Nicole Seaman

Director of CFA & FRM Operations
Learning objectives: Describe an operational risk management framework and assess the types of risks that can fall within the scope of such a framework. Describe the seven Basel II event risk categories and identify examples of operational risk events in each category. Explain characteristics of operational risk exposures and operational loss events, and challenges that can arise in managing operational risk due to these characteristics. Describe operational resilience, identify the elements of an operational resilience framework, and summarize regulatory expectations for operational resilience.

Questions:

23.1.1. Alice is an Operational Risk Analyst at a large bank, and she is tasked with analyzing the bank's operational risk profile. She decides to use the Basel level 1 categories of operational risk in her framework. She gathers data on past operational losses and incidents at the bank and assigns them to the categories (via their sub-levels). For example, years ago, an employee embezzled funds from a customer account; she classifies this loss under Internal Fraud. In another case, a network outage prevented customers from accessing their accounts online; she classifies this loss under the Business Disruption and Systems Failures category.

Because she has many years of data, let's assume her findings are very similar to the frequency/severity findings observed by ORX (and conveniently summarized in GARP's reading!).

Under this assumption (i.e., her frequency/severity loss profile is similar to the broader population), each of the following statements is true EXCEPT which is false?

a. External fraud is a high-severity, low-frequency risk type
b. In regard to severity, the largest losses accrue to the clients, products, and business practice (CPBP) risk category
c. She excluded losses due to legal risk because they cannot be cleanly mapped to any single Level 1 risk category
d. Compared to other Level 1 operational risk categories, damage to physical assets (DPA) tends to cause the least severe losses and with a frequency that is among the lowest


23.1.2. Andrew is preparing to make a presentation to the board. The presentation's goal is to introduce a new, proposed operational risk management (ORM) framework and get the board's feedback on the way to eventual approval. It happens to be the case that his company is publicly traded with a high cost of capital due to its above-average beta.

The board members are generally more familiar with market and credit risk but less familiar with operational risk. Therefore, his presentation will review several of the features (and nature) of operational risk, including its dynamic evolution. His presentation will briefly explore the skewed, heavy-tailed feature of operational risk. For candidate frequency distributions, he will illustrate the Poisson and negative binomial. For candidate severity distributions, he will illustrate the log-normal and generalized Pareto distribution (GPD).

In addition to these features (i.e., dynamic, heavy-tailed), which of the following is TRUE about operational risk?

a. The easiest way for a high-beta firm to lower its beta is to centralize the operational risk management (ORM) function
b. Operational risk is highly homogeneous because so-called boundary events define clusters that contain loss events and their shared (aka, common) features
c. ORM is valuable because it reduces regulatory capital, and regulatory capital is a good indicator of the firm's quality of risk management
d. Most causes of operational risk trace to control weaknesses; human biases and behavioral failings; and/or operating environment changes


23.1.3. According to U.S. agencies (the Fed, OCC, and FDIC), operational resilience is "the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions."

Their first sound practice--which GARP argues is the foundational building block of operational resilience--is effective governance. In addition, which of the following statements is TRUE about operational resilience?

a. Incident management involves establishing procedures for preventing all possible disruptions before they occur.
b. Among the necessary building blocks of operational resilience, the firm should include third-party risk management and scenario analysis
c. Because it is a BCBS concept, operational resilience is only relevant for financial institutions and not for other types of organizations.
d. The best operational resilience framework is a significant one-time effort that does not require ongoing attention or maintenance once it has been established


Answers here:
 