Module 6 - Midterm Pt 1 Flashcards
An indisputable tenet of risk management
one must understand risk in order to manage it
Understanding risk requires
the ability to measure and monitor a given risk so that mitigating plans can be put in place to reduce the risk to an acceptable level, one that is in line with the organization's approved risk appetite
Importance of Understanding Business Risks
Without the ability to effectively measure and monitor risk, no risk program can be successful
Assessing risk is not a simple task (True/False)
TRUE: Anyone who has ever performed a risk assessment knows that they can be notoriously difficult, some risk types more so than others
Common Tools and Methodologies
- Loss Data Collection & Loss Event Root Cause Analysis
- Risk and Control Self-Assessment
- Key Risk Indicators
- Scenario Analysis
Loss Data Collection & Loss Event Root Cause Analysis
The goal is to understand the causes of losses that have already occurred so that future losses and events can be prevented (focused on the past)
Risk and Control Self-Assessment
Goal is to implement controls so that risks are better managed to within acceptable levels (focused on the present)
Key Risk Indicators
Goal is to inform choices about the risk portfolio and to trigger mitigating actions before a loss occurs (focused on the future)
Scenario Analysis
Goal is to identify and understand potential future risk events so that management can take action (focused on the future)
Common Tools and Methodologies Framework examples
Heat Map, Bow-tie, FMEA
The losses incurred by an organization should be recorded in a database based on
a defined taxonomy and on a consistent basis
Regulators require banks to use the Basel-defined seven event type classifications for loss data
- Clients, Products and Business Practices
- Business Disruption and System Failures
- Execution, Delivery and Process Management
- Internal Fraud
- External Fraud
- Employment Practices and Workplace Safety
- Damage to Physical Assets
Clients, Products, and Business Practices examples
Non-compliance with laws and regulations, inadequate disclosures
e.g. event: A company is fined by a regulatory agency for failure to comply with anti-money laundering laws
Business Disruption and System Failures examples
Extended system downtime
e.g. event: A server outage causes key internal systems to be inaccessible for a prolonged period of time
Execution, Delivery, and Process Management examples
Data entry error, failure to conduct due diligence, reporting failure
e.g. event: When making a payment for an outstanding invoice, an employee pays the vendor $6,000 instead of $600
Internal Fraud examples
Collusion, embezzlement
e.g. event: An employee redirects internal funds to his or her personal bank account
External Fraud examples
Robbery, hacking, theft of information
e.g. event: A bank’s retail branch is robbed, resulting in financial losses
Employment Practices and Workplace Safety Examples
Allegations of discrimination, unsafe work environment
e.g. event: Lawsuit against a company alleging that an employee was denied a promotion due to being a member of a protected class
Damage to Physical Assets examples
Natural disaster
e.g. event: A hurricane causes physical damage to a company’s office, forcing temporary relocation
Regulators expect banks to use 'External Losses' suffered by other banks to monitor and measure their own risk exposures
Review of External Losses ensures
- adequate data (loss events that have not yet occurred internally are still represented)
- an understanding of current industry trends
- a more holistic view of all of your risk exposures
To make the Review of External Losses exercise productive
one should establish a clear relevance criterion for external losses, based on the organization's own business activities, so that only comparable events are considered
Operational Riskdata eXchange Association (ORX)
An industry association established in 2002 to collect anonymized operational loss data and disseminate it to member banks
Heat Map Purpose
Visual prioritization of risks
Bow-Tie Analysis Purpose
Detailed cause-effect risk analysis
RCSA Purpose
Risk identification and control evaluation
Heat Map Focus
Prioritizing risks by impact/likelihood
Bow-Tie Analysis Focus
Preventive and mitigating controls
RCSA Focus
Operational-level risk management
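The two practical points on this page are that losses must be recorded against a fixed taxonomy on a consistent basis (the Basel seven event types above) and that a heat map prioritizes risks by likelihood and impact. The following is an added example, not code from the flashcards or any regulator: a minimal loss-event register that rejects records outside the seven-type taxonomy instead of silently accepting them, aggregates accepted losses per event type, and scores risks onto a 5x5 heat map. The `LossEvent` fields, the sample events, the 1-5 rating scales and the red/amber/green band thresholds are all assumptions chosen for illustration.

```python
"""Added example (not from the source page): loss-event register with
taxonomy enforcement plus a likelihood x impact heat map.
All sample events below are constructed, not real loss data."""
from collections import defaultdict
from dataclasses import dataclass

# The Basel-defined seven event types quoted on the page. Any other label is
# a taxonomy violation and must be rejected, not stored.
BASEL_EVENT_TYPES = frozenset({
    "Clients, Products and Business Practices",
    "Business Disruption and System Failures",
    "Execution, Delivery and Process Management",
    "Internal Fraud",
    "External Fraud",
    "Employment Practices and Workplace Safety",
    "Damage to Physical Assets",
})


@dataclass(frozen=True)
class LossEvent:
    """One recorded loss. Field names are assumptions for this example."""
    event_id: str
    event_type: str
    gross_loss: float  # in the organization's reporting currency
    description: str

    def __post_init__(self):
        # Enforce the taxonomy at write time so the database stays consistent.
        if self.event_type not in BASEL_EVENT_TYPES:
            raise ValueError(f"{self.event_id}: unknown event type {self.event_type!r}")
        if self.gross_loss < 0:
            raise ValueError(f"{self.event_id}: gross loss cannot be negative")


def record_events(raw_rows):
    """Validate raw rows; return (accepted, rejected) so bad rows are visible
    for root-cause follow-up rather than silently dropped."""
    accepted, rejected = [], []
    for row in raw_rows:
        try:
            accepted.append(LossEvent(**row))
        except (ValueError, TypeError) as exc:
            rejected.append((row.get("event_id"), str(exc)))
    return accepted, rejected


def losses_by_type(events):
    """Aggregate count and total gross loss per Basel event type."""
    totals = defaultdict(lambda: {"count": 0, "total": 0.0})
    for event in events:
        totals[event.event_type]["count"] += 1
        totals[event.event_type]["total"] += event.gross_loss
    return dict(totals)


def heat_map_cell(likelihood, impact):
    """Score a risk rated 1..5 on each axis. Band thresholds are an assumption:
    15+ red, 8..14 amber, below 8 green."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be rated 1..5")
    score = likelihood * impact
    band = "red" if score >= 15 else "amber" if score >= 8 else "green"
    return score, band


def prioritize(risks):
    """risks: iterable of (name, likelihood, impact). Returns a list of
    (name, score, band) sorted highest score first, i.e. heat-map order."""
    scored = [(name, *heat_map_cell(lik, imp)) for name, lik, imp in risks]
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample rows; LE-004 uses a label outside the taxonomy on purpose.
SAMPLE_ROWS = [
    {"event_id": "LE-001", "event_type": "Execution, Delivery and Process Management",
     "gross_loss": 5400.0, "description": "Vendor paid $6,000 instead of $600"},
    {"event_id": "LE-002", "event_type": "External Fraud",
     "gross_loss": 25000.0, "description": "Retail branch robbery"},
    {"event_id": "LE-003", "event_type": "External Fraud",
     "gross_loss": 8000.0, "description": "Account takeover via phishing"},
    {"event_id": "LE-004", "event_type": "Cyber",
     "gross_loss": 3000.0, "description": "Mislabelled row; should be rejected"},
]

SAMPLE_RISKS = [
    ("Prolonged core system outage", 2, 5),
    ("Invoice data entry error", 5, 2),
    ("Internal funds diversion", 1, 4),
]

if __name__ == "__main__":
    ok, bad = record_events(SAMPLE_ROWS)
    print(losses_by_type(ok))
    print("rejected:", bad)
    print(prioritize(SAMPLE_RISKS))
```

The rejection path is the point: a row labelled "Cyber" is a real loss, but storing it under an ad hoc label would break the consistent basis the page calls for, so it is returned to the caller to be re-classified (here it would belong under External Fraud or Business Disruption and System Failures depending on its root cause).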