Part 5 Flashcards
Data collection
= Gathering detialed infrmation about incidients and events potentially posing risks to the organisation
Creates a comprehensive database that aids risk assessment and management.
important for identifying pattern, finding root causes and improving risk mgmt
methods of data collection
- automated systems - software captures and logs info/incidents in real time
- Manual reporting - encourage staff to report incidints through escalation pathways
- Audits and reveiws
- Leverage exisiting data sources
benefits of comprehensive data collection
- trend analysis - identify patterns and incidents over time
- Risk assessment - mreo accurate
- Regukatory compliance - makes icndident reporting easier
- Continuous improvement - nsights for enhancing risk mgmt
importance of loss reporting and reg. requirements - BCBS history/fun requirements
- Understanding loss causes and values it key for op risk mgmt
- helps improve regulatory controls
- High quality data helps comply with pillar 2, reducing the amount of regulatory capital teh firm needs to hold.
- BCBS data quality requriements - must hold a 10 year history, 20000EUR threshold, event mapping and independant data accuracy reviews (audits)
Loss vs Incidents and the fallacy of non-financial impacts
- Basel only focusses on financial losses and ignores non-financial whereas firms track incidents not just losses
- Near misses show where losses were avoided by luck or accident and are not reported.
- Direct losses = immediate fin consequence
- Indirect losses = resulting impacts like loss of customer, reputational damage etc
- Non-fin. impacts fallacy = reputational damage, loss of customers etc aren’t directly fianancial losses but have financial consequences and should not be ignored
incdent data collection - information needed
- Core data - stick to essential data to avoid over reporting and use standardised ways of recording info (drop down lists)
- Loss reporting - net (including reimbursements) vs gross (total) losses and thresholds can range from $0 to 20K EUR.
- Key dates - material incidients to be reported in 2-5 days
- Severity judgement - using potential loss, not actual loss. near misses to be treated as actual losses. Use severity bands (£10K-100K eg)
- Grouped losses caused by the same failure.
incident data collection steps
- Reporting system establshed
- Recoridng - standardised forms/fields to report incidnets
- reviewing data regulary
- Analyse data to identify trends and route causes
- Reporting to mgmt and the regulator
types of incident data + near misses
- Internal data - operational failures, process and human failures
- external data - mkt distributions, regulatory changes, competitor failures
- Near misses - events that could have not caused harm but didn’t - IDs vulnerabilities
incetivising timely self reporting
- Incetive practices - can be encouragement to bollockings from audit from not raising incidents
- Self reporting requirements - usually mandatory with penalities where reports weren’t made
- Risk metrics in scorecards - qunatify risk data such as overdeu action plans, common practices etc
- Increased fundign to LOBs with better risk mgmt
Boundary event reporting - what is it, Basel view, manager view
= boundary events are when impacts materialise in a different risk class than the cause of the incident (ie operational failure impacts credit risk)
* Basel committee approach - suggests recording events where they materialise as long as the losses are covered by risk weighted capital
* Mgmt view - most firms reclassify teh events into the original risk class, espcially for major losses.
reccomended to reclassify boundary events only for major events to balance collecting key info with business pushback
review and validation of data collection
- Reg. focuses ensures accuracy and completeness. regulators assess bredth/depth of data using records, audits and the internal general ledger
- IT logs feed priority 1 and 2 incidents in op risk databases
- Other sources may be in place to deal with lawsuits/customer complaints etc
- leverage data from across LOBs to reduce duplicated effort and for a wider data sample
Ensuring data quality and accuracy
- Standard reporting - standard templates for reporting
- Training for staff on how to use ^ and common risks
- Verification process to validate data
- ensure confidentiality to ensure honest replies
Data collection challenges
Underreporting - fear of blame and repercussions can lead to underreporting incidents
* poor quality data
* combining data from various sources is challenging
* Timelines can affect accuracy /usefulness
Key Risk Indications (KRIs)
= metrics used to monitor the level of exposure to risks and the effectiveness of a firm’s controls
Provides early warning signs of potential risk events and supports proactive risk mgmt/reg compliance.
they monitor risk taking and potential impacts of risk events
transaltes board level risk appetite into LOB level
Categories of KRIs -ESFC
- Exposure indicators - monitor changes in the firm’s risk exposure
- Stress indicators - capture stress in the firm’s resources
- failure indicators - indicate failing performance or control weaknesses
- Casual indicators - focus on root causes and drivers of key risks
Roles of KRIs in risk monitoring - indicators role, leading/lagging KRIs
- Risk indicators - track changes in risk exposure of a firm
- Leading KRIs - focusses on risk drivers to flag risks before they arise - focus on causes of risks
- Lagging KRIs - track events that have already occured, identify controls that need correcting
Roles of KRIs to report to the board
- Board defines risk appetite and ensures there are effective controls to keep within that
- Risk appetite to define acceptable levels of risk to achieve objectives
- Risk indetification and control - board identify key risks that could impact the business, evalute current controls and add more if needed.
*
designing KRIs
- early warning devices - signal changes in risk levels
- Address specific risks rather than general events
- Business relevant KRIs
- Data driven KRIs
- Owned by business unites to ensure data quality/ownership
Factors of reflecting BEICF
- Risk sensitive
- provide mgmt with information on the org risk profile
- respresnet meaningful risk drivers that can be quantified
- to be used across the whole firm
Implementing KRIs
- Identify relevant metrics using existing KPIs as potential KRIS
- Set thresholds for risk exposure
- Assign responsibilities
- Regular review and update KRIs
Key performance, risk and control indicators
- KRIs- metrics tracking ecposure to operational risk either in liklihood or impact
- KPIs - measure performance (number of events etc)
- KCIs - measure control effectiveness and signal weakness or failure of controls
- the metrics can overlap and often indicate similar things
10 features of leading KRIs
- Early Warning: Signal changes in risk levels (e.g., increased likelihood or impact).
