Chapter 3 - Operational risk

Question 1

1.1 What does the Basel committee define operational risk as?
what does it cover, and exclude?

Answer 1

The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

OR includes legal risk but excludes reputational risk

Question 2

1.2 what does the Basel committee ask banks to do to reduce OR?

what does it recognize?

Answer 2

Hold capital

It recognizes that operational risk management depends on range of factors including: size, sophistication, nature of product and complexity

Question 3

what are the elements of an effective operational risk management framework?

Answer 3

clear risk oversight by boards and seniors

strong operational risk culture

strong internal controls culture

Effective internal reporting

Contingency planning

Question 4

What are the seven operational risk types?

Answer 4

Internal fraud, external fraud, employment practices/work safety, clients products and business practices, damage to physical assets, business disruption and systems failure, execution delivery and process management (failed transaction processes)

Question 5

1.3 What risks are easily identified?

Answer 5

Market and Credit risk are observable, but Operational risk is not.

Question 6

What other risks are affected by operational risk?

Answer 6

• reputational risk
• Compliance risk/regulatory
• credit risk
• markets risk
• liquidity risk
• investment risk

Question 7

what is an operational risk policy?

Answer 7

Provides a roadmap to organization on how to operate regarding operational risk. It should take a company-wide approach.

it is a document that outlines firm’s strategy and objectives for operational risk management. it is also a boundary for other risks, such as credit and market to be clarified.

it allows fairness and centralized controls

Question 8

what is included in a operational risk policy?

Answer 8

Building this framework includes:
- defining the firm’s operational risk appetite
- defining methodoly used to identify and categories the operational risks that are in the org
- defining the methodoly to measure
- assigning responsibility to line managers to own the mitigating actions
- assigning responsibility for monitoring the effects
- establishing the reporting and escalating mechanisms

Question 9

what is the process of defining an operational risk policy?

Answer 9

cyclical and continuous , maturing in line with the firms understanding of its operational risk profile.

Question 10

What does an operational risk policy address?

Answer 10

• Key officers
• Roles and responsibilities
• Segregation of duties
• cross-functional involvement and agreement

Question 11

Who are the key officers and their duties?

Answer 11

Line managers - Monitoring and reporting to board
Senior business managers - Responsible for operational risk in their areas
Group risk management function - overall financial risk
Certain staff - Risk representatives/champions for behalf of the owning manager and have dual reporting lines

Question 12

3.3.1 What is the role of operational risk management function?

Answer 12

• work with managers and other risk owners to access
• provide a reporting for risk representatives
• support and maintain operational risk systems
• benchmark good industry practice
• provide risk oversight and monitoring
• issues escalated
• conduct qualitative operational risk analysis (loss casual analysis (trends), HR reports from exit interviews, internal audits
• statistical modelling

Question 13

what are the common identifications of operational risk?

Answer 13

• Self-assessment
• KRIs
• Risk and control workshops
• loss data casual trend analysis
• external loss data
• audit reviews

requires full involvement from risk owners and support from risk functions.

Question 14

managing the risk and reduction of potential impact and occurrence.

How to reduce impact of it materializing

How to reduce impact if it does materialise?

Answer 14

reduce impact of it
- identify risk
- establish clear ownership
- set up risk indicators

If it does materialise
- insurance polices
- speedy escalation
- assign owner

Question 15

3.3.2 What are the stages of a risk management framework?

Answer 15

• Risk identification
• Risk measurement and assessment
• Management and control
• Risk monitoring
• Risk reporting
• Operational risk policy

Question 16

3.3.3 Understand purpose of identifying and categorising risks

Answer 16

purpose - to help establish risk profile and appetite for risk

categories will enable:
- common language
- capital allocation
- understanding each OR thing better

Question 17

3.4.2 What is a self-assessment risk identification? The limitations? how to overcome

Answer 17

Involves a checklist of the risks that a particular area of the firm faces, managers and staff then score the risks based on profitability or impact.

The limitations are:
- It is subjective, combining the scores can be difficult, it can be difficult to work out average.

To overcome this weakness, assemble key staff in a workshop and brain storm risks.

Question 18

3.4.3 what is risk categorisation? Examples in operational risk

Answer 18

• Combining the use of operational risks, people, systems, process, External events.

