Chapter 3 - Operational risk Flashcards
1.1 What does the Basel committee define operational risk as?
what does it cover, and exclude?
The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
OR includes legal risk but excludes reputational risk
1.2 what does the Basel committee ask banks to do to reduce OR?
what does it recognize?
Hold capital
It recognizes that operational risk management depends on a range of factors, including: size, sophistication, nature of product and complexity
what are the elements of an effective operational risk management framework?
clear risk oversight by boards and seniors
strong operational risk culture
strong internal controls culture
Effective internal reporting
Contingency planning
What are the seven operational risk types?
Internal fraud; external fraud; employment practices/work safety; clients, products and business practices; damage to physical assets; business disruption and systems failure; execution, delivery and process management (failed transaction processes)
1.3 What risks are easily identified?
Market and Credit risk are observable, but Operational risk is not.
What other risks are affected by operational risk?
- reputational risk
- Compliance risk/regulatory
- credit risk
- market risk
- liquidity risk
- investment risk
what is an operational risk policy?
Provides a roadmap to the organization on how to operate regarding operational risk. It should take a company-wide approach.
It is a document that outlines the firm’s strategy and objectives for operational risk management. It is also a boundary for other risks, such as credit and market, to be clarified.
it allows fairness and centralized controls
what is included in an operational risk policy?
Building this framework includes:
- defining the firm’s operational risk appetite
- defining the methodology used to identify and categorise the operational risks that are in the organization
- defining the methodology to measure
- assigning responsibility to line managers to own the mitigating actions
- assigning responsibility for monitoring the effects
- establishing the reporting and escalating mechanisms
what is the process of defining an operational risk policy?
Cyclical and continuous, maturing in line with the firm's understanding of its operational risk profile.
What does an operational risk policy address?
- Key officers
- Roles and responsibilities
- Segregation of duties
- cross-functional involvement and agreement
Who are the key officers and their duties?
Line managers - Monitoring and reporting to board
Senior business managers - Responsible for operational risk in their areas
Group risk management function - overall financial risk
Certain staff - Risk representatives/champions on behalf of the owning manager and have dual reporting lines
3.3.1 What is the role of the operational risk management function?
- work with managers and other risk owners to assess
- provide a reporting for risk representatives
- support and maintain operational risk systems
- benchmark good industry practice
- provide risk oversight and monitoring
- issues escalated
- conduct qualitative operational risk analysis (loss causal analysis (trends), HR reports from exit interviews, internal audits)
- statistical modelling
what are the common identifications of operational risk?
- Self-assessment
- KRIs
- Risk and control workshops
- loss data causal trend analysis
- external loss data
- audit reviews
requires full involvement from risk owners and support from risk functions.
managing the risk and reduction of potential impact and occurrence.
How to reduce impact of it materializing
How to reduce impact if it does materialise?
reduce impact of it
- identify risk
- establish clear ownership
- set up risk indicators
If it does materialise
- insurance policies
- speedy escalation
- assign owner
3.3.2 What are the stages of a risk management framework?
- Risk identification
- Risk measurement and assessment
- Management and control
- Risk monitoring
- Risk reporting
- Operational risk policy
3.3.3 Understand purpose of identifying and categorising risks
purpose - to help establish risk profile and appetite for risk
categories will enable:
- common language
- capital allocation
- understanding each OR thing better
3.4.2 What is a self-assessment risk identification? The limitations? how to overcome
Involves a checklist of the risks that a particular area of the firm faces; managers and staff then score the risks based on profitability or impact.
The limitations are:
- It is subjective, combining the scores can be difficult, it can be difficult to work out average.
To overcome this weakness, assemble key staff in a workshop and brainstorm risks.
3.4.3 what is risk categorisation? Examples in operational risk
- Combining the use of operational risks, people, systems, process, External events.
Examples:
People - inadequately defined roles and responsibilities
Process - lack of written procedures
System - Passwords being shared
External - outsource supplier late
3.5.1 What are the main reasons for measuring and assessing operational risk?
- Establish quantitative baseline for improving control environment
- Provide incentive for risk management
- Improve management decision-making
- Satisfy regulators and shareholders
- Make an assessment of financial risk exposure
What is the main difficulty of measuring operational risk? How have firms tried to address this?
Lack of relevant and objective data; many firms do not have historic loss data
Banking and insurance industries have anonymously shared their losses with other firms in the same industry
3.5.2 What are the basic terms used in the assessment and measurement of operational risk?
Risk measurement - describes use of quantitative techniques to understand risk profile. This includes statistical modelling, predictions, such as firm’s risk indicators. refers to activities and decisions that are intended to control a risk.
Risk assessment - makes use of whatever objective data is there, and uses human judgement to estimate the impact.
3.5.3 What is an impact and likelihood assessment? Is it subjective or objective? What is the severity ranked on? Example of ratings?
One of the simplest methods of assessing risks; it ranks risks in order of severity. They can be subjective (using experience of professionals) or objective (being supported by historical data).
Severity is ranked on two criteria: the likelihood of the risk being realised and the magnitude of impact.
Very low = 1 = not likely to occur in 10 years
Impact = very low = 1 = less than £1000
What is the overall risk score for an impact/likelihood assessment?
Risk score is the product of the likelihood rating scores and the impact rating scores
Risk score = Likelihood score x Impact score
What is a heat map?
A heat map is where risk can be plotted according to its score, and colour coded to give an indication of which risks are inside/outside of risk tolerance.
high score = red
low score = green