Part 4

Question 1

Risk mitigation and it’s importance

Answer 1

= Implementing measures to reduce the liklihood and impact of identified risks.

Importance
* Protects organisations from potential losses
* Ensures business continuity
* Enhances operational resillience and regultory compliance
* Builds stakeholder confidence

Question 2

Risk mitigation stratergies - ARSA

Answer 2

• Avoidance = eliminate activities or conditions that expose the firm to risk (i.e. avoid investing in high risk products)
• Reduction = implement controlsto reduce the liklihood or impact of risks (enhance cyber security measures)
• Sharing = transfering or sharing risk with other parties (ie insurance)
• Acceptance = Acknowledge risks and accept them but ensure additional controls are in place

Question 3

Types of controls - PDCD

Answer 3

• Preventative - reduce liklihood of an event happening (segregation of duties, varying access, etc)
• Detective = detect events during or after they occur (exception reports, file reconciliations)
• Corrective - mitigate impacts after an event (redundancy plans/backups)
• Deterrent - act as a deterance to prevent errors from arrising

Question 4

Control testing - 4 methods

Answer 4

• Self certification/inquiry - interviews with the control owner to understand the process in place. Limited to low risk/secondary controls types due to a lack of evidence
• Examination - review of supporting documentation providing assurance and is suitable for automated controls
• observation - real time oversight of control execution, suitbale for key controls to assess design and effectiveness
• Reperformance - most rigorous test, replicating control processes on sample transactions, provides the highest assurance and is reccomended for high risk environemnts

View week 4, page 10 for table overview

Question 5

Indicators of poor controls

Answer 5

• Optimistic controls - over estimate the strength of the control and often become tick box exercises
• Duplicative controls - commonly the ‘4 eye check’ where someone else checks the same info. Dilutes responsibility. Works best when using different depertments (maker/checker)
• more of the same: adding more controls of the same design after a previous control failures

Question 6

4 Types of human error leading to control breaks and solutions

Answer 6

• Slips - not paying attention, distracted, responsibilities not clear.
• Mistakes - incorrect actions caused by flawed/conflicting procedures and knowledge based errors driven by lack of training.
• violations - deliberate disregard for rules, mitigated bu supervision/firm culture
• Active vs latent errors - active=direct operator error like pressing the wrong button, entering too many zeros etc
  latent = flawed processes/systems manifesting issues later down the line

Solutions include
* Checklists
* communication protocols
* standardisation
* Improved work environments

Question 7

Risk transfers

Answer 7

• Moving teh risk consequence or cause over to another party
• Examples are insurance to cover losses from operational incidents
• Outsourcing - delegating non-core activities out to specialists

Considerations:
* Cost of risk transfer vs risk reduction
* reputational risk cannot be outsourced

Question 8

cl

implementing risk mitigation measures

Answer 8

• prioritisation - prioritise mitigation measures based on risk assessments
• resource allocation - allocate sufficient funds/resources for effective implementation.
• training/awareness - provide training on risk mitigation plans
• documentation - document the mitigation measures and impelemtation process

Question 9

Developing risk mitigation plans - 5 steps

Answer 9

1. clearly descirbe the risk and potential impact
2. outline the specific mitigation measures to reduce risk
3. responsibilities to be assigned for implementing mitigation measures
4. resources - identify the resources required to do the above
5. timeline - establish a timeline for implementing the measures

Question 10

monitoring and reviewing risk mtigiation measures

Answer 10

• Continuous montioring - using KRIs and other metrics to monitor risks
• Regular reviews - reveiws to assess controls effectivenenss
• Feedback loops - establish feedback mechanisms to capture lessons learned/improve plans
• Adjustment updates - make necessary adjustments to mitigation measures based on monitoring results and changing risk landscapes

Question 11

Root cause analysis - uses what to identify problems,

Answer 11

= systematic process used to identify the underlying causes of problems or incidents.
* helps identify why an issue occured and prevents it from happening again
* Importance - essential for problem solving and continuous improvement in op risk mgmt.

Question 12

Root cause analysis - best practices, BCBS revue standard and the roles of each, what type of Template

Answer 12

• Root cause analysis - essential for material op risk events/near misses. BCBS reccomends having RCA thresholds that are reviewed by 1st+2nd line of defence
• 1st LOD - leads RCA and creates action points based on control deficiencies
• 2nd LOD - monitors and tracks action items identified by 1st LOD and escalates issues to senior mgmt where needed.
• Standardised templates help conduct RCA consistently. Sharing details of risk events across LOBs also helps understanding.

Question 13

benefits of root cause analysis

Answer 13

• true cause identification - identifies the true cause of the problems and not just symptoms/impacts
• recurrance reduction - reduces the liklihood of similar issues recurring if mitigation methods are implimented correctly post RCA.
• Long term solutions - helps develop sustainable solutons rather than temporary fixes
• Operational efficiency - enhances overall operational efficiency and effectiveness by addressing root causes of issues.

Question 14

Bow tie tool - common features

Answer 14

• Imbalanced preventative/detective controls, leading to the firm haviing to fiure fight and remidiate every time something goes wrong.
• Defective internal communication flows leading to duplicated efforts or one LOB doing something harmful to anotehr LOB by mistake.
• Excessively low red KRI thresholds - makes identifying true red events hard
• Poor third party management processes if risks are outsourced

Question 15

Steps in a route cause analysis

Answer 15

1. Define the problem - clearly describe the issue and teh impact
2. Collect data relevant to the problem
3. identify possible causes of the issues
4. Analyse the causes to find the route cause
5. develop solutions and action plans to address the route cause
6. implement and monitor the solutions and their efffectiveness

Question 16

RCA Tools and Techniques

Answer 16

• 5 why’s- ask why multiple times to drill down to route causes
• fishbone diagram (ishikawa) - visual diagram to catagorise potential causes
• Pareto analysis - focuses on identifying the most significant causes using teh 80/20 rule
• Failure mode and effects analysis (FMEA) - systematic method for evaluating processes to identify where and how they can fail.

