Chapter 7: Operational Risk Tools – Events and Losses Flashcards
Why are loss events considered important in operational risk management?
* They validate other operational risk tools such as risk and control self-assessment and scenario analysis.
* The size or number of these events can be useful risk indicators, especially when monitoring risk appetite and tolerance.
* While past events do not necessarily predict future risk exposure, the recording and analysis of these events offer opportunities for learning and risk mitigation.
What is boundary risk in operational risk management and how are losses from other risk types like Credit, Liquidity, Market, and Insurance treated?
- Boundary risk is the risk that an operational failure (e.g., data error, system outage, cyberattack) will cause losses in other risk areas, such as credit, liquidity, market, or insurance risks. It highlights the interconnectedness of risks within an organization.
Key Points
- Focus: Boundary risk emphasizes how problems in one area can spill over into others.
- Management: While losses stemming from boundary risk are typically managed within their specific risk categories, understanding the root operational causes is crucial for holistic risk mitigation.
When a firm identifies the loss or impact of an operational risk event, to what extent does it include indirect costs?
* When a firm identifies the loss or impact of an operational risk event, it should ideally include both direct and indirect costs.
* Direct costs are those that are immediately attributable to the event, such as fines, reparations, or immediate loss of revenue.
* Indirect costs, on the other hand, can include a wide range of impacts that are not immediately quantifiable but can have a significant effect on the firm’s operations or reputation over time.
* E.g., loss of customer trust, damage to brand reputation, increased regulatory scrutiny, and the cost of implementing new processes or controls to prevent similar events in the future.
The extent to which a firm includes indirect costs can vary based on:
* the firm’s risk management strategy
* the specific nature of the operational risk event
* the firm’s ability to accurately quantify and attribute these indirect costs.
Describe the attributes of event data and their use
- Event Description and Type: Regulatory frameworks (Basel, Solvency II) offer standard risk event types, but firms need their own taxonomies aligned with their specific business.
- Amount: Convert foreign currency losses to the firm’s reporting currency.
- Date: Record both the event discovery date and the actual occurrence date for risk management accuracy.
- Recoveries: Record both the original and net loss (after recoveries) since the initial figure reflects the true impact of the operational failure.
- Business Entity: Precisely identify the entity within a group responsible for the loss to enable targeted analysis and comparisons.
- Business Activity: Pinpoint the specific business activity where the failure occurred. This helps spot systemic control weaknesses across locations or firms with shared activities.
- Geographic Location: Track locations for pinpointing control weaknesses, legal disparities, or cultural factors contributing to events.
- Event Description: A brief description aids in analyzing the root cause of the event, leading to focused management action.
Consider why knowledge of the business entity is important when analysing losses and describe what the limitations of the analysis would be without this information.
Knowledge of the business entity is crucial when analyzing losses for several reasons:
**Understanding Business Operations:** Each business entity has unique operations, processes, and risk profiles. Understanding these can help identify potential sources of operational risk and areas where losses may occur.
Contextualizing Losses: The impact of a loss can vary significantly depending on the nature of the business entity. For example, a small loss for a large corporation might be a significant loss for a small business.
Identifying Control Weaknesses: Knowledge of the business entity can help identify weaknesses in internal controls that may have contributed to the loss.
Tailoring Risk Mitigation Strategies: Effective risk mitigation strategies are often specific to the business entity. Understanding the business can help tailor these strategies to prevent future losses.
Without this information, the analysis would face several limitations:
Lack of Context: Without knowledge of the business entity, it would be difficult to understand the context in which the loss occurred, making it harder to identify the root cause and potential solutions.
Ineffective Risk Mitigation: Without understanding the specific operations and risk profile of the business entity, risk mitigation strategies may not be effective or appropriate.
**Inaccurate Assessment of Impact:** Without knowledge of the business entity, it would be challenging to accurately assess the impact of the loss on the business.
Difficulty in Identifying Patterns: If losses are analyzed without considering the specific business entity, it may be difficult to identify patterns or trends in losses that could indicate larger systemic issues.
When a firm reports operational risk events, does it include all the elements included in this section? In particular, how does it handle the problems identified regarding amount and date?
* This can include the nature of the event, the date it occurred or was detected, the amount of loss, any recoveries, the geographical location, and the business entity involved.
However, the specific elements included can vary based on the firm’s operational risk management strategy, the nature of the event, and regulatory requirements.
Regarding the amount and date:
* Amount: The firm records both the original loss and any subsequent recoveries. This approach ensures that the true cost of the operational failure is captured. If the loss is in a foreign currency, it needs to be converted to the firm’s reporting currency.
* Date: The firm may record the date of occurrence, the date of detection, or both. If an event spans over a period of time, the firm may choose to record the start date, the end date, or both. The choice can significantly impact the assessment of the event’s frequency or likelihood.
Why is understanding the cause of a risk event crucial in operational risk management?
- Understanding the cause of a risk event is crucial as it enables an analysis of whether controls or mitigants have failed and whether it’s necessary to reassess risk exposure.
- Operational risks can be categorized by four root causes: failure of people, processes, systems, and external events.
- The firm’s internal environment, reflected in strategic business decisions or risk culture, can also be a root cause.
- Identifying events and their impacts is fundamental, but understanding why the event occurred is key for root cause analysis, which is primarily interested in identifying control failure.
- Causal analysis enables management to assess the benefits of increasing controls, depending on the likely costs which might be saved.
Why is setting a reporting threshold significant in operational risk management and what factors should be considered when setting it?
Why Reporting Thresholds Matter
Prioritize Significant Risks: Ensure focus on events with the potential to cause major damage.
**Improve Data**: Promote consistent reporting for reliable trend analysis and comparisons.
Targeted Mitigation: Capture data needed to identify root causes and develop effective solutions.
