Oprisk Flashcards

1
Q

Risk Capacity

A

level of risk the firm’s resources can tolerate / ability to withstand the worst-case outcome of risk taking

2
Q

Risk Appetite

A

expression of risk boundaries / desired level of risk taking

3
Q

Risk Appetite -

  1. e.g. of quantification
  2. escalation
  3. link to loss expectation
A

e.g. no appetite for individual losses above $x within 12 months.

Losses above $y reported to risk committee

Loss expectation is effectively its appetite -should be included in the budget. Most financial institutions expect to lose 2% of revenue annually to OpRisk.

3
Q

Risk Appetite zero eg

A

If the appetite statement says zero appetite for phone outages, and a 30-minute outage lost $5k while a backup system costs $60K, is the firm willing to invest?

5
Q

Risk Culture

A

policing of risk appetite / incentives

6
Q

Threshold for investigation

A

What op risk threshold triggers investigation (what does it mean, AUO?)
$10k? Is the EB okay with this? Give them the analysis.

7
Q

Requirements in Policy

A

-start with: what are the obligations? What do we do on top of that?

8
Q

Communication tip

A

Policy approved -email to all staff -1 thing I want you to remember: we’ve changed the threshold for op risk events from 8K to 10K

9
Q

Mtgs op risk

A

don’t say “monthly, discuss all incidents over 10K”. What is the obligation? Put it in the policy and ensure it is done, e.g. meet quarterly on incidents >50K or 100K

10
Q

Exceptions approved?

A

Yes no

11
Q

Stress tests

A

must perform monthly, qtly, yrly

12
Q

Process flows every area -ask 3 qs:

A
  1. Are controls effective?
  2. Is there proper reporting?
  3. Is risk part of everything we do?
13
Q

Incident reporting

A

if 29 events in year, 14 full op losses, ensure reports for each

14
Q

3 lines alternatives:

A
  1. Initial control
  2. Challenge
  3. Assurance
15
Q

Diagram op loss by category -% of total loss

A
  • damage to physical assets
  • business disruption, system failures
  • internal fraud
  • employment practices & workplace safety
  • clients, products and business practices
  • external fraud
  • execution, delivery & process mgmt
16
Q

Risk assessment lifecycle

A

1. Define risk assessment units (e.g. settlements, finance etc.);

Determining risk

  • function approach (easier to find an owner, not easy end-to-end) e.g. asset mgmt -private banking, mortgage etc.
  • process approach (easier end-to-end, easier on hand-off points -biggest risk; difficult to find one owner) e.g. onboarding -KYC, account setup etc.
  • blended e.g. asset management -client onboarding

Risk assessment
1. heatmap:
Risk name (lending, fees, external fraud, legal violations, employee discrimination, privacy, systems failure, sustainability)
Inherent risk of each of the above (H, M, L)
Linked control (regulatory rules matrix, privacy procedures, regular salary demographic analysis etc.)
Linked process (client onboarding, credit underwriting, account setup, transaction monitoring, regulatory reviews, salary audits, securities trading)
Notes (recent audit findings, no recent findings, non-critical audit findings, parallel servers not up-to-date)

17
Q

2. top down workshops

A
  • mgmt determines inherent risk
  • sr mgmt priorities, hand-offs, people set impact and ranking. Top down e.g. scenarios (may not be found with a walk-through)

Helps us identify emerging risks -if we talk about a competitor in scenarios and what happened to them, there might be a new risk to worry about

Initial risk qs:

  1. top risks ranked (e.g. AML, data protection, IT related) -which processes carry the highest risk?
  2. state of controls to deal with the risks?
  3. control gaps?
  4. who owns the action plans to address gaps?
  5. what was learnt to apply to the next risk assessment cycle?

(Buy-in, getting people to admit to issues, needs high level support.
Short email saying: in prep I want to consider scenarios affecting your part of the org. “What if” we lost power at both offices at the same time? How would losing one site affect us? Gets people talking about how to deal with scenarios. Ask for a list of internal events that happened, losses in the last 2 yrs -if nothing, then ask: I see a lot of IT issues -is this power, people?
On KYC -ask how they get documentation? Do customers come to the branch?
Ask the q -can this happen here?)

