Chapter 6: Operational Risk Tools - Operational Risk Indicators Flashcards
What are the potential limitations and challenges of using risk and control indicators in operational risk management?
Risk and control indicators are beneficial for operational risk management, but they have limitations.
* They provide an indication, not a full picture, of risk exposure and control effectiveness.
* They can offer early warnings but also false alarms.
* Some indicators may temporarily align with the risk or control they track but may not indicate the causes of operational loss events and control failures.
* Not all risks can be measured via risk indicators, and finding good ones is challenging.
* A bad indicator can mislead senior management, so no indicator is sometimes better.
What are risk indicators in operational risk management and can you provide some examples?
Risk indicators are metrics that monitor changes in risk exposure.
* Risk indicators provide information on the exposure to a specific operational risk at a given time, often indicating changes in inherent risk, the risk present without controls. Examples of risk indicators include:
* Staff turnover: Linked to internal fraud, process errors, data entry errors, and employee relations. High turnover may indicate low morale and higher operational risks.
Number of attempted hacking attacks: Indicates the level of hacking activity and if the organization is a target. Linked to external fraud and systems failure.
Systems availability: A measure of IT systems reliability.
Credit rating of key third-party contractors: A weak financial position increases the likelihood of failure. Linked to the failure of a key supplier or outsourcing partner.
Staff satisfaction surveys: Dissatisfied staff are more likely to commit fraud or behave negligently, leading to employee relation issues and other risks.
What are Control Indicators (CIs) or Key Control Indicators (KCIs) in operational risk management and can you provide some examples?
Control Indicators (CIs) or Key Control Indicators (KCIs) are metrics that assess if a control is meeting its objectives, indicating whether a control is functioning as intended.
Examples of control indicators include:
Frequency of data backups: Linked to systems failures and damage to physical assets. Infrequent or missed backups increase the risk of data loss.
Frequency of fire alarm tests and building evacuations: Linked to damage to physical assets. Infrequent testing increases the risk of control failure.
**Delays in patching IT systems: **Linked to systems failure and external fraud. Delays in software patches increase the risk of system failure or hacking attacks.
What are performance indicators and how can they impact operational risk management?
Performance indicators are metrics that measure organizational performance or the achievement of business targets. They are typically more relevant to finance, accounting, and general business management than to operational risk.
However, some performance indicators can impact operational risk management. For example:
Asset growth: Fast-growing organizations are often more vulnerable to operational risk events due to the inability of existing systems and controls to keep up with rapid growth or because management/employees become overloaded.
Cost to income ratio: An increasing ratio shows rising costs versus income. This could lead to pressure to cut costs and relax control environments to save money, potentially leading to an operational risk event.
Customer retention: Low levels of customer retention could indicate competitors offering more attractive products or failings in operational processes resulting in poor customer service.
Can there be overlaps between different types of metrics in operational risk management?
- Yes, in operational risk management, some metrics can serve as performance, risk, and control indicators.
- If a metric indicates operational risk, it should be used regardless of its label. For instance, high IT system downtime may be a performance indicator due to a successful new product, but it could also indicate data entry/integrity risks.
Examples of overlapping metrics include poor call centre performance, **inability to adhere to budgets, reduction in operational efficiency, and overdue deal confirmations.
** These metrics can indicate various risks such as customer complaints, potential for internal fraud, weaknesses in processes and systems, and increased risk of legal disputes or processing errors.
What is the role of risk and control indicators in operational risk management and what are some considerations when selecting these indicators?
*Risk and control indicators are essential in operational risk management for risk identification, risk and control assessments, and implementing effective risk appetite and governance frameworks.
* They indicate risk exposure, control effectiveness, or performance, and can warn of changes in operational risk exposure or control effectiveness.
* However, due to time and expense, it’s impractical to monitor all potential operational risk and control indicators.
* If too many indicators are monitored, it may overwhelm management.
The desirable features of operational risk indicators
- Relevant-The indicator in question must be relevant to the element that is being monitored (e.g. a particular operational risk exposure or control).
-
Measurable -Indicators should be quantifiable for accuracy, aiding in trend identification and objective monitoring. Effective indicators should help organisations to predict future changes in risk exposure or control effectiveness, rather than simply indicating what has happened already. This means that they should be leading rather than lagging.
* Preventative (Leading)-indicators can be used to help reduce the likelihood of future operational risk loss events and or reduce their impact. - Easy to monitor
- Comparable
- Auditable
What are the two main approaches that organisations can use to select the operational risk or control indicators they want to monitor, and how do they differ?
***The top-down approach **-starts with senior management or directors choosing indicators to be monitored across the business.This approach can facilitate aggregation and senior management understanding.
* The bottom-up approach-allows business entity or other managers to choose and monitor their own sets of indicators, ensuring that they can select those most relevant to their particular situation.
* The selection process must take into account the results of the Risk Control Self-Assessment (RCSA), ensuring a clear linkage between identified operational risk exposures and the metrics chosen to gauge the changing levels of these exposures.
- What are the key elements to consider when changing the set of indicators used for operational risk monitoring in an organization?
