Part 2 - Op risk mgmt Flashcards
Risk connectivity
= means the interdependence between different risks
Recognising the interconnections helps identify ripple effects in the org. caused by 1 root risk - creates more comprehensive risk strategies.
Better identified by experienced professionals than complex data sets
Importance of risk connectivity
- understanding it helps identify hidden vulnerabilities that may not be obvious otherwise
- Helps anticipate how one risk triggers others and how to manage cascade effects
- enhances risk mitigation strategies
- improves decision making in prioritising certain risks based on their connectivity
Risk networks
- Visual model of connections between different risks
- Nodes are used to represent risks and the lines connecting them represent the interdependency of the risks.
- Helps model the risk landscape of a firm
They can also represent the likelihood of contagion of risks using colours
Creating risk networks
- Identify all key risks and list them
- Map the connections between the different risks through cause/effect relationships
- Analyse connections and their strength to understand impact
- Create a risk network model to visualise the connectivity
3 tools for analysing risk connectivity
- Causal loop diagrams show cause and effect relationships between risks, helping to identify feedback loops and effects.
- Bow tie analysis visualises risk pathways and possible control measures - helps understand scenarios and mitigation strategies.
- Network analysis software like Gephi and UCINET can map and analyse risk networks in detail, enabling a deeper understanding of risk interdependence/networks
positives of risk networks
- Gives a holistic view of risk landscape=comprehensive risk mgmt
- Enhances predictive capabilities
- Improves resource allocation by focussing on the most critical risk connections
- Supports effective decision making and communication
- helps develop more comprehensive risk mgmt strategies
Challenges/negatives of risk connectivity analysis
- complexity of identifying and mapping all relevant connections between risks
- Need for accurate and detailed data on risk events - needs continuous data collection and analysis
- dynamic nature of risks means networks need regular updates
- potential for data overload if the information isn’t properly managed, makes it very hard to read/understand
Risk connectivity mgmt best practices
- Regularly update risk networks for changing environments
- involve cross functional teams to diversify the perspective
- use advanced analytical tools to increase accuracy
- integrate risk connectivity analysis into overall risk framework
- provide training and a risk aware culture
Risk appetite meaning
= the amount of risk a firm is willing to take to achieve its objectives
* It is critical to risk mgmt as it establishes the boundaries within which the firm can operate by balancing risk and reward
Angles of risk appetite examples
- Balancing risk and return in investments - higher risk = higher potential return
- Credit risk lending - interest rates based on borrower risk of default
- credit/market risk trade offs - accepting risk to increase returns
- operational risk considered a burden as it doesn’t generate financial return, therefore firms often have a low/zero risk appetite.
- balancing benefits and returns - op risk must be managed to balance returns with the possibility of a severe event
- risk appetite must be tied to exposure limits, controls etc
Importance of risk appetite
- Aligns risk taking with organisational strategy and objectives
- provides a framework for consistent decision making
- helps maintain a balance between risk and opportunity
- Enhances stakeholder confidence by demonstrating controlled risk taking
Risk appetite structure
- Risk appetite - qualitative assessment, implicit risk/reward trade off per risk category
- risk tolerance - metrics, value at risk, indicators, etc
- key controls - internal controls to manage limits
- risk limits - KPIs, monitoring, loss/budget tolerance levels
Process of establishing risk appetite
- Assess current risk profile - evaluate risk exposure and alignment with strategic goals
- Stakeholder engagement - loop in key stakeholders to get their perspective
- define risk appetite - create a risk appetite statement
- Communication/implementation - communicate the risk appetite across the firm and integrate into decision making process
- Monitoring and review - regularly monitor and review the risk appetite to ensure it remains relevant/effective
Risk appetite framework
- Governance structure - define responsibilities for setting/overseeing risk appetite
- risk assessment process - implement processes and assess/measure risk against the appetite
- reporting/escalations - mechanisms to escalate appetite breaches
- integration with strategic planning - ensure appetite is integrated into strategic planning.
