Chapter 3 - Operational Risk Flashcards
What is operational risk defined as?
The risk of loss arising from inadequate or failed internal processes, people, and systems, or from external events
This definition includes legal risk but excludes strategic and reputational risk.
What are the areas covered by the Basel Committee on Banking Supervision (BCBS) guidance on operational risk management?
- Fundamental Principles
- Governance
- Risk management environment
- Information and Communications Technology (ICT)
- Business continuity planning (BCP)
- Role of disclosure
(Should be 9 categories?)
What are the 2 Fundamendal Principles for Operational Risk Management?
Principle 1:
* The board should take the lead in establishing a strong risk management culture, implemented by senior management
Principle 2:
* Banks should develop, implement, and maintain an operational risk management framework that is fully integrated into the bank’s overall risk management processes.
Implemented by senior management.
What are the 3 Governance Principles for Operational Risk Management?
Board of Directors:
Principle 3:
* The board of directors should approve and periodically review the operational
risk management framework, and ensure that senior management implements the policies,
processes, and systems of the operational risk management framework effectively at all
decision levels.
Principle 4:
* The board of directors should approve and periodically review a risk appetite
and tolerance statement for operational risk that articulates the nature, type, and levels of
operational risk the bank is willing to assume.
Senior Management
Principle 5:
* Senior management should develop, for approval by the board of directors, a clear,
effective, and robust governance structure with well-defined, transparent, and consistent
lines of responsibility.
What are the 4 Risk Management Environment Operational Risk Management Principles?
identification and assessment
Principle 6:
Senior management should ensure the comprehensive identification and
assessment of the operational risk inherent in all material products, activities, processes, and
systems, to make sure the inherent risks and incentives are well understood.
Principle 7:
Senior management should ensure that the bank’s change management process
is comprehensive, appropriately resourced, and adequately articulated between the relevant
lines of defence.
monitoring and reporting
Principle 8:
Senior management should implement a process to regularly monitor operational
risk profiles and material operational exposures. Appropriate reporting mechanisms should
be in place at the board of directors, senior management, and business unit levels, to support
proactive management of operational risk.
control and mitigation
Principle 9:
Banks should have a strong control environment that utilises policies, processes
and systems, appropriate internal controls, and appropriate risk mitigation and/or transfer
strategies.
What is the Operational Risk Management Principle for ICT?
Principle 10:
Banks should implement a robust ICT risk management programme in alignment
with their operational risk management framework.
What is the Operational Risk Management Principle for Business Continuity Planning (BCP)?
Principle 11:
Banks should have business continuity plans in place to ensure their ability to
operate on an ongoing basis and limit losses in the event of a severe business disruption.
Business continuity plans should be linked to the bank’s operational risk management
framework.
What is the Operational Risk Management Principle for the Role of Disclosure?
Principle 12:
A bank’s public disclosures should allow stakeholders to assess its approach to
operational risk management and its operational risk exposure.
The risk management three lines of defence model.
- Management team
- Independent corporate operational risk function
- Independent assurance function to verify and validate the ORMF (e.g. internal/external audit)
What is the responsibility of the management team in the first line of defence?
Identifying, assessing, monitoring, and managing inherent operational risks
What does the second line of defence in risk management provide?
An independent view of the business units’…
1. Risk identification and assessment processes
2. Key operational risks
3. Risk and control effectiveness
4. Compliance with risk tolerances.
Challenges on the implementation of…
1. Risk management tools
2. Processes
3. Measuring activities
4. Reporting systems
What does the third line of defence in risk management provide?
Provides a completely independent view of the effectiveness of the bank’s ORMF
Typically reports to the board
Function:
1. Reviews the design and implementation of the ORMF and governance processes
2. Reviews validation processes to ensure that they are consistent with the bank’s
policies
3. Ensuring that risk quantification systems are robust, i.e. by validating that inputs,
assumptions, and methodologies are correct, and that risk quantification accurately
reflects the bank’s risk profile
4. Ensuring that management responds appropriately to findings raised and regularly
reports on pending and closed issues
What is operational resilience?
The ability of a bank to continue to deliver critical operations during and after disruption
This includes identifying threats and recovering from disruptive events.
What are the 7 BCBS Principles of Operational Resilience?
