Nicole Seaman

Director of FRM Operations
Staff member
Learning objectives: Compare different top-down and bottom-up approaches and tools for identifying operational risks. Describe best practices in the process of scenario analysis for operational risk. Describe and apply an operational risk taxonomy and give examples of different taxonomies of operational risks. Describe and apply the Level 1, 2, and 3 categories in the Basel operational risk taxonomy.


23.3.1. Peter is developing operational risk taxonomies for his financial services firm. His approach is influenced by the ORX taxonomy and their bow tie structure.


Consequently, he is developing at least four taxonomies: causes, controls, risk events, and impacts. In regard to these operational risk taxonomies, each of the following statements is true EXCEPT which is false?

a. Causes include people, processes, systems, and external events (aka, PPSE)
b. Risk events include the seven Basel event types plus (+) risk events that are elevated to highest-level (aka, Level 1), including third-party failure, statutory reporting & tax, data management, information/cyber security, and model risk
c. Controls are preventative, detective, corrective (i.e., to mitigate impact), or directive
d. Impacts include people, external fraud, internal fraud, physical security & safety, business continuity, transaction processing & execution, technology, conduct, legal, financial crime, and regulatory compliance

23.3.2. An operational risk management framework (ORMF) includes identification, assessment, mitigation, and monitoring. The first step, risk identification, is an essential task with a long history and dynamic evolution in corporate practice. In regard to modern practice, which of the following statements about risk identification is TRUE?

a. Horizon scanning is a top-down approach that might be achieved in a structured way with a PESTLE analysis
b. Because bottom-up tools only identify risks that have already occurred (rather than potential future risks), their chief drawback is a tendency to overlook non-financial risks such as reputational or compliance
c. The bank should choose between either a top-down or bottom-up approach to risk identification in order to avoid confusing those in the middle of the organization
d. Although popular in the 80s and 90s, the risk wheel should be avoided because it is a novelty, and gamification tends to distract from the seriousness of the exercise

23.3.3. Patricia is a risk analyst who works for a large international bank. Her team is developing a new risk management framework for the bank and is currently working on risk identification. As part of extreme risk identification, Patricia has been assigned the important task of designing and performing the firm's scenario analysis. Soon she will facilitate a brainstorming session for which she has prepared the following documents: external loss data, internal loss data (including near misses), risk and control self-assessment (RCSA) results, key risk indicator scores, audit issues, and concentrated exposures.

Assuming she continues to follow best (or good) practice with respect to scenario analysis, which of the following is a TRUE statement?

a. Because most large operational losses result from external causes, her primary focus should be scenarios driven by external causes
b. She should compare her firm's generated scenarios to industry-specific list(s) published by external sources, but such a comparison should be made after her firm's own internal generation exercise
c. The initial output of scenario identification should be limited to approximately 10 or 12 scenarios in order to avoid the fallacy of missing the forest for the trees
d. Because the ultimate goal of scenario analysis is to predict the future with a sufficient degree of certainty, her process should acknowledge and elevate the role of human subjectivity
