Chapter 3: Operational Risk

Question 1

what is the definition of operational risk?

Answer 1

‘The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’

Question 2

what does the definition of operational risk include exclude?

Answer 2

includes legal risk but doesn’t cover reputational risk

Question 3

what are the crucial elements of an effective operational risk management framework according to the BIS?

Answer 3

• clear risk oversight by management
• strong operational risk culture
• strong internal control culture
• effective internal reporting
• contingency planning

Question 4

what are the 7 operational risk types provided by Basel?

Answer 4

Internal fraud
external fraud
Employment and workplace safety
Client, products and business practices
Damage to physical assets
Business disruptions and system failures
Execution and delivery management

Question 5

what are AML provisions aimed at requiring firms to do?

Answer 5

• Identify customers and report suspicious transactions
• keep adequate records
• report suspicious activity or behaviour

Question 6

what are the set of appropriate risk management responses by firms?

Answer 6

• educating staff on risks
• putting systems and controls to mitigate risks
• monitoring staff compliance
• escalating behavioural exceptions
• penalising contravention

Question 7

what other risks can operational risk cause?

Answer 7

reputational, compliance, credit, market risks, liquidity, investment risks

Question 8

what does a firm’s operational risk policy include?

Answer 8

defines a coherent, consistent approach to operational risk management, provides roadmap to move organisation to comprehensive firmwide methodology to risks

Question 9

what does the operational risk framework involve?

Answer 9

• defining appetite
• defining methodology
• assigning responsibility
• establishing reporting and escalating mechanisms

Question 10

what does a common operational policy and terminology existing globally allow?

Answer 10

• balance between global standardisation and regional differences
• sense of fairness
• centralised control

Question 11

what should the op. risk policy address to meet prime objectives?

Answer 11

• identifying key officers
• roles and responsibilities
• segregation of duties
• cross-functional involvement and agreement

Question 12

what is the role of the op. risk management function?

Answer 12

• work with managers to asses and quantify risks
• provide a line for risk reporting
• support and maintain op. risk system
• benchmark good practice
• risk oversight and monitoring
• ensure issues are properly escalated
• conduct qualitative op. risk analysis
• conduct statistical modelling

Question 13

what are the various methods used for the practical capture and identification of op. risk?

Answer 13

• self assessment
• key risk indicators
• workshops
• data analysis
• external loss data
• audit reviews

Question 14

what are the key steps to stopping a risk materialising?

Answer 14

• clear identification before the risk occurs
• establishment of clear ownership of the risk
• setting up and monitoring KRIs

Question 15

what are the stages of the op. risk management framework?

Answer 15

1. identification
2. measurement and assessment
3. monitoring
4. reporting
5. op. risk policy updates

Question 16

what is the purpose of identifying and categorising risks?

Answer 16

helps firm to establish their risk profile and appetite for risk

Question 17

what are the limitations of the self assessment method of identifying op. risks?

Answer 17

• subjective
• can be difficult

Question 18

what are the main reasons for assessing and measuring op. risk?

Answer 18

• establishing a quantitative baseline for improving the control environment
• provide incentive for risk management
• improve management decision-making
• satisfy regulators and shareholders
• make assessment of the financial risk exposure

Question 19

what is the main difficulty of assessing and measuring op. risk?

Answer 19

lack of relevant and objective data

Question 20

what is the definition of risk measurement?

Answer 20

use of quantitative techniques to understand the size of a firms risk profile. includes statistical modelling and making predictions

Question 21

what does an impact and likelihood assessment do?

Answer 21

enables risks to be ranked in order of their severity, may be subjective or objective

Question 22

how is the overall risk rating score accumulated?

Answer 22

it is the product of the likelihood rating scores and impact rating scores (risk score= likelihood score x impact score)

Question 23

what are gross and net risk?

Answer 23

gross risk is risk that assumes there are no controls in place, net risk is risks with consideration of the control environment

Question 24

what are the advantages of an impact and likelihood assessment?

Answer 24

• simple method
• provides evaluation of effectiveness of control environment
• focuses attention on the most important risks
• uses minimal hard data
• captures wide range of risk possibilities
• encourages risk-aware culture and environment

Question 25

what are the disadvantages of an impact and likelihood assessment?

Answer 25

over-simplified and subjective

Question 26

what does scenario analysis use to capture scenario risks?

Answer 26

uses the experience of business professionals to capture possible scenarios that have occurred in the past, or may result in loss in the future

Question 27

what does the bottom-up approach seek to do?

Answer 27

analyse the individual risks and adequate controls across business processes. builds up a detailed profile of the risks that occur in each area.

Question 28

what are the advantages of a bottom up approach?

Answer 28

• addresses risk and control issues at the process level
• accountability and responsibility
• encourages a more transparent risk culture
• encourages continuous improvement
• improved management information quality

Question 29

what are the disadvantages of a bottom up approach?

Answer 29

• takes time to implement
• can be subjectively influenced by managers
• aggregating risks upwards t management is not straightforward

Question 30

How are KRIs identified?

Answer 30

top risks are identified and then data to describe the current status of those risks and then define the upper and lower limits on the data provides indicators on the firms key risks

Question 31

how can warning thresholds be established?

Answer 31

be defining limits of acceptability for each of the indicators

Question 32

what are the advantages of using KRIs?

Answer 32

• allow trends to be monitored
• allow limits of acceptability to be established
• provides a basis for objective risk measurement

Question 33

what is the main disadvantage of using KRIs?

Answer 33

can cause skewed business performance

Question 34

how can historical loss data be used to measure op. risk?

Answer 34

once data has been collected, can be used in the measurement process, using benchmarking or statistical methods.

Question 35

what can a loss distribution curve be used for?

Answer 35

records the value of all material losses in a particular risk category over a time period. some prediction of future losses can be made within specified confidence limits

Question 36

what are some of the practical obstacles to implementing an operational risk management framework?

Answer 36

data collection restraints, cultural constraints, resource and cost constraints, indicator constraints (designing risk indicators that monitor the full range of risks)

Question 37

what is the risk register?

Answer 37

consists of a list of identified risks linked to the business objectives that would be threatened if the risks in the list were to materialise

Question 38

how are risks delegated in a risk register?

Answer 38

each risk is delegated to an owner or lead and then mitigating processes will be put in place

Question 39

how to controls allow op. risk mitigation?

Answer 39

ensures check points designed to detect errors and prevent fraud and theft

Question 40

what are preventative controls?

Answer 40

controls designed and in place to prevent risks from occuring in the first place by tackling the root cause

Question 41

what are detective controls?

Answer 41

controls designed to detect errors once they have occurred, QC checks fall under this category

Question 42

what does a BCP plan do?

Answer 42

business continuity plan, deals with premisis and people aspects to ensure the business can continue after a disaster

Question 43

what does disaster recovery do?

Answer 43

deals with IT and infrastructure required to keep the business running after a disaster

Question 44

what is outsourcing?

Answer 44

when the firm outsources some aspects of its business to a third party with specific expertise in managing certain risks

Question 45

what is physical security?

Answer 45

operational risks that arise out of physical notions e.g., new staff, external threats

Question 46

why is risk awareness training important?

Answer 46

should be given to staff to help them understand the principle of reducing the likelihood of risk occurring

Question 47

what is the relationship between firms and data protection?

Answer 47

firms are legally obliged to take the greatest care with data relating to their customers. customers must be able to give and retract consent on how data is used and stored