Part 5

Question 1

Data collection

Answer 1

= Gathering detialed infrmation about incidients and events potentially posing risks to the organisation
Creates a comprehensive database that aids risk assessment and management.

important for identifying pattern, finding root causes and improving risk mgmt

Question 2

methods of data collection

Answer 2

• automated systems - software captures and logs info/incidents in real time
• Manual reporting - encourage staff to report incidints through escalation pathways
• Audits and reveiws
• Leverage exisiting data sources

Question 3

benefits of comprehensive data collection

Answer 3

• trend analysis - identify patterns and incidents over time
• Risk assessment - mreo accurate
• Regukatory compliance - makes icndident reporting easier
• Continuous improvement - nsights for enhancing risk mgmt

Question 4

importance of loss reporting and reg. requirements - BCBS history/fun requirements

Answer 4

• Understanding loss causes and values it key for op risk mgmt
• helps improve regulatory controls
• High quality data helps comply with pillar 2, reducing the amount of regulatory capital teh firm needs to hold.
• BCBS data quality requriements - must hold a 10 year history, 20000EUR threshold, event mapping and independant data accuracy reviews (audits)

Question 5

Loss vs Incidents and the fallacy of non-financial impacts

Answer 5

• Basel only focusses on financial losses and ignores non-financial whereas firms track incidents not just losses
• Near misses show where losses were avoided by luck or accident and are not reported.
• Direct losses = immediate fin consequence
• Indirect losses = resulting impacts like loss of customer, reputational damage etc
• Non-fin. impacts fallacy = reputational damage, loss of customers etc aren’t directly fianancial losses but have financial consequences and should not be ignored

Question 6

incdent data collection - information needed

Answer 6

• Core data - stick to essential data to avoid over reporting and use standardised ways of recording info (drop down lists)
• Loss reporting - net (including reimbursements) vs gross (total) losses and thresholds can range from $0 to 20K EUR.
• Key dates - material incidients to be reported in 2-5 days
• Severity judgement - using potential loss, not actual loss. near misses to be treated as actual losses. Use severity bands (£10K-100K eg)
• Grouped losses caused by the same failure.

Question 7

incident data collection steps

Answer 7

• Reporting system establshed
• Recoridng - standardised forms/fields to report incidnets
• reviewing data regulary
• Analyse data to identify trends and route causes
• Reporting to mgmt and the regulator

Question 8

types of incident data + near misses

Answer 8

• Internal data - operational failures, process and human failures
• external data - mkt distributions, regulatory changes, competitor failures
• Near misses - events that could have not caused harm but didn’t - IDs vulnerabilities

Question 9

incetivising timely self reporting

Answer 9

• Incetive practices - can be encouragement to bollockings from audit from not raising incidents
• Self reporting requirements - usually mandatory with penalities where reports weren’t made
• Risk metrics in scorecards - qunatify risk data such as overdeu action plans, common practices etc
• Increased fundign to LOBs with better risk mgmt

Question 10

Boundary event reporting - what is it, Basel view, manager view

Answer 10

= boundary events are when impacts materialise in a different risk class than the cause of the incident (ie operational failure impacts credit risk)
* Basel committee approach - suggests recording events where they materialise as long as the losses are covered by risk weighted capital
* Mgmt view - most firms reclassify teh events into the original risk class, espcially for major losses.

reccomended to reclassify boundary events only for major events to balance collecting key info with business pushback

Question 11

review and validation of data collection

Answer 11

• Reg. focuses ensures accuracy and completeness. regulators assess bredth/depth of data using records, audits and the internal general ledger
• IT logs feed priority 1 and 2 incidents in op risk databases
• Other sources may be in place to deal with lawsuits/customer complaints etc
• leverage data from across LOBs to reduce duplicated effort and for a wider data sample

Question 12

Ensuring data quality and accuracy

Answer 12

• Standard reporting - standard templates for reporting
• Training for staff on how to use ^ and common risks
• Verification process to validate data
• ensure confidentiality to ensure honest replies

