ERM Chapter 29 Flashcards
Having sufficient controls is the key to managing operational risk. What are eight desirable characteristics of controls in this context?
- Focused on results
- In place for both measurable and non-measurable events
- Standardised for efficient communication
- High quality, so as to improve management
- Few, rather than many
- Meaningful and appropriate
- Timely, so as to give sufficient warning
- Simple, so they are easily understood
Outline the risks associated with outsourcing.
Outsourcing can bring business benefits (such as transferring some risks to a third party) but also has its own risks that need to be managed, such as:
- the possible failure of the third party to deliver its commitments
- the reduced control the company has over the third party's processes and people
What five things should a company consider before entering into an outsourcing agreement with a third party?
- The company's own regulatory environment and the regulatory status of the third party
- The financial standing of the third party
- The competency, business continuity plans and risk processes of the third party
- Its legal agreement with the third party including the right to terminate, and the third party’s right to sub-contract
- How it will monitor the third party
List seven external event risks that are known to have impacted businesses, in order of frequency of occurrence.
- Loss of IT or telephone capacity
- Loss of people and skills
- Bad PR or negative publicity
- Disruption to supply chain
- Fire/flooding/high winds
- Protest from pressure groups e.g. animal rights
- Terrorist damage
Outline business continuity and crisis management.
- business continuity includes safeguarding a company’s reputation, brand and other value-creating activities
- a company should develop a Business Continuity Plan and test it regularly to reassure stakeholders that business interruptions can be managed
- pre-emptive actions may include taking periodic backups of data in case of hardware failure, and checking that those backups can actually be restored
- having a crisis management plan can ensure a clear and organised response in the event of a significant incident
- the company may also purchase consequential loss insurance to compensate for losses during a period of business disruption
List types of operational risk that require management.
- outsourcing risk
- external events
- business continuity
- regulatory and legal risks
- technology risk
- crime risk
- people risk
- bias
- process risk
- model risk and data risk
Outline regulatory and legal risk.
- impact can be significant, including fines, reputational damage and loss of authorisation to trade
- these risks can be managed via:
> keeping abreast of changes in regulation and law, including impending changes and their likely impact
> it may be possible to influence changes through lobbying groups
Provide examples of how technology risk can be controlled.
- keeping systems up to date
- routine maintenance
- thorough testing when introducing new IT systems
- quick response IT helpdesks to deal with minor IT issues
- training staff
- restrictions on employees' use of social media applications or of devices that might circumvent IT security
- implementing and testing security software and routines, such as firewalls, backups and password policies, to prevent cyber attacks and to ensure data can be rapidly recovered in the event of loss (the chapter lists "regular password changes" here; note that current guidance such as NIST SP 800-63B no longer recommends forced periodic changes, favouring long passphrases, screening against known-breached passwords and multi-factor authentication)
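The backup controls mentioned above and under business continuity only work if a restore is actually tested. The following is an added worked example (not code from the chapter): it copies a directory, records a SHA-256 manifest of the source, then performs a trial restore into scratch space and compares it with the manifest so that a missing, altered or extra file is reported before the backup is ever needed. File names, directory layout and the sample contents are all constructed for the example.

```python
"""Backup with an integrity manifest plus a restore test (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def create_backup(src, dest):
    """Copy src to dest and return a manifest taken from the source.

    Hashing the source (not the copy) records what we intended to keep,
    so a later verify detects damage that happened to the copy.
    """
    shutil.copytree(src, dest)
    return build_manifest(src)


def verify_backup(manifest, backup_dir):
    """Trial-restore the backup into scratch space and check it against the manifest.

    Returns a sorted list of problems; an empty list means the restore test passed.
    """
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    restore_dir = os.path.join(scratch, "restored")
    problems = []
    try:
        shutil.copytree(backup_dir, restore_dir)
        restored = build_manifest(restore_dir)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append("missing: " + rel)
            elif restored[rel] != digest:
                problems.append("corrupt: " + rel)
        for rel in restored:
            if rel not in manifest:
                problems.append("unexpected: " + rel)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return sorted(problems)


def demo():
    """Constructed scenario: back up two files, then tamper with one copy.

    Returns (problems_before, problems_after) so the effect of the check
    can be inspected as return values rather than printed output.
    """
    work = tempfile.mkdtemp(prefix="bcp-demo-")
    try:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "ledger"))
        with open(os.path.join(src, "ledger", "q1.csv"), "w") as f:
            f.write("policy,claim\nP001,1200\nP002,300\n")   # constructed sample
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample data\n")

        backup = os.path.join(work, "backup")
        manifest = create_backup(src, backup)
        before = verify_backup(manifest, backup)

        # Simulate silent corruption of the backup copy after it was taken.
        with open(os.path.join(backup, "ledger", "q1.csv"), "a") as f:
            f.write("P003,999\n")
        after = verify_backup(manifest, backup)
        return before, after
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see an empty problem list for the clean backup and a single "corrupt: ledger/q1.csv" entry after the copy is tampered with; in practice the manifest would be stored separately from the backup medium so that damage to the medium cannot also damage the evidence.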
Outline crime risk.
- crime risk covers a wide spectrum from petty theft to major fraud, and the management of the risk should reflect the severity
- a balance should be struck between the cost of controls and the losses those controls prevent
Outline the types of people risk, and how they can be managed.
Employment related:
- refers to the behaviour of a business towards its people, and the behaviour of people towards the business
- it can be managed through:
> recruitment processes - cost-effective recruitment of the right people, and enforceable contracts of employment
> competency management process - training requirements and risk training
> appraisals and performance management processes - talent management, retention of the right employees, identification of poor performers, and regular appraisal of NEDs (non-executive directors) in particular
> relationship management - with employee related collective bodies e.g. unions
Adverse Selection:
- the need to distinguish between customers who present different risks in order to prevent being selected against e.g. banks that offer free banking run the risk of being adversely selected against by low-balance, high-activity customers
- managed by careful underwriting and product design and pricing
Moral hazard:
- the risk that the insured, having obtained cover, will act in a way that is of detriment to the insurer
- more generally, any situation where a person makes the decision about how much risk to take, while someone else bears the cost if things go wrong
- can be managed by making the consequences unattractive (e.g. making it a criminal offence to submit a fraudulent claim) and by prevention (e.g. ensuring an insurable interest exists before a life policy is issued)
Agency risk:
- the risk arising from a difference of interests between principals (e.g. shareholders) and the agents acting for them (e.g. managers)
- managed by corporate governance policies or by aligning interests, perhaps through share-based remuneration
How is bias avoided?
- checks and balances should be built into the system
- assessments should be subjected to competent and genuinely independent checking
- consider making an explicit allowance for optimism bias when appraising capital projects (i.e. adjusting cost and time estimates to counter the tendency to be over-optimistic)
- educate people about the problem of unintentional bias
Outline process risk and how it can be managed.
- the risk that changes to business processes or IT systems fail or are poorly implemented
- can be managed via:
> undertaking pilot studies
> precise definition of the requirements of any new solution to best meet the needs of the whole enterprise
> designing systems that can be easily maintained, enhanced and upgraded
> careful deployment of the new systems with user education
How can model risk and data risk be managed?
Model risk can be managed via:
- having documented processes for model building and testing
- having clear audit trails and change-management routines
- using models only for their intended purpose
Data risk can be managed via:
- limiting what can be entered to what is valid
- checking data on entry
- re-checking data on transfer (e.g. comparing record counts or checksums of what was sent with what arrived) and, in particular, de-duplicating
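The three data-risk controls above, as an added worked example (not code from the chapter): validation at entry so that only well-formed values are accepted, a transfer check that compares a record count and content hash taken by the sender with what the receiver actually got, and de-duplication on a normalised key so that records differing only in case, whitespace or number formatting are recognised as the same. The field names, validation rules and sample CSV batch are constructed for the example.

```python
"""Entry validation, transfer re-check and de-duplication (added example)."""
import csv
import hashlib
import io
import re
from datetime import date

FIELDS = ("policy_id", "claim_date", "claim_amount")   # hypothetical schema
POLICY_ID = re.compile(r"^P\d{3,6}$")


def validate(row):
    """Return a list of problems with one raw entry; [] means it is acceptable."""
    problems = []
    if not POLICY_ID.match(row.get("policy_id", "").strip().upper()):
        problems.append("policy_id must be P followed by 3-6 digits")
    try:
        date.fromisoformat(row.get("claim_date", "").strip())
    except ValueError:
        problems.append("claim_date must be ISO YYYY-MM-DD")
    try:
        amount = float(row.get("claim_amount", ""))
        if not 0 <= amount <= 1_000_000:
            problems.append("claim_amount outside 0..1,000,000")
    except ValueError:
        problems.append("claim_amount is not a number")
    return problems


def normalise(row):
    """Canonical form so later equality checks are not fooled by case or spacing."""
    return {
        "policy_id": row["policy_id"].strip().upper(),
        "claim_date": date.fromisoformat(row["claim_date"].strip()).isoformat(),
        "claim_amount": "%.2f" % float(row["claim_amount"]),
    }


def load_entries(csv_text):
    """Entry control: accept only rows that pass validate(); keep rejects with reasons."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = validate(row)
        if problems:
            rejected.append((row, problems))
        else:
            accepted.append(normalise(row))
    return accepted, rejected


def fingerprint(records):
    """Transfer control: (row count, SHA-256 over a canonical serialisation)."""
    canon = "\n".join(",".join(r[f] for f in FIELDS) for r in records)
    return len(records), hashlib.sha256(canon.encode()).hexdigest()


def deduplicate(records):
    """Keep the first occurrence of each (policy, date, amount); return (unique, duplicates)."""
    seen, unique, dups = set(), [], []
    for r in records:
        key = tuple(r[f] for f in FIELDS)
        (dups if key in seen else unique).append(r)
        seen.add(key)
    return unique, dups


def receive(records, expected):
    """Receiving side: refuse the batch if the fingerprint differs, then de-duplicate."""
    if fingerprint(records) != expected:
        raise ValueError("transfer check failed: row count or content hash mismatch")
    return deduplicate(records)


# Constructed sample batch: two good rows, a duplicate of the first differing
# only in case/whitespace/number format, a negative amount, and a bad id.
SAMPLE_CSV = """policy_id,claim_date,claim_amount
P001,2024-03-01,1200
P002,2024-03-02,300.5
 p001 ,2024-03-01,1200.00
P003,2024-03-03,-50
X999,2024-03-04,10
"""


def demo():
    """Run all three controls over SAMPLE_CSV and return a summary dict."""
    accepted, rejected = load_entries(SAMPLE_CSV)
    sent = fingerprint(accepted)                 # taken by the sender
    unique, dups = receive(list(accepted), sent)  # clean transfer
    try:                                         # simulate one row lost in transit
        receive(accepted[:-1], sent)
        dropped_row_caught = False
    except ValueError:
        dropped_row_caught = True
    return {"accepted": len(accepted), "rejected": len(rejected),
            "unique": len(unique), "duplicates": len(dups),
            "dropped_row_caught": dropped_row_caught}


if __name__ == "__main__":
    print(demo())
```

The transfer check deliberately hashes the normalised records rather than the raw file, so a receiver that re-normalises the same way computes the same fingerprint; the rejects are kept with their reasons so that data-entry problems can be fed back to whoever keyed them rather than silently dropped.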
How is reputational risk managed?
- a sound ERM framework
- business continuity and crisis management plans and processes
- strong relationships with key stakeholders
Describe a seven-step enterprise-wide process for transferring operational risk.
- identify operational risk exposures
- quantify their probabilities, severities and capital requirements
- integrate the operational risk with credit and market risk to establish an enterprise-wide risk profile
- establish operational risk limits
- implement internal controls
- develop risk transfer and financing strategies
- evaluate alternative providers and structures based on a cost/benefit analysis