CISI Risk - Chapter 3 Flashcards

1
Q

BIS Definition of operational risk

A

The risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events

2
Q

2 common methods to remain vigilant to changes in their risk profile

A

1 - Creation of Key Risk Indicators
2 - Capture and analysis of loss data

3
Q

Does the BIS definition of operational risk include legal risk?

A

Yes

4
Q

Does the BIS definition of operational risk include reputation risk?

A

No

5
Q

7 Elements of an effective operational risk management framework

A

Clear risk oversight
Strong operational risk culture
Strong internal culture
Clear lines of responsibility
Segregation of duties
Effective internal reporting
Contingency planning

6
Q

What is covered under internal fraud?

A

Employee theft, insider trading

7
Q

What is covered under external fraud?

A

Robbery, forgery, hacking

8
Q

What is covered under employment practices and workplace safety?

A

Health and safety and discrimination claims

9
Q

What is covered under Clients, products and business practices?

A

Misuse of confidential information and money laundering

10
Q

What is covered under Damage to physical assets?

A

Natural disasters, terrorism, war

11
Q

What is covered under Business disruption and system failures?

A

Hardware, software and telecommunications outages

12
Q

What is covered under Execution, delivery and system failure?

A

Losses from failed transaction processing or process management, outsourcing vendor disruptions/failures

13
Q

What is an operational risk policy?

A

A document which outlines a firm's strategy and objectives for operational risk management

14
Q

Who sets the operational risk policy?

A

The board

15
Q

What is an operational risk framework?

A

Independent centralized risk management department

16
Q

Areas addressed by an operational risk policy (4)

A

Identification of key officers
Roles and Responsibilities
Segregation of duties
Cross-Functional involvement & Agreement

17
Q

3 objectives of an ORM (Operational Risk Management)

A

Identify, measure and assess operational risk

18
Q

What will an ORM look to do to operational risks?

A

Reduce cost of losses
Reduce Likelihood of risk events occurring

18
Q

6 key ways of Identifying and assessing risks

A

Self assessment
KRI
Workshops
Loss data causal trend analysis
External loss data
Audit reviews

19
Q

3 key ways to reduce the likelihood of a risk materializing?

A

Clearly identify risk before it occurs
Establish clear ownership of the risk
Set up and monitor KRIs

20
Q

3 key ways to reduce the impact of a risk should it occur?

A

Speedy escalation
Owner has been assigned to fix the issue
Appropriate insurance policies

21
Q

What are the 7 stages in a risk management framework?

A

Identification
Measurement and assessment
Management and control
Monitoring
Reporting
Policy & Appetite setting

22
Q

Risk Management Framework - What is Risk Identification?

A

Clearly identify the firm's risks using methods such as:

Self assessment
KRI
Workshops
Loss data causal trend analysis
External loss data
Audit reviews

23
Q

Risk Management Framework - What is Risk Measurement & Assessment?