Question 17

Action plans - design and governance. Purpose, who helps driving action plans

Answer 17

• Purpose = designed to reduce risk levels or improve processes/controls, typically following incidents or near misses that exceed the risk appetite.
• Not all incidents need an action plan - they are initiated when risk events/assessments reveal impacts above current appetite.
• However, discounnects between risk appetite and action plans can lead to wasted resources
• Clear ownership for execution, deadlines for implementation and consistency with the risk appetite are key elements in a successful action plan.
• 2nd LOD help design action plans to prevent the business don’t cut corners to save money

Question 18

Developing action plans - POARRTE

Answer 18

• prblem statement - define the issue that needs addressing
• Objectives - state the desired outcomes off the action plan
• Actions - list actions required to address the route cause
• Responsibilities - assign roles/responsibilities for each action
• Resources - identify resources needed - money, people, etc
• Timeline - establish a timeline for implementing the actions
• Evaluation - define metrics and methods for evaluating teh effectiveness of the action plan

Question 20

monitoring and reviewing action plans

Answer 20

• Continuous montioring - using KPIs and other metrics to monitor risks
• Regular reviews - reveiws to assess action plan’s effectivenenss
• Feedback loops - establish feedback mechanisms to capture lessons learned/improve plans
• Adjustment updates - make necessary adjustments to action plans based on monitoring results and changing risk landscapes

Question 21

Future of RCA and action plans

Answer 21

• emerging trends - incorporate advances analytics and machine learning to enhance RCA
• Continuous improvement - ongoing refinement of RCA process using the latest tech and insights
• adaptation to change - flexibility to adapt RCA processes to changing risk appetites
• systematic approach - adoption of tools like bow tie analysis for more comprehensive root cause identification and action plans

Question 22

Meaning of conduct and culture

Answer 22

• Conduct = behaviour of individuals within the organisation and how they adhere to policies rules and ethical standards.
• Culture = encompasses the shared values, beliefs and norms that influence how employees think, behave and interact with a firm

Importance = both conduct and culture are critical for establishing strong risk mgmt frameworks

Question 23

Importance of conduct and culture

Answer 23

• Promotes ethics/integrity in the firm’s culture
• Fosters risk aware culture
• Stakeholder trust - builds trust among stakeholders including customers, employees and regulators
• sustainable success - long term success for the firm and risk resillience.

Question 24

Factors to build a strong risk culture

Answer 24

• Commitment from management to risk mgmt and ethics
• Ckear values and expectations - define and communicate the organisation’s values and expected conduct
• Training and awareness - provide regular training on risk mgmt, ethics, etc
• open and transparent communication around risk and ethics
• accountability - establish accountability for risk mgmt at all levels.

Question 25

‘Willingness and ability’ process for effecting changes

Answer 25

• Both willingness and ability are required to effect change.
• Training and guidance to close gaps in knowledge
• Clarifiying basics - clearly explained foundational concepts such as op risk events to ensure a base level of knowledge

Question 27

Levels of incetives requried to achieve change

Answer 27

• Personal motivation dirven by the individual
• Social motivation driven by peers/peer pressure
• Structural motivation - encourgaed by formal rewards/incetive schemes
• Effective change - combining all 3 motivation levels with training is teh key to driving change

Question 28

Propinquity and consistent message – influencing the environment

Answer 28

• Propinquity - fosters familiarity and understanding between teams. Achieved by putting teams with similar processes near each other to share ideas
• Occuational propinquity - psychological impact of working closely togther leads to acceptance over time and better relationshps
• Consistency - physcial environment should allign with company’s cultural messages.

Question 29

using rules to influence a positive environment

Answer 29

• Incentive structures - ensure tehre is no conflict between remuneration and risk culture
• Positive reinforcement - recognise and reward good conduct, incident reporting and risk mgmt = boosts culture
• Risk based performance measures
• negative reinforcement - telling people off who break rules/fuck up

Question 30

Assessing progress of influencing the environement.

Answer 30

• define success
• Set target behaviours and measurable criteria
• Track the behviours regularly
• Patience - not a quick process

Question 31

Conduct risk - how is it assessed

Answer 31

= the risk of inappropriate, unethical or unlawful behaviour by employees.

Assessed by:
* Surveys/questionaires - get feeback on conduct issues
* Incident reporting systems - systems to track and report conduct issues
* Audits and reviews of policies and practices
* behavioral analysis - use data analytics to identify behaviour patterns

Question 32

promoting ehtical conduct - stratergies

Answer 32

• code of conduct
• Leaders lead by example and make more ethical decisions
• Rewards and recognition for employees demonstrating ethical behaviour
• Protect whistleblowers
• regular training

Question 33

Role of leadership in shaping culture

Answer 33

• Clear visions and values of the orgamisation
• Set and communicate behviour expectations
• Engaging and inclusive environment
• leadership acts accordingly with the code of conduct
• Feedback welcomed in order to improve

Question 34

• Tools for measuring culture and conduct

Answer 34

• Culture surveys
• focus groups - get in depth insights
• performance metrics
• exit interviews - get feedback from people leaving the firm on culture
• 360 feedback for leadership and conduct

Question 35

Benefits of positive culture and conduct

Answer 35

• better reputation
• better employee engagement
• Conduct risk mitigation
• Regulatory compliace
• driver better firm performance as a whole

Question 36

done