Scenarios

  • construct from peer loss events (Get GEMS data)
  • history of breaches internally e.g. jeopardize customer info, rogue trader etc.
  • new scenarios where potential IC fail/repu risk occur
  • link new scenarios to pre-workshop materials
  • Eg 1 pager

Facilitator

  • ask about Audit findings on risk X,Y,Z -does this risk concern you and how? (Read AUO reports) risks identified in audit findings?
  • look at risk taxonomy, x risks not discussed -what are exposures?
  • what processes carry highest risk?
  • hand-offs -what you do with it once received? Higher risk on handoff, hand-ins

Nice documentation of eg on disaster recovery -key risks, controls, external, internal losses, KRIs, quick color coding on top

18
Q

3. identify controls

A

-Bottom up e.g. process mapping (seen by the people working with the related processes)
Material risks from the top down approach drive the process part of the risk assessment

19
Q

4. process reviews

A
  • Walkthroughs, process maps, find control gaps -document owner, team members, compliance persons; where the obligations are
  • where controls break, when a process crosses a boundary; swim lane
  • talk about how a loan is put together -yellow stickies and find things not aware of
  • look for segregation issues, reporting of loss events, poor audit
  • look for increases in volume; a 300% uptick means more errors
  • helps develop KRIs
20
Q

5. control substantiation/assessment

A

-determines control effectiveness
-bottom up view of the effectiveness of the control environment
-controls mapped via the above
-linked to material top down risks -should be assessed first
-start with 1. is the control effective/well designed (design)
-then 2. how effectively is the control executed / quality of execution (performance)
-both of the above look at control effectiveness (design) and performance (execution) -best way is a walkthrough
-better to have an effective control that is easy to do and automated than a manual one
E.g. a report from the system that shows what’s executed in the day vs tick boxes
-control 1/week: if an account is reactivated, what happens after?
-need a rating scale for both of the above
E.g. control on monthly a/c recons -done but manual and ad-hoc. We come back in a month to walk through and test whether it is effectively designed and effectively executed.
-Test executed effectively (performance), following qs:
1. does the control occur at the right frequency?
2. does the control occur at the right point in the process? E.g. ahead of or concurrent with
3. does the executor have proper knowledge/expertise?
4. attributes of the control e.g. detective (implemented concurrent or post-execution) or preventative; key (primary to mitigate the risk) or non-key (supplement key, do not mitigate risk on their own); manual/auto; impact of implementation?

-Hierarchy evaluating control effectiveness: ROEI (1.Reperformance, 2.Observation, 3.Examination, 4.Inquiry -for lower risk areas)

  • Control testing/substantiation programme qs:
    1. independence -control validation is not performed by the person responsible for executing the control or by anyone in that person’s chain of command
  • E.g. payments, maybe lots of non-key controls and the key control is that only 1 person has authority to make a payment.
  • not pass/fail, but is it well designed, quality executed?
  • sample size? Too large is costly esp. re-performance -balance population, frequency, severity of risk
21
Q

6. identify issues

A

things:

  1. issue of ineffective controls/gaps identified and articulated
  2. linked to corporate taxonomy for tracking
  3. root cause analysis
22
Q

7. design action plans

A
  1. action plan owned/executed by the business but validated by Controllership to address root cause
    - 14 actions from assessment, 12 completed, 2 not done, 3 months overdue
  2. progress on implementation of action plan monitored in corporate system, reported to governance committees
  3. closure of action plan is a formal tollgate process to ensure it addressed the issue
  4. if execution requires time, compensating controls in the interim
  5. newly implemented control tested at least 1 time in the 12 months after execution to ensure it is working
23
Q

8. oversight and monitoring

A

.

24
Q

9. management validation

A
  • Residual risk calculated before this step and over-ridden if necessary based on knowledge and appetite (in some areas like AML, any level of risk is managed)
  • mgmt team together -these are the risks found, these controls are improving, new level of residual risk
25
Q

Barings lessons learnt:

A
  1. Internal processes -lack of segregation, no reporting of loss events, poor audit
  2. People
  3. Systems -88888 account
  4. External events -earthquake
26
Q

If outsource, think risk assessment (do AML etc checks)

Qs:

A
  1. inherent risks
  2. does the 3rd party interact with customers?
  3. laws/regs, AML
  4. transparency of its ops
  5. BCP/DR/IT security/HR
27
Q

If new product/service -qs:

A
  1. inherent attributes raise the risk profile of the entity e.g. cash or payment may carry higher AML risk
  2. customers -attracts customers of higher risk for AML e.g. PEPs
  3. geography -local regs/OFAC issues?
28
Q
  • Measuring op risk gets insights into our performance against our appetite. KRIs -both backward and forward looking, then link to higher goals e.g. maintain losses at no more than x% of revenue by implementing new STP, & resolve exceptions within a 2-day turnaround
  • E.g. table of $appetite and $tolerance
A

.

