Chapter 3 - Operational risk Flashcards

1
Q

What does the Basel Committee define operational risk as?
What does it cover, and what does it exclude?

A

The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

Operational risk (OR) includes legal risk but excludes reputational risk.

2
Q

What does the Basel Committee ask banks to do to reduce OR?

A

Hold capital

3
Q

What are the seven operational risk types?

A

Internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; execution, delivery and process management.

4
Q

What risks are easily identified?

A

Market and credit risk are observable, but operational risk is not.

5
Q

What other risks are affected by operational risk?

A
  • Reputational risk
  • Compliance/regulatory risk
  • Credit risk
  • Market risk
  • Liquidity risk
  • Investment risk
6
Q

What is an operational risk policy?

A

Provides a roadmap to the organisation on how to operate with regard to operational risk. It should take a company-wide approach.

7
Q

What does an operational risk policy address?

A
  • Key officers
  • Roles and responsibilities
  • Segregation of duties
  • Cross-functional involvement and agreement
  • Consequences
8
Q

Who are the key officers and their duties?

A

Line managers - monitoring and reporting to the board
Senior business managers - responsible for their side of the business
Group risk management function - overall financial risk
Certain staff - act as risk representatives and have dual reporting lines

9
Q

What is the role of the operational risk management function?

A
  • Work with managers and other risk owners to assess risk
  • Provide reporting for risk representatives
  • Support and maintain operational risk systems
  • Benchmark good industry practice
  • Provide risk oversight and monitoring
  • Escalate issues
  • Conduct qualitative operational risk analysis
  • Statistical modelling
10
Q

What are the common methods of identifying operational risk?

A
  • Self-assessment
  • KRIs
  • Risk and control workshops
  • Loss data causal trend analysis
  • External loss data
  • Audit reviews
11
Q

What are the stages of a risk management framework?

A
  • Risk identification
  • Risk measurement and assessment
  • Management and control
  • Risk monitoring
  • Risk reporting
  • Operational risk policy
12
Q

What is self-assessment risk identification? What are its limitations?

A
Involves a checklist of the risks that a particular area of the firm faces. Managers are then required to score each risk by probability or impact.

Limitations:
- It is subjective, and combining the scores can be difficult

13
Q

What is risk categorisation? Give examples in operational risk.

A
Grouping operational risks into categories: people, systems, process and external events.

Examples:
People - inadequately defined roles and responsibilities
Process - lack of written procedures
System - passwords being shared
External - outsourced supplier delivering late

14
Q

What are the main reasons for measuring and assessing operational risk?

A
  • Establish a quantitative baseline for improving the control environment
  • Provide an incentive for risk management
  • Improve management decision-making
  • Satisfy regulators and shareholders
  • Make an assessment of financial risk exposure
15
Q

What is the main difficulty in measuring operational risk? How has this been addressed?

A

Lack of relevant and objective data; many firms do not have historic loss data.

The banking and insurance industries have anonymously shared their losses with other firms in the same industry.

16
Q

What are the basic terms used in the assessment and measurement of operational risk?

A

Risk measurement - describes the use of quantitative techniques to understand the risk profile. This includes statistics, such as the firm’s risk indicators.

Risk assessment - makes use of whatever objective data exists, and uses human judgement to estimate the impact.

17
Q

What is an impact and likelihood assessment? Is it subjective or objective? What is severity ranked on? Give an example of ratings.

A

One of the simplest methods of assessing risks; it ranks risks in order of severity. Assessments can be subjective (using the experience of professionals) or objective (supported by historical data).

Severity is ranked on two criteria: the likelihood of the risk being realised and the magnitude of its impact.

Likelihood = very low = 1 = not likely to occur in 10 years
Impact = very low = 1 = less than £1000

18
Q

What is the overall risk score for an impact/likelihood assessment?

A

The risk score is the product of the likelihood rating score and the impact rating score.

Risk score = Likelihood score x Impact score

19
Q

What is a heat map?

A

A heat map is a chart on which each risk is plotted according to its score and colour coded to indicate which risks are inside or outside risk tolerance.

High score = red
Low score = green

20
Q

How are risks scored separately on a gross/net basis? What does a gross/net approach allow?

A

Gross risk = assumes that there are no controls in place, or that the controls have failed.

Net risk = takes the control environment into consideration.

Allows the effectiveness of controls to be evaluated separately from the risks which they mitigate.

21
Q

What are the advantages of an impact and likelihood assessment? What are the disadvantages?

