Part 1 - Risk Identification

Question 1

Types of operational risk

Answer 1

• Internal Fraud - employees fraud, unauthorised activity from employees
• External fraud- theft, hacking etc
• Employment practices and workplace safety - disputes, safety issues.
• Clients, products, biz practices - client complaints, product issues
• Damage to physical assets - destruction due to events like wildfires, natural disasters etc.
• Business disruption and system failures - IT failure
• Execution, delivery and process mgmt - processing errors

Question 2

Risk mgmt sequence

Answer 2

Preventive controls
Understand risk exposure, stratergy and environment

Risks/events
Become incidents when the effects are materialised

Corrective controls and incident mgmt
Manage the fin. and non fin. impacts

Question 4

Operational risk definition

Answer 4

the risk of loss as a result of ineffective or failed internal processes, people, systems, or external events that can disrupt the flow of business operations.

Question 5

4 Risk management actions and tools to manage the risk

Answer 5

1. Risk identification - identify exposures and vulnerabilities, risk wheels, root causes of impacts, past loss/near miss data, process mapping.
2. Risk assessment - Expected losses as a result of certain risks, RCSA scenarios
3. Risk Monitoring - KPI and KRIs, risk reporting
4. Risk Mitigation - internal controls+testing, bow-tie analysis, preventative action plans

Question 6

Top down risk analysis

Answer 6

• Typically performed 1-4 times a year depending on risks/growth levels
• Top level mgmt identify major risks - CRO, executive committee/BoD, LOB heads
• primary objective = identify major business threats that could impact strategic objectives. Focusses on risks that have significant implications for the firm’s future.
• Risks are identified using brainstorming workshops, exposure reviews, risk wheels and casual analysis
• Create the high level inputs for risk and control self assessments (RCSAs) to ensure identified risks are systematically managed throughout the organisation

Question 7

Bottom up risk identification

Answer 7

• Focusses on detailed process level risks.
• Better for smaller organisations
• concentrates on local vulnerabilities and gives granualr risk views for specific business orgs
• Uses process mapping to task, identify risks and identifies how/where these may arise in a process function.
• Employees/process specialists are interviewed to understand risks of specific processes
• Outcome=detailed risk register highlighting smaller risks (often missed by top down). Creates a comprehensive risk landsacpe

Question 8

Examples of risk exposures

Answer 8

• Key distribution channels
• Major clients
• main suppliers/supply chain security
• Critical systems
• Regulatory exposuremain revenue generating activies
• Brand value

Question 9

Examples of key vulnerabilities

Answer 9

• Weakest links
• Fragile systems/old systems
• At risk revenue channels
• unintegrated systems/processes
• parts of the business not keen to adopt risk mgmt practices
• small unmonitored systems/operations
• Unmaintained systems
• BCP due for testing or updates

By identifying exposures/vulnerabilities it allows organisations to mitigate more specific risks that typical generic risks may not discuss

Question 10

Risk Wheels

Answer 10

• Used to spark creativity to consider a broader range of risks in brainstorming sessions
• The wheel is made up of a broad number of high level risk types that have high/low level risks that need to be identified and managed
• Risk wheel components: strategic objectives, political and social risks, tech risks, legal risk, nautral events, etc
• • = helps highlight the connections between different risk types, encouraging discussions on various risk themes.
• Useful for financial and non financial firms to understand potential risks and their impacts

Question 11

Root cause analysis

Answer 11

• Drills down to the route causes of risks to identify issues.
• focusses on the impact of risk on reputation/revenue sources
• Allows organisations to implement targeted risk management stratergies

Question 12

Process mapping

Answer 12

• Process mapping establishes tasks and maps controls with corresponding risks, providing a visual
  representation of processes and associated risks.
• Common in IT, operations and project mgmt to identify risks in specific operations
• Granular detail level however, higher level can be useful to understand an overview of risk drivers
• Highlights over or under controlled risks and allows a more balanced risk approach is implemented. Gives a comprehensive view of processes and their risks
• Often modelled with flow charts

Question 13

Interviews of key staff

Answer 13

• New and experienced staff can offer insights into operations and their potential risks
• ‘Auditing with your feet’ technique to gain firsthand insights into op risks.
• ‘Amazement reports’ - new hires offer first impressions/surprises to help identify risks that have potentially been overlooked.
• Help understand + and - from different perspectives to help identify risks that may otehrwise be missed.
• Can often provide more practical insights than formal reports

Question 14

Scenario analysis

Answer 14

• Essential for calculating regulatory capital (AMA)
• Focusses on high severity and low frequency events
• Not limited to financial impact - includes overal mgmt of events

Question 15

Steps of scenario analysis

Answer 15

1. Preparation and governance
2. risk generation and selection
3. assessment
4. Validation
5. Incorporation into mgmt
6. scenario aggregation
   incorporation into capital

Question 16

scenario preparation and governance pack contents

Answer 16

• External loss data
• internal loss data - post incidents/near misses
• RCSA results
• key risk indicator scores
• Audti issues + other issue logs
• concentrated exposures and vulnerabilities
• Any other relevant docs

Question 17

4 main rules for scenario generation

Answer 17

• Focus on quantity - idea that quantity breads quality
• No criticism - supportive atmosphere where everyone can express ideas, even if they’re a bit fruity
• Encourage unusual ideas - can lead to new important ideas
• combine and improve upon ideas - blending ideas to create new ones

Facillitator has a role to drive discussion and these points.
It is important that biases are ironed out by not over estimating the impact of the most recent events or focussing excessively on external factors

Question 18

Risk management taxonomy

Answer 18

• Preventative - aims to reduce liklihood of risks materialising by mitigating their possible causes.
• Detective - takes place during/straight after an event to reduce impact. There is a preventitive element if detection also identifies the cause.
• Corrective - this reduce impacts by incidents. damage repaired/loss compensated by usin backups/redundancies
• Directive - guidelines and procedures that structure the mode of operations to reduce risk.

Provides a framework for identifying/managing risks as well as alligning them with mgmt practices across the org. helps promote communication between stakeholders.

Question 19

Risk taxonomies should identify

Answer 19

• Risk causes
• The actual risks
• the impacts of the risks should they materialise
• the controls to prevent risk materialisation

Question 20

Developing a risk taxonomy

Answer 20

• Identify key risk categories for the org
• define each risk category with specific examples
• Map risks to business objectives and processes
• Regularly review and update it

Question 21

Benefits of a robust risk taxonomy

Answer 21

• Enhances clarity and consistency of risk identification
• Imporves risk assessment/mitigation
• Enables better risk reporting/communication
• Supports reg. compliance/risk governance

Question 22

Done