Chapter 3: Operational Risk Flashcards
What is the definition of operational risk?
The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
What does the Basel Committee require banks to do?
Hold capital for operational risk
What is an example of a workplace safety operational risk event?
Personal injury claim, Health and Safety fines
What does improper dissemination mean?
Giving out misleading information about an investment or issuer of an investment purposely.
What 3 provisions are used to prevent Money Laundering and Terrorist financing?
- Customer Identification (KYC)
- Record keeping of customer activity
- Reporting suspicious activity to authorities
How can Operational Risk cause Reputational Risk?
If clients or the media become aware of the issue, it can tarnish the firm's reputation.
How does Segregation of Duties reduce operational risk?
If an employee has access to multiple areas of an institution, they can cover up losses and skirt the risk mechanisms that are in place.
How does having an independent centralized risk department help?
Work with other departments to improve controls
Maintain operational risk systems and framework
Ensure there are no ownerless areas of the bank
Escalation, analysis, oversight etc
What 3 ways can you reduce the likelihood of a risk materializing?
- Identify the risk
- Clear ownership for the risk
- Set up risk indicators
What are the 6 steps of a Risk Management Framework?
- Risk Identification
- Risk Measurement
- Management and Control
- Risk Monitoring
- Risk Reporting
- Operational Risk Policy / Appetite
Why is it useful to categorize risks?
More succinct risk frameworks, based on each category
Better understanding where weaknesses lie
Resource allocation
What categories can you put operational risk into?
Process risks
People risks
System risks
External events
What are the limitations of Self-Assessment Risk Identification?
It is subjective, and open to abuse. Should be independently validated.
Aggregating scores can be difficult. People view risks subjectively.
What is risk measurement?
Using quantitative techniques to understand the size of a firm’s risk profile.
What is risk assessment?
Using human judgement to analyse risk data to estimate business impact.
What is Impact and Likelihood Assessment?
Using the product of an event's Likelihood and Impact ratings to determine the event's Severity/Risk.
Likelihood can be events per year, Impact can be financial loss.
What is Scenario Analysis?
‘Top down’ method, highlights potential risk combinations.
Using a model, possible scenarios can be used to determine which risks are exposed. Preventative measures can be used to decrease the risk of occurrence.
What is Bottom-Up Analysis?
Identifying individual risks and control inadequacy across business processes.
Aggregate them for a detailed profile of risks in each department
What are some pros and cons of Bottom-Up Analysis?
Its advantages are:
* It addresses risk and control issues at the process level.
* Accountability and responsibility for risk management can be clearly defined.
* It encourages a more transparent and risk aware culture.
* It encourages continuous improvement.
be taken immediately if necessary.
* It can improve the quality of management information.
Its disadvantages are:
* It takes time to implement.
* It can be subjectively influenced by managers if not properly managed.
What is a Key Risk?
Risks with the highest severity.
What are Key Risk indicators?
Quantitative data that describes the status of a Key Risk
What are the advantages of KRIs?
- Trends can be monitored, problems anticipated
- Basis for objective risk management
What are expected losses?
Losses that occur with a regular frequency, usually with limited business impact. In a firm's risk appetite.
What are unexpected losses?
Low frequency, high impact events. Hard to manage due to small sample.
What are some constraints of operational risk management?
Data collection - hard to build a comprehensive data set.
Cultural constraints - Many people are opposed to operational controls
Resource - Takes a lot of time and resources to implement
Indicators - Often the indicators are not comprehensive
What is a risk register?
List of key risks from high to low impact
Includes the impact of risk, risk owner, action plan, mitigation controls etc.
If a risk is too high and managing it is too resource intensive what can be done?
Withdraw from business
Modify a product offering
E.g. Prime for CS
What is a preventative control?
Prevents errors from occurring in the first place. Conventionally technological.
E.g. Bilateral matching in CREST prevents incorrect settlement
Segregation of duties
What is a detective control?
Detect errors once they have occurred.
Fails reports
EOD’s
What is a business continuity plan (BCP)?
Deals with premises and people plan after a disaster. “Where will staff work if main site is out of action?”
What is disaster recovery?
Procedures which deal with IT and key infrastructure to keep business running
How can you outsource risk?
Allowing a third-party to handle it.
In Prime, many hedge funds have J.P.M handle settlement risk.
What is the major disadvantage of KRIs?
Can affect business performance if managers start managing to their KRIs to enhance bonus rating.
E.g. Rich cancelling the SLRs.
What kind of operational risk would damage to premises be called?
Damage to physical assets
A firm decides it is not worth the expense of mitigating a risk. What would this be called?
Risk acceptance
Customer identification prevents which stage of money laundering?
Placement/Layering
Report suspicious customers and identify customers
Which type of risk assessment uses loss data and experience of personnel to measure risk?
Bottom-up measurement
Who is operational risk best MANAGED by?
Business departments in which they arise. E.g. OTMs managed by us.
Best planned and monitored by a centralised risk department though.