Module 24: Assessment of operational risks Flashcards Preview

Enterprise Risk Management (IFoA ST9) > Module 24: Assessment of operational risks > Flashcards

Flashcards in Module 24: Assessment of operational risks Deck (35)
Loading flashcards...
1
Q

Loss incident databases

A

Help a company to

  • learn lessons from previous loss incidents,
  • analyse trends in operational losses

It supports analysis of the root causes of operational losses and any mitigation strategies applied.

2
Q

Top-down models

A

use readily-available data and fairly simple calculations to give a general picture of the operational risk of a company.

3
Q

Scenario analysis has benefits including: (5)

A
  • Capturing the opinions, concerns and experience of risk managers
  • Not relying heavily on the availability / accuracy / relevance of historic data.
  • Providing an opportunity to predict high-impact events.
  • Identifying and improving understanding of cause-and-effect relationships.
  • Reducing risk-reward arbitrage opportunities.
4
Q

3 Examples of top-down models

A
  • implied capital and income volatility models - both assess operational risk as a balancing item
  • economic pricing models, eg CAPM
  • analogue models, which utilise data from similar companies
5
Q

Operational risk has traditionally been managed on an informal basis, but there are 3 main reasons why a more formal approach is advantageous:

A
  • Operational risk is the main driver behind many cases of major financial disaster in recent times.
  • Operational risk is inter-linked with credit and market risk and it is particularly important to minimise the likelihood of operational risk failure during already stressed market conditions.
  • Operational risk may otherwise be treated differently in different areas of the company. This can lead to key risks being overlooked and decisions being taken based on inaccurate information or an incorrect assessment of a business unit’s risk-adjusted returns.
6
Q

5 Steps of the operational risk assessment & management process

A
  • risk policy and organisation
  • risk identification and assessment
  • capital allocation and performance measurement
  • risk mitigation and control
  • risk transfer and finance
7
Q

State what feature of operational loss data (other than its low volume) means applying statistical methods to it can be difficult.

A

Some classes of operational loss appear to have an underlying cyclical component and/or depend on current economic conditions.

This means applying statistical methods to the loss data can be difficult.

8
Q

Credible data is needed in 3 specific areas to apply the Basel Advanced Measurement Approach

A
  • internal data on repetitive, high frequency losses over a three to five year period
  • external data on non-repetitive, low frequency losses
  • suitable stress scenarios to consider
9
Q

Main advantage of bottom-up models

A

They give a more robust picture of a company’s overall risk profile.

10
Q

Analysis of (publicly available) data on operational risk indicates that: (3)

A
  • the distribution of operational losses is skewed to large numbers of small losses and is heavy-tailed
  • loss frequency may vary significantly over time, and losses occur randomly in time
  • some classes of loss are cyclical and/or depend on economic conditions
11
Q

2 stages in a comprehensive operational risk management policy

A
  • risk policy and organisation
    covering: principles, definitions, objectives, processes and tools, organisational structure, roles and responsibilities
  • risk identification and assessment - using a wide range of tools and techniques, eg loss incident databases, control self-assessment, risk mapping, KRIs and minimum performance triggers.
12
Q

Bottom-up models

A

Start at a low level of detail and then aggregate the results.

13
Q

3 Limitations of the implied capital approach

A
  1. Total risk capital needs to be estimated (which is not straightforward)
  2. Inter-relationships between the different types of risk are ignored.
  3. This model does not capture case and effect scenarios, ie where operational risk arises in the company and its specific impact.
14
Q

Economic Pricing Model

A

The Capital Asset Pricing Model (CAPM) is the most widely used example of this kind of model.

CAPM assumes that all market information is included in a company’s share price and so the impact of any publicised operational losses can be identified by looking at the movement in a company’s share price and strippin gout the overall market movement.

15
Q

Risk mapping

A

This tool ranks the company’s key risk exposures by severity and likelihood of occurrence.

It helps a company to prioritise its risks and ensure resources are targeted to the most important risks.

16
Q

4 Limitations of the Economic pricing model

A
  1. No information on losses due to specific risks - only the aggregate view.
  2. The level of operational risk capital is unaffected by any controls put in place, so there is little motivation to improve the risk management process.
  3. Tail-end risks (ie extreme events) are not accounted for thoroughly.
  4. It does not help anticipate (and so avoid) incidents of operational risk, as there is no consideration of individual risks in isolation.
17
Q

State a relative advantage of the Economic pricing model

A

This model includes both the aggregate effect of specific risk events and the “softer” issues (eg opportunity cost and/or damage to reputation / brand).

18
Q

State a relative advantage of the income volatility model (when compared to the implied capital model)

A

There is better data availability of total income volatility than for the total risk capital needed.

19
Q

Factor-based models

A

A simpler approach under which it is assumed that losses are related to the volume of transactions (by number or value).

A weighting is applied to the actual or expected volume of transactions.

20
Q

The Basel advanced measurement approach (AMA)

A

assesses operational risk using internal models (ie statistical analysis) and scenario analysis (subject to approval and continual checking by the supervisory authorities).

