Part 3

Question 1

Scenario assessment

Answer 1

=A method used to evaluate the impact of potential risk events on an organisation.
It creates detailed scenarios to understand how differenet high severity, low frequency risk events affect the business

Question 2

Severity assessments - part of the scenario assessment

Answer 2

1. severity assessments evaluate total fin/non-fin impacts
2. They convert non financial impacts (eg service interruption) into financial terms for a complete assessment.
3. Assess impact after mitigation efforts (not including insurance)
4. Link impacts to potential financial loss of business (ie lost clients worth $50 mil
5. Use peers loss data to benchmark severity, particularly usefull for unfamilliar 1 off scenarios
6. smaller firms can leverage large firm’s loss data to adjust their risk framework as they grow.

Question 3

Importance of scenario assessment

Answer 3

• Enhances preparedness for unexpected events
• provides insights into potential impacts/responses
• Supports strategic plannning and decision making
• Helps calculate regulatory capital requirements (under the Advance Measurement Approach)

Question 4

Steps in conducting a scenario assessment

Answer 4

1. Prep/governance - Establish a strcutured approach with clear governance
2. scenario generation - generate a range of scenarios and select the most relevant ones
3. assess the impact/likelihood of each scenario
4. validate scenarios with relevant stakeholders/experts
5. Use scenarios to inform risk mgmt and strategic planning
6. aggregate the results and report to senior mgmt/regulators

Question 5

Frequency assessment

Answer 5

=Evaluates the probability of each scenario occuring in the coming year - alligning with the capital measurement

Attributing probability to rare, low frequency events is difficult and can lead to inaccurate.

Internal risks can are aligned with results from the RCSA exercise.

Question 6

Scenario generation and selection techniques - how many scenarios, techniques, purpose.

Answer 6

• Brainstorming - generates a wide range of scenarios and encourgaes creativity/divergent thinking
• Clearly outline selection criteria to prioritise scenarios for their impact and impact on the firm.
• Consolidate similar scenarios and exclude negligible ones.
• Focus on around 15 relevant scenarios for detailed assessment.

Question 7

Scenario assessment techniques

Answer 7

• Strucutured expert analysis - use strcutured questions/benchmakrs to reduce estimation bias based on past events
• Availability and recency bias - recent events seems more likely to occur than older ones. therefore data from further back is used for stable risks (pandemics, fraud) and more recent for rapidly evolving risks (cybercrime)
• Anchoring, confirmation and group polarisation bias - ‘herd mentality’ causing bias. Mitigated by doing private votes before results are discussed.
• group size/dynamics - smaller groups of SMEs are more effective than large groups as large groups can be inefficient/biased
• Bias awareness and training - estimation biases are deeply ingrained and understanind them can help individuals avoid being biased.

Question 8

Delphi method of scenario assessment/generation - 4 stages and calculations

Answer 8

Focusses on pooling expert judgements
1. Silent collection - individuals write down their assessment with influence from others
2. Disclose estimates - all responses are collated and shared with the group for comparison.
3. Optimal reassessment - participants are allowed to modify answers after seeing estimates/answers of others. significant changes can trigger more rounds however forcing the same answer at this stage is discouraged.
4. final estimate calculation - calculated using the lowest, highest and average responses (weighted for accuracy)

Final estimate = [lowest response + (n-2) X average response + highest response)] /number of participants (n)

Question 9

Fault Tree Analysis (FTA)

Answer 9

= breaks down scenarios into conditions that must occur in order to cause a disaster.

This helps banks (classed as high reliability organisations) layer independant controls to lower risks. e.g. layering 3 independant controls with a 10% failure rate lowers the chance of them all failing to 0.1%.

Question 10

Fault trees and Bayesian models - condittional probability - recommended to use for what assessment, benefit for breaking down into accuracy

Answer 10

• Conditional probability in controls - more realistic scenarios often have partialy dependant control failures that require conditional probabilities.
• Bayesian models - update likelihood assessments based on new information or expert opinions, using conditional probabilities to refine estimations
• Recommendation for using FTA as a scenario assessment.
• breaking down scenarios into likelihood and impact components enhances accuracy and transparency of the assessment process.
• Use experts/stakeholders to review scenarios and offer feedback. Also need to ensure they are regularly updated

Question 11

Scenario documentation and validation - contents of a scenario summary doc, type of template, who reviews it, relies on what

Answer 11

• The entire scenario analysis process must be documented in detail with each scenario summarised in a sheet with title, description, rationale, assessment range and relevant incidents.
• use standardised templates to ensure consistency
• Use independant third parties to review consistency of the process
• Validation is reliant on documents from scenario workshops etc.
• Similar scenarios can be combined to assess collective risk.
• The scenario list is then presented to the board for approval

Large firms will have 50 scenarios, mid firms have 15 and small 6-10

Question 12

benefits of scenario assessment

Answer 12

• Enhanced preparedness - improves firm’s readiness for unexpected events
• Improves strategic decision making/planning
• supports regulatory compliance for risk assessments
• Improves risk mgmt and mitigation plans
• Facilitiates continuous improvement in risk mgmt practice

