Chapter 3 - Operational risk Flashcards

1
Q

1.1 What does the Basel Committee define operational risk as?
What does it cover, and what does it exclude?

A

The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

OR includes legal risk but excludes reputational risk

2
Q

1.2 What does the Basel Committee ask banks to do to reduce OR?

what does it recognize?

A

Hold capital

It recognises that operational risk management depends on a range of factors, including size, sophistication, nature of product and complexity.

3
Q

What are the elements of an effective operational risk management framework?

A

Clear risk oversight by boards and senior management

Strong operational risk culture

Strong internal controls culture

Effective internal reporting

Contingency planning

4
Q

What are the seven operational risk types?

A

- Internal fraud
- External fraud
- Employment practices / workplace safety
- Clients, products and business practices
- Damage to physical assets
- Business disruption and systems failure
- Execution, delivery and process management (failed transaction processes)

5
Q

1.3 What risks are easily identified?

A

Market and credit risk are observable, but operational risk is not.

6
Q

What other risks are affected by operational risk?

A
  • Reputational risk
  • Compliance/regulatory risk
  • Credit risk
  • Market risk
  • Liquidity risk
  • Investment risk
7
Q

What is an operational risk policy?

A

Provides a roadmap to the organisation on how to operate with regard to operational risk. It should take a company-wide approach.

It is a document that outlines the firm's strategy and objectives for operational risk management. It also sets a boundary against which other risks, such as credit and market risk, can be clarified.

It allows fairness and centralised controls.

8
Q

What is included in an operational risk policy?

A

Building this framework includes:
- defining the firm's operational risk appetite
- defining the methodology used to identify and categorise the operational risks that exist in the organisation
- defining the methodology used to measure them
- assigning responsibility to line managers to own the mitigating actions
- assigning responsibility for monitoring the effects
- establishing the reporting and escalation mechanisms

9
Q

What is the process of defining an operational risk policy?

A

Cyclical and continuous, maturing in line with the firm's understanding of its operational risk profile.

10
Q

What does an operational risk policy address?

A
  • Key officers
  • Roles and responsibilities
  • Segregation of duties
  • Cross-functional involvement and agreement
11
Q

Who are the key officers and their duties?

A

Line managers - monitoring and reporting to the board
Senior business managers - responsible for operational risk in their areas
Group risk management function - overall financial risk
Certain staff - risk representatives/champions acting on behalf of the owning manager, with dual reporting lines

12
Q

3.3.1 What is the role of the operational risk management function?

A
  • Work with managers and other risk owners to assess risk
  • Provide reporting for risk representatives
  • Support and maintain operational risk systems
  • Benchmark good industry practice
  • Provide risk oversight and monitoring
  • Escalate issues
  • Conduct qualitative operational risk analysis (loss causal analysis (trends), HR reports from exit interviews, internal audits)
  • Statistical modelling
13
Q

What are the common methods of identifying operational risk?

A
  • Self-assessment
  • KRIs
  • Risk and control workshops
  • Loss data causal trend analysis
  • External loss data
  • Audit reviews

This requires full involvement from risk owners and support from risk functions.

14
Q

Managing the risk and reducing its potential impact and occurrence.

How to reduce the impact of it materialising?

How to reduce the impact if it does materialise?

A

Reduce the impact of it materialising:
- identify the risk
- establish clear ownership
- set up risk indicators

If it does materialise:
- insurance policies
- speedy escalation
- assign an owner

15
Q

3.3.2 What are the stages of a risk management framework?

A
  • Risk identification
  • Risk measurement and assessment
  • Management and control
  • Risk monitoring
  • Risk reporting
  • Operational risk policy
16
Q

3.3.3 Understand the purpose of identifying and categorising risks

A

Purpose - to help establish the risk profile and the appetite for risk

Categories will enable:
- a common language
- capital allocation
- a better understanding of each operational risk

17
Q

3.4.2 What is self-assessment risk identification? What are its limitations? How can they be overcome?

A

Involves a checklist of the risks that a particular area of the firm faces; managers and staff then score the risks based on probability or impact.

The limitations are:
- It is subjective; combining the scores can be difficult, and it can be difficult to work out an average.

To overcome this weakness, assemble key staff in a workshop and brainstorm risks.

18
Q

3.4.3 What is risk categorisation? Examples in operational risk

A
  • Grouping operational risks by their source: people, systems, processes and external events.

