Operational Risk Flashcards
Types of Risk in Regulatory Definition
Internal fraud, external fraud, employment practices and workplace safety, business practices (client facing), damage to physical assets, business disruption and system failures, process management.
Unofficial definition
Operational risk is everything that is not credit and market risk.
Risk management framework
A representation of actions, techniques or tools deployed to manage the risk of an entity.
Four main activities of risk management
Risk identification, risk assessment, risk mitigation and risk monitoring.
Corollary definition of risk
Risk of an impact, due to an event, caused by a cause.
Exposure
The surface at risk.
Environment
This refers both to external and internal environments, which are controllable only to a certain extent.
Internal business environment
The organizational features of the firm, such as effective straight-through processing, competent staff and inspiring leaders.
Strategy
The most controllable part of risk causes. A major driver of exposure to operational risk.
Events
Risks turn into ‘events’ or ‘incidents’ when they become a reality rather than a possibility. An event is the materialization of a risk.
Preventative controls
Besides process design and sensible organization of tasks, internal controls are the main methods for risk reduction.
Corrective controls
Reaction once an incident occurs, early intervention and contingency planning.
Risk identification
Exposures and vulnerabilities, risk wheel, root causes of impact, past losses and near misses, process mapping interviews.
Risk assessment
Expected losses, RCSA, scenarios.
Risk mitigation
Internal controls & testing/bowtie analysis + preventative action plans.
Risk monitoring
KPI, KRI, risk reporting.
Examples of top down
Risks to strategy, emerging risks, global trends, major threats.
Examples of bottom up
Operational efficiency, organized processes, efficient systems, competent staff.
Types of Exposures
Key distribution channels, main clients, main suppliers and third parties, critical systems, regulatory exposure, main drivers of revenues, brand value.
Types of Vulnerabilities
Weakest links, fragile systems, revenue channels at risk, systems or processes not integrated, parts of the business resistant to risk management, unmonitored operations or people, unmaintained systems, BCP due for testing or updates.
The Risk Wheel
Governance, strategic objectives, reward & value, political & social, reputation & ethics, technology, project & change, regulation, legal liability, natural events, information, business continuity.
Scenario analysis
The assessment and management of the exposure to high severity, low frequency events on the firm.
Scenario analysis steps
Preparation and governance, generation and selection, assessment, validation, incorporation into management, scenario aggregation, incorporation into capital.
Preparation documents
External loss data, internal loss data, RCSA results, key risk indicator scores, audit issues and other issue logs, concentrated exposures, relevant documents for risk and exposure assessment.
Internal fraud
Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, and which involve at least one internal party.
External fraud
Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.
Employment practices and workplace safety
Losses arising from acts inconsistent with employment, health, or safety laws or agreements, from payment of personal injury claims or from diversity/discrimination events.
Clients’ products & business practices
Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product.
Damage to physical assets
Losses arising from loss or damage to physical assets from natural disaster or other events.
Execution, delivery, and process management
Losses from failed transaction processing or process management, or from relations with trade counterparties and vendors.
Basel definition of operational risk
The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Preventive
The aim is to reduce the likelihood of risks materializing by mitigating their possible causes.
Detective
This takes place during the event or soon after, with early detection helping to reduce impact. There is a preventive element if detection also identifies the cause of an incident.
Corrective
This reduces impacts caused by incidents. Damage is repaired or loss is compensated for by using backup and redundancies.
Directive
This comprises guidelines and procedures that structure the mode of operations to reduce risks.
Risk appetite
Qualitative statements, implicit risk/reward tradeoff, or pure risk avoidance at a cost, per risk category.
Risk tolerance
Metrics translating appetite, value at risk, indicators, budget.
Key controls
Internal controls and processes ensuring the respect of risk limits.
Risk limits
Key indicators and thresholds that allow monitoring; loss budget or incident tolerance.
Governance
What to do if limits are breached, risk owners and accountabilities.
KRI
Key Risk Indicator.
Top four KRIs
Aggressive profit growth targets, under-investment in infrastructure and people, regulatory negligence, top-level wishful risk appetite statements that are not consistently tied to actual controls and limits.
RCSA
Risk and Control Self-Assessment.
RAU
Risk Assessment Unit.
Assessment dimensions
Probability of occurrence, impact if occurring, velocity.
RSA
Residual risk self-assessment.
Key risks exposures
A view of the magnitude of impacts if key controls are missing or failing.
Four types of impact
Financial, regulatory, customer, reputation.
SMA
Standardized Management Approach.
IMA
Internal Modeling Approach.