The standard for this approach is a 1-year holding period and a 99.9% confidence interval.

21
Q

Implied capital model

A

Operational risk capital =
total risk capital
- non-operational-risk capital

22
Q

Outline the benefit of consistent and effective operational risk management that is distinct from the general benefits arising from the management of other types of risk.

A

It minimises the impact of reputational damage arising from incidents linked to operational losses.

Such incidents are likely to give the company the appearance of being badly managed and ill-equipped to deal with errors other than risk events.

In addition:

  • It minimises day-to-day losses and reduces the potential for more extreme and costly incidents.
  • It improves a company’s ability to meet its business objectives (by reducing the time spent on crisis management).
  • It strengthens the overall ERM process and framework.
23
Q

Risk indicators and minimum acceptable performance triggers

A

Quantitative measures can be set up (eg number of customer complaints) and used to establish goals and levels of minimum acceptable performance (MAP).

Action plans should be in place to deal with any non-attainment of the MAP.

24
Q

Key advantage of the implied capital model

A

The approach is simple and forward-looking.

25
Q

4 Examples of tools to assess, measure and manage operational risks

A
  • loss incident databases
  • controls self-assessment
  • risk mapping
  • risk indicators and minimum acceptable performance triggers
26
Q

Outline the steps involved in the process of applying scenario analysis to an assessment of operational risk exposure.

A

Scenario analysis is a means of evaluating risk where a full mathematical model is inappropriate.

Scenario analysis is frequently used when evaluating operational risks.

It involves a number of steps:

  • Risk exposures need to be grouped into broad categories.
    E.g. - all risks involving financial fraud; all risks involving system errors.
    This step is likely to involve input from a wide range of senior individuals in the organisation.
  • For each group of risks, a plausible adverse scenario is developed.
    The scenario needs to be plausible, otherwise it will not be possible to determine the consequences of the risk event.
    The scenario is deemed to be representative of all risk in the group.
  • For each scenario, the consequences of the risk event occurring are calculated.
    Again, this is likely to involve senior staff input.
    The financial consequences include:
    — redress paid to those affected
    — the cost of correcting systems and records
    — regulatory fees and fines
    — opportunity costs while any changes are made;
    etc.
    In practice the mid-point of a range of possible values is usually taken.
  • The total costs calculated are taken as the financial cost of all risks represented by the chosen scenario.
  • The assessments of likelihood and severity made by a scenario analysis can be displayed on a risk map.
27
Q

Controls self-assessment

A

This is an internal analysis of the key risks and their controls and management implications.

28
Q

Income Volatility Model

A

The model looks at income volatility as the primary factor determining capital allocation.

It states that income volatility due to operational risk can be found as follows:

Operational risk capital =
total income-volatility
- non-operational-risk income-volatility

29
Q

The nature of operational risk: (5)

A

Operational risk:

  • has no inherent upside
  • has been the main driver behind many recent major financial disasters
  • is inter-linked with credit and market risks
  • may be exacerbated by being treated differently across different parts of a single organisation
  • should be managed carefully so as to minimise associated reputational risk
30
Q

2 Different approaches that may be used to assess different sub-categories of operational risks

A
  • the small day-to-day mistakes made in the course of business may be modelled using statistical distributions
  • infrequent large events may be modelled using EVT
31
Q

Key disadvantage of factor-based models in general

A

Operational risk exposure may not be proportional to business volume,

ie volume is not necessarily a suitable proxy for risk exposure.

32
Q

Interest in the active management of operational risk has been kick-started in recent times by: (4)

A
  1. The advent of enterprise-wide risk management.
  2. The introduction of new regulatory capital requirements (which include a requirement to assess operational risk).
  3. The increasing emphasis on sophisticated quantitative models for other types of risks.
  4. The fact that, unlike many other forms of risk, it has no inherent upside potential.
33
Q

2 Limitations of the income volatility model

A
  1. It ignores the rapid evolution of companies and industries - over time the income volatility of companies will change (ie it is not forward looking).
  2. By focusing on income rather than value, this model does not capture the “softer” measures of risk, such as opportunity cost and the value of reputation/brand.
34
Q

3 Limitations of bottom-up models

A
  1. It is difficult to break down reported aggregate losses into their constituent components (eg in order to apply non-life reserving techniques to the components, each of which has a different risk of loss).
  2. There may be little robust internal historic data, especially for low probability and high- (but uncertainly high-) impact events.
  3. Differences between companies mean that application of external data (to supplement limited internal data) is difficult.
35
Q

6 Components of a comprehensive operational risk management policy

A
  1. Principles for operational risk management
  2. Definitions and taxonomy for operational risk
  3. Objectives and goals of operational risk management
  4. Operational risk management processes and tools.
  5. Organisational structure, as it applies to operational risk management.
  6. Roles and responsibilities of different business areas involved in operational risk management.

Decks in Enterprise Risk Management (IFoA ST9) Class (48):