Examples:
People - inadequately defined roles and responsibilities
Process - lack of written procedures
System - passwords being shared
External - outsourced supplier delivering late

19
Q

3.5.1 What are the main reasons for measuring and assessing operational risk?

A
  • Establish quantitative baseline for improving control environment
  • Provide incentive for risk management
  • Improve management decision-making
  • Satisfy regulators and shareholders
  • Make an assessment of financial risk exposure
20
Q

What is the main difficulty of measuring operational risk? How has this been addressed?

A

Lack of relevant and objective data; many firms do not have historic loss data.

The banking and insurance industries have anonymously shared their losses with other firms in the same industry.

21
Q

3.5.2 What are the basic terms used in the assessment and measurement of operational risk?

A

Risk measurement - describes the use of quantitative techniques to understand the risk profile. This includes statistical modelling and predictions, such as the firm's risk indicators. Refers to activities and decisions that are intended to control a risk.

Risk assessment - makes use of whatever objective data is available, and uses human judgement to estimate the impact.

22
Q

3.5.3 What is an impact and likelihood assessment? Is it subjective or objective? What is severity ranked on? Examples of ratings?

A

One of the simplest methods of assessing risks; it ranks risks in order of severity. Assessments can be subjective (using the experience of professionals) or objective (supported by historical data).

Severity is ranked on two criteria: the likelihood of the risk being realised and the magnitude of the impact.

Likelihood = very low = 1 = not likely to occur in 10 years
Impact = very low = 1 = less than £1000

23
Q

What is the overall risk score for an impact/likelihood assessment?

A

Risk score is the product of the likelihood rating scores and the impact rating scores

Risk score = Likelihood score x Impact score

24
Q

What is a heat map?

A

A heat map is where risk can be plotted according to its score, and colour coded to give an indication of which risks are inside/outside of risk tolerance.

high score = red
low score = green

25
Q

How are risks scored separately on a gross/net basis? What does a gross/net approach allow?

A

Gross risk = assumes that there are no controls in place / the controls have failed.
Net risk = takes the control environment into consideration.

This allows the effectiveness of controls to be evaluated separately from the risks which they mitigate.

26
Q

What are the advantages of an impact and likelihood assessment? What are the disadvantages?

A

Advantages:
- Provides a simple method to view risks
- Provides an evaluation
- Focuses on the most important risks
- Can be used with minimal hard data
- Captures a wide range of risk possibilities
- Encourages a risk-aware culture

Disadvantages:
- Presents an over-simplified, subjective view

27
Q

How should subjective assessments be validated?

A

- Against real loss data
- By an independent party, such as internal audit, a central risk function or peer review

28
Q

What is a scenario analysis?

A

A top-down approach of highlighting potential risk combinations in order to allow preventative action to be taken. It uses scenarios that have occurred in the past.

29
Q

What is a bottom-up approach?

A

Seeks to analyse the individual risks and the adequacy of controls across business processes. It builds up a detailed profile of the risks that occur in each area and provides an overall measure of exposure for departments. It involves line managers.

Advantages:
- Addresses risk and control
- Accountability is defined
- Encourages continuous improvement

Disadvantages:
- Takes time to implement
- Subjectively influenced
- Not straightforward
30
Q

3.5.4 How can KRIs be used for operational risk? Advantages and disadvantages?

A

The firm can work on its top-rated risks and plot the risk on a graph.

Advantages:
- They allow trends to be monitored
- They allow limits of acceptability to be set
- They provide a basis for objective risk measurement

Disadvantages:
- Can cause skewed business performance if managers start managing to their KRIs in an attempt to enhance bonus ratings

31
Q

3.5.5 How can historical loss data be used in measuring operational risk?

A

It maps the actual losses experienced by the firm and can be used in the measurement process, using benchmarking or statistical methods.

A loss distribution curve = predicts future losses.
'Fat tail' = reflects the fact that losses are not normally distributed.

32
Q

What do expected and unexpected losses mean?

A

Expected = errors that occur with reasonable frequency; they represent known process weaknesses that are in the company's risk profile.
Unexpected = low-frequency, high-impact events that cause serious problems.