- Governance
- Operational risk management
- Business continuity planning and testing
- Mapping interconnections and interdependencies
- Third-party dependency management
- Incident management
- ICT, including cyber security
Explain Each (page 83)
Examples of Risk Transfer
- Insurance (including fidelity bond insurance, liability insurance, property insurance, etc.)
- Alternative Risk Transfer (including derivative instruments, catastrophe bonds, etc.)
What is a catastrophe bond?
A financial instrument used to transfer operational risk, including cyber risk exposures, to capital markets
Catastrophe bonds can insure against various operational risk losses such as fraud, unauthorized activity, and compliance issues.
What are the three approaches defined by the Basel II Framework for calculating regulatory capital requirements for operational risk?
- Basic indicator approach (BIA)
- Standardised approach (SA)
- Advanced measurement approaches (AMAs)
How is capital for operational risk calculated under the Basic Indicator Approach (BIA)?
As a fixed percentage of the average positive annual gross income over the previous three years, excluding years with negative gross income
This approach is the simplest of the three defined by Basel II.
What is the Standardised Approach (SA) in the context of operational risk?
An approach where banks’ operating activities are divided into eight business lines, and operational risk is measured as a percentage of the annual gross income for each line
Negative gross income can offset positive gross income at the discretion of local regulators.
List the eight business lines defined under the Standardised Approach (SA).
- Corporate finance
- Trading and sales
- Retail banking
- Commercial banking
- Payment and settlement
- Agency services
- Asset management
- Retail brokerage
What is the difference between the Alternative Standardised Approach (ASA) and the Standardised Approach (SA)
ASA is the same as for SA except for two business lines:
1. Retail banking
2. Commercial banking
Gross loans and advances are multipled by a fixed factor “m” for these business lines, instead of gross income.
Same betas as SA.
What does the Advanced Measurement Approach (AMA) allow banks to do?
Calculate regulatory capital using a risk measure generated by the bank’s own internal operational risk management system
This approach requires regulatory approval and must meet predefined criteria.
What types of operational risk losses must be modeled under the Advanced Measurement Approach (AMA)?
- Internal fraud
- External fraud
- Employment practices and workplace safety
- Clients, products, and business practices
- Damage to physical assets
- Business disruption and system failures
- Execution, delivery, and process management
What are the two underlying assumptions for the New Standardised Approach (2023)
- That banks’ operational risk increases at an increasing rate with size
- That banks which have experienced higher operational risk losses in the past are more likely to do so in the future.
Requirements to Qualify for AMA
Qualitative Criteria
1. Management and board oversight of operational risk management
2. Sound operational risk systems in place
3. Sufficient resources and control functions to understand and use this approach
4. Independent operational risk function to design and implement a suitable operational
risk management framework
5. Internal operational risk system integrated with day-to-day risk management processes. Outputs must be used for reporting, analysis, and capital allocation
6. A suitable approach for allocating operational risk capital to key business lines, and
incentives in place to improve operational risk management throughout the firm
7. Regular reporting of operational risk exposures and losses to management and the
board
8. Well-documented operational risk system and a process to ensure compliance with
internal policies and controls
9. Regular reviews by internal and external auditors of activities of business units and the
independent operational risk function.
Quantitative Criteria
1. The approach used to measure operational risk must capture potentially severe “tail”
loss events and must meet a soundness standard comparable to an internal-ratingsbased
approach for credit risk (i.e. measure losses over a one year holding period and
99,9th percentile confidence interval)
2. The bank must have rigorous model-development procedures and independent
model validation
3. The bank should calculate operational risk capital as the sum of expected losses
and unexpected losses unless it can be shown that expected losses are allowed for
appropriately in internal processes (e.g. accounting provisions, budgets)
4. The bank’s risk measurement must be sufficiently granular to capture the key drivers of
operational risk, particularly in the tail of the distribution
5. The bank must demonstrate that correlation assumptions between different risk types
are appropriate
6. Strict requirements on the quality, relevance, and credibility of internal and external
loss data.
What is the purpose of business continuity and disaster recovery plans in operational risk management?
To ensure banks can continue operations or recover in a timely manner following a disruption
These plans have gained importance since the pandemic, emphasizing remote work capabilities.
What are the BCBS principles behind business continuity planning?
