29. Managing operational risks

Question 1

What are the characteristics of desirable operational risk controls

Answer 1

• Focussed on results
• In place for measurable and non-measurable events
• Standardised for efficient communication
• High quality, to improve management
• Few rather than many
• Meaningful and appropriate
• Timely, to give sufficient warning
• Simple, so easily understood

Question 2

What risks are associated with outsourcing

Answer 2

o Failure to deliver commitments
o Reduced control over processes and people

Question 3

What considerations must you take before entering an outsourcing agreement

Answer 3

o Regulatory environment and status of 3rd party
o Financial standing of 3rd party
o Competency, business continuity plans and risk processes
o Legal agreement with 3rd party incl. right to terminate, and 3rd party’s right to sub-contract
o How 3rd party will be monitored

Question 4

List examples of external events

Answer 4

o Loss of IT / telephone capacity
o Loss of people and skills
o Bad PR / negative publicity
o Disrupted supply chains
o Fire/flooding/high winds
o Protest from pressure groups (e.g. animal rights activists)
o Terrorist damage

Question 5

Explain how business continuity and crisis management can be used to manage risk

Answer 5

• BC defn: safeguarding business’s reputation, brand and other value-creating activities
• Develop BCP and test it regularly
  o Reassures stakeholders that business interruption risks managed
• E.g.
  o Offsite back-ups of data in case hard drive fails
  o Renting redundant office block and computer system ready for activation
• CMP
  o Ensures clear and organised responses in event of significant incident
  o CM Group takes control of issue and co-ordinates action
• Could take advantage of unexpected gains or reduce losses in event of critical incident
• Consequential loss insurance for compensation for loss of profits due to business disruption

Question 6

How would you manage reputational risks

Answer 6

o Stay aware of regulatory and legal changes and likely impact
o Influence changes through lobbying

Question 7

How would you manage technology risk?

Answer 7

• Keep systems up-to-date – balance functionality with costs
• Routine maintenance – esp for IT solutions developed in-house
• Thorough testing for robustness and compatibility when introducing new IT systems
• Quick response to IT helpdesks to deal with minor IT issues
• Train staff – e.g. phishin
• Restric employees’ social media usage or devises that might circumvent IT security e.g. usb drives
• Implement and test security software and routines
  o e.g. firewalls, backups and regular password changes
  o To prevent cyber attacks and ensure data rapidly recovered in event of loss

Question 8

In what ways to people introduce risk to organisation

Answer 8

• Employment
• Adverse selection
• Moral hazard
• Agency risk
• Bias

Question 9

Suggest ways to manage risks associated with employment

Answer 9

• Recruitment processes
  o Cost effective recruitment of right people
  o Enforceable employment contracts
• Competency management processes
  o Training requirements – incl. induction, CPD and professional qualifications
  o Risk training enhances understanding of risk management
• Appraisals and performance management processes
  o Talent management – promotion and transfer
  o Retaining right employees
  o Identify poor performers, support and disciplinary action
  o NED must regularly appraise skills, knowledge and expertise and undertake professional development where necessary
• Relationship management
  o Employment-related collective bodies, e.g., unions

Question 10

Suggest ways to manage risks associated with adverse selection

Answer 10

• Underwriting
• Product design
• Pricing

Question 11

Suggest ways to manage risks associated with moral hazard

Answer 11

• Make consequences unattractive – e.g. make it an offence to make fraudulent claim
• Prevention – e.g. ensure insurable interest

Question 12

Suggest ways to manage agency risk

Answer 12

• Use incentivising performance and remuneration structure

Question 13

Suggest ways to manage risks associated with bias

Answer 13

• Checks and balances built into system
• Assessments must be checked by an independent and competent checker
• Consider introducing an “optimism bias” into appraisal of capital projects
• Education on unintentional bias

Question 14

Suggest ways to manage process risk / change management

Answer 14

• Pilot studies
• Precise definition of requirements of new solution to best meet needs of whole org
• Design systems that can be easily maintained, enhanced and upgraded
• Carefully deploy new systems by educating users
• Must stress test new system in isolation and within larger org
• Must review new processes regularly for effectiveness

Question 15

Suggest ways to manage model risk

Answer 15

• Ensure robust process around choice of model
• Document processes for model and assumptions
• Clear audit trails and change-management routines
• Test model thoroughly before use
• Maintain and develop model over time, with regular reviews
• Ensure staff adequately trained and clear accountabilities
• Understand key drivers / assumptions in model …
  … and subject model to tests of parameter uncertainty
• Use models only for intended purpose
• Appreciate limitations of model
• Avoid overly complex models (principle of parsimony)
• Ensure workings and results are easy to communicate and appreciate …
  … and capable of independent verification for reasonableness

Question 16

Suggest ways to manage data risk

Answer 16

• Limit what can be entered to what is valid, eg range checks
• Check data entry (spot checks, consistency checks, reasonableness)
• Recheck data on transfer and , remove duplicates
• Ensure data is credible …
  … and relevant for its purpose esp if using external data
• Carry out regular backups of data
• Ensure data stored securely
• Ensure staff adequately trained, eg in data protection, handling big data

Question 17

Suggest ways to manage reputational risk

Answer 17

• Sound ERM framework
• BCP and CMP
• Strong relationships with key stakeholders

Question 18

How would you manage market liquidity risk

Answer 18

• Varying investment strategy
• Use swaps
• Contingency fund with high-quality, liquid assets

Question 19

How would you manage funding liquidity risk

Answer 19

• Diversify sources of funding by type and term
• Continuous monitoring of ability to raise extra capital
• Contingency sources of funding to draw upon in stressful times e.g. line of credit

Question 20

How is feedback risk managed?

Answer 20

• Invest only in exchanged-traded instruments, to pool/diversify counterparty risk
• Suspending trading on stock exchange by circuit breakers if theres a large market movement
• Govt / central banks intervening to prop up a bank by acting as lender of last resort, or reduce financial consequences (eg reduce interest rates)
• Regulations requiring establishment of additional reserves (eg Basel III requires companies to build up additional reserves in “good times”)
• Avoid regulations increasing pro-cyclicality, eg solvency regulations encouraging all similar organisations to adopt similar investment and risk mitigation strategies
• Physically separating types of businesses

Question 21

What is the seven step enterprise wide process for transferring operational risks

Answer 21

• Identify operational risk exposures
• Quantify probabilities, severities and capital requirements
• Integrate operational risk with credit and market risk to get enterprise-wide risk profile
• Establish operational risk limits
• Implement internal controls
• Develop risk transfer and financing strategies
• Evaluate alt providers and structures based on cost/ benefit analysis
  o Compare ceded risk-adjusted return on capital to cost of equity to see if it enhances shareholder value