A
  • Provides a simple method of viewing risks
  • Provides an evaluation
  • Focuses on the most important risks
  • Can be used with minimal hard data
  • Captures a wide range of risk possibilities
  • Encourages a risk-aware culture

Disadvantages
- Presents an over-simplified, subjective view

22
Q

How should subjective assessments be validated?

A
  • Against real loss data
  • By an independent party, such as internal audit, a central risk function or peer review
23
Q

What is a scenario analysis?

A

A top-down approach of highlighting potential risk combinations so that preventative action can be taken. It uses scenarios that have occurred in the past.

24
Q

What is a bottom-up approach?

A

Seeks to analyse the individual risks and the adequacy of controls across business processes. It builds up a detailed profile of the risks that occur in each area and provides an overall measure of exposure for departments.

Advantages - addresses risk and control, accountability is defined, encourages continuous improvement

Disadvantages - takes time to implement, subjectively influenced, not straightforward

25
Q

How can KRIs be used for operational risk? Advantages and disadvantages?

A

The firm can work on its top-rated risks and plot the risk on a graph.

Advantages =
- They allow trends to be monitored, they allow limits of acceptability to be set, and they provide a basis for objective risk measurement

Disadvantages =
- Can cause skewed business performance if managers start managing to their KRIs in an attempt to enhance bonus ratings

26
Q

How can historical loss data be used in measuring operational risk?

A

It maps the actual losses experienced by the firm and can be used in the measurement process, using benchmarking or statistical methods.

A loss distribution curve = predicts future losses
‘Fat tail’ = reflects the fact that losses are not normally distributed

27
Q

What do expected and unexpected losses mean?

A

Expected = errors that occur with reasonable frequency; they represent known process weaknesses that are in the company’s risk profile.

Unexpected = low-frequency, high-impact events that cause serious problems.

28
Q

What are the practical obstacles to implementing an operational risk management framework?

A
  • Data collection constraints
  • Cultural constraints
  • Resource and costs constraints
  • Indicator constraints - it is difficult to design risk indicators
29
Q

What would be the headings in a risk register?

A
  • Objectives
  • Description of risk
  • Risk ranking
  • Lead person or department
  • Action plan
  • Target and completion date
  • Sources of assurance and oversight
  • Mitigating controls
  • Gross, net and residual risk
30
Q

How can a risk be completely avoided?

A
  • Withdrawing
  • Changing a product offering
  • Deciding not to take on new business
31
Q

What is the most common way to help manage risk?

A

Introduction of key controls into the firm’s processes

32
Q

Controls as a method of operational risk mitigation?

What are the two types, with examples?

A

Processes have controls and checkpoints designed into them to detect errors and to prevent fraud and theft. Identifying gaps in these controls is a key objective of the ORM function.

Two common types
Preventative controls - prevent errors from occurring in the first place; they tackle the root cause. An example would be the provision of individual IT passwords; others include setting up maintenance, training, and the use of systems to eliminate risk.

Detective controls - detect errors once they have occurred; quality assurance checks fall under this category.

33
Q

Financial crime compliance? Money laundering and terrorist financing requirements

A

Money laundering = the act of turning dirty money into money which appears to be legitimate.

Three stages
- Placement, layering, integration

Terrorist financing requirements:
- Customer identification, record-keeping, report suspicious activity

34
Q

Operational resilience? The two plans, what both are subject to, and what firms also need

A

A business will need these two pieces of planning to operate after a disaster.

  • Business continuity plan - where will staff work if the office is out of action?
  • Disaster recovery - procedures which deal with the IT and other infrastructure required to keep the business running.

Both of these must be subject to regular testing.

Firms also need a crisis management team.

35
Q

Outsourcing

A

A firm may outsource some aspects of its business to third parties to manage risk.

36
Q

Insurance

A

Firms may take out insurance policies to cover losses.

37
Q

What are the 10 steps to cyber security?

A
  • Information risk management regime
  • Secure IT systems
  • Network security
  • Penetration testing
  • Managing user privileges
  • User education and awareness
  • Incident management
  • Malware prevention
  • Monitoring
  • Removable media controls
  • Home and mobile working
38
Q

Data protection - the fines

A

Fines up to £20 million or 4% of global revenue

39
Q

How is historical loss data used in managing operational risk?

A

Two main ways this data is used:

Escalation threshold - losses of various amounts are escalated to pre-defined levels within the organisation. This allows governance bodies to monitor losses.

Loss causal analysis

40
Q

Give three examples of ways to reduce the operational risk associated with information and physical security.

A
  • Visible ID cards
  • Signing in visitors
  • Vetting all staff and contractors for previous criminal records