Module 29: Management of operational and other risks

Question 1

The key to managing operational risk

Answer 1

having sufficient effective controls (ie a combination of information, assessment and response).

Question 2

5 Features of best-practice operational risk management

Answer 2

• broad definition of operational risk
• internal and external early warning indicators
• qualitative and quantitative assessment tools (eg scenario testing and simulation models)
• capital is allocated to operational risk
• insurance function is fully integrated with the operational risk function

Question 3

11 Actions aimed at managing operational risks

Answer 3

• outsourcing (people, processes, systems)
• business continuity and crisis management plans and resources
• horizon scanning (regulatory, event)
• maintenance (technology, systems, event)
• security (technology, crime)
• good HR practices (people: employment-related, agency)
• careful underwriting, product design and pricing (people: adverse selection, moral hazard)
• education, checks and balances (people: bias)
• good change management (process, technology, model)
• strong relationship with key stakeholders (regulatory, reputational)
• sound ERM framework that is integrated into the business (reputational)

Question 4

7 Steps of an Enterprise-wide process for transferring operational risk

Answer 4

1. identify operational risk exposures
2. quantify them (probabilities, severities and capital requirements)
3. integrate the operational risk with credit and market risk to establish an enterprise-wide risk profile
4. establish limits
5. implement controls
6. develop strategies for risk transfer and financing
7. evaluate alternatives (providers and structures) based on a cost/benefit analysis.

Question 5

2 Actions in respect of retained operational risks

Answer 5

• establishing reserves (self-insurance)
• allowing for operational risk when allocating (economic) capital - to incentivise management to improve operational risk management.

Question 6

6 Actions to manage liquidity risk

Answer 6

• active monitoring of liquidity requirements, within and across legal entities, allowing for differing transferability of liquid assets (fungibility)
• varying investment strategy
• using swaps
• maintenance of a contingency fund
• diversifying sources of funding
• obtaining contingent sources of funding

Question 7

A business can manage some systemic risks by: (2)

Answer 7

• ensuring it deals with a diverse range of counterparties, eg avoiding concentration by imposing internal limits
• trading via exchanges

Question 8

5 Activities designed to reduce feedback risk

Answer 8

• the use of circuit breakers by exchanges
• certain government actions (eg propping up a bank)
• regulations requiring the establishment of reserves
• avoiding pro-cyclical regulations
• physically separating certain types of businesses (eg retail and investment banking)

Question 9

5 Processes to manage other risks

Answer 9

• underwriting
• risk transfer
• reducing risk concentrations
• improving diversification
• hedging

Question 10

Operational risk management:

define “controls”

Answer 10

Controls in this context means a combination of information, assessment and response.

I.e. what information do we have that we can use to decide what course of action to take.

Question 11

Outline 8 desirable features of controls

Answer 11

1. focussed on results
2. in place for both measurable and non-measurable events
3. standardised for efficient communication
4. high quality, so as to improve management
5. few, rather than many
6. meaningful and appropriate
7. timely, so as to give sufficient warning
8. simple, so they are easily understood

Question 12

2 Disadvantages of outsourcing

Answer 12

Additional risks that need to be managed, including:

• possible failure of the third-party to deliver its commitments
• reduced control over the processes and people in the third party

Question 13

5 Considerations a company should make before entering into an outsourcing agreement with a third-party

Answer 13

1. Regulatory environment and the status of the third party
2. Financial standing of the third party
3. Competency, business continuity plans and risk processes of the third party
4. Its legal agreement with the third party, including the right to terminate and the third party’s right to sub-contract
5. How it will monitor the third party

Question 14

7 External event risks known to have impacted on businesses

Answer 14

1. Loss of IT or telephony capacity
2. Loss of people or skills
3. Bad PR or negative publicity
4. Disruption to supply chain
5. fire / flooding / high winds
6. Protest from pressure groups
7. Terrorist damage

Question 15

Broad definition of business continuity

Answer 15

Safeguarding the business’ reputation, brand and other value-creating activities.

Question 16

7 Actions that can be taken to manage technology and cyber-crime risks

Answer 16

1. Keeping systems up-to-date
2. Routine maintenance
3. Thorough testing (for robustness and compatibility) when introducing new IT systems.
4. Quick response IT helpdesks to deal with minor IT issues.
5. Training staff - eg not to open suspicious email attachments.
6. Restrictions on employees’ use of social media applications or use of devices that might circumvent IT security.
7. Implementing and testing security software and routines, such as firewalls, back-ups and regular password changes, to prevent cyber attacks and ensure data can be rapidly recovered in the event of loss.

Question 17

State how the risk of adverse selection can be managed

Answer 17

By careful underwriting and product design and pricing.

Question 18

Process risk

Answer 18

The introduction of changes into business processes or IT systems introduces the risk to the business that the new processes or systems may fail or be poorly implemented.

Question 19

State how process risks can be managed

Answer 19

• undertaking pilot studies
• precise definition of the requirements of any new solution to best meet the needs of the whole enterprise
• designing systems that can be easily maintained, enhanced and upgraded
• careful deployment of the new systems with user education

Question 20

To manage model risk it is important to: (3)

Answer 20

• have documented processes for model building and testing
• have clear audit trails and change-management routines
• use models only for their intended purpose

Question 21

To manage data risk it is important to: (3)

Answer 21

• limit what can be entered to what is valid (eg range checks)
• check data entry
• re-check data on transfer and, in particular, de-duplicate.

Question 22

State 3 defenses against reputational risk

Answer 22

• a sound ERM framework
• business continuity and crisis management plans and processes
• strong relationships with key stakeholders

Question 23

3 Methods of managing market liquidity risk

Answer 23

1. Varying investment strategy
2. Using swaps
3. Having a contingency fund of high-quality liquid assets

Question 24

3 Methods of managing funding liquidity risk

Answer 24

1. Diversifying sources of funding.
2. Continuously monitoring the ability to raise additional capital.
3. Contingency sources of funding from their bank (eg a line of credit) to draw upon in times of stress.