Question 13

Data collection challenges

Answer 13

Underreporting - fear of blame and repercussions can lead to underreporting incidents
* poor quality data
* combining data from various sources is challenging
* Timelines can affect accuracy /usefulness

Question 14

Key Risk Indications (KRIs)

Answer 14

= metrics used to monitor the level of exposure to risks and the effectiveness of a firm’s controls
Provides early warning signs of potential risk events and supports proactive risk mgmt/reg compliance.

they monitor risk taking and potential impacts of risk events
transaltes board level risk appetite into LOB level

Question 15

Categories of KRIs -ESFC

Answer 15

• Exposure indicators - monitor changes in the firm’s risk exposure
• Stress indicators - capture stress in the firm’s resources
• failure indicators - indicate failing performance or control weaknesses
• Casual indicators - focus on root causes and drivers of key risks

Question 16

Roles of KRIs in risk monitoring - indicators role, leading/lagging KRIs

Answer 16

• Risk indicators - track changes in risk exposure of a firm
• Leading KRIs - focusses on risk drivers to flag risks before they arise - focus on causes of risks
• Lagging KRIs - track events that have already occured, identify controls that need correcting

Question 17

Roles of KRIs to report to the board

Answer 17

• Board defines risk appetite and ensures there are effective controls to keep within that
• Risk appetite to define acceptable levels of risk to achieve objectives
• Risk indetification and control - board identify key risks that could impact the business, evalute current controls and add more if needed.
  *

Question 18

designing KRIs

Answer 18

• early warning devices - signal changes in risk levels
• Address specific risks rather than general events
• Business relevant KRIs
• Data driven KRIs
• Owned by business unites to ensure data quality/ownership

Question 19

Factors of reflecting BEICF

Answer 19

• Risk sensitive
• provide mgmt with information on the org risk profile
• respresnet meaningful risk drivers that can be quantified
• to be used across the whole firm

Question 20

Implementing KRIs

Answer 20

• Identify relevant metrics using existing KPIs as potential KRIS
• Set thresholds for risk exposure
• Assign responsibilities
• Regular review and update KRIs

Question 21

Key performance, risk and control indicators

Answer 21

• KRIs- metrics tracking ecposure to operational risk either in liklihood or impact
• KPIs - measure performance (number of events etc)
• KCIs - measure control effectiveness and signal weakness or failure of controls
• the metrics can overlap and often indicate similar things

Question 22

10 features of leading KRIs

Answer 22

1. Early Warning: Signal changes in risk levels (e.g., increased likelihood or impact).
2. Focus on Risks, Not Events: Address risk drivers; lagging KRIs indicate missing controls.
3. Activity-Specific: Tailored to each firm’s risk profile; focus on key risks, not non-issues.
4. Data & Experience: Combine data with business intuition, especially in areas with limited
   data.
5. Business Ownership: KRIs should be used and owned by business leaders for governance
   and data quality.
6. Cost-Effective: Ensure the value of information outweighs the cost of data collection.
7. Timely Monitoring: Frequency should match the activity (e.g., real-time for IT, quarterly for
   HR).
8. Support Decisions: KRIs must aid in decision-making.
9. Thresholds Aligned with Risk Appetite: Set thresholds based on tolerance for risk.
10. Regular Review: Back-test and refresh KRIs annually for relevance

Question 23

Selecting KRIs - numbers and data to use

Answer 23

• Identify common risk drivers e.g. internal fraud, IT failures
• Identify existing metrics that are potentially recorded under other names
• Engage SMEs to identify key risks and metrics
• Make KRIs cost effective - use automation, exisiting metrics etc
• avoid comercial KRI databases as tehy are very generic
• Focus on reliance by tracking issues/vulnerabilities

Question 24

KRI thresholds and key definitions - identify what, analyse what, watch out for, gradually increase what

Answer 24

• Identify the % tolerance the firm has for each risk - whether it be 0% or 10% etc
• Deviations from normal (above and below) - analyse trends to find spikes/lulls
• Cluster based - a jump in data may constitute a natural threshold
• Gradually increase expectations for KRIs with high failure rate to slowly deliver change

