CISI Risk - Chapter 3

Question 1

BIS Definition of operational risk

Answer 1

The risk of loss resulting from inadequate or failed internal process, people and
systems or from external events

Question 2

2 common methods to to remain vigilant to changes in their risk profile

Answer 2

1 - Creation of Key Risk Indictors
2- Capture and analysis of loss data

Question 3

Does the BIS definition of operational risk include legal risk?

Answer 3

Yes

Question 4

Does the BIS definition of operational risk include reputation risk?

Answer 4

No

Question 5

7 Elements of a effective operational risk management framework

Answer 5

Clear risk oversight
Strong operational risk culture
Strong internal culture
Clear lines of responsibility
Segregation of duties
Effective internal reporting
Contingency planning

Question 6

What is covered under internal fraud

Answer 6

Employee theft, insider trading

Question 7

What is covered under external fraud?

Answer 7

Robbery, forgery, hacking

Question 8

What is covered under employment practices and workplace safety?

Answer 8

Health and safety and discrimation claims

Question 9

What is covered under Clients, products and business practices

Answer 9

Misue of confidential information and money laundering

Question 10

What is covered under Damage to physical assets

Answer 10

Natural disasters, terroism, war

Question 11

What is covered under Business disruption and system filures

Answer 11

Hardware, software and telecommunictions outages

Question 12

What is covered under Execution, delivery and system failure

Answer 12

losses from failed transaction processig or process management outsourcing vendor disruptions/failures

Question 13

What is an operational risk policy?

Answer 13

A document which outlines a firms strategy and objectives for operational risk management

Question 14

Who sets the operational risk policy?

Answer 14

The board

Question 15

What is an operational risk framework?

Answer 15

Independent centralized risk management department

Question 16

Areas addressed by an operational risk policy (4)

Answer 16

Identification of key officers
Roles and Responsibilities
Segregation of duties
Cross-Functional involvement & Agreement

Question 17

3 objectives of an ORM (Operational Risk Management)

Answer 17

Identify, measure and assess operational risk

Question 18

What will a ORM look to do to operational risks?

Answer 18

Reduce cost of losses
Reduce Likelihood of risk events occurring

Question 18

6 key ways of Identifying and assessing risks

Answer 18

Self assessment
KRI
Workshops
Loss data casual trend analysis
External loss data
Audit reviews

Question 19

3 key ways to reduce the likelihood of a risk materializing is to?

Answer 19

Clearly identify risk before it occurs
Establish clear ownership of the risk
Set u and monitor KRI’s

Question 20

3 key ways to reduce the impact of a risk should it occour?

Answer 20

Speedy escalation
Owner has been assigned to fix the issue
Appropriate insurance policies

Question 21

What are the 7 stages in a risk management framework?

Answer 21

Identification
Measurement and assessment
management and control
Monitoring
Reporting
Policy & Appetite setting

Question 22

Risk Management Framework - What is Risk Identification

Answer 22

Clearly identify the firms risks using methods such as:

Self assessment
KRI
Workshops
Loss data casual trend analysis
External loss data
Audit reviews

Question 23

Risk Management Framework - What is Risk Measurement & Assessment

Answer 23

Score the impact and likelihood of the risk

Question 24

Risk Management Framework - What is Risk Management and Control

Answer 24

Appropriate controls in place to mitigate risks.

Question 25

Risk Management Framework - What is Risk Monitoring

Answer 25

Monitor the KRIs and act before they reach the pre-defined limits

Question 26

What is actual losses associated with?

Answer 26

Historical loss data

Question 27

What is historical loss data?

Answer 27

Historical loss data analysis maps actual losses experienced by a firm to a sensible categorisation system.

Question 28

Risk Management Framework - What is Risk Reporting

Answer 28

Reporting losses and near misses

Question 29

What is risk assessment

Answer 29

Evaluating measurement data & estimating impact on business Subjective

Question 30

Risk Management Framework - What is Risk Operational Policy

Answer 30

Lessons learned are used to update the risk policy

Question 31

What is risk measurement?

Answer 31

Quantitative technique to understand size of risks Objective (Factual)

Question 31

2 limitations of Self-Assessment Rik identifcation

Answer 31

Subjective by managers - To fix this it should be independently validated Difficult to apply consistently across multiple functions and locations

Question 32

What is the main difficulty in Measuring & Assessing operational risk ?

Answer 32

Lack of relevant and objective data

Question 32

Is risk assessment objective or subjective?

Answer 32

Subjective

Question 32

Is risk measurement objective or subjective

Answer 32

Objective

Question 33

How have banks tackled not having enough historic data to accurately monitor and assess risks?

