Chapter 2: Management of Operational Risk Flashcards

6 questions

1
Q

What is the role of a robust governance framework and the governing body in the management of operational risk?

A
  • The management of operational risk, including its identification, assessment, control, and monitoring, is successful when set in the context of a robust governance framework.
  • This framework ensures all individuals, from the governing body down, are clear about their roles and responsibilities and work in a supportive risk culture.
  • The governing body, which could be a board in companies or other structures in partnerships or trusts, plays a crucial role.
  • Operational risk management also recognizes the needs and expectations of all external stakeholders such as regulators, investors, customers, and third parties, indicating its scope is not limited to internal people, processes, and systems.
2
Q

The governance framework for managing operational risk

What is the Risk Governance Framework?

A
  • The Risk Governance Framework comprises the governing body, risk owners, risk oversight functions, and risk assurance. The latter three are known as the ‘three lines of defence’, reporting to the governing body.
3
Q

How is Operational Risk distinguished?

A
  • Operational Risk is distinguished into a discipline and a function.
  • As a discipline, it’s everyone’s responsibility in a firm, cutting across all three lines of defence.
  • As a function, it’s part of the risk oversight function, in the second line of defence.
4
Q

How does the Three Lines of Defence Model function in risk management, and what are the roles and responsibilities of each line?

A

The Three Lines of Defence Model in risk management is a complex structure in which tasks may overlap, reflecting the intricate nature of risk management.

**First Line - Risk Owners:** Composed of business line managers, front office staff, and support functions. They integrate operational risk management within business activities, establish a risk and control environment, ensure resources for managing risks, and promote a risk culture.

**Second Line - Risk Oversight:** Provides independent risk oversight and implements risk management policies. They develop and implement the operational risk framework, facilitate policy application, ensure clarity of risk responsibilities, develop tools and processes, monitor risk appetite, report to management and governance bodies, and challenge the first line’s risk assessment.

**Third Line - Risk Assurance (Internal Audit):** Independent of the other lines. They provide assurance on the firm’s governance, risk management, internal controls, systems, and processes. They review the operational risk framework, key controls mitigating risks, and the process of setting and adjusting risk appetite. The audit frequency reflects the risks posed by business units. They must have the necessary status and resources within the firm for prompt resolution of recommendations and observations. Failure to deal promptly with audit issues indicates a lack of importance accorded to risk and to the audit function.

5
Q

Reflect on some of the advantages and disadvantages of the three lines of defence model.

A

Advantages

**Improved coverage of risks and controls:** By dividing responsibilities among different lines of defence, the model ensures a comprehensive approach to risk management.
**More insight into risks and solutions:** The model facilitates a deeper understanding of risks and how to manage them.
**Organization-wide view of risks:** The model encourages a holistic view of risks and risk management across the entire organization.
**Structural approach from different angles and specialisms:** The model allows for a structured approach to risk management from various perspectives within the organization.

Disadvantages

**Complexity:** The model can be complex and difficult to implement, particularly in larger organizations.
**Potential for siloed operations:** Each line of defence operates independently, which can lead to inefficiencies and slow responses.
**Defensive approach:** The model is inherently defensive, focusing on mitigating risks rather than proactively preventing them.

6
Q

What are the key components of a clear operational risk policy and how does it enable a firm to achieve its business objectives?

A

An operational risk policy is a tool for communicating the firm’s approach to managing operational risks. It includes:

**Purpose and Scope:** Outlines the firm’s risk management objectives.
**Definitions:** Clarifies the firm’s understanding of operational risk and its scope.
**Operational Risk Appetite:** States the firm’s risk objectives.
**Roles and Responsibilities:** Describes the risk management structure and the duties of different functions.
**Operational Risk Management Framework and Processes:** Provides an overview of the risk management framework, its processes, and how deviations from policy are handled.
**Ethical and Behavioural Guidelines:** Defines core values and acceptable behaviours in risk management.
**Glossary of Terms:** Ensures consistent use of language in operational risk management.

The policy should be clearly communicated to all staff. This approach helps the firm manage operational risks effectively and achieve its business objectives.

7
Q

How does a governing body establish an organisational culture and a risk culture, and what are the key elements for successfully embedding these cultures in a firm?

A
  • Organisational culture is a shared understanding developed by a group to solve problems. Risk culture is the shared values, beliefs, knowledge, and understanding about risk.

