Operational Risk and Resilience Flashcards
Operational Risk Definition
the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events
Operational risk steps
(1) risk identification
(2) risk assessment
(3) risk mitigation
(4) risk monitoring.
Risk identification
determine as many relevant risks as possible that could negatively impact the firm’s business goals.
Group brainstorming activities and interviews with staff might be used in this step.
Risk assessment
involves determining the probability and severity of the risks identified as a means of prioritization. Tools such as stress testing and scenario analysis would be used in this step.
Risk mitigation
looks to minimize or eliminate risks that have a high probability of occurring or high severity if they occur.
Methods such as internal controls, purchasing insurance as protection, or minimizing exposure are commonly used in this step.
Risk monitoring
verify if the risk management process is operating as expected and if the firm’s operations are robust. If not, then the risk management cycle continues again with remedial actions taken in the first three steps before performing another step of risk monitoring and evaluation. Reviewing incident reports and developing key risk indicators would occur in this step.
Operational Risk categories from Basel
Internal fraud (IF)
External fraud (EF)
Employment practices and workplace safety (EPWS)
Clients, products, and business practices (CPBP)
Damage to physical assets (DPA)
Business disruption and system failures (BDSF)
Execution, delivery, and process management (EDPM)
Operational risks - general attributes
(1) heterogeneous
(2) idiosyncratic
(3) heavy tailed
(4) interconnected
(5) dynamic
Operational Resilience items
Business continuity.
Key services.
Impact tolerance levels.
Disruption processes.
Feedback.
Business continuity.
This focuses on minimizing the disruptions to business processes.
Key services.
This focuses on determining and ensuring that the absolute, most critical business services can continue with little or no disruption.
Impact tolerance levels.
This is similar to the acceptable disruption time of a key service or the time needed to recover from an incident.
Disruption processes.
This focuses on how to respond to disruptions, retaining the confidence of important stakeholders, and effective communication during disruptions.
Feedback.
This focuses on takeaways from past incidents to prevent similar problems from occurring in the future. The goal is to always enhance the ability to deal with unexpected, high-impact events.