33
Q

3.5.6 What are the practical obstacles to implementing an operational risk management framework?

A

- Data collection constraints
- Cultural constraints
- Resource and cost constraints
- Indicator constraints - it is difficult to design risk indicators
34
Q

3.6.1 What would be the headings in a risk register?

A

- Objectives
- Description of risk
- Risk ranking
- Lead person or department
- Action plan
- Target and completion date
- Sources of assurance and oversight
- Mitigating controls
- Gross, net and residual risk

35
Q

3.6.2 Which method of managing risk involves transferring it?

A

Risk transfer - using outsourcing or insurance

36
Q

3.6.2 How can a risk be completely avoided?

A

- Withdrawing
- Changing a product offering
- Deciding not to take on new business

37
Q

3.6.2 What does the risk acceptance method include?

A

The most common action is to introduce key controls into the firm's processes (this is only required when the business has accepted the risk). Another method of managing risk exposure is to expend resources to mitigate it, or simply to accept the consequences.

38
Q

What is the most common way to help manage risk?

A

Introduction of key controls into the firm's processes

39
Q

6.3.3 Controls as a method of operational risk mitigation? Two types and examples

A

Controls and check points are designed into processes to detect errors and prevent fraud and theft. The identification of gaps in these controls is a key objective of the ORM function.

Two common types:
Preventative controls - prevent errors occurring in the first place; they tackle the root cause. An example would be the provision of individual IT passwords; others include setting up maintenance, training, and the use of systems to eliminate risk.
Detective controls - detect errors once they have occurred; quality assurance checks fall under this category.
40
Q

Financial crime compliance? Money laundering and terrorist financing requirements

A

Money laundering = the act of turning dirty money into money which appears to be legitimate. Three stages - placement, layering, integration.

Terrorist financing and money laundering requirements under AML - customer identification, record-keeping, reporting suspicious activity.

41
Q

What is the set of risk management responses by firms for financial crime?

A

1) Educate staff on society, the firm and individuals
2) Systems and controls
3) Monitor staff compliance
4) Escalate behavioural exceptions
5) Inform the authorities

42
Q

Operational resilience? The two plans, what both are subject to, and what firms also need

A

A business will need these two pieces of planning to operate after a disaster.
- Business continuity plan - deals with premises and people
- Disaster recovery plan - procedures which deal with IT and other infrastructure required to keep the business running

Both of these must be subject to regular testing and brought up to the required standard. Firms also need a crisis management team.

43
Q

Outsourcing

A

Outsource some aspects of the business to third parties to manage risk

44
Q

Insurance

A

Firms may take out insurance policies to cover losses

45
Q

What are the 10 steps to cyber security?

A

- Information risk management regime
- Secure IT systems
- Network security
- Penetration testing
- Managing user privileges
- User education and awareness
- Incident management
- Malware prevention
- Monitoring
- Removable media controls
- Home and mobile working

46
Q

Data protection - the fines

A

Fines up to £20 million or 4% of global revenue
47
Q

How is historical loss data used in managing operational risk?

A

Two main ways this data is used:
Escalation threshold - losses of various amounts are escalated to pre-defined levels within the organisation. This allows governance bodies to monitor losses.
Loss causal analysis

48
Q

Give three examples of ways to reduce the operational risk associated with information and physical security

A

- Visible ID cards
- Signing in visitors
- Vetting all staff and contractors for previous criminal records

49
Q

What stage in the operational risk framework focuses on acting on control indicators before they reach their predefined limits?

A

Risk monitoring

50
Q

Operational risk is best managed by whom? Who challenges and monitors them?

A

Business departments; the operational risk management function

51
Q

How can a firm reduce the likelihood of operational risk occurring?

A

Preventive controls; insurance, contingency and detective controls reduce the impact

52
Q

What does a bottom-up approach include?

A

Uses the experience of relevant personnel and loss data

53
Q

Losses from discrimination rules are based on what?

A

Employment practices

54
Q

What is the development of key process controls an example of?

A

Risk mitigation

55
Q

Why is segregation of duties established?

A

To effectively manage and control processes

56
Q

What is used to conduct in-depth investigations to understand losses?

A

Loss causal analysis

57
Q

What is the primary purpose of identifying and categorising OR?

A

Establish the firm's risk profile and appetite

58
Q

Which stage in money laundering helps effectively identify customers?

A

Placement

59
Q

Losses arising from a breach of fiduciary duties include?

A

Business practices