Mod 29: Management of operational and other risks Flashcards
Explain the key to successful management of operational risk
The operational risk management process
* The key to managing operational risk is to have sufficient controls in the business. This is much more important than trying to quantify operational risks.
* Controls in this context means a combination of information, assessment and response, ie what information do we have that we can use to decide what course of action to take.
* An example of an external control framework is that provided by the COSO cube.
Outline eight desirable characteristics of operational risk controls
Characteristics of operational risk controls
1. they are subjective (not objective nor neutral)
2. they need to be focussed on results
3. they are required for measurable and non-measurable events
4. standardised for efficient communication
5. high quality, so as to improve management
6. few, rather than many
7. meaningful and appropriate
8. timely, so as to give sufficient warning
9. simple, so they are easily understood.
List mitigating actions (other than risk transfer through insurance) that are commonly used to reduce the likelihood and/or impact of losses arising from operational risks
Mitigating actions to reduce likelihood / impact operational risk
* outsourcing (people, processes, systems)
* due diligence (people, processes, systems, eg if outsourced)
* business continuity and crisis management plans and resources (all!)
* horizon scanning (regulatory, event)
* maintenance (technology, systems, event)
* security (technology, crime)
* good HR practices (people, employment-related, agency)
* careful underwriting, product design and pricing (people, adverse selection, moral hazard)
* education, checks and balances (people, bias, model)
* good change management (process, technology, model)
* strong relationships with stakeholders (regulatory, reputational, people)
* sound ERM framework (reputational, all!)
List management actions that might be taken in respect of residual retained operational risk (ie operational risk net of transfer and mitigation)
Actions in respect of residual retained operational risks
* self-insure against operational losses by establishing reserves
* including allowance for operational risk in the allocation of economic capital – to incentivise management to improve operational risk management
State the factors that an organisation should consider before outsourcing non-core activities
Factors to consider before outsourcing
* its regulatory environment and the status of the third-party
* the possible failure of the third-party to deliver its commitments
* the reduced control it has over the processes and people in the third-party
* the financial standing of the third-party
* the competency, business continuity plans and risk processes of the third-party
* its legal agreement with the third-party including the right to terminate, and the third-party’s right to sub-contract
* how it will monitor the third-party
Describe what is meant by business continuity and crisis management
Business continuity and crisis management
* A broad definition of business continuity includes safeguarding the business’s reputation, brand and other value-creating activities.
* Companies should develop a Business Continuity Plan (BCP) and test it regularly so as to reassure stakeholders.
* Examples of actions in a BCP are to maintain offsite back-ups of data and renting a redundant office block and computer system.
* A Crisis Management Plan (CMP) can ensure a clear and organised response in the event of a significant incident. A Crisis Management Group (CMG) will take control of an issue and co-ordinate action.
* Preparedness ensures a company can take advantage of unexpected gains, or stem losses in the event of a critical incident.
* A business may also purchase consequential loss insurance (compensation for loss of profits during the period of disruption).
Give examples of the management of specific technology risks
Management of specific technology risks
* keeping systems up-to-date – balancing functionality with costs
* routine maintenance – especially for IT solutions that were developed in-house
* thorough testing (for robustness and compatibility) when introducing new IT systems
* quick response IT helpdesks to deal with minor IT issues
* training staff – eg not to open suspicious email attachments
* restrictions on employees’ use of social media applications or use of devices (eg USB drives) that might circumvent IT security
* implementing and testing security software and routines, such as firewalls, back-ups and regular password changes, to prevent cyber-attacks and ensure data can be rapidly recovered in the event of loss
Give examples of the management of employment-related risks
Management of employment-related risks
- competency management, eg:
1. new employee induction
2. CPD and professional qualifications
3. training on risk
- cost-effective recruitment of the right individuals
- enforceable contracts of employment
- talent management – ie retention, promotion and transfer
- identification of poor performers, subsequent support and possible disciplinary action
- appraisal / performance management processes, in particular NEDs
- relationship management – with employee-related collective bodies, eg unions.
Give examples of the management of process (change) risk
Management of process (change) risk
- pilot studies
- precise definition of the requirements of any new solution to best meet the needs of the whole enterprise
- designing systems that can be easily maintained, enhanced and upgraded
- careful deployment of the new systems with user education
- stress testing of any new process or system – both in isolation and within the larger structure into which it is to be placed
- processes should be monitored and reviewed for effectiveness soon after implementation and regularly thereafter
Give examples of the management of model risk
Management of model risk
* ensure a robust process around the choice of model
* have documented processes for the model and assumptions, with clear audit trails and change-management routines
* test the model thoroughly before use
* maintain and develop the model over time, with regular reviews
* ensure staff are adequately trained and have clear accountabilities
* understand the (sensitivities to) key drivers / assumptions in the model
* use models only for their intended purpose
* appreciate the limitations of the model
* avoid overly complex models (principle of parsimony)
* ensure workings / results are easy to communicate and are capable of independent verification for reasonableness
Give examples of the management of data risk
Management of data risk
- limit what can be entered to what is valid (eg range checks)
- check data entry (eg spot, consistency and reasonableness checks)
- re-check data on transfer and, in particular, de-duplicate
- ensure the data is credible (sufficient quantity)
- ensure the data is relevant to the purpose (especially external data)
- carry out regular backups of data
- ensure that data is stored securely
- ensure staff are adequately trained (eg in data protection, handling big data)
Outline a seven-step, enterprise-wide process for transferring operational
Enterprise-wide process for transferring operational risk
1. identify operational risk exposures
2. quantify their probabilities, severities and (economic) capital requirements
3. integrate the operational risk with credit and market risk to establish an enterprise-wide risk profile
4. establish limits on operational risk
5. implement internal controls
6. develop strategies for risk transfer and financing
7. evaluate alternative providers and structures based on a cost / benefit analysis
Outline the features of best practice operational risk management
Features of best practice operational risk management
1. operational risks
* broad definition of operational risk
* internal and external early warning indicators
* economic capital allocated to operational risk
2. systems
* qualitative and quantitative tools including scenario and simulation risk models
3. operational risk function
* insurance function fully integrated with operational risk function
Outline how liquidity risk should be managed
Management of liquidity risk
Managing liquidity risk requires a company to actively monitor its liquidity requirements, both within and across legal entities, allowing for the differing transferability (fungibility) of liquid assets due to exchange controls and other regulatory barriers.
Market liquidity risk can be managed by:
* varying investment strategy using swaps
* having a contingency fund consisting of high-quality, liquid assets.
Funding liquidity (considered alongside credit risks) can be managed by:
* diversifying sources of funding (by type and term)
* continuously monitoring the ability to raise additional capital
* contingency sources of funding from their bank (eg a line of credit).
Outline activities designed to reduce feedback risk (the spread of risk through a financial system)
Activities designed to reduce feedback risk
* investing only in exchange-traded instruments to pool counterparty risk
* suspension of trading on an exchange by circuit breakers
* actions by Governments or central banks – to reduce likelihood of occurrence (eg by acting as a lender of last resort), or reduce the financial consequences of an event (eg by reducing interest rates)
* regulations may require establishment of additional reserves (eg in the ‘good times’)
* avoiding pro-cyclical regulations, eg those that encourage all similar organisations to adopt similar strategies
* physically separating types of businesses (eg investment banking and retail banking)