Question 25

KRI governance - what rating style, what should thresholds be across LOBS, what must be clear defied

Answer 25

* Colour responses (RAG rating) * Governance for thresholds should be the same across LOBs regardless of varying appetites * roles and actions must be clear before an indicator becomes red * Identify action owners for when there is a breach * be set up to avoid confilcts of interest/maniupluation

Question 26

Challenges of using KRIs

Answer 26

* Data may not be available/accurate/detailed enough * Defining appropriate thresholds * Integration of KRIs into other risk mgmt tools * challenges of continuously improving KRIs

Question 27

future trends with KRIs - integration with what, adapt in what, cross industry what

Answer 27

* Using big data/advanced analytics to enhance accuracy * integration with enterprise risk management systems * KRIs that adapt to realt time changes in risk landscape * colllaboration across industry peers to create more accuract KRIs *

Question 28

Risk reporting

Answer 28

= the process of communicating information about the risk environment, exposure and management activities to stakeholders. Helps inform decision making to support risk mgmt processes and ensure reg. compliance.

Question 29

3 golden rules of risk reporting - cost, purpose, reporting

Answer 29

* Value must exceed cost - ensure the cost of collecting info and reporting it is justified by the value it brings * Clear purpose - should have a clear reason for existence and should drive decision making * Purposeful reporting - ensure all info reported has a purpose

Question 30

Typical content of risk reports

Answer 30

* Incident reports - number and size of events, trends, top loss events. issued monthly/weekly depending on firm size * Top risks - typically top 10 and offer actionable insights * KRI dashboards to show risk status * Metrics alligned to firm's risk appetite * Emerging risks - typically upcoming changes to regs etc * Action plan tracking

Question 31

Challenges of risk reporting

Answer 31

* Balancing information so it is not info overload * Preventing oversimplification of key data * Filtering risk information based on the audience * Aggregating qualitative data without losing it's purpose/specificity * Maintaining stakeholder engagement

Question 32

Seperating risk monitoring and reporting

Answer 32

* Risk monitoring = occurs at the process/operational level and alerts are escalated to mgmt. * Risk reporting = focusses on need to know info based on the level of mgmt the report is aimed - process and risk mgmt - all data needed to be shared - dept. heads - info requiring action+periodic summaries - Exec. committee - high level data required for decision making Best practices: * Focus on controls * include balanced reporting - highlight red flags and green indicators to a full view of risk performance * clear classification taxonomy

Question 33

Agregating risk data

Answer 33

* Conversion and addition - convert qualitative metrics into monetary units for aggregation (like reputational damage into fin. loss) * Worst case reporting - report the worst score in a data set conservatively * Categorisation - report the % of risks that are red, amber green to give a balanced view

Question 34

reporting on conduct

Answer 34

* conduct metrics monitor empolyee behaviour and compliance such as missed trainings, disciplinary actions and comppliance fails

Question 35

Altervantives to using averages in risk reporting

Answer 35

* Averages can mask severe issues in risk reporting as they don't ientify te extreme outliers which in this context are teh points risk mgmt are looking for. * Medians and quartiles and preffered as they identify and consider teh outliers * splitting loss data is also common practice - small expected losses to be rported together whereas large unexpected losses should be reported individually

Question 36

benchmarking losses again gross income targets - common ratios and underperforming number

Answer 36

* Reporting losses as a % of gross income to senior mgmt captures attention. COMMON RATIOS - 1.8%-2.2% = highly effectice op risk mgmt - 2.2-3% = standard expected range - >3% = higher losses due to manual processes and underincestment Underrepoting is often idnicated by losses falling under 1.5% - not a good thing Food retail and telecoms report op losses of circa 2%

Question 37

Turning data into actionable steps

Answer 37

* Deviations in teh norm are identified in data sets - - give insights * Patterns can be analyses to review outliers, clusters etc. interpret to do RCA/action plans * Pay attention to positives to give a balanced view of risk mgmt