- Board and senior management responsibility
- Major operational disruptions
- Reocvery objectives
- Communications
- Cross-border communications
- Testing
- Business continuity management reviews by financial authorities
Define conduct risk.
The risk of actions taken by a financial institution that lead to customer detriment, market instability, or hindered competition
Effective management of conduct risk is crucial to mitigate regulatory action and reputational damage.
What are some key controls that banks should establish to manage conduct risk?
- Formal complaints procedure
- Whistle-blowing procedure
- Transaction monitoring systems
- Restrictions on personal account dealing
- Chinese walls between divisions
Fill in the blank: The capital requirement under the new standardised approach is determined by multiplying the business indicator component (BIC) by the _______.
internal loss multiplier (ILM)
What is a key challenge for banks using Advanced Measurement Approaches (AMAs)?
Excessive variability in risk-weighted assets, making it difficult for stakeholders to trust reported numbers
Different internal methodologies can complicate comparisons of capital ratios across banks.
What is the Financial Sector Regulation Act of 2017?
Legislation that empowers the FSCA to set conduct standards for financial institutions in South Africa
This act is part of a broader regulatory framework for the financial services industry.
What are the expected outcomes of treating customers fairly according to the FSCA?
- TCF is central to the bank’s culture
- Products are suitably designed for targeted customers
- Clear information is provided to customers
- Advice provided is suitable to customers’ needs
- Financial products perform as expected
- No unreasonable barriers post-sale
What is the purpose of the draft Conduct of Financial Institutions (CoFI) Bill?
To consolidate conduct requirements for financial institutions into a single bill
The CoFI Bill aims to simplify regulations and ensure compliance across the industry.
Part of the Twin Peaks Regulatory model
What is the definition of outsourcing in a banking context?
Using a service provider to perform a business activity or function on behalf of the bank
Outsourcing can involve third parties or affiliates within a corporate group.
What are some operational risks associated with outsourcing?
- Reduced management control
- Altered risk profile of the bank
- Increased complexity of relationships
What should a bank’s outsourcing policy include?
- Identification and assessment of risks (board-approved outsourcing policy)
- Due diligence processes for service providers
- Valid legal contracts
- Monitoring processes
- Contingency and business continuity plans
- Outsourcing plan (including risk assessments)
- Administrative measures and reporting
- Notify regulator of outsourcing, and demonstrte the steps followed to verify the service provider’s performance levels
What I are the key risks and issues associated with machine learning algorithms?
- Complexity of models is much greater, making it more difficult to identify model risks
- Many algorithms have a “black-box” approach and model results cannot be easily explained (if at all). This makes machine learning algorithms less transparent and less interpretable
- These models are typically built using specialised software and this requires significant computing power to develop and implement
- These algorithms can amplify bias, in particular if the data that the model were trained on are biased, but can also introduce unintended bias against certain groups of people.
- AI / ML models also typically use a large number of inputs, relative to more traditional models. This can result in models being much more complex than necessary, resulting in spurious accuracy or overfitting of training data.
- Banks also need to ensure that their data governance structures are suitable to ensure that the quality and quantity of data is sufficient for the effective training of machine learning models.
What is Benford’s Law?
A statistical principle stating smaller digits occur more frequently than larger digits in naturally occurring datasets
This law can be used to detect anomalies in transaction data.
What is the importance of a risk management framework for AI/ML models?
To manage complexities and unintended consequences of machine learning algorithms
Such frameworks help ensure that models are used appropriately and effectively.
What constitutes fraud in a banking context?
Intentional deceptive behavior aimed at unlawful gain, often monetary
Examples include accounting fraud, credit card fraud, and money laundering.
What is the trade-off in fraud detection models?
Between model sensitivity and customer experience
More sensitive models may lead to increased false positives, affecting customer satisfaction.
What is the role of digital analysis in fraud detection?
To identify anomalies in transaction data based on statistical principles like Benford’s Law
This approach helps detect potential fraudulent activities.
What are some IT risks faced by banks?
[“System failures leading to data loss”, “Undetected software errors”, “Increased complexity of data systems”]
What should an IT risk management framework include?