- Review frequency.
- Authority for approving the addition, change, or removal of selected indicators.
- Procedures for handling data from a removed indicator, whether it will be retained or deleted.
- When replacing an indicator, deciding if past data should be recalculated or amended for the new indicator.
- Introduction of indicators for new products or business activities, including the duration of monitoring post implementation.
- Introduction of indicators following recommendations by department managers, regulators, and/or auditors.
*For geographically dispersed groups, ensuring that remote entities’ indicator selection processes align with the group as a whole to maintain consistent group-wide operational risk monitoring.
- should the indicator be removed or added?
- should the past data be considered or recalculated?
- Indicators to be introduced when new products or activities are implemented.
- When recommended by regulators
How many operational risk indicators should an organization monitor and what should be the frequency of monitoring?
Design Considerations:
*Number of Indicators: There’s no fixed rule for the number of indicators.The number of indicators should be determined based on the number and nature of the key operational risks identified.
* Frequency of Monitoring:The frequency typically aligns with the cycle of the activity related to the indicator.For instance, indicators related to real-time market transactions might require continuous monitoring, while others like staff turnover might be assessed monthly or quarterly.
* Other Factors:Other considerations include the availability of data required to monitor the selected indicators, the cost of processing or storing data for the selected indicators, and the intended audience for the indicators (local management, executive management, or governing body).
Remember, the goal is to select a set of indicators that provides a clear, accurate, and manageable view of the organization’s operational risk profile.
What is the significance of thresholds, limits, and targets in operational risk indicators, and how do they contribute to effective decision making?
- Thresholds, limits, and targets add value to operational risk indicators by providing a basis for effective decision making.
- Targets imply a specific value that the organization aims for. For example, a firm might set a target to reduce its operational losses below a certain amount or set a target level for staff turnover.
- Limits imply a maximum absolute or tolerable value for a particular indicator. For instance, a firm might set a limit on the delay permitted for overdue audit actions related to operational risk systems and controls.
- Thresholds imply a value which, when exceeded, requires management action.
These elements are closely linked to an organization’s operational risk appetite. They help firms make more effective use of their limited risk management resources by clarifying when action may be required.
What are the key considerations and methods for setting thresholds for operational risk indicators?
Risk Appetite: The organization’s appetite for risk influences the conservativeness of the thresholds. Greater risk appetite generally leads to less conservative thresholds.
Historical Values: Reviewing historical values of an indicator can help identify potential spikes and set relevant thresholds. However, clear correlations between indicators and identified events are rare.
Benchmark Data: Comparing the values of an indicator with those of peer organizations can provide a reference point for setting thresholds. This is common in areas like staff turnover.
Expert Judgment: If trend or benchmark data is not available, seeking expert judgment is an option. However, care is needed as expert opinions can differ significantly.
Periodic Review: Over time, as a firm becomes more risk aware, indicator thresholds should be tightened. This implies that the organization should periodically review not just the indicators it is using, but its thresholds also.
What are the considerations and procedures involved in changing and using thresholds for operational risk indicators?
Considerations
Risk Appetite: Align thresholds with your organization’s risk appetite and tolerance.
** Historical Data:** Analyze past KRI/KPI trends and fluctuations to guide threshold setting.
** Industry Benchmarks: Use benchmarks for context, not as the sole determinant.
** Qualitative Factors: Consider strategic shifts, regulatory changes, and emerging risks.
** Dynamic Nature:** Regularly review and adjust thresholds in response to a changing risk landscape.
Procedures
** Identify KRIs/KPIs:** Select metrics that directly align with your key operational risks.
** Analyze Data:** Examine past data for patterns and potential vulnerabilities.
** Gather Input:** Consult risk experts, business managers, and relevant stakeholders.
** Calibrate:** Set thresholds that balance sensitivity with practicality. Consider tiered alerts.
** Obtain Approval:** Secure risk committee and board approval for alignment.
What are lagging indicators in operational risk management, and how can they be used effectively?
Lagging indicators in operational risk management are based on historical data and provide information on past events.
Examples of lagging indicators include:
* Value of Operational Loss Events:
* Number of Closed Customer Complaints:
* Number of Days Lost Due to Health and Safety Incidents:
* Number of Bank Cards Reported Stolen:
What are leading indicators in operational risk management, and how do they differ from lagging indicators?
Leading indicators in operational risk management provide information on potential future changes in risk exposure or control effectiveness.
* True leading indicators are rare as even forward-looking indicators may rely on historical trends.
Examples include:
* Percentage of Product Suitability Approvals Outstanding:This metric, linked to mis-selling risks, reports the number of outstanding suitability approvals as a percentage of the total.
**Percentage of IT Staff Not Up-to-Date with Important Hardware/Software Training: **This indicator, linked to systems failure and hacking attacks, reflects the risk of errors occurring when staff members lag behind in maintaining their skills.
* Number of Best Execution Exceptions:This indicator, linked to customer compensation claims, counts instances where trades on behalf of a customer are not made on the best possible contractual terms or at the best possible price.