A

Score the impact and likelihood of the risk

24
Risk Management Framework - What is Risk Management and Control?
Appropriate controls in place to mitigate risks.
25
Risk Management Framework - What is Risk Monitoring?
Monitor the KRIs and act before they reach the pre-defined limits
26
What are actual losses associated with?
Historical loss data
27
What is historical loss data?
Historical loss data analysis maps actual losses experienced by a firm to a sensible categorisation system.
28
Risk Management Framework - What is Risk Reporting?
Reporting losses and near misses
29
What is risk assessment?
Evaluating measurement data & estimating impact on business
Subjective
30
Risk Management Framework - What is Risk Operational Policy?
Lessons learned are used to update the risk policy
31
What is risk measurement?
Quantitative technique to understand size of risks
Objective (Factual)
31
2 limitations of Self-Assessment Risk identification
Subjective by managers - To fix this it should be independently validated
Difficult to apply consistently across multiple functions and locations
32
What is the main difficulty in Measuring & Assessing operational risk?
Lack of relevant and objective data
32
Is risk assessment objective or subjective?
Subjective
32
Is risk measurement objective or subjective?
Objective
33
How have banks tackled not having enough historic data to accurately monitor and assess risks?
Anonymously sharing their losses with other firms in the same industry
34
How is the risk score calculated?
Risk score = Likelihood X impact score
35
2 disadvantages to likelihood assessment?
Tends to be subjective
May be over-simplified
35
2 ways all subjective assessments should be validated?
Real loss data
An independent party
36
6 Advantages of Impact and likelihood assessment:
- Simple method
- Focuses management attention on the most important risks
- Minimal hard data required if historical data is not available
- Captures wide range of risks
- Used to anticipate loss by ranking potential risk of new situations
  * Forward-looking as well as backward-looking
- Encourages a risk-aware culture
37
What is bottom up analysis?
Analyse individual risks in each process and aggregate them to provide overall measures of exposure.
37
Is scenario analysis top down or bottom up?
Top down
38
Disadvantage of scenario analysis?
Depends on expertise of professionals involved
39
5 Advantages of Bottom-up analysis
* Looks at process level
* Accountability/responsibility clearly defined
* Encourages risk awareness at the earliest opportunity
* Encourages continuous improvement
* Improves quality of management information
40
5 Disadvantages of Bottom-up analysis
* Very time-consuming
* Major undertaking especially where change is constant
* Difficult to apply consistent rules
* Process-focused so risks occurring at the process interface may be overlooked
* Introspective – macro view ignored
41
What are KRIs?
Key Risk Indicators
* KRIs are a ‘health check’ on the performance of the business.
* KRIs allow companies to identify their risk status at any given time.
41
What do the Process related KRIs revolve around?
Business process
42
4 advantages of KRIs
* Possible to monitor trends and anticipate problems
* Limits of acceptability can be established
* Basis of objective performance measurement
* Acts as early warning system
43
3 Disadvantages of KRIs
* Can be misleading if used in isolation
* Can be difficult to obtain automatically
* Management of KRIs to enhance bonuses
44
What do the Non-Process related KRIs revolve around?
Staff and resolution times
45
What are Expected losses?
Occurs with reasonable frequency
Sit within the risk appetite of the firm
46
What are Unexpected losses?
Low-frequency, high impact losses that cause SERIOUS issues
47
Advantage of Historical loss data?
Understand size of losses in monetary terms attributed to particular risks
48
Disadvantage of Historical loss data?
Does not predict unexpected losses/Near misses. Not so great with small amounts of data
49
What is the fine for breaking GDPR?
20 million or 4% of global revenue
50
4 Practical constraints to implementing an operational risk management framework
Data collection constraints
Cultural constraints
Resource and cost constraints
Indicator constraints
51
8 headers of a risk register (Risk Log)
- Risk description
- Objective under threat
- Risk score or ranking
- Risk owner or lead person
- Action plan
- Completion dates
- Assurance and oversight
- Mitigating controls
52
What is Risk Acceptance?
Continuing the business decision even though a risk has been identified
53
What is a preventative control?
Prevent errors occurring in the first place.
54
3 types of preventative controls
Maintenance of procedures
Use of training
Automation
55
What is a detective control?
Detect errors once they have occurred. Quality assurance checks fall under this category
55
What is Layering?
Moving money around the financial system to make it hard to track. Buying/selling financial instruments.
55
3 stages to a money laundering operation
Placement, Layering and Integration
56
What is Integration?
The ultimate beneficiary is now holding clean money, even though it was once dirty
57
What is Placement?
Introduction of dirty money into financial system. Deposit of ill-gotten gains into a bank account
58
What 3 things does AML require firms to do to reduce money laundering?
Identify customers
Record keeping
Report suspicious activity
58
What is penetration testing?
Ethical hacking. Probing for vulnerabilities in a network/system
58
What is a business continuity plan (BCP)?
Deals with premises and people aspects post disaster
58
What is Disaster Recovery (DR)?
IT and infrastructure post disaster
59
What are escalation thresholds?
Losses of predefined amounts have clear escalation processes to senior members at the firm
60
What is Loss causal analysis?
Identifying the underlying cause of a loss and ensuring history does not repeat itself.