[“Policies and procedures for managing IT risks”, “Processes for detecting and limiting risks”, “Regular independent reviews”, “Roles and responsibilities for managing IT risk”, “Ongoing monitoring and risk metrics”]
What is the first step in IT risk management?
Identify and prioritise IT assets in terms of criticality to business operations.
What should banks assess regarding IT risks?
Identify and assess the likelihood and impact of current and emerging IT risks.
What practices should be implemented to mitigate IT risks?
Implement appropriate practices and controls to mitigate risks according to IT asset criticality and bank’s risk tolerance.
What is necessary for ongoing IT risk management?
Establish ongoing monitoring and risk metrics for IT risks and establish a risk register.
What people management procedures should banks establish?
Screening of employees, vendors, and contractors, and providing appropriate training.
Why are dedicated IT resources important in banks?
To ensure all business units are covered and not exposing other divisions to risk.
What should an IT services framework include?
Governance, processes and procedures for change management, software release management, incident management, and capacity management.
What oversight should be included in the bank’s ERMF?
Oversight of IT risk management.
What is the purpose of a centralized IT risk governance forum?
To address IT risks and design a governance framework for new IT systems integration.
What must banks do to protect sensitive information?
Define, document, and implement solutions to protect sensitive information, including customer records.
What measures should be implemented for online transactions?
Use second-factor authentication or one-time PINs to verify identity or approve transactions.
What should a bank’s IT project management framework include?
Governance structures, stakeholder engagement, risk management, change control, cost, and benefit realization.
What should be included in a bank’s business continuity plan?
Procedures and policies for recovery and resumption of IT systems after a disruption.
What is a recommended approach for data backup?
Use cloud computing or storage solutions for efficient data backups.
What should banks ensure when outsourcing IT services?
That relevant regulatory requirements regarding outsourcing of material business activities are met.
What is the role of the bank’s internal control functions?
To independently review and ensure compliance of the bank’s IT activities with policies and regulations.
What is cybercrime?
A malicious attack on or using a computer or computer network.
What are common objectives of cybercriminals targeting banks?
- Impersonating people to defraud banks
- Holding individuals or institutions to ransom
- Selling data to criminal third parties.
What types of attacks do cybercriminals use against banks?
- Data theft
- Malicious programs
- Denial-of-service attacks.
What measures should banks implement to combat cybercrime?
- Establish firewalls
- Ensure secure password protection
- Monitor network activity
- Keep software security patches updated.
What is phishing in the context of cybercrime?
A social engineering tactic to trick individuals into providing security information.
What should banks do to enhance employee awareness of cybercrime?
- Establish reporting systems for suspected phishing
- Implement minimum password standards
- Provide regular cybersecurity training.
What is the importance of a social media policy for banks?
To manage risks related to bank security and employee behavior on social media.
How can banks mitigate losses from cybercrime?
By investing in cybersecurity and cooperating with other banks to share vulnerabilities.
What is the role of insurance in cyber risk management?
To provide coverage against cybercrime and business disruption, but not a substitute for risk management.
What unique challenges do cyber risks present to banks?
- Persistent campaigns by sophisticated attackers
- Interconnectedness creating multiple attack vectors
- Potential ineffectiveness of traditional risk management.
What are the key principles of cyber resilience according to BIS guidance?
- Governance
- Identification
- Protection
- Detection
- Response and recovery
- Testing
- Situational awareness
- Learning and evolving.
What should the governance framework for cyber resilience include?
A strategy defining risk tolerance, risk identification, mitigation, and management.
What is the purpose of identifying functions and assets in cyber resilience?
To perform risk assessments and prioritize cyber resilience efforts.
What protective controls should banks implement?
- Encryption
- Authentication
- Access control
- Cyber risk management in change processes.
What is the importance of continuous monitoring in cyber resilience?
To detect anomalous activities and vulnerabilities in real-time.
What should banks do immediately after detecting a cyber attack?
Contain the attack and initiate recovery efforts.
What types of testing should banks conduct for cyber resilience?
- Vulnerability assessments
- Scenario-based testing
- Penetration tests
- Red team tests.
What is the significance of situational awareness in cyber resilience?
To identify cyber threats that could materially affect the bank’s operations.
How can banks learn from cyber events?
By identifying key lessons from past incidents and monitoring technological developments.
What does the Reserve Bank’s Guidance Note G4/2017 address?