Resource Optimization: Focus efforts on investigations and actions in line with the magnitude of risks.
Factors to Consider When Setting Thresholds
Your Risk Appetite: Higher risk tolerance may allow for higher reporting thresholds.
Industry Standards: Use peer benchmarks as a guide, but tailor to your specific needs.
**Regulations**: Comply with any mandatory reporting requirements.
Historical Losses: Analyze past patterns to pinpoint potential high-impact events.
Business Complexity: Riskier operations often need lower thresholds for closer monitoring.
Balance: Avoid overwhelming your system with minor incidents.
Use Both Financial & Qualitative Measures: Consider reputation risks, potential for regulatory scrutiny, etc.
**Regular Review:** Adjust thresholds as your business, risk landscape, and regulations change.
How does a firm’s policy and culture influence the completeness of operational risk event reporting?
Policy
- Clear rules: Well-defined policies on what to report, and how, ensure more complete data.
- Easy reporting: Multiple reporting options encourage employees to speak up.
Culture
- Focus on solutions: Prioritizing learning over blame makes reporting easier.
- Safe environment: Employees need protection to report without fear of punishment.
- Leadership matters: Management sets the tone. If they take risks seriously, others will too.
Why Incomplete Reporting is Bad
- Bad decisions: Firms can’t address risks they don’t know exist.
- Repeated mistakes: Without reporting, the same problems happen again and again.
- Regulatory trouble: Hiding problems can lead to fines and damage trust.
Who is typically authorized to report an operational risk event and how does this impact the reporting process?
- Often, the person who detects a loss is authorized to report it. Alternatively, they may report to the department that originated the loss.
- Some organizations require a copy of the report to be sent to the originating department’s manager for validation. This can lead to more accurate reports but may discourage whistleblowing, leading some firms to allow anonymous reporting.
How can losses and event data contribute to risk and control self-assessments (RCSAs) and improve operational risk management?
- Losses and event data, analyzed through root cause analysis, can highlight control failures and performance issues.
- They’re useful for challenging both impact and likelihood assessments.
- Past events can indicate if assessments are overly optimistic or pessimistic. Historic frequency data can challenge likelihood assessments, especially when a more optimistic assessment has been made due to ‘bad luck’.
- RCSAs involve subjective judgments in assessing likelihood and impact and are subject to cognitive biases. Using historical loss data can counter bias, make assessments more objective, and validate RCSA outcomes.
- It shows distributions of both frequency and impact of operational risk loss events, improving assessments.
Using loss event data in this way emphasizes the benefit of causal analysis and raises awareness of it.
How does loss data enhance the RCSA process?
- Loss data reveals root causes of control failures, helping to improve control design, assess control effectiveness, and reduce biases in risk assessments.
Describe the benefits and limitations of sources of external loss event data
Media reports, social media and public data, Competitors’ internal losses and consortia databases
**Media reports, social media and public data**
Exposure Insights: Media reports on major events (pandemics, disasters, corporate failures) highlight potential risks, even if your firm hasn’t directly experienced them.
Causal Analysis Aid: Details reported in the media can assist in reviewing your own controls, estimating potential impacts, and improving continuity planning.
Testing Scenarios: Media coverage can help evaluate the assumptions you make during scenario planning and risk assessments.
Competitors’ internal losses and consortia databases
* Direct comparison with another firm’s experience is challenging due to differences in risk culture, strategy, and control environment.
* Data completeness issues affect all risk event reporting, and legal constraints may prevent firms from disclosing settlement costs.
* Data quality varies due to different classification approaches, collection thresholds and practices, stages in data collection maturity, and regulatory requirements across jurisdictions.
* Many firms subscribe to databases that provide information on large risk events experienced by members, mostly less prominent than headline events.
Explain the uses of external loss event data
Scenarios, benchmarking, risk identification, new product analysis, setting risk appetite, risk education and awareness
**Scenarios**
* External data, reflecting unexperienced events, is beneficial for creating realistic scenarios and understanding new or emerging risks. For maximum utility, these data reports should detail the event’s background, governance, unfolding, and aftermath, including consequences and remedial actions.
Benchmarking
* Firms can benchmark their risk assessments and internal reporting processes using external data and peer experiences, which also reveal potential consequences like fines or reputational damage. If sufficiently detailed, this data can also help measure the time from an incident’s occurrence to its detection, offering valuable insights.
Risk identification
* While firms often identify risks based on past events or their risk register, external events provide fresh perspectives and, coupled with causal analysis, can prompt a reassessment and reprioritization of risks.
New product analysis
* External data aids in developing risk control frameworks, enhances management’s understanding of product-related risks for informed decision-making, and should ideally span an entire economic cycle to unmask potential downturn risks.
Setting risk appetite
* Insights from competitors’ experiences serve as a valuable gauge of a firm’s risk tolerance, as they can uncover potential risks that might exceed this tolerance. Such insights are also beneficial for firms when evaluating their own risk appetite.
Risk education and awareness
* External data, offering unique insights beyond internal sources, broadens a firm’s understanding of potential risks and aids in training staff to identify and mitigate these risks effectively.
Do firms use external data in all the ways identified in this section? If so, how does it ensure that external data is relevant to your firm?
- They leverage it for risk assessment, scenario creation, benchmarking, and gaining insights into potential consequences of risk events.
- However, the extent and manner of usage can vary based on the firm’s specific needs, industry, and regulatory environment.
- Firms ensure the relevance of external data by aligning it with their objectives, validating its accuracy, analyzing it in the context of their operations, and updating it regularly. While external data offers valuable insights, it should be used alongside internal data and expert judgment, adhering to all relevant data privacy and protection regulations.