Enterprise. Study Unit 5: Operational Risk Management Flashcards
Risk: basic principles
The uncertainty that an event could cause positive or negative results if it occurs
measured in terms of impact (low to high) and likelihood (low to high)
There are standards, benchmarks or guidance that organisations use to manage risk
Basel (Banking industry)
COSO (United States)
King (South Africa)
Sarbanes-Oxley (United States)
Classification of risks: Financial risks
risk exposures that will lead to a direct financial loss & negatively influence profitability
Credit risk
Market risk
Liquidity risk
Risk factors - Interest rates and exchange rates
Classification of risks: Non-financial risks
risk exposures that could negatively influence the operations & ultimately incur losses of a quantitative or qualitative nature, indirectly influencing profitability.
Operational risk
Legal risk
Strategic risk
Reputational risk
Risk factors - People, technology, regulations, external factors, processes
Risk management framework
the combination of an organisation’s attitude, procedures and actions in response to the various types of risks it is exposed to, detailed in its risk management strategy, process, structures and culture
risk management strategy (Y2.3.1) – sets out the overall mission, goals & objectives for managing risks linked to stakeholder value
risk management process (Y2.3.2) – the components of a risk management process to be followed when managing risk exposures
risk management structure (Y2.3.3) – the governance structures for risk management, & roles & responsibilities for managing risks in each business unit
risk management culture (Y2.3.4) – the value adding activities & the main principles for managing risks
Risk management strategy
approach to, planning and activities implemented by an organisation to manage risk
Risk management strategy process (Y2.3.1)
Collate data – collate data regarding business strategy & objectives, understand risk management requirements, including resources, & mitigation tools. Draw risk profile.
Evaluate data – draw a risk profile, indicating the likelihood of occurrence & impact
Risk appetite (Y2.2.2) – determine the business tolerance for potential loss due to risk
Risk management objectives (e.g. cost v benefit, time frame, CSFs & KPIs) – determine the short, medium & long term objectives for managing risks. Formulate short term objectives.
Monitoring and reporting – continuous monitoring of the execution of the risk management action plan. Continuous identification & evaluation of risk exposure, and the adequacy of controls.
Risk management process
steps, actions and procedures during which specific risks to the organisation are identified and addressed
Risk management process (Y2.3.2)
Risk identification (Y2.3.2) – define and understand the nature of the risk that is faced. Commitment to risk management. Acknowledging risk exposure (please note that Young chapter 4 specifically deals with operational risk identification. This chapter can assist in gaining perspective for discussion-type questions on risk identification)
Risk evaluation / assessment (Y2.3.2 & Y5.3.1) – assessment & measurement of the identified risk exposures. Quantification of exposure, its potential & severity
Implementing appropriate controls (Y2.3.2; Y6.2 & Y6.4) – application of techniques to reduce the probability of loss.
Risk financing – financially providing for the consequences of risk, e.g. insurance or risk-based pricing
Risk monitoring – ensuring the effectiveness of the risk management system & techniques applied. May use on-going system testing or auditing.
Risk management structures
an organisation’s structures to govern its risk management framework, including an assignment of roles and responsibilities
senior management
risk management (specialists)
business/ operational management
risk compliance and monitoring functions
Risk management is the responsibility of all levels of management. These levels can be split into 3 main levels: (Y2.3.3)
top management – Board of directors should ensure that appropriate corporate governance frameworks are established & operating, and that a risk management committee exists
risk management group – responsible for setting policies & strategies & for monitoring
business management – responsible for risk management within the various units. Creating a culture of risk awareness
Risk management structures - Compliance management
Regulatory reporting
Risk management structures - Internal Audit
Board audit committee
Risk management structures - Enterprise management
Management process
Risk profile
Risk appetite
Risk management culture
the corporate or organisational shared values in respect of managing risks (Y2.3.5)
Risk management culture must be established throughout the organisation to ensure the active involvement of all employees
Additional features of a successful risk culture may include: (Y2.3.5)
Adequate risk management skills & knowledge
Transparent & timely risk information available at the required management levels
A commitment to ethical principles by all employees
A consistent attitude from top management regarding risk taking & risk avoidance
Clear accountability & ownership of risks & risk areas
Effective risk reporting & constantly learning from experience
Appropriate risk taking behaviour
Process for Risk Identification
Identification of various vulnerabilities created by employees, internal processes and systems, and external events
The Upside & Downside of Risk
Upside of risk - Invest in preventive controls (proactive risk management) - Reduces losses and prevents negative events from occurring
Downside of risk
Results from fraud, theft, system downtime (reactive downtime)
Losses and/or negative influence on the organisation