Examples:
people - inadequate defined roles and responsibilities
Process - lack of written procedures
System - Passwords being shared
External - outsource supplier late

Question 19

3.5.1 What are the main reasons for measuring and assessing operational risk?

Answer 19

• Establish quantitative baseline for improving control environment
• Provide incentive for risk management
• Improve management decision-making
• Satisfy regulators and shareholders
• Make an assessment of financial risk exposure

Question 20

What is the main difficulty of measuring operational risk? How has this tried to be sorted?

Answer 20

Lack of relevant and objective data, many firms do not have historic data loss

Banking and insurance industries has anonymously shared their losses with other firms in same industry

Question 21

3.5.2 What are the basic terms used in the assessment and measurement of operational risk?

Answer 21

Risk measurement - describes use of quantitative techniques to understand risk profile. This includes statistical modelling, predictions, such as firm’s risk indicators. refers to activities and decisions that are intended to control a risk.

Risk assessment - makes use of whatever objective data is there, and uses human judgement to estimate the impact.

Question 22

3.5.3 What is an impact and Likelihood Assessment? What is it s/o? What is the severity ranked on? Example of ratings?

Answer 22

One of the simplest methods of assessing risks and ranks risks in order of severity. They can be subjective (Using experience of professionals) or objective (being supported by historical data)

Severity ranked on two criteria’s: Likelihood of risk being realised and the magnitude of impact.

Very low = 1 = not likely to occur in 10 years
Impact = very low = 1 = less than £1000

Question 23

What is the overall risk score for a impact/likelihood assessment?

Answer 23

Risk score is the product of the likelihood rating scores and the impact rating scores

Risk score = Likelihood score x Impact score

Question 24

What is a heat map?

Answer 24

A heat map is where risk can be plotted according to its score, and colour coded to give an indication of which risks are inside/outside of risk tolerance.

high score = red
low score = green

Question 25

How are risk scored separately on a gross/net basis? What does a gross/net approach allow?

Answer 25

Gross risk = assumes that there are no controls in place/ controls failed. Net risk = consideration of control environment. Allows the effectiveness of controls to be evaluated separately from the risks which they mitigate.

Question 26

what are the advantages of an impact and likelihood assessment? what are the disadvantages?

Answer 26

- Provides a simple method to view - Provides an evaluation - Focuses on most important risk - Can be used with minimal hard data - Captures wide range of risk possibilities - Encourages risk aware culture Disadvantages - presents an over-simplified subjective view

Question 27

how should subjective assessments be validated?

Answer 27

- real loss data - independent party, such as internal audit, a central risk function or peer review

Question 28

What is a scenario analysis?

Answer 28

Top-down approach of highlighting potential risk combinations in order to allow preventative action to be taken. It uses scenarios that have occurred in the past

Question 29

what is a bottom-up approach?

Answer 29

Seeks to analyse the individual risks and adequacy of controls across business processes. It builds up a detailed profile of the risk that occur in each area and provides an overall measure of exposure for departments. involves line managers. Advs - Address risk and control, Accountability is defined, encourages continuous improvements Disadvs - Takes time to implement, Subjectively influenced, not straight-forward

Question 30

3.5.4 How can KRI's be used for operational risk? Adv and Dis

Answer 30

The firm can work on their top rating risks and plot the risk on a graph. Advantages = - They allow trends to be monitored, they allow limits of acceptability, they provide a basis for objective risk measurement Disadvantages = - Can cause skewed business performance if managers start managing to their KRI's in attempt to enhance bonus ratings

Question 31

3.5.5 How can a historical loss data be used in measuring operational risk?

Answer 31

It maps the actual losses experienced by the firm and can be used in measurement process, using benchmarking or statistical methods. A loss distribution curve = predicts future losses 'Fat tail' = reflects the fact that losses are not normally distributed

Question 32

What does expected and unexpected losses mean?

Answer 32

Expected = errors that occur with reasonable frequency, they represent known process weakness that are in the company's risk profile. Unexpected = low-frequency, high-impact event that causes serious problems.

Question 33

3.5.6 what are the practical obstacles to implement an operational risk management framework?

