Learning objectives: Explain best practices for the collection of operational loss data and reporting of operational loss incidents, including regulatory expectations. Explain operational risk-assessment processes and tools, including risk control self-assessments (RCSAs), likelihood assessment scales, and heatmaps. Describe the differences among key risk indicators (KRIs), key performance indicators (KPIs), and key control indicators (KCIs).
Questions:
23.4.1. Paula is refactoring the operational incident (loss) database as part of an update to her firm's risk and control self-assessment (RCSA) procedure according to a new operational risk management framework (ORMF). The RSCA procedure will include the following steps: identify covered risks (from among the risk taxonomies); refactor incident database; audit existing data quality; propose any modifications to improve quality of future data; design key risk and key control indicators (KRIs & KCIs); and design heatmap(s).
One of the key steps in this RSCA is an audit of the data quality. In regard to her database audit, each of the following statements is true EXCEPT which is false?
a. Each operational incident has (at least) four important dates: occurrence, discovery, reporting, and accounting (settlement)
b. The gap between the discovery date and the settlement date should rarely exceed a few months and never exceed one year; otherwise, the IT reporting system itself probably requires an upgrade
c. A non-zero minimum threshold (e.g., €5,000) for loss reporting is acceptable such that losses below the threshold are deemed immaterial
d. Although the general ledger is a great source for benchmarking, is it not a perfect substitute for a dedicated operational event database
23.4.2. Ethan is designing the risk and control self-assessment (RCSA) process for his employer. His boss requests that the process is able to generate report(s) for the board, and she also hopes the RCSA process can eventually be automated. Ethan's initial design includes (as one step) combining the two dimensions of likelihood and impact into a color-coded matrix. Each dimension has a four-level scale (i.e., numbered 1 to 4) as illustrated below:
In regard to this RCSA process and his initial heatmap, each of the following statements is true EXCEPT which is false?
a. A key function of the RCSA is to determine whether the control environment of an activity (or unit) aligns with the firm's risk appetite
b. At the end of this RCSA exercise, his firm should have a good understanding of its inherent risks, control effectiveness, and residual risks
c. Impact types (horizontal axis) commonly include financial, regulatory, service continuity, customer, and reputation; likelihood scales (vertical axis) are expressed either in percentages or frequency of occurrence
d. In order to compare loss events implications on a single dimension, his algorithm should multiply likelihood by probability; e.g., total score of 4 to both likely-but-low-impact (1 * 4 = 4) and remote-but-extreme-impact (4 * 1 = 4) events
23.4.3. Sally is revising her firm's operational risk monitoring metrics. Her client attrition and retention metrics include likelihood key risk indicators (aka, KRI of likelihood), such as drop(s) in customer satisfaction, and impact KRIs (aka, KRI of impact), such as an increase(s) in value generated by top-10 clients. She is also revising key performance indicators (KPIs) and key control indicators (KCIