Risk Identification Flashcards
What are the stages of the risk management life cycle?
- Risk Identification
- Risk Assessment – probability and impact
- Risk Mitigation – how to mitigate a risk to an acceptable level
- Monitoring and Reporting – reporting should show the status of risks
What do the Prudential Regulation Authority (PRA) operational risk guidelines cover?
- Consideration of a firm’s customers, products and activities - including sources of business and volume of transactions
- The design, implementation and operation of end-to-end processes and systems
- The risk culture of the firm
- The operating environment
What risks must be reported to the PRA?
- Significant failures in systems and controls
- Significant operational loss
- Intention to enter into, or significantly change, a material outsourcing arrangement
What risks can be reported to the PRA?
- Significant operational exposures
- Invocation of a business continuity plan
- Significant changes to an organisation, infrastructure or business operating environment
How should a bank be structured to manage risk?
- Board of Directors – ultimately responsible for the risk management framework
- Functions within the firm – some risk responsibilities will be delegated to employees
- Monitoring systems – the board will monitor delegated authorities
- Internal Audit
- Risk Reporting Function
- External Audit
What is the importance of risk management?
- Provide information to help management make informed risk decisions
- Understand the links between operational risks
- Provide a basis for risk measurement and assessment
- Set boundaries between risk types
- Develop a common language for risk management to enable clear communication
What issues are associated with self-assessed risk identification?
Once a risk has been compiled, managers make their own assessment of their exposure to each risk on a regular basis. However, this is:
- Subjective and open to abuse/manipulation
- Difficult to apply consistently across various business units and multiple locations
What is Residual Risk?
(Inherent risk) x (Control risk) = Residual risk
- Inherent risk – risk related to the nature of the activities being undertaken
- Control risk – the risk that errors in transactions will not be prevented, detected and corrected by the internal control systems
- Residual risk – can never be reduced to zero – it is not possible to make profits without taking risk
What is Risk Appetite?
Risk appetite is the amount of risk exposure that an organisation is willing to accept/retain. Risk appetite is distributed among liquidity, strategic, credit, market and operational risks. It is important that it is realistic.
How is risk appetite determined?
- Where should resources be allocated to minimise risk exposure – why?
- What level of risk exposure requires immediate action – why?
- What level of risk exposure requires a formal response strategy – why?
- What past events have occurred and at what level were they managed – why?
How is risk appetite quantified?
- Decide on the key metrics
- Back test the data over time
- Look for consistency
- Discuss with key officers
- Attempt to reach consensus
- Communicate the decision
How does one manage risk appetite?
Risk appetite is managed by referencing it to set thresholds – a specific definition of what constitutes acceptable risk for each expression of appetite.
How does risk appetite relate to capital?
- Risk appetite is the context of regulatory capital requirements – e.g. Basel
- Risk appetite must be optimised to maximise shareholder value
What is the management aim for different risks in relation to their risk appetite threshold?
- Market and credit risk are likely to be up to the stated level under the risk appetite analysis
- Operational risk is likely to be mitigated downwards