CISI Risk - Chapter 3 Flashcards
BIS Definition of operational risk
The risk of loss resulting from inadequate or failed internal process, people and
systems or from external events
2 common methods to remain vigilant to changes in their risk profile
1 - Creation of Key Risk Indicators
2 - Capture and analysis of loss data
Does the BIS definition of operational risk include legal risk?
Yes
Does the BIS definition of operational risk include reputation risk?
No
7 Elements of an effective operational risk management framework
Clear risk oversight
Strong operational risk culture
Strong internal culture
Clear lines of responsibility
Segregation of duties
Effective internal reporting
Contingency planning
What is covered under internal fraud?
Employee theft, insider trading
What is covered under external fraud?
Robbery, forgery, hacking
What is covered under employment practices and workplace safety?
Health and safety and discrimination claims
What is covered under Clients, products and business practices?
Misuse of confidential information and money laundering
What is covered under Damage to physical assets?
Natural disasters, terrorism, war
What is covered under Business disruption and system failures?
Hardware, software and telecommunications outages
What is covered under Execution, delivery and system failure?
Losses from failed transaction processing or process management, outsourcing vendor disruptions/failures
What is an operational risk policy?
A document which outlines a firm's strategy and objectives for operational risk management
Who sets the operational risk policy?
The board
What is an operational risk framework?
Independent centralized risk management department
Areas addressed by an operational risk policy (4)
Identification of key officers
Roles and Responsibilities
Segregation of duties
Cross-Functional involvement & Agreement
3 objectives of an ORM (Operational Risk Management)
Identify, measure and assess operational risk
What will an ORM look to do to operational risks?
Reduce cost of losses
Reduce Likelihood of risk events occurring
6 key ways of Identifying and assessing risks
Self assessment
KRI
Workshops
Loss data causal trend analysis
External loss data
Audit reviews
3 key ways to reduce the likelihood of a risk materializing?
Clearly identify risk before it occurs
Establish clear ownership of the risk
Set up and monitor KRIs
3 key ways to reduce the impact of a risk should it occur?
Speedy escalation
Owner has been assigned to fix the issue
Appropriate insurance policies
What are the 7 stages in a risk management framework?
Identification
Measurement and assessment
Management and control
Monitoring
Reporting
Policy & Appetite setting
Risk Management Framework - What is Risk Identification
Clearly identify the firm's risks using methods such as:
Self assessment
KRI
Workshops
Loss data causal trend analysis
External loss data
Audit reviews
Risk Management Framework - What is Risk Measurement & Assessment
Score the impact and likelihood of the risk
Risk Management Framework - What is Risk Management and Control
Appropriate controls in place to mitigate risks.
Risk Management Framework - What is Risk Monitoring
Monitor the KRIs and act before they reach the pre-defined limits
What are actual losses associated with?
Historical loss data
What is historical loss data?
Historical loss data analysis maps actual losses experienced by a firm to a
sensible categorisation system.
Risk Management Framework - What is Risk Reporting
Reporting losses and near misses
What is risk assessment
Evaluating measurement data & estimating impact on business
Subjective
Risk Management Framework - What is Operational Risk Policy
Lessons learned are used to update the risk policy
What is risk measurement?
Quantitative technique to understand size of risks
Objective (Factual)
2 limitations of Self-Assessment risk identification
Subjective by managers - To fix this it should be independently validated
Difficult to apply consistently across multiple functions and locations
What is the main difficulty in Measuring & Assessing operational risk?
Lack of relevant and objective data
Is risk assessment objective or subjective?
Subjective
Is risk measurement objective or subjective?
Objective
How have banks tackled not having enough historic data to accurately monitor and assess risks?
Anonymously sharing their losses with other firms in the same industry
How is the risk score calculated?
Risk score = Likelihood score x Impact score
2 disadvantages to likelihood assessment?
Tends to be subjective
May be over-simplified
2 ways all subjective assessments should be validated?
Real loss data
An independent party
6 Advantages of Impact and likelihood assessment:
- Simple method
- Focuses management attention on the most important risks
- Minimal hard data required if historical data is not available
- Captures wide range of risks
- Used to anticipate loss by ranking potential risk of new situations
- Forward-looking as well as backward-looking
- Encourages a risk-aware culture
What is bottom up analysis?
Analyse individual risks in each process and aggregate them to provide overall
measures of exposure.
Is scenario analysis top down or bottom up?
Top down
Disadvantage of scenario analysis
Depends on expertise of professionals involved
5 Advantages of Bottom-up analysis
- Looks at process level
- Accountability/responsibility clearly defined
- Encourages risk awareness at the earliest opportunity
- Encourages continuous improvement
- Improves quality of management information
5 Disadvantages of Bottom-up analysis
- Very time-consuming
- Major undertaking, especially where change is constant
- Difficult to apply consistent rules
- Process-focused, so risks occurring at the process interface may be overlooked
- Introspective – macro view ignored
What are KRIs?
Key Risk Indicators -
- KRIs are a ‘health check’ on the performance of the business.
- KRIs allow companies to identify their risk status at any given time.
What do the Process related KRIs revolve around?
Business processes
4 advantages of KRIs
- Possible to monitor trends and anticipate problems
- Limits of acceptability can be established
- Basis of objective performance measurement
- Acts as an early warning system
3 Disadvantages of KRIs
- Can be misleading if used in isolation
- Can be difficult to obtain automatically
- Management of KRIs to enhance bonuses
What do the Non-Process related KRIs revolve around?
Staff and resolution times
What are Expected losses?
Occurs with reasonable frequency
Sit within the risk appetite of the firm
What are Unexpected losses?
Low-frequency, high impact losses that cause SERIOUS issues
Advantage of Historical loss data?
understand size of losses in monetary terms attributed to particular risks
Disadvantage of Historical loss data?
Does not predict unexpected losses/Near misses. Not so great with small amounts of data
What is the fine for breaking GDPR?
20 million or 4% of global revenue
4 Practical constraints to implementing an operational risk management framework
Data collection constraints
Cultural constraints
Resource and cost constraints
Indicator constraints
8 headers of a risk register (Risk Log)
- Risk description
- Objective under threat
- Risk score or ranking
- Risk owner or lead person
- Action plan
- Completion dates
- Assurance and oversight
- Mitigating controls
What is Risk Acceptance?
Continuing the business decision even though a risk has been identified
What is a preventative control?
Prevent errors occurring in the first place.
3 types of preventative controls
Maintenance of procedures
Use of training
Automation
What is a detective control?
Detect errors once they have occurred, quality assurance checks fall under this category
What is Layering?
Moving money around the financial system to make it hard to track. Buying/selling financial instruments.
3 stages to money laundering operation
Placement, Layering and Integration
What is Integration?
The ultimate beneficiary is now holding clean money, even though it was once dirty
What is Placement?
Introduction of dirty money into financial system. Deposit of ill-gotten gains into a bank account
What 3 things do AML regulations require firms to do to reduce money laundering?
Identify customers
Record keeping
Report suspicious activity
What is penetration testing?
Ethical hacking. Probing for vulnerabilities in a network/system
What is a business continuity plan (BCP)?
Deals with premises and people aspects post disaster
What is Disaster Recovery (DR)?
IT and infrastructure post disaster
What are escalation thresholds?
Losses of predefined amounts have clear escalation processes to senior members at the firm
What is Loss causal analysis?
Identifying the underlying cause of a loss and ensuring history does not repeat itself.