- Focus on Risks, Not Events: Address risk drivers; lagging KRIs indicate missing controls.
- Activity-Specific: Tailored to each firm’s risk profile; focus on key risks, not non-issues.
- Data & Experience: Combine data with business intuition, especially in areas with limited
data. - Business Ownership: KRIs should be used and owned by business leaders for governance
and data quality. - Cost-Effective: Ensure the value of information outweighs the cost of data collection.
- Timely Monitoring: Frequency should match the activity (e.g., real-time for IT, quarterly for
HR). - Support Decisions: KRIs must aid in decision-making.
- Thresholds Aligned with Risk Appetite: Set thresholds based on tolerance for risk.
- Regular Review: Back-test and refresh KRIs annually for relevance
Selecting KRIs - numbers and data to use
- Identify common risk drivers e.g. internal fraud, IT failures
- Identify existing metrics that are potentially recorded under other names
- Engage SMEs to identify key risks and metrics
- Make KRIs cost effective - use automation, exisiting metrics etc
- avoid comercial KRI databases as tehy are very generic
- Focus on reliance by tracking issues/vulnerabilities
KRI thresholds and key definitions - identify what, analyse what, watch out for, gradually increase what
- Identify the % tolerance the firm has for each risk - whether it be 0% or 10% etc
- Deviations from normal (above and below) - analyse trends to find spikes/lulls
- Cluster based - a jump in data may constitute a natural threshold
- Gradually increase expectations for KRIs with high failure rate to slowly deliver change
KRI governance - what rating style, what should thresholds be across LOBS, what must be clear defied
- Colour responses (RAG rating)
- Governance for thresholds should be the same across LOBs regardless of varying appetites
- roles and actions must be clear before an indicator becomes red
- Identify action owners for when there is a breach
- be set up to avoid confilcts of interest/maniupluation
Challenges of using KRIs
- Data may not be available/accurate/detailed enough
- Defining appropriate thresholds
- Integration of KRIs into other risk mgmt tools
- challenges of continuously improving KRIs
future trends with KRIs - integration with what, adapt in what, cross industry what
- Using big data/advanced analytics to enhance accuracy
- integration with enterprise risk management systems
- KRIs that adapt to realt time changes in risk landscape
- colllaboration across industry peers to create more accuract KRIs
*
Risk reporting
= the process of communicating information about the risk environment, exposure and management activities to stakeholders.
Helps inform decision making to support risk mgmt processes and ensure reg. compliance.
3 golden rules of risk reporting - cost, purpose, reporting
- Value must exceed cost - ensure the cost of collecting info and reporting it is justified by the value it brings
- Clear purpose - should have a clear reason for existence and should drive decision making
- Purposeful reporting - ensure all info reported has a purpose
Typical content of risk reports
- Incident reports - number and size of events, trends, top loss events. issued monthly/weekly depending on firm size
- Top risks - typically top 10 and offer actionable insights
- KRI dashboards to show risk status
- Metrics alligned to firm’s risk appetite
- Emerging risks - typically upcoming changes to regs etc
- Action plan tracking
Challenges of risk reporting
- Balancing information so it is not info overload
- Preventing oversimplification of key data
- Filtering risk information based on the audience
- Aggregating qualitative data without losing it’s purpose/specificity
- Maintaining stakeholder engagement
Seperating risk monitoring and reporting
- Risk monitoring = occurs at the process/operational level and alerts are escalated to mgmt.
- Risk reporting = focusses on need to know info based on the level of mgmt the report is aimed
- process and risk mgmt - all data needed to be shared
- dept. heads - info requiring action+periodic summaries
- Exec. committee - high level data required for decision making
Best practices:
* Focus on controls
* include balanced reporting - highlight red flags and green indicators to a full view of risk performance
* clear classification taxonomy
Agregating risk data
- Conversion and addition - convert qualitative metrics into monetary units for aggregation (like reputational damage into fin. loss)
- Worst case reporting - report the worst score in a data set conservatively
- Categorisation - report the % of risks that are red, amber green to give a balanced view
reporting on conduct
- conduct metrics monitor empolyee behaviour and compliance such as missed trainings, disciplinary actions and comppliance fails
Altervantives to using averages in risk reporting
- Averages can mask severe issues in risk reporting as they don’t ientify te extreme outliers which in this context are teh points risk mgmt are looking for.
- Medians and quartiles and preffered as they identify and consider teh outliers
- splitting loss data is also common practice - small expected losses to be rported together whereas large unexpected losses should be reported individually
benchmarking losses again gross income targets - common ratios and underperforming number
- Reporting losses as a % of gross income to senior mgmt captures attention.
COMMON RATIOS
- 1.8%-2.2% = highly effectice op risk mgmt
- 2.2-3% = standard expected range
- >3% = higher losses due to manual processes and underincestment
Underrepoting is often idnicated by losses falling under 1.5% - not a good thing
Food retail and telecoms report op losses of circa 2%
Turning data into actionable steps
- Deviations in teh norm are identified in data sets - - give insights
- Patterns can be analyses to review outliers, clusters etc. interpret to do RCA/action plans
- Pay attention to positives to give a balanced view of risk mgmt