Answer 33

- Data collection constraints - Cultural constraints - Resource and costs constraints - Indicator Constraints - difficult to design risk indicators

Question 34

3.6.1 What would be the headings in a risk register?

Answer 34

- Objectives - description of risk - Risk ranking - Lead person or department - Action plan - Target and completion date - Sources of assurance and oversight - Mitigating controls - Gross, net , residual risk

Question 35

3.6.2 what is the following method which includes transferring risk?

Answer 35

Risk transfer - using outsourcing or insurance

Question 36

3.6.2 How can a risk be completely avoided?

Answer 36

- withdrawing - changing a product offering - deciding not to take on new business

Question 37

3.6.2 What is the method risk acceptance includes?

Answer 37

Most common action is to introduce the key controls into firm's processes (this is only required when business has accepted the risk) Another method of managing risk exposure is expend resources to mitigate it, simply just accepting the consequences.

Question 38

what is the most common way to help manage risk?

Answer 38

Introduction of key controls into the firm's processes

Question 39

6.3.3 Controls as a method of operational risk mitigation? Two types and examples

Answer 39

controls and check points design into them to detect errors and prevent fraud and theft. The identification of these controls gaps is a key objective of ORM function. Two common types Preventative controls - Prevent errors occurring in the first place, they tackle the root of cause. An example would be the provision of Individual IT passwords, others include setting up maintenance, training, use of systems to eliminate risk. Detective controls - Detect errors once they have occurred, and quality assurance checks fall under this category

Question 40

Financial crime compliance? Money laundering and Terrorist Financing requirements

Answer 40

Money laundering = act of turning dirty money into money which appears to be legit. Three stages - Placement, layering, integration Terrorist financing requirements and money laundering by the AML - Customer identification, record-keeping, report suspicious activity

Question 41

what are the set of risk management responses by firms for financial crime?

Answer 41

1) Educate staff on society, firm, individuals 2) systems and controls 3) monitor staff compliance 4) escalating behavioural exceptions 5) informing authorities

Question 42

Operational Resilience? the two plans, what both are subject to. what firms also need

Answer 42

A business will need these two-pieces of planning to operate after a disaster. - Business continuity plan - Deals with premises and people - Disaster recovery - procedures which deal with IT and other infrastructure required to keep business running. Both of these must be subject to regular testing and brought to required standard. Firms must also need a crisis management team.

Question 43

Outsourcing

Answer 43

outsource some aspects of its business to third parties to manage risk

Question 44

Insurance

Answer 44

Firms may get insurance policies to cover losses

Question 45

what are the 10 steps to cyber security?

Answer 45

- Information risk management regime - secure IT systems - Network security - Penetration Testing - Managing user privileges - User education and awarness - incident management - malware preventation - monitoring - removable media controls - home and mobile working

Question 46

Data protection - the fines

Answer 46

Fines up to £20 million or 4% of global revenue

Question 47

how is historical loss data used in managing operational risk?

Answer 47

Two main ways this data is used: Escalation Threshold - losses of various amounts are escalated to pre-defined levels within the organisation. Allows governance bodies to monitor losses Loss Causal analysis

Question 48

give three examples of ways to reduce the operational risk associated with information and physical security?

Answer 48

- visible ID cards - sign-in visitors - vetting all staff ad contractors for previous criminal records

Question 49

what stage in the operational risk framework focuses on acting on controls indicators before they reach their predefined limits?

Answer 49

risk monitoring

Question 50

operational risk is best managed by who? who challenges and monitors them?

Answer 50

Business departments operational risk management function

Question 51

how can a firm reduce the likihood of operational risk occuring?

Answer 51

preventive controls insurance, contingency and detective controls reduce the impact

Question 52

what does a bottom-up approach include?

Answer 52

uses experience of relevant personnel and loss data

Question 53

losses from discrimination rules are based on what

Answer 53

employment practises

Question 54

what is the development of key process controls an example of?

Answer 54

risk mitigation

Question 55

why is segregation of duties established?

Answer 55

effectively manage and control processes

Question 56

what is used to conduct in-depth investigations to understand losses?

Answer 56

loss casual analysis

Question 57

what is the primary purpose of identifying and categorising OR?

Answer 57

establish firms risk profile and appetite

Question 58

which stage in money laundering helps effectively identify customers?

Answer 58

Placement

Question 59

losses arising from a breach of fiduarcy duties include?

Answer 59

Business practises