Unit 3 Flashcards

1
Q

Risk culture definition- IRM

A

‘Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation.’

2
Q

Risk culture- definition 2

A

Culture is difficult to define. Generally a reflection of the overall attitude of every component of mgt within a company. Culture determines how individuals will behave in particular circumstances. Defines how an individual feels obliged to behave in all circumstances.

A good risk culture will be the product of individual and group values and of attitudes and patterns of behaviour

3
Q

PRA on serious failings in the culture of firms.

A

The advancement of the PRA’s objectives ultimately relies on firms conducting their business in a safe and sound manner, and support for the PRA’s objectives should be embedded in every firm’s culture.

4
Q

PRA - other points

A
  1. Not just letter of requirements, maintain sight of the overriding principle of their safety and soundness and to act accordingly.
  2. No ‘right’ culture but Board and management clearly understand the circumstances in which the firm’s viability would be under question, whether accepted orthodoxies are challenged and whether action is taken to address risks on a timely basis.
  3. Individuals take responsibility. Remuneration and incentive schemes should reward careful and prudent management.
  4. Identification of failings in culture not limited to individual serious occurrences but may include poorly functioning board, weak control areas, poor senior management behaviour
5
Q

Implementation barriers and actions-1

A

Lack of understanding of RM and belief it will suppress entrepreneurship

Establish shared understanding; common expectations and consistent language

6
Q

Implementation barriers and actions-2

A

Lack of support and commitment from senior management

Identify sponsor on Board and confirm shared and common priorities

7
Q

Implementation barriers and actions-3

A

Seen as just another initiative, so relevance and importance not accepted

Agree strategy with anticipated outcomes and confirm anticipated benefits

8
Q

Implementation barriers and actions-4

A

Benefits not perceived as being significant

Complete realistic analysis of achievements and impact on mission of organisation

9
Q

Implementation barriers and actions-5

A

Not seen as core part of business activity and too time consuming

Align effort with core processes and achievement of mission of the organisation

10
Q

Implementation barriers and actions-6

A

Approach too complicated and over analytical- risk overkill

Establish appropriate level of sophistication for RM framework

11
Q

Implementation barriers and actions-7

A

Responsibilities unclear and need for external consultants unclear

Establish agreed risk architecture with clear roles and responsibilities accepted

12
Q

Implementation barriers and actions-8

A

Risks separated from where they arose and should be managed

Include RM in job description to ensure risks managed in context that gave rise to them

13
Q

Implementation barriers and actions-9

A

RM seen as static activity not appropriate for dynamic org

Align RM effort with mission of org and with business decision making

14
Q

Implementation barriers and actions-10

A

RM too expensive and seeking to take over all aspects of company

Be realistic. Don’t claim ALL the business activities within the org are RM by another name

15
Q

When analysing org behaviour and risk culture consider

A
  • tone from top
  • how does org respond to bad news
  • risk governance is well articulated
  • risk transparency is evident
16
Q

HSE research-components of a risk aware culture - how do you achieve a successful risk culture

A

Leadership- strong leadership in relation to strategy, projects, ops

Involvement- of all stakeholders in all stages of RM process

Learning- emphasis on training in RM procedures and learning from events

Accountability- absence of automatic blame culture but appropriate accountability for actions

Communication- openness on all RM issues and the lessons learnt

17
Q

IRM risk culture report- management of risk culture

A

Risk culture
Org culture
Behaviours
Personal ethics
Personal pre disposition to risk

18
Q

Risk appetite definition -long version

A

After risks have been rated in terms of likelihood and impact, risk appetite is the immediate willingness of an organisation to undertake an activity that involves risk. Risk attitude and the risk criteria represent a longer-term view of risk in the same way as a person will have re food.

19
Q

Risk appetite and risk exposure are consequences of

A

Business decision rather than driver. Risk appetite answered in context of STOC

20
Q

Link between appetite, exposure and capacity

A

Most organisations haven’t determined the value they should risk (RA), nor calculated how much value is actually at risk (risk exposure), nor the capability of the org to take risk (risk capacity)

21
Q

Risk appetite definition-IRM

A

Amount of risk that an org is willing to seek or accept in the pursuit of long term objectives.