Question 13

Systematic estimation and mitigation of bias

Answer 13

• SMEs create a scenario assessment based on likelihood of worst case events occuring in a variety of time frames
  This is however, less popular with regulators due to it’s lack of structure/unreliability

.+ quick and inexpensive
.- relies on selecting experts who may be biased

Question 14

Mgmt lessons from scenario analysis

Answer 14

• puts focus on response and risk mitigation instead of exact probabilities of the risk happening
• scenarios should be grouped by their impact on the firm - facilitates focusses assessments and mitigation efforts
• If risks breach the firms appetite, further mitigation/escalations should be required and in place
• Risks within the appetite are required to be continuously monitored
• firms must have responses in place for events even if they are unlikely

Question 15

Regulatory capital

Answer 15

= minimum amount of capital that a fin. institution must hold as required by regulators
It ensures that institutions can absorb a reasonable loss and it protects depositors/clients and the financial system

It helps prevent runs on banks thus enhancing the strength of the fin. system.

Question 17

3 Basel pillars

Answer 17

1. min. regulatory capital to cover mkt, credit and operational risks
2. supervisory review process - allows for adjustments to the capital required for pillar 1 based on an institution’s risk exposure.
3. market discipline -

Question 18

Regulatory capital for operational risk - Basel pillar 1 - % firms must hold, based on what over what time.

Answer 18

• Standard approach for op risk = regulatory capital is based on the avergae annual gross income over the past 3 years. Basic indicator approach - Of this, 15% (alpha factor) will be required to held by local banks. For the standard ised approach (TSA) reg. capital is based on the banks risk profile (beat approach) and can vary from 12,15,18%
• Beat values - calculated in the late 1990s out of a sample of 29 firms, NOT REPRESENTATIVE OF TODAY’S LANDSCAPE, therefore the focus for banks/regulators have shifted to pillar 2.
• Sound management should be a key focus as well as having regulatory capital to prevent failures of operation.
• Principles for sound operation risk introducted in 2003 and revised iin 2011 and 2014

Question 19

Capital modelling approaches - standard and internal

Answer 19

• Standardised approach: uses predefined risk weightings for certain asset classes. it is very simple but does not effectively consider the institution’s risk profile
• Internal ratings based approach (IRB): allows banks to estimate risk using their own risk models. more effectively models the firm’s risk but requires regulatory approval

Question 20

Advanced modelling techniques

Answer 20

• Value at risk (VAR) - measure potential loss n a portfolio over a defined period of time to a set confidence level (ie 90% chance of loss in a 10 year period with a 95% confidence rate)
• stress testing: tests extreme scenarios to assess impact on capital
• scenario analysis - evaluates teh impact on various scenarios on a firm’s capital

Question 21

11. principals of sound op risk mgmt

Answer 21

1. Op risk culture
2. Op risk mgmt framework
3. board of directors
4. Op risk appetite and tolerance
5. senior mgmt
6. risk identification and assessment
7. change mgmt
8. moitoring and reporting
9. control and mitigation
10. business resillience and continuity
11. role of disclosure

Question 22

Advanced measurement approach (AMA) criteria - reporting history of…, map risks to what, implications on who, encourage active day to day what

Answer 22

• Incident reporting history of 5 years (now 10)
• mapping of risks and losses to regulatory categories
• operational risk mgmt function
• implicationof the senior mgmt in risk management
• written policies and procedures
• active day to day op risk mgmt

Question 23

regulatory capital for op risk - internal and external loss data use

Answer 23

• internal loss data - info on previous losses/trends
• rules on how to map incidents and their data
• external data - data sourced from public/private databases to compare against internal data
• Mixing internal and external data is important to adjust data to suit the firm’s size as well as using one data set when the other does not have enough info.

Question 24

4 types of models

Answer 24

• Stochastic - part of the loss distribution approach (LDA), purely quantitative and focus on past losses. Extrapolate future losses distributions up to the 99.9th %. quite common
• scenario based - qualitative model for when internal loss data is insufficient. Common in the EU and insurance firms
• Hybrid - most common and allign with AMA reg expectations. creates a 99.9% confidence loss distribution report based on past incident data and scenario based losses.
• Factor models - explain behaviour of variables based on influencing factors (economy, controls etc) and are common in equity pricing. Overtaken by stochastic models as they are hard to calibrate

Question 25

Challenges of capital modelling

Answer 25

* Data quality - ensuring data is accurate and comprehensive * Model risk - risk of model inaccuracies leading to false outputs * regulatory changes - addapting to evloving reg requirements * complexity - ensuring the models are understood by those using them

Question 26

Model validation and back testing

Answer 26

* Model validation - ensures models are accurate and reliable. It checks assumptions, methodologies and data used. * back testing - compares model predicitions to actual outcomes to assess accuracy. helps refine the models accuracy

Question 27

Loss Distribution approach (LDA) overview - helps when there is a lack of, what distribution does it use, how to the models become reliable

Answer 27

* Models represent reality through repeated observations that create patterns. * Helped combat data scarcity when regulators needed banks to calculate risk capital * LDA - modelled using discrete distriubtions, typically poisson distriubtion which is used bu 90% of AMA firms. The other 10% use Negative Binomial Distriubutions. * Severity - is modelled using continuous, asymmetric distriubutions to account for both small and major losses. Lognormal distribution is the most common but Weibull and GPD are used for heavy tailed data * Aggregated loss distribution - frequency and severity are combined into an aggregated distribution. Monte Carlo Simulation is most common. Fast fourier and Paner recursion are other models that are more maths focussed than computing power.