29
Q

-Expected loss (cost of doing business -going to lose 2% on risk appetite in investment banking) and Unexpected loss (less frequent, higher severity, unusual cause -should be the focus of sr mgmt; need to express appetite in a similar way as for expected loss).
Unexpected loss -table of top risks e.g. fraud, 1 in 25 yrs 12m, appetite 10m, tolerance 20m; profile: green, amber, red; status with arrows straight, down, up; mgmt view: green, amber, red. Need to see things, and small things lead to big.
Loss investigation table of 5 step approach:
1. reference existing framework -quantification, was the loss foreseen by scenarios/KRIs, ‘back test’ against risk appetite.
Is it a near miss or a dollar loss? If a large loss, inform quickly. Expected or not? Should we have expected it based on risk appetite?
2. assess process & control weaknesses -were controls missing or did they fail? Multiple control failures? Dependencies on IT, 3rd parties?
3. assess mgmt accountability (mgmt weakness/behaviour, mgmt responses, incentives, sanctions)
4. address remediation/mitigation (control gaps, ST actions, tech experts, LT recommendations)
5. report to governance forum (explain findings, remedial actions, approval of remediation/mitigation, follow-up, implementation status)

Is loss data being collected to check performance against risk tolerance/appetite/capacity?
Have OpRisk events not been passed to the GL?
Benchmarks -a bank of our size and complexity should be losing x% of revenue on internal fraud. We have 2x or 3x that -is something wrong with our processes?
Incident reporting:
-loss event date, discovery date (if too long -highlights an issue), capture date, detection point -where was it found? Found by a control process? If audit found it, then bad, too late; if 1st line finds it, good; staff ID, date entered in GL, risk category (Basel?), org unit (bearing the loss), counterparty/client, product/process, loss description, direct/indirect impacts, recovery amt, loss type (expected, unexpected, group loss), control failure, root cause, mitigating actions

When calculating (using hybrid statistical & qualitative methods) the regulatory capital allocation for the 3 risks (credit, operational, market), start with oprisk data:

  1. internal loss data (ILD)
  2. external loss data (ELD)
  3. Scenario data (SD)
  4. Bus envir & IC factors (BEICF)
A

.

30
Q

KRIs
-monitor risk exposure at a particular instance/period of time. Early warning tool of potential risk exposures
-E.g. # failed trades/day e.g. 420, out of how many in a day e.g. 1K or 1m, and over 1 month? If we see a big increase in # failed trades, there is an issue within a few days.
-KRI framework:
-Pilot -buy-in
-KRI selection (inputs: new business or products)
-confirm data, source and metrics
-frequency of data collection & reporting
-limits and thresholds
-exception management & reporting -feeds back to refine limits, thresholds and appetite
If implemented well, KRIs help quantify risks, give opportunities to improve processes, link KRIs to risk causes, monitor exposure to adverse events before they occur, set working-level risk appetite based on event frequency, help scenario analysis and stress test exercises
-E.g. if volume increases massively, or cash transactions peak, what does that mean for increased risk, knowing the processes already.
-E.g. staff turnover, transactions in different parts of the org, different days, months, weeks
-E.g. AIB John Rusnak -increasing amounts of capital tied up in currency markets should have been an indicator

KRI & processes -map processes, understand the profile of exceptions/errors (numerators) vs volume (denominator). Most useful KRI: cash transactions / team member

  • effectiveness of controls within each process, measured against predetermined thresholds/tolerances
  • objective KRI data avoids the pitfalls of self assessment
  • if we see <1% errors, it’s green; if 5% errors, orange etc. RAG status (but avoid the oversimplification that two ambers = red)
  • Some KRIs target underlying causes/process failure e.g. volumes -large increases in volume of work expected e.g. loan applications 200-300% up, underwriting staff under pressure making errors and taking shortcuts; staff turnover or sickness rates an indicator of morale/engagement; customer complaints of conduct issues

Select appropriate KRIs -good diagram
E.g. good KRI -time between, i.e. avg time between a dormant account being activated and a loan being taken out on that account.
Major risks in processes e.g. cash leaving the org
Thresholds for KRIs trigger management escalation -market benchmarks

A

.

31
Q

Toolsets and reporting
-nice diagram: controls within processes, then itemize and assess risk
-precanned reports e.g. losses by category of business area by month, trends in relevant KRIs,
heat map assessment results
Outstanding issues and actions

-make reports user friendly, not a ‘dump’ of data

A

.

32
Q

Risk Capital Charge

A

-credit, market, operational risk quantified

32
Q

Scenarios

A
  • can be linked to processes, controls, contingency plans
  • quantify scenarios -assessment template
  • frequency of losses in ranges 0-1m, 1-10m, 10-100m, >1b
  • impact assessment e.g. est. total frequency, 50th percentile loss, 80th percentile loss, 99th percentile loss
34
Q

Insurance to hedge operational risk

A

E.g. Riggs Bank AML

  • no risk assessment system to identify high risk accounts
  • inadequate client info
  • lack of process to handle PEP accounts
  • failure to do enhanced monitoring of high risk accounts
  • failure to monitor wire transfer activity
  • failure to detect/report suspicious activity
  • untimely IA
  • inadequate AML training