Chapter 1 - Risk Identification Tools Flashcards
What are the most dangerous risks
those we ignore, as they can lead to nasty surprises
What must be done before organizing risks in a register
identify risks specific to your business, not just an external list, and then assess, mitigate and monitor them
How should Risk identification in an organization take place
top-down at senior management level, and
bottom-up at business process level
What does top-down Risk identification at senior management level look at
the large exposures and threats to the business
What does bottom-up Risk identification at business process level look at
local or specific vulnerabilities or inefficiencies
Do you need top down and bottom up risk identification or can you survive with just one
both are vital because it is not sufficient to have one without the other
How often should Top-down risk analysis be performed
between one and four times a year
What determines the frequency of top down risk analysis
the growth and development of the business and the level of risks
What is the aim of Top-down risk analysis
identify key risks, the major threats that jeopardize objectives
Who do Top-down risk identification sessions typically include
Senior risk owners, Executive committee members, Heads of business lines
How are Top-down risk identification sessions organized
brainstorming workshops
What are Top-down risk identification exercises similar to
scenario generation, which is the first phase of scenario analysis
For small to medium-sized firms, how should top down risk identification meetings take place
with both risk identification and scenario generation in mind in order to save time
what can the result of top down risk identification meetings be used as inputs for
risk and control self-assessment (RCSA) exercises and scenario analysis
What 4 risks does top down look at
- Risks to strategy
- Emerging risks
- Global trends
- Major threats
What 4 things does bottom up look at
- Operational efficiency:
- Organized processes
- Efficient systems
- Competent staff
what is one of the most efficient ways to identify important threats to a business
Top-down risk analysis
is top down or bottom up more common in the industry
bottom-up
who tends to employ only bottom up risk identification
firms new to the discipline, where the practice is the least mature.
If the scope of the bottom-up risk identification exercise is too restricted what happens?
the output will be a disparate collection of small risks, eg manual errors/process risks, not much value to senior management.
what are the most common bottom-up risk identification techniques
process mapping and interviews
What are the typical large exposures for a business
large company projects and critical third parties
What is an increasing focus in operational risk management
Operational risks related to projects and to outsourcing practices
Large exposure typically relates to what category of risk?
high impact/low probability risks
vulnerabilities relate to what type of risks
higher frequency but not necessarily lower impact
What are the two benefits to the risk identification method of exposure and vulnerabilities
it’s business-driven (doesn’t require risk management jargon, everyone can relate to it) and specific (tailored to a given organization)
ready-made lists from industry bodies or the Basel Committee are useful during what stage of identifying risk
ex-post check, to ensure that the exercise has not missed some significant threat
who popularized the risk wheel
Institute of Risk Management (IRM) in London
what is the risk wheel
support tool to spark creativity during risk identification brainstorming sessions
is there only one risk wheel
There are many versions
what risk has increased recently
political risks and instability
what benefit is provided by the circular presentation of the risk wheel
encourages managers to connect risk types, highlighting chains of causes and effects
what do risk relationships help with
to prioritize risk mitigation.
foreseeable advances in operational risk management
The evolution of risk lists into risk networks
What is the most common risk and control identification approach, bottom-up?
Process mapping
where is Process mapping well developed
information technology, operations and project management
what level should process description be at
level 2 or level 3
what if risk identification is too high-level
will not be revealing enough
what two types of employees stand out when it comes to risk interviews
the most experienced and recent hires
what will risk reports rarely be better than
‘ears on the ground’ speaking to employees
what is an “amazement report”
the experience of new employees in their first six weeks, before habit tames their surprise.
what is the first thing we review in most institutions
Past losses, or “lagging indicators,”
how can we refine the technique of using the past to predict the future
we should distinguish between internal losses, external losses and near misses
what do Internal losses indicate
concentrations of operational risk in a firm
where do internal losses affect banks
back offices: first financial market activities, retail and then the IT department
natural operational risk drivers
number of transactions and the size of the money flows
which internal losses should be budgeted and accounted for in pricing
repeated internal losses which do not represent systematic failure in internal controls but simply the level a business is exposed to operational risk
what acts as a systematic benchmark that helps risk identification and assessment for mature firms
External losses
definition of Near misses
incidents that could have occurred but did not because of sheer luck or fortuitous intervention outside the normal control
where are near misses more likely reported
firms which have a no-blame culture