Question 28

Units of measure for capital modelling

Answer 28

* External fraud = depends on the LOB * Internal fraud = no. events per business entity (under the same senior mgmt) * Damage to physcial assets = grouped for all LOBs * Processing error events = depends on LOB

Question 29

basel pillar 2 - supervisory review process (SREP), ICAAP and CCAR, solvency assessments, governance and culture

Answer 29

* SREP - allows regulators to asses a firm's impact on the fin system if they fail considering the firm's nature, scale and complexity of their activities. Stress testing is typically used here. * Capital sufficiency evaluation - EU = ICAAP, Insurance firms = Own Risk and Solvency Assesssment (ORSA), US = Comprehensive Capital Analysis and review (CCAR) * Solvency assessments - indetifies threats and large loss scenarios and assesses a firm's resillience to internal and external shocks. Stress testing is used * governance and culture - regulators form and opinion on a firm's governance, culture and values and mgmt efffectiveness through risk reporting.

Question 30

Stress testing- 4 kinds of

Answer 30

* Sensitivity stress testing - test robustness of models by changing key parameters (these can affect business plans, revenue and solvency) * Scenario stress testing - focusses on low frequency high impact events and their impact. The US places more focus on legal/compliance events than the EU * reverse stress testing - identifies events that could cause firms to fail and aims to ensure the events are unlikely beyond a 99.9% confidence level. If the event is unmanagable wind-down planning is implemented to reduce disruption. * macroeconomic stress testing - regulators provide macro shock scenarios to large fin firms to assess solvency. smaller firms are meant to test against global macro shocks.

Question 31

Wind-down planning

Answer 31

* identifies situations where the firm is no longer viable (large fin losses, loss of key clients/infrastructure etc) by reviewing the business model, vulnerabilities and key revenue drivers. * the firm must identify indicators of winding down and assess their internal/external impact. * mitigation measures must be put in place as well as transition planning. Orderly closure requires assessment of liquidity solvenCY, personnel and infrastrcuture.

Question 32

Operational risk governance

Answer 32

= policies, processes and strcutures used to manage operational risks. It ensures risks are ID'd, assessed, managed and monitored effectively. It provides a strcutured appraoch to managing risks which helps firms comply with regulations as well as improve stability/resillience. promotes a risk aware culture and supports informated decision making/strategic planning.

Question 33

3 lines of defence

Answer 33

* 1st line - operational management - identifies and manages risks within their areas. * 2nd line - Risk mgmt and compliance functions - provides support/oversight to the first line. * 3rd line - internal audit - provides independant assurance on the effectiveness of risk mgmt.

Question 34

1st line of defence - operational mgmt - what do they assess, identify what

Answer 34

* ID's situations where the firm is at risk/not viable * reviews business model, vulnerabilities, key revenue drivers * firms must ID winding down indicators and their impact internally/externally. * assess **liquidity, solvency, personnel, infrastrcuture** * includes mitigation measures and transition planning

Question 35

Line of defence '1.5' - risk champions - collect and record what, map risks in line with…, champion what, part of what follow ups

Answer 35

* main correspondants for risk issues * collect and record risk events/losses * mapping risks and controls in line with the group definitions * maintaining the controls rules * Championing redesing of operating procedures if needed * be part of the follow up process after audits

Question 36

2nd line of defence - risk and compliance function

Answer 36

**3 key roles** * Define risk appetite for the business and the board * Monitor risk exposure within risk appetite and own the risk mgmt framework * challenge and advise on strategic decisions relating to risk taking Helps guide decision making by asessing risks in new ventures, products, other strateigic actions. has the authority to hal decisions that may breach risk appetite

Question 37

3rd line of defence - internal audit. Institute of audit 3 guidance points

Answer 37

* Independant party to the risk management process. * It assesses the risks and compliance across the firm using some similar and some difference risk assessment tools to the first and second LOD. * Some firms allow for audit and risk to overlap their findings Institute of internal auditors guidance: * Internal audit must be independant of risk mgmt and compliance * Scope: must assess the effectiveness of the above functions and conduct it's own review of activites * judgement: can leverage work done by other depts. but must use informed judgement and do it's own testing.

Question 38

Risk committee and organisation

Answer 38

1. ultimate authority - above the 3 LOD and is responsible for the overall governance of the firm 2. 1 delegates powers to committees such as teh executive committe, risk and audit 3. executive and non executive directors manage the sub depts.