Challenges of setting a risk appetite
- Balancing risk/opportunity - finding the right balance between risk and opportunity
- quantify risk appetite - difficult to quantify certain risk and translate into metrics
- communication and staff engagement - ensuring appetite is understood and implemented by staff
- adapting to change - regularly update appetite to reflect change in risk landscape
Benefits of a well defined risk appetite
- enhanced decision making based on firm’s goals
- improved risk mgmt, identification and mitigation
- increased stakeholder confidence by taking controlled, calculated risks
- ensures risk taking is aligned to the firm’s strategy
- regulatory compliance - keeps regulators happy
Top down approaches to risk appetite
- Adjusting risk policies - the board may have to adjust risk policies to cover gaps identified in risk assessments
- regulatory and standard practice - regulators enforce changes to their laws/rules or specifically make the firm adjust their risk mgmt due to inadequacies
- Revealing discrepancies - compare top down and bottom up risk assessments/appetites to reveal discrepancies and amend them
Bottom up approach to risk appetite
- observe risk taking behavior at a process/business practice level and assess risk appetite from the findings
How risk appetite aligns to the rest of the risk framework
- Board level - how much risk capital the firm holds compared to the min reg. requirement - more capital=more risk appetite
- business line level - how much risk is taken in the actions of the LOB in the day to day process
- Risk management tools - used to communicate risk appetites within business units
- firm-wide KRIs so LOBs can link their risk appetite to the strategy of the firm and adjust it accordingly
- loss tolerance - both financial and non-financial loss, ie disruption to customers
- process based KRIs and incident monitoring
Key risk indicators for operational risk
- Aggressive profit growth targets
- under-investment in people and infrastructure
- regulatory negligence
- top level wishful risk appetite statements that are not consistently tied to actual controls/limits
Risk and Control Self Assessments (RCSA) process overview
- define the RCSA objectives and gather relevant data
- identify key risks and corresponding controls
- assess likelihood/impact of identified risks and the effectiveness of their corresponding controls
- develop action plans to address weak areas
- document and report the findings of action plans
- monitor the implementation of action plans and review/update the RCSA process
Risk and Control Self Assessments (RCSA)
= is a systematic process for identifying and assessing risks and controls within a firm
helps to evaluate the effectiveness of risk management practices and control mechanisms.
- enhances risk awareness and ownership in a firm
- identifies potential risk exposures and control weaknesses
- provides a structured approach for continuous risk mgmt
- supports regulatory compliance and risk governance
Components of RCSA
- Risk identification - identify risk posed by business processes
- risk assessment - evaluate the impact/likelihood of the risks if materialised
- control identification - identify existing controls
- Control assessment - evaluate the effectiveness of existing controls
- action plans: developing action plans to address control weaknesses and enhance risk management
RCSA exercises completed when building one
- Key risk exposures and their impact if controls fail
- assessment of controls (preventative and detective) effectiveness
- estimates the expected losses if the risk materialised
- estimates of stress shortfalls or stressed losses - ie a worst case scenario model of the losses
- list of further mitigating action plans for residual risks that sit above the risk appetite allowance
impact scales
- relative impact scales - impacts are often measured in % and are adaptable to different business sizes but are harder to interpret
- Most firms use 2 impact scales - a whole firm scale and an LOB scale - however, this creates challenges when comparing results.
- 4 point scale - many firms use a 4 point scale, removing insignificant impacts to focus on meaningful risks
- firms may employ multiple different risk scales as ‘one size fits all’ is often not the case.
likelihood scales
= measures risks by their frequency - ‘occurring once in every X years’ and their % chance of occurring the following year.
* This is critical for risks like cyberattacks, tech changes, regulatory conditions etc - large events
* likelihood scales have moved to a 4 point scale
* facilitators must ensure the same definitions are used by all parties to ensure consistency across the firm
Impact scales
= measures the impact of a risk materialising
Can be broken down into
* extreme impact - impact large enough to threaten a firm’s survival
* major impact - doesn’t threaten survival but immediately gains the attention of top level mgmt
* moderate - significant but is dealt with internally with minimal external impact
* low - large enough to qualify as an event but is just considered a cost of doing business
Heatmaps
using heat maps can indicate the relationship between impact and the likelihood of a risk materialising.
For example, low impact low likelihood events may be green and rare likelihood extreme impact events will be bright red
Risk identification techniques
- brainstorming sessions - engage employees in identifying potential risks through structured brainstorming sessions
- Process mapping - visualises business processes and identifies risks at each step
- interviews and surveys - conduct interviews and surveys with key stakeholders to gather insights on potential risks
- Review of past incidents - analyse past incidents and near misses to identify recurring risks
Risk assessment methods
- Qualitative assessments - use subjective judgement to evaluate the likelihood and impact of risks
- quantitative assessment - numerical data/models to assess risk
- risk matrix - create a risk matrix to visualise risks based on likelihood/impact
- scenario analysis - develop scenarios to understand the potential impact of different risk events
Control assessment techniques
- control testing - perform tests to evaluate the effectiveness of existing controls
- control self assessments - engage employees in assessing the effectiveness of controls within their areas of responsibility.
- audits and reviews - conduct internal audits and reviews to assess controls effectiveness
- benchmarking - compare controls with industry best practices and standards
action plans and follow up steps
- Develop SMART action plans
- Assign clear responsibilities for implementing action plans
- monitor the implementation of the action plan and following up to ensure timely completion
- review and update action plans based on changes to the risk profile