Chapter 3 - Risk Definition and Taxonomy Flashcards
Is technology a risk or resource
a resource
is manual processing considered a risk
it’s a cause/risk driver - increases probability of risk, e.g. input errors and omissions
what are the Risks due to manual processing
errors in the valuation of funds, errors in accounting records, omitting to send reports to clients
are Inadequate supervision or insufficient training considered risks
they are control failures
solution to control failures
fix the control. Or add a secondary control
what can Inadequate supervision lead to
internal fraud, sub-standard productivity resulting in customer dissatisfaction or loss.
how should Risks be defined
negative events, uncertainties, incidents or accidents. They should be specific and concrete
simple question to define risks
“What could go wrong?”
Basel category level 1
Event-type category
Basel category level 2
categories (sub categories of level 1)
Basel category level 3
Activity examples
Level 2 categories of Internal fraud (level 1)
- Unauthorised activity
- Theft and Fraud
Level 2 categories of external fraud (level 1)
- Systems security
- Theft and Fraud
Risk of too much detail in risk identification
detrimental to quality of information and is difficult to review - drains effort without benefits
How many levels of regulatory categories does the Basel committee recognise
2 levels of category, level 3 is just for detail/examples
what is required for firms to categorise risks
firms are required to map risk categories to the Basel categories
what do firms not have to do when classifying risks
doesn’t have to define a firm’s risk taxonomy these days
When was the basel classification drafted
almost 20 years ago
what has led to an increase in cybercrime
mass digitization
what has multiplied the risks of outsourcing project/change management, and information management
Business transformation and wider international operations
what have business practices been renamed as
conduct
what did ’08 highlight the need for a higher focus on
“conduct,” anti-money laundering (AML), international sanctions and preventing tax-evasion
how many risk classifications does Basel have
7
dictionary definition of taxonomy
a “scheme of classification.”
what does taxonomy mean in terms of risk management
categorizing risks and recording causes, impacts and controls as a MECE system
what’s a MECE system
Mutually Exclusive and Collectively Exhaustive
Basel definition of operational risk
“The risk from failed internal processes, people, systems or external events”
What was initially counted as a loss from operational risk in the 1990s - what did this grow to include
At first only financial, now reputational is included
What are the current four commonly used categories for the impacts of operational risks
financial, reputation, regulatory non-compliance and customer detriment
Which firms find continuity of services important
online financial services or trading platforms
a common category of impact for firms where continuity of service is important
service disruption
PPSE / causes of risk in a MECE taxonomy
people, processes, systems or external events
The four main categories of controls in a MECE taxonomy
Preventive, Detective, Corrective, Directive
Preventive control
reduce likelihood of risks by mitigating their causes
Detective control
during the event/soon after, early detection to reduce impact
Corrective control
reduces impacts caused by incidents. Damage is repaired /loss compensated by using backup and redundancies
Directive control
comprises guidelines and procedures that structure the mode of operations to reduce risks.
When does detective control have a preventative element
if detection also identifies the cause of an incident
4 parts of a MECE taxonomy
Causes
Risks
Impacts
Controls
4 impacts of risks in a MECE taxonomy
Financial loss
Reputation damage
Regulatory breach
Customer detriment
Operations risk L1 code
5
Information security risk L1 code
6