Answer 33

Anomalously sharing their losses with other firms in the same industry

Question 34

How is the risk score calcualted?

Answer 34

Risk score = Likelihood X impact score

Question 35

2 disadvantages to likelihood assessment?

Answer 35

Tends to be subjective May be over-simplified

Question 35

2 ways all subjective assessment should be validated by?

Answer 35

Real loss data An independent party

Question 36

6 Advantages of Impact and likelihood assessment:

Answer 36

- Simple method - Focuses management attention on the most important risks - Minimal hard data required if historical data is not available - Captures wide range of risks - Used to anticipate loss by ranking potential risk of new situations * Forward-looking as well as backward-looking - Encourages a risk-aware culture

Question 37

What is bottom up analysis?

Answer 37

Analyse individual risks in each process and aggregate them to provide overall measures of exposure.

Question 37

Is scenario analysis top down or bottom up?

Answer 37

Top down

Question 38

Disadvantage of scenario analysis

Answer 38

Depends on expertise of professionals involved

Question 39

5 Advantage of Bottom-up analysis

Answer 39

*Looks at process level * Accountability/responsibility clearly defined * Encourages risk awareness at the earliest opportunity * Encourages continuous improvement * Improves quality of management information

Question 40

5 Disadvantages of of Bottom-up analysis

Answer 40

* Very time-consuming * Major undertaking especially where change is constant * Difficult to apply consistent rules * Process-focused so risks occurring at the process interface may be overlooked * Introspective – macro view ignored

Question 41

What are KRIs?

Answer 41

Key Risk Indicators - * KRIs are a ‘health check’ on the performance of the business. * KRIs allow companies to identify their risk status at any given time.

Question 41

What do the Process related KRIs revolve around?

Answer 41

Business procsess

Question 42

4 advantages of KRIs

Answer 42

* Possible to monitor trends and anticipate problems * Limits of acceptability can be established * Basis of objective performance measurement * Acts as early warning system

Question 43

3 Disadvantges of KRIs

Answer 43

* Can be misleading if used in isolation * Can be difficult to obtain automatically * Management of KRIs to enhance bonuses

Question 44

What do the Non-Process related KRIs revolve around?

Answer 44

Staff and resolution times

Question 45

What are Expected losses?

Answer 45

Occurs with reasonable frequency Sit within the risk appetite of the firm

Question 46

What are Unexpected losses?

Answer 46

Low-frequency, high impact losses that cause SERIOUS issues

Question 47

Advantage of Historical loss data?

Answer 47

understand size of losses in monetary terms attributed to particular risks

Question 48

Disadvantage of Historical loss data?

Answer 48

Does not predict unexpected losses/Near misses. Not so great with small amounts of data

Question 49

What is the fine for breaking GDPR?

Answer 49

20 Milly or 4% of global revenue

Question 50

4 Practical constraints to implementing an operational risk management framework

Answer 50

Data collection constrains Cultural constraints Resource and cost constraints Indicator constraints

Question 51

8 headers of a risk register (Risk Log)

Answer 51

Risk description - Objective under threat - Risk score or ranking - Risk owner or lead person - Action plan - Completion dates - Assurance and oversight - Mitigating controls

Question 52

What is Risk Acceptamce

Answer 52

Continuing the business decsion even though a risk had been identified

Question 53

What is a preventative control?

Answer 53

Prevent errors occurring in the first place..

Question 54

3 types of preventative controls

Answer 54

maintenance of procedures Use of training Automation

Question 55

What is detective control?

Answer 55

Detect errors once they have occurred, quality assurance checks fall under this category

Question 55

What is Layering?

Answer 55

Moving money around the financial system to make it hard to track. Buying/selling financial instruments.

Question 55

3 stages to money laundering operation

Answer 55

Placement, Layering and Integration

Question 56

What is Intergration

Answer 56

The ultimate beneficiary is now holding clean money, even though it was once dirty

Question 57

What is Placement?

Answer 57

Introduction of dirty money into financial system. Deposit of ill-gotten gains into a bank account

Question 58

What 3 ways do the AML require firms to do to reduce money laundering

Answer 58

Identify customers Record keeping Report suspicious activity

Question 58

What is penetration testing?

Answer 58

Ethical hacking. Probing for vulnerabilities in a network/system

Question 58

What is a business continuity plan (BCP)

Answer 58

Deals with premises and people aspects post disaster

Question 58

What is a Disaster Recovery (DR)

Answer 58

IT and infrastructure post disaster

Question 59

What are escalation thresholds?

Answer 59

losses of predefined amounts have clear escalation processes to senior members at the firm

Question 60

What is Loss causal analysis

Answer 60

Identifying the underlying cause of a loss and ensuring history does not repeat itself.