22
Q

Risk capacity definition

A

RC of the organisation needs to be fully utilised to ensure that risk taking is at the optimal level and delivers maximum benefit

23
Q

Risk appetite statement types

A

Qualitative- Low/ modest/ moderate/high
As words- no appetite for hazard risks or maintain a credit rating of at least BBB+
- maintain an EPS level within the upper quartile of the peer group

Quantitative

24
Q

ORSA and ICAAP re RA

A

Reports need to show how decisions taken link to risk appetite and the required and available capital

25
Key principles of RA
  • can be complex. Better to acknowledge and deal with it than ignore and over-simplify
  • needs to be measurable. Relevant and accurate data is key. Same controls as for accounting.
  • not a single, fixed concept - range which may change over time
  • developed in the context of an org’s RM capability, which is a function of risk capacity and RM maturity
  • must take into account differing views at strategic, tactical and operational level
  • integrated with the control culture of the org. Propensity to take risk and propensity to exercise control.
26
RA and board - needs to exercise governance at 4 key points
  • Approval
  • Measurement
  • Monitoring
  • Learning
27
5 tests in reviewing org RA framework
  1. Do mgrs making decisions understand the degree to which they are permitted to expose the org to the consequences of an event/situation? Needs to guide mgrs in practical decision making
  2. Do execs understand their aggregated and interlinked level of risk so they can determine whether it is acceptable or not?
  3. Do the board and executive leadership understand the aggregated and interlinked level of risk for the org as a whole?
  4. Are mgrs and execs clear that risk appetite is not constant?
  5. Are risk decisions made with full consideration of reward?
28
Insurance firms requiring internal model approval in Solvency 2 must:
make sure that they have training of all users of the internal model. This training should ensure that people understand its strengths, limitations and key assumptions. The regulator may look for evidence that training sessions have taken place.
29
EM3 and STOC
  • embrace opportunity risks (strategy);
  • manage uncertainty risks (tactics);
  • mitigate hazard risks (operations); and
  • minimize compliance risks (compliance).
30
Reason for communicating risk information and providing risk training?
Ensure that a consistent response to similar risk events is always achieved
31
Which parts of LILAC covered in risk training?
ILAC
32
Risk training-key features
Not just existing risks but also new ones. Ensure staff are aware of risks, can identify risk exposures and understand the importance of managing them and what to do when they need advice or have concerns
33
PRA re risk training
A firm must provide for a risk management function that is structured in such a way as to facilitate the implementation of the RM system
34
EIOPA - training statement
Persons who effectively run the undertaking or have other key functions are ‘fit’ and take account of the respective duties allocated to ensure diversity of qualifications, knowledge and relevant experience so org is managed and overseen in a professional manner
35
RIMS - core competencies of risk managers
  • Conceptual skills such as planning, organising, strategic thinking, decision making.
  • Technical skills in relation to RM process, risk analysis, risk control, ERM and insurance or banking knowledge
  • Core competency skills such as personal skills, interpersonal skills, business skills, leadership
36
RM technical skills associated with planning RM strategy
  • Evaluate status
  • Develop strategy
37
RM technical skills associated with implementing a RM architecture
  • Design architecture
  • Develop processes
  • Build awareness
38
RM technical skills associated with measuring RM performance
  • Facilitate assessments
  • Evaluate controls
  • Improve controls
39
RM technical skills associated with learning from RM experience
  • Evaluate framework
  • Design reports
40
People skills
  • Communication
  • Relationships
  • Analytical
  • Mgt
41
BIS states org should have a senior mgr/ CRO with
primary responsibility for overseeing the development and implementation of the bank’s risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank’s risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the risk appetite and for translating the risk appetite into a risk limits structure.
42
Conduct risk definition
Any risk to fair customer outcomes or market integrity
43
Impact / severity of conduct risk driven by:
  • nature of relationship with the client eg retail or private bank, personal lines insurance customer
  • types of products and services offered eg current accounts, mortgages, lending, investments, retirement planning, inheritance tax planning
  • customer profile inc financial circumstances, knowledge and experience, objectives
44
Individual conduct rules
  1. You must act with integrity
  2. You must act with due skill, care and diligence
  3. You must be open and co-operative with regulators
45
SMR Conduct rules
  4. Take reasonable steps to ensure business of the firm for which you are responsible is controlled effectively
  5. Take reasonable steps to ensure compliance with Reg requirements and standards
  6. Take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and you oversee the discharge of the delegated responsibility effectively
  7. You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice.