Chapter 9: Operational Risk Governance Flashcards
(22 cards)
What is Operational Risk Governance?
What do they ensure and what are they key to achieving?
- Operational risk governance refers to the policies, processes, and structures used to manage operational risks.
- It ensures that risks are identified, assessed, managed, and monitored effectively.
- Key for maintaining integrity and meeting strategic objectives.
What are the Key Components of Operational Risk Governance?
The 5 Rs.
- Risk Culture
- Risk Appetite
- Risk Policies and Procedures
- Risk Identification and Assessment
- Risk Monitoring and Reporting
What are the 3 Lines of Defense?
Think about your role.
- Business (Operational risk management)
- Risk Function: Develops risk methodologies (2LOD / Compliance etc.)
- Audit (independent assurance on the effectiveness of risk management)
Who are Risk Owners?
What are they impacted by?
Risk owners are those impacted by the consequences of the risks (the consequence owners, to be precise).
What roles do the 1st Line of Defense typically carry out?
There are 5, think about your role.
- Complete and validate a collection of risk events
- Regular self-assessment of risks and controls
- Reporting of issues, KRIs and KPIs
- Definitions of what is reported, based on the risk at hand and the appetite (taxonomy)
- Corresponding follow ups and action plans
What are the main roles of “Risk Champions” or 1.5 LOD?
6 (try to be along the right lines, similar to the 1LOD)
- The main correspondent for risk issues
- Collecting and recording the risk events and losses
- Mapping the risks and controls in line with the group definitions
- Following up on the control rules defined, in the context of the risk profile of the entity, and the quality of the operational environment
- Contributing to the redesign of procedures if needed
- Contributing to the follow-up of audit tracking and risk management action plans.
What are the 2LOD's (Risk Function's) key roles and responsibilities?
D.M.C
- Define risk appetite for the business and the board.
- Monitor risk exposure within risk appetite and own the risk management framework.
- Challenge, advise or intervene on strategic decisions regarding risk-taking.
What are “Risk Champions” and why do they exist?
Part of the 1LOD, but specialising predominantly in understanding the business-specific risks and terminology in greater detail, so as to liaise with the other risk functions.
To operate effectively, what powers must the 2LOD have?
The risk function must have enough authority to halt decisions that exceed risk appetite or conflict with regulatory standards.
Is Internal Audit independent of other risk functions?
Yes, with clear boundaries.
How does internal audit approach its assessment of risk management, compliance, and finance functions?
Internal audit assesses the adequacy and effectiveness of these functions by conducting its own evaluation of activities under review, ensuring an unbiased and independent assessment.
Do internal audit and the risk function differ in their assessments and the way they are coordinated?
What is the nuance here?
Yes. While both use risk assessment tools, their tools and approaches often differ. In some firms, audit and risk coordinate by exchanging information to avoid overlapping assessments.
What is the importance of judgment in the internal audit process according to the Institute of Internal Auditors?
Should they always use their own judgement?
Internal audit can consider work done by other functions but must always use informed judgment and conduct its own testing, especially if reducing scrutiny, to ensure thorough and independent evaluations.
What is the issue with the 1LOD and 2LOD being completely independent?
The duplication of what, and when is this ineffective?
Duplication with internal audit; it is ineffective unless the first line's risk management is well embedded.
What is the “key difference” between the 1LOD and 2LOD?
How can 2LOD influence the 1LOD?
1LOD owns the risks, 2LOD owns the methodology. 2LOD can guide without taking ownership by asking Qs and challenging answers.
What is the “Partnership Model”?
The “partnership model” highlights an area of explicit cooperation and joint decisions between the risk function and the business.
In a nutshell, explain what the LODs do together in the “Partnership Model” and what they each do separately.
Together: Identify risks, agree on procedures, capital requirements etc.
1LOD: Implement the controls, monitor their effectiveness, work within the appetite (all the doing)
2LOD: Develop the EMRF, provide oversight, report on L2, escalate breaches.
What is the purpose of the “Board of Directors”?
Where do they sit?
- Sets the tone at the top and approves the risk management framework.
- Ensures alignment with strategic objectives.
Sits above the three lines of defense.
Who are “Boards” largely made up of?
Which type of directors? Exec - Depend
- Executive Directors: Actively involved in the management of the firm.
- Non-Executive Directors: Not active in the firm’s management.
- Dependent Directors: Represent the interests of certain shareholders.
- Independent Directors: Not tied to specific shareholder interests; maintain independence.
What is the function of the “Risk Committee”?
The risk committee makes recommendations to the board with regards to risk-based decisions, risk exposure and risk management
Are Risk Committees divided per category?
If so, what are the categories?
Yes.
Fraud, information security, legal and compliance, market, credit
What is the difference between a policy and a procedure?
A policy defines the organisation’s approach to risk management, whereas a procedure provides detailed steps for identifying, assessing, mitigating, and monitoring risks.