business unit’s operational scale to not breach the group level appetite, resulting in a perpetual Green status.
• A Red status at the business unit level may not be significant at the group level, diluting the value of flagging operational risk exceeding defined risk appetite at a senior level.

Question 10

How can recalibration at divisional and/or group levels be achieved?

Answer 10

• Recalibration can be achieved by applying a weighting factor to the reported data, according to the relative scale of the business level.

Question 11

Why should a business, even if not of material value, manage operational risk within the appropriate operational risk appetite?

Answer 11

*It should be a concern at the group level because poorly managed operational risk in one business may affect the reputation of the group as a whole and could conceal a potential risk concentration.

Question 12

What is the importance of the aggregate level of exposure and the reporting of operational risk appetite information?

Answer 12

• The aggregate level of exposure needs diligent management, and a qualitative and evaluative approach at the group level is necessary, regardless of the quality of the aggregated reporting system.
• Reporting of operational risk appetite information should not be perceived as a vehicle for presenting an over-optimistic interpretation of operational risk exposures.
• Its real value lies in providing early warnings for timely management intervention and action to avert emerging issues.

Question 13

What is the role of the Chief Risk Officer (CRO) and the Group Head of Operational Risk Management in the design and implementation of a firm’s operational risk appetite?

Answer 13

• The Chief Risk Officer (CRO) plays a central role in designing the firm’s operational risk appetite and ensures it aligns with the group’s approach to other key risks such as market, credit, liquidity, and insurance risk.
• The Head of Operational Risk Management or any other officer responsible for managing operational risk in the second line also plays a crucial role.They support the design and implementation of the firm’s operational risk appetite and assist the governing body, senior management, and CRO in setting the organisation’s operational risk appetite.
• They are also responsible for supporting the monitoring of the firm’s operational risk appetite by collecting and collating operational risk data and turning it into informative operational risk appetite reports.

Question 14

What are the responsibilities of Business Unit Management and Internal Audit in managing and auditing a firm’s operational risk appetite?

Answer 14

• Business Unit Management is tasked with ensuring their decisions align with the firm’s operational risk appetite and capacity. They implement the risk appetite framework in their area, provide necessary data for monitoring, and set a local risk appetite consistent with the firm’s group level appetite.
  * Internal Audit, while not directly involved in the design or implementation of the risk appetite, provides assurance of its effective design, implementation, and communication. They ensure its integration within business operations and decision-making, and alert when they believe operational risk exposures have exceeded the defined appetite level.

Question 15

What are the four key principles that need to be considered when implementing an operational risk appetite framework to ensure that it supports an effective risk culture?

Answer 15

• Principle One: The operational risk appetite should be aligned with the firm’s strategy and culture. All aspects of the appetite must be consistent with its strategy and culture.
• Principle Two: The firm should ensure that the operational risk appetite appropriately balances risk-taking and control. Risk should only be taken where the expected benefits justify the risk being taken.
  * Principle Three: The firm should recognise that operational risk appetite is dynamic, requiring regular reviews and monitoring of alignment between operational risk exposure and operational risk appetite.

Principle Four: The firm should communicate operational risk appetite information to both internal and external stakeholders. This principle is closely linked to effective corporate governance. A governing body cannot be effective without communicating the types and level of operational risk that it regards as acceptable and unacceptable.

• Alignment to strategy and culture
• The balance between risk taking and control
• Regular reviews and monitoring
• Effective corporate governance

Question 16

What are the challenges and implications of implementing an effective and appropriate operational risk appetite?

Answer 16

• Implementing an effective and appropriate operational risk appetite can be a major challenge due to the diversity of operational risk exposures and the difficulties associated with assessing many of them.
• Firms that expose themselves to excessive amounts of operational risk may find their business operations frequently disrupted and they may even become insolvent.
• On the other hand, firms that attempt to over-control or avoid operational risk may fail to meet their strategic objectives. Therefore, finding the right balance between these two extremes is crucial for the success of a firm.

• Diversity of op risk exposures - difficulty in managing them.
• Disruption - due to excessive exposure to op risk.
• Finding the balance between risk and control.