Embedding these cultures requires:

  • Leadership commitment to uphold expected values and behaviours.
  • Clear communication and acceptance of these values and behaviours.
  • Clarity about roles and responsibilities.
  • Rewards that incentivise good behaviour and deter poor behaviour.
  • Selection and training of people in the firm’s values and behaviours.
8
Q

What is the ‘use test’ in operational risk management and how can a firm satisfy it?

A

  • The ‘use test’ is a regulatory term that checks whether governance tools and processes are actually used and integrated into a firm’s risk governance framework. It applies to all tools and processes in a firm’s daily operations.
  • In operational risk, the ‘use test’ is passed if policies and procedures are followed and decisions take risk into account. Firms satisfy the ‘use test’ by integrating operational risk management into daily business processes and decision-making.
  • Passing the ‘use test’ involves positive responses to questions about senior management’s embodiment of risk culture and values, consideration of risk in decisions, proper review of reports, effective indicators, and full reporting of loss events.
  • Evidence of passing the ‘use test’ includes the review and use of event reports, risk and control assessments, risk indicators, scenarios, and reports, and escalation to senior management and governance bodies when problems are not resolved or responses are unsatisfactory.

9
Q

How does change management integrate with risk management in a firm, and why is it important?

A

  • Change management is integral to risk management as it addresses the constant internal and external changes in a firm. Internally, changes relate to strategy, objectives, personnel, and the introduction of new products or systems.
  • Externally, changes occur in political, regulatory, economic, social, technological, environmental, and legal aspects. Given that operational risk includes ‘the risk of loss from external events’, these external changes are crucial.
  • Consequently, risks and risk appetites are always changing, requiring continuous identification, assessment, monitoring, and management of operational risk. The frequency of these activities depends on the likelihood of change in individual risks.

Overall, clear roles and responsibilities for change management, aligned with the three lines of defence, are essential. This ensures operational risk management is integrated into the firm’s daily operations, enabling effective risk management amidst constant change.

10
Q

Briefly document 2-3 examples of where a change within the internal or external environment may introduce new operational risk or change the level of exposure to operational risks.

A

**Introduction of New Technology (Internal Change):** When a firm decides to implement a new technology or software, it can introduce new operational risks. For instance, there could be risks related to data migration, system compatibility, or employee training. If not managed properly, these could lead to data loss, system downtime, or errors in operations.

**Regulatory Changes (External Change):** Changes in regulations or laws can significantly impact a firm’s operational risk. For instance, the introduction of GDPR (General Data Protection Regulation) in the European Union brought about significant changes in how companies handle personal data. Non-compliance with such regulations can lead to hefty fines and reputational damage.

**Pandemic or Natural Disasters (External Change):** Events like the COVID-19 pandemic or a natural disaster can drastically change a firm’s operational risk exposure. For example, the shift to remote work during the pandemic introduced new risks related to cybersecurity, data privacy, and employee health and safety.

In each of these scenarios, the firm would need to reassess its operational risk framework and make necessary adjustments to mitigate the new or changed risks.

11
Q

What are the roles and responsibilities of the operational risk function in a firm?

A

In this section, “operational risk function” refers to any function within the second line that has been assigned responsibilities for operational risk management.
**The operational risk function is responsible for:**
* Developing and implementing the operational risk management framework throughout the firm.
* Assessing exposure to each major operational risk to ensure it is in line with agreed risk appetite.
* Establishing appropriate scenario planning for operational risks to understand their impact on the business and on risk appetites.
* Designing and implementing a risk reporting system for operational risk and reporting to senior management, as appropriate, on operational risk events, exposures, assessments and indicators, including escalation of risk exposures exceeding agreed appetites.
* Establishing a process for embedding awareness of operational risk throughout the firm.

The function should also be involved in providing a due diligence appraisal of the operational risks involved in strategic transactions, new initiatives or new products.

12
Q

What are the responsibilities of the governing body in a firm with respect to operational risk management?

A
  • Establishing a clear strategy and risk management objectives for the firm.
  • Articulating and communicating a clear risk appetite to support the strategy.
  • Establishing and communicating the components of the firm’s risk culture.
  • Approving policies and key roles and responsibilities for the management of operational risk.
  • Holding executive management to account for delivering the strategy, managing within the agreed risk appetite and policies, and maintaining the agreed risk culture.
13
Q

What is the role of the risk committee in a firm and what other types of risk committees can a firm establish?

