Chapter 3 - Operational risk Flashcards
What does the Basel Committee define operational risk as?
What does the definition include and exclude?
The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
OR includes legal risk but excludes strategic and reputational risk.
What does the Basel Committee require banks to do in respect of OR?
Hold regulatory capital against operational risk losses.
What are the seven operational risk event types?
Internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; execution, delivery and process management.
Which risks are easily identified?
Market and credit risk are directly observable (prices, defaults); operational risk is not.
What other risks are affected by operational risk?
- Reputational risk
- Compliance/regulatory risk
- Credit risk
- Market risk
- Liquidity risk
- Investment risk
What is an operational risk policy?
Provides a roadmap for the organisation on how it operates with regard to operational risk. It should take a company-wide approach rather than a departmental one.
What does an operational risk policy address?
- Key officers
- Roles and responsibilities
- Segregation of duties
- Cross-functional involvement and agreement
- Consequences of non-compliance
Who are the key officers and what are their duties?
Line managers - day-to-day monitoring of operational risk and reporting upwards to the board
Senior business managers - responsible for the risks of their own side of the business
Group risk management function - overall view of the firm's risk
Certain staff - act as risk representatives and have dual reporting lines (to their business line and to the risk function)
What is the role of the operational risk management function?
- Work with managers and other risk owners to assess risk
- Provide a reporting framework for risk representatives
- Support and maintain operational risk systems
- Benchmark against good industry practice
- Provide risk oversight and monitoring
- Escalate issues
- Conduct qualitative operational risk analysis
- Statistical modelling
What are the common methods of identifying operational risk?
- Self-assessment
- KRIs (key risk indicators)
- Risk and control workshops
- Loss data causal and trend analysis
- External loss data
- Audit reviews
What are the stages of a risk management framework?
- Risk identification
- Risk measurement and assessment
- Management and control
- Risk monitoring
- Risk reporting
- Operational risk policy
What is self-assessment risk identification? What are its limitations?
- Involves a checklist of the risks that a particular area of the firm faces.
Managers are then required to score each risk by probability and impact.
The limitations are:
- It is subjective, and combining the scores across different areas can be difficult.
What is risk categorisation? Give examples for each operational risk category.
- Grouping operational risks by their source: people, processes, systems and external events.
Examples:
People - inadequately defined roles and responsibilities
Process - lack of written procedures
System - passwords being shared (no individual accountability for actions on the system)
External - outsourced supplier delivering late
What are the main reasons for measuring and assessing operational risk?
- Establish quantitative baseline for improving control environment
- Provide incentive for risk management
- Improve management decision-making
- Satisfy regulators and shareholders
- Make an assessment of financial risk exposure
What is the main difficulty in measuring operational risk? How has this been addressed?
Lack of relevant and objective data: many firms have no history of loss data.
The banking and insurance industries have addressed this by anonymously sharing their loss data with other firms in the same industry.
What are the basic terms used in the assessment and measurement of operational risk?
Risk measurement - the use of quantitative techniques to understand the risk profile. This includes statistics such as the firm's risk indicators.
Risk assessment - makes use of whatever objective data is available, and adds human judgement to estimate likelihood and impact.
What is an impact and likelihood assessment? Is it subjective or objective? What is severity ranked on? Example of ratings?
One of the simplest methods of assessing risks; it ranks risks in order of severity. It can be subjective (using the experience of professionals) or objective (supported by historical data).
Severity is ranked on two criteria: the likelihood of the risk being realised and the magnitude of its impact.
Likelihood = very low = 1 = not likely to occur in 10 years
Impact = very low = 1 = less than £1,000
What is the overall risk score in an impact/likelihood assessment?
The risk score is the product of the likelihood rating and the impact rating:
Risk score = Likelihood score x Impact score
What is a heat map?
A heat map is where risk can be plotted according to its score, and colour coded to give an indication of which risks are inside/outside of risk tolerance.
high score = red
low score = green
How are risks scored on a gross and net basis? What does a gross/net approach allow?
Gross risk = assumes that there are no controls in place, or that the controls have failed.
Net risk = takes the control environment into account.
Scoring both allows the effectiveness of the controls to be evaluated separately from the risks they mitigate.
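The scoring, gross/net split and heat-map banding described in the cards above, worked through in code. This is an added illustration, not material from the original course: the 1-5 rating bands (beyond the two anchors the cards give), the amber band, the tolerance thresholds, the modelling of controls as whole-step reductions in likelihood (preventative) or impact (detective), and the sample register are all assumptions made for the example.

```python
"""Likelihood x impact scoring with gross/net scores and heat-map bands.

Added example. Scales, tolerance thresholds and the control model are
assumptions for illustration; the four sample risks are constructed from
the risk-categorisation examples (people, process, system, external).
"""
from dataclasses import dataclass

# 1..5 scales. Only the "1" anchors come from the course notes; the other
# bands are assumed here so the scale is usable end to end.
LIKELIHOOD_SCALE = {
    1: "not likely to occur in 10 years",
    2: "may occur once in 5-10 years",
    3: "may occur once in 1-5 years",
    4: "likely to occur about once a year",
    5: "likely to occur several times a year",
}
IMPACT_SCALE = {
    1: "less than £1,000",
    2: "£1,000 - £10,000",
    3: "£10,000 - £100,000",
    4: "£100,000 - £1m",
    5: "more than £1m",
}

# Heat-map bands: score >= 15 is red (outside tolerance), >= 8 amber, else
# green. The amber band and the cut-offs are assumed, not from the notes.
HEAT_BANDS = ((15, "red"), (8, "amber"), (0, "green"))


@dataclass(frozen=True)
class Risk:
    name: str
    category: str            # people / process / system / external
    likelihood: int          # gross rating, assuming controls absent or failed
    impact: int              # gross rating
    preventive_steps: int    # assumed: rating steps removed from likelihood by preventative controls
    detective_steps: int     # assumed: rating steps removed from impact by detective controls


def _check_rating(value: int) -> int:
    if value not in LIKELIHOOD_SCALE:       # both scales share the 1..5 keys
        raise ValueError(f"rating must be 1-5, got {value!r}")
    return value


def risk_score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood score x impact score."""
    return _check_rating(likelihood) * _check_rating(impact)


def gross_score(r: Risk) -> int:
    return risk_score(r.likelihood, r.impact)


def net_score(r: Risk) -> int:
    """Net score after controls; a rating never drops below 1."""
    net_likelihood = max(1, r.likelihood - r.preventive_steps)
    net_impact = max(1, r.impact - r.detective_steps)
    return risk_score(net_likelihood, net_impact)


def band(score: int) -> str:
    """Colour band for a score on the heat map."""
    for threshold, colour in HEAT_BANDS:
        if score >= threshold:
            return colour
    raise AssertionError("unreachable: lowest band starts at 0")


def score_register(risks) -> list:
    """Score every risk gross and net, highest residual exposure first."""
    rows = []
    for r in risks:
        g, n = gross_score(r), net_score(r)
        rows.append({
            "name": r.name, "category": r.category,
            "gross": g, "gross_band": band(g),
            "net": n, "net_band": band(n),
            "control_benefit": g - n,   # what the controls are buying, evaluated separately
        })
    return sorted(rows, key=lambda row: (row["net"], row["gross"]), reverse=True)


def outside_tolerance(risks, worst_acceptable="green") -> list:
    """Risks whose net score still sits above the acceptable band."""
    order = [colour for _, colour in HEAT_BANDS]          # red, amber, green
    limit = order.index(worst_acceptable)
    return [row for row in score_register(risks) if order.index(row["net_band"]) < limit]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Shared IT passwords", "system", 4, 4, preventive_steps=2, detective_steps=1),
    Risk("Outsourced supplier delivers late", "external", 3, 3, preventive_steps=0, detective_steps=0),
    Risk("No written procedures", "process", 4, 2, preventive_steps=2, detective_steps=0),
    Risk("Inadequately defined roles", "people", 3, 4, preventive_steps=1, detective_steps=1),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['name']:<36} gross {row['gross']:>2} ({row['gross_band']})  "
              f"net {row['net']:>2} ({row['net_band']})  benefit {row['control_benefit']}")
```

The shared-passwords risk is the instructive row: gross 16 (red) falls to net 6 (green) once individual accounts and log monitoring are assumed, while the outsourcer risk, with no controls modelled, keeps the same score gross and net and is the only entry left outside tolerance. Keeping the gross rating in the register is what makes the control benefit visible if those controls later fail.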
What are the advantages of an impact and likelihood assessment? What are the disadvantages?
Advantages
- Provides a simple method of viewing risks
- Provides an evaluation of each risk
- Focuses attention on the most important risks
- Can be used with minimal hard data
- Captures a wide range of risk possibilities
- Encourages a risk-aware culture
Disadvantages
- Presents an over-simplified, subjective view
How should subjective assessments be validated?
- Against real loss data
- By an independent party, such as internal audit, a central risk function or peer review
What is scenario analysis?
A top-down approach that highlights potential combinations of risks so that preventative action can be taken. The scenarios are typically built from events that have occurred in the past, in the firm or elsewhere in the industry.
What is a bottom-up approach?
Seeks to analyse the individual risks and the adequacy of controls across business processes. It builds up a detailed profile of the risks that occur in each area and provides an overall measure of exposure for each department.
Advantages - addresses both risk and control; accountability is clearly defined; encourages continuous improvement
Disadvantages - takes time to implement; subjectively influenced; not straightforward to aggregate
How can KRIs be used for operational risk? Advantages and disadvantages?
The firm identifies indicators for its top-rated risks and plots them over time against limits.
Advantages
- They allow trends to be monitored, they allow limits of acceptability to be set, and they provide a basis for objective risk measurement
Disadvantages
- Can skew business performance if managers start managing to their KRIs in an attempt to improve their bonus ratings
How can historical loss data be used in measuring operational risk?
It records the actual losses experienced by the firm and can be used in the measurement process, through benchmarking or statistical methods.
Loss distribution curve = a distribution fitted to past losses and used to predict future losses
'Fat tail' = reflects the fact that losses are not normally distributed: very large losses occur more often than a normal distribution would predict
What do expected and unexpected losses mean?
Expected = errors that occur with reasonable frequency; they represent known process weaknesses that are part of the company's risk profile and are budgeted for.
Unexpected = low-frequency, high-impact events that cause serious problems; these are what capital is held against.
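The loss distribution curve, fat tail and expected/unexpected split in the cards above, illustrated numerically. This is an added example, not from the course: it assumes a simple frequency/severity simulation (Poisson number of events per year, log-normal severity per event) with constructed parameters, and uses it to show that the high-confidence tail of such a distribution sits well beyond where a normal distribution with the same mean and standard deviation would put it. Expected loss is taken as the mean annual loss and unexpected loss as the gap between a high quantile and that mean, which is the usual convention but is not spelled out on the page.

```python
"""Simulated annual loss distribution: expected vs unexpected loss.

Added example. The frequency/severity model and its parameters are
assumptions for illustration, not data from the course notes.
"""
import math
import random
import statistics

# One-sided normal quantiles used for the "if losses were normal" comparison.
NORMAL_Z = {0.99: 2.326, 0.999: 3.090}


def _poisson(rng: random.Random, mean: float) -> int:
    """Number of loss events in a year (Knuth's method; fine for small means)."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(years: int, events_per_year: float,
                           median_severity: float, severity_sigma: float,
                           seed: int = 7) -> list:
    """Total loss for each simulated year.

    Severity per event is log-normal: median_severity is the typical loss,
    severity_sigma controls how fat the tail is (larger = fatter).
    """
    rng = random.Random(seed)
    mu = math.log(median_severity)
    totals = []
    for _ in range(years):
        n = _poisson(rng, events_per_year)
        totals.append(sum(rng.lognormvariate(mu, severity_sigma) for _ in range(n)))
    return totals


def quantile(values: list, q: float) -> float:
    """Empirical q-quantile (nearest-rank)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def expected_and_unexpected(losses: list, confidence: float = 0.999) -> dict:
    """Expected loss = mean; unexpected loss = quantile at `confidence` minus mean."""
    expected = statistics.fmean(losses)
    tail = quantile(losses, confidence)
    return {"expected": expected, "tail": tail, "unexpected": tail - expected}


def normal_tail_estimate(losses: list, confidence: float = 0.999) -> float:
    """Where the same quantile would sit if annual losses were normally distributed."""
    return statistics.fmean(losses) + NORMAL_Z[confidence] * statistics.pstdev(losses)


def fat_tail_ratio(losses: list, confidence: float = 0.999) -> float:
    """> 1 means the real tail is fatter than a normal distribution would predict."""
    return quantile(losses, confidence) / normal_tail_estimate(losses, confidence)


# Constructed parameters: ~20 events a year, typical event £5,000, fat tail.
SAMPLE_LOSSES = simulate_annual_losses(years=10_000, events_per_year=20,
                                       median_severity=5_000, severity_sigma=1.5)

if __name__ == "__main__":
    summary = expected_and_unexpected(SAMPLE_LOSSES)
    print(f"expected loss (budget):      £{summary['expected']:,.0f}")
    print(f"99.9% annual loss:           £{summary['tail']:,.0f}")
    print(f"unexpected loss (capital):   £{summary['unexpected']:,.0f}")
    print(f"normal-distribution estimate £{normal_tail_estimate(SAMPLE_LOSSES):,.0f}")
    print(f"fat-tail ratio:              {fat_tail_ratio(SAMPLE_LOSSES):.1f}x")
```

The point of the comparison line is the one the 'fat tail' card makes: sizing capital from a normal assumption would understate the 99.9% loss by a large multiple, because a handful of very severe events dominate the tail even though the typical event is small.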
What are the practical obstacles to implementing an operational risk management framework?
- Data collection constraints
- Cultural constraints
- Resource and cost constraints
- Indicator constraints - it is difficult to design meaningful risk indicators
What would be the headings in a risk register?
- Objectives
- Description of risk
- Risk ranking
- Lead person or department
- Action plan
- Target and completion date
- Sources of assurance and oversight
- Mitigating controls
- Gross, net and residual risk
How can a risk be completely avoided?
- Withdrawing from an activity
- Changing a product offering
- Deciding not to take on new business
What is the most common way of managing risk?
Introduction of key controls into the firm's processes.
Controls as a method of operational risk mitigation?
Two types and examples
Processes should have controls and checkpoints designed into them to detect errors and to prevent fraud and theft. Identifying gaps in these controls is a key objective of the ORM function.
Two common types
Preventative controls - prevent errors occurring in the first place; they tackle the root cause. An example is the provision of individual IT passwords (one account per user, so actions can be attributed and credentials are not shared); others include scheduled maintenance, training, and the use of systems to eliminate manual steps.
Detective controls - detect errors once they have occurred; quality assurance checks and reconciliations fall under this category.
Financial crime compliance? Money laundering and terrorist financing requirements
Money laundering = the act of turning dirty money into money which appears to be legitimate.
Three stages
- Placement, layering, integration
Anti-money-laundering and counter-terrorist-financing requirements:
- Customer identification (know your customer), record-keeping, reporting suspicious activity
Operational resilience? The two plans, what both are subject to, what firms also need
A business needs these two pieces of planning in order to keep operating after a disaster.
- Business continuity plan - e.g. where will staff work if the office is out of action?
- Disaster recovery plan - procedures dealing with the IT and other infrastructure required to keep the business running.
Both must be subject to regular testing; an untested plan is not evidence of resilience.
Firms also need a crisis management team.
Outsourcing
A firm may outsource some aspects of its business to third parties to manage risk; it remains responsible for the outsourced activity and the risks it carries.
Insurance
Firms may take out insurance policies to cover losses.
What are the 10 steps to cyber security (UK NCSC)?
- Information risk management regime
- Secure configuration
- Network security
- Managing user privileges
- User education and awareness
- Incident management
- Malware prevention
- Monitoring
- Removable media controls
- Home and mobile working
Data protection - the fines
Fines of up to €20 million (£17.5 million under the UK GDPR) or 4% of global annual turnover, whichever is higher.
How is historical loss data used in managing operational risk?
Two main ways this data is used:
Escalation thresholds - losses above pre-defined amounts are escalated to the corresponding level within the organisation, allowing governance bodies to monitor losses.
Loss causal analysis - identifying the root cause of each loss so the underlying weakness can be fixed.
Give three examples of ways to reduce the operational risk associated with information and physical security
- Visible ID cards
- Signing in visitors
- Vetting all staff and contractors for previous criminal records