The adequacy of banks’ cyber resilience policies, processes, and practices.
What important points should be included in an IT risk management framework?
Defined roles and responsibilities for managing IT risk, including the board, senior management, and the IT risk management team
Additional points include policies and procedures for managing IT risks, processes for detecting risks, independent reviews, identification of critical IT assets, assessment of IT risks, implementation of controls, ongoing monitoring, and people management procedures.
What policies should be in place to manage IT risks?
Policies, standards, and procedures for managing IT risks and protecting IT assets
This includes clear guidelines on how to handle various IT risk scenarios.
What processes should be implemented to control major IT risks?
Processes for detecting, controlling, and limiting major risks in a manner proportional to the level of risk
This ensures that the response to risks is appropriate to the severity of the threat.
What is essential for the ongoing assessment of IT risks?
Independent reviews and regular updates to take into account developments in the IT risk landscape
This helps organizations stay current with emerging risks and management practices.
How should banks prioritize their IT assets?
Identification and prioritisation of IT assets in terms of criticality to business operations
This ensures that essential systems receive the appropriate level of protection.
What should banks assess regarding current and emerging IT risks?
The likelihood and impact of current and emerging IT risks identified and assessed
This involves evaluating potential threats and their implications for the organization.
What practices should banks implement to mitigate IT risks?
Implementation of appropriate practices and controls to mitigate risks in accordance with the criticality of the relevant IT asset and the bank’s risk tolerance
This aligns risk management strategies with organizational priorities.
What kind of monitoring should be conducted for IT risks?
Ongoing monitoring and risk metrics for IT risks and establishment of a risk register
This helps in tracking risks and ensuring timely responses.
What people management procedures should banks have?
People management procedures, including screening of employees, vendors, and contractors, and providing appropriate training
This reduces risks associated with human factors in IT security.
What is a key component of a conduct risk framework in banks?
A formal complaints procedure, where complaints are logged and reviewed as part of the conduct risk framework
This allows for systematic handling of issues that may arise.
What is necessary to support whistle-blowing in banks?
A whistle-blowing procedure and suitable protection mechanisms for whistle-blowers
This encourages reporting of conduct risks without fear of retaliation.
What should banks implement for transaction monitoring?
Suitable transaction monitoring systems in place
This helps in identifying unusual patterns that could indicate conduct risks.
What restrictions should banks impose to manage conduct risk?
Restrictions on personal account dealing
This prevents conflicts of interest among employees.
What is the impact of outsourcing on a bank’s operational risk?
Banks are exposed to significant operational risk through their arrangements with external vendors when outsourcing material activities and functions
This can lead to loss of direct control and increased risk exposure.
How does the complexity of outsourcing relationships affect risk?
The risk increases as the number and complexity of outsourcing relationships increases
More relationships can lead to greater potential for mismanagement and oversight issues.
What should banks have to manage outsourcing risks effectively?
A board-approved outsourcing policy governing how they will identify, assess, manage, mitigate, and report on risks related to outsourcing arrangements
This formalizes the approach to outsourcing and risk management.
What is necessary for the selection of service providers in outsourcing?
Create suitable due diligence processes for selecting service providers
This ensures that vendors meet the bank’s risk and operational standards.
What should banks ensure regarding contracts with third parties?
Ensure valid legal contracts are in place for outsourcing with third parties
This protects the bank’s interests and clarifies expectations.
What monitoring processes should banks implement for outsourced functions?
Have suitable monitoring processes in place
This allows banks to oversee the performance and compliance of outsourced activities.
What plans should banks develop for continuity in outsourcing?
Develop viable contingency and business-continuity plans
This prepares banks for potential disruptions in outsourced services.
What must banks demonstrate to regulators regarding outsourcing?
Be able to demonstrate to the regulator the steps followed to verify a service provider’s performance levels
This ensures transparency and accountability in outsourcing arrangements.
What should banks notify regulators about concerning outsourcing?
Notify the regulator of such outsourcing
This ensures that regulatory bodies are aware of the bank’s outsourcing activities.
Principle List
BCBS (9 principles from section 1)
Common approaches to identifying fraud
- Statistical outliers
- Classification using machine learning
- Digital analysis (Benford’s law)
- Duplication testing