A
  • The risk committee is a sub-committee of the governing body. It has primary risk oversight responsibility on behalf of the governing body and advises the governing body on risk matters such as risk strategy, risk appetite, and risk culture.
  • It also provides advice on the risk aspects of strategic transactions. While its membership may include executive directors, it should be chaired by an independent non-executive director.
  • The chair of the committee is responsible for safeguarding the independence, and overseeing the performance, of the firm’s risk function, including the chief risk officer.

In addition to the risk committee set up by the governing body, a firm may also establish other risk committees such as:

  • Risk committees within the first line to perform the oversight role at a business unit/division level.
  • Risk committees for each geographic location where it has business operations to perform the oversight role for the assigned geographic locations.
  • Risk committees on a specific operational risk type (e.g., IT Risk Committee) to perform the oversight role for a specific operational risk type.
14
Q

What is the role of the independent risk management function and the operational risk function in a firm?

A
  • The independent risk management function oversees and challenges the risk management framework but doesn’t manage risk directly - that’s the job of risk owners in business lines or support functions.
  • The operational risk function, a part of the risk management function, needs appropriate authority, status, and resources to fulfil its responsibilities. Executive management and the governing body must provide full support to the risk management function.
15
Q

What is the role of the Chief Risk Officer (CRO) in a firm and what are their primary responsibilities?

A

  • Provide risk management leadership, vision and direction, and develop and review risk management policies.
  • Establish the risk management framework across the firm, and develop a supporting infrastructure to ensure that risk policies are being followed and that risk exposures are being maintained within the agreed risk appetite.
  • The CRO also has a responsibility to challenge risk exposures and decisions and to act as an adviser to the governing body, business lines, and support functions.

16
Q

What is the relationship between the CRO and other oversight functions in a firm?

A
  • Given the CRO’s oversight and challenge role, other oversight functions such as compliance, conduct risk, money laundering, IT security, insurance purchase, health and safety or legal may report to the CRO.
17
Q

Who holds the ultimate accountability for risk management leadership in a firm?

A

  • Ultimate accountability for risk management leadership rests with the governing body, but the CRO is responsible for ensuring its day-to-day implementation.

18
Q

Explain the needs and expectations of Regulators in relation to operational risk


A
  • Regulators expect firms to have a strong operational risk culture and a comprehensive risk management framework.
  • The governing body should oversee operational risks, with a clear risk appetite and tolerance.
  • Senior management should actively manage operational risks, with robust processes for risk identification, assessment, change management, monitoring, reporting, control, and mitigation.
  • Firms should also ensure business resilience and continuity, disclose operational risks as required, and adhere to the principle of the three lines of defence in managing operational risks.
  • Regulators also target operational risk issues such as bribery, corruption, money laundering, health and safety, food safety, and electrical safety standards. These expectations may vary by regulatory body and jurisdiction.
19
Q

What is the key issue with investors in terms of operational risk management and what are the regulatory expectations?

A
  • Investors need clear communication about a firm’s risk management approach, appetite, and process for investment safety.
  • Basel II regulatory expectations provide key metrics for banks’ risk exposures and capital assessments.
  • Banks must disclose their operational risk management approach and capital assessment method.
  • Large banks using the Advanced Measurement Approach must detail the factors contributing to their capital assessment.
20
Q

What are the fundamental needs and expectations of clients and customers in relation to operational risk?

A

  • Clients and customers expect fair treatment, respect, and good conduct from firms in relation to operational risk.
  • They want products and services that meet their needs, clear information for informed decision-making, and reliable performance of products and services.

21
Q

What are the key considerations for a firm in managing operational risk with respect to third parties?

A

  • The most important thing for a firm to ensure, from an operational risk perspective, is that the contractual arrangements between the parties are sound and up to date.
  • Besides contracts, operational risk management should include clear objectives, reporting and quality monitoring processes, training, adequate technology and resources, and appropriate governance arrangements.

22
Q

How do rating agencies assess a firm’s operational risk management?

A

  • Rating agencies consider the quality of management and risk management as fundamental to their overall assessment of firms.
  • Their assessments are based not just on factual financial losses, but also on interviews with senior management and individuals involved in risk management, assessing the firm’s approach to operational risk and its risk culture.
  • They recognize that a major element of credit risk is actually operational risk. As a result, they have begun to formalize their assessments of risk management, and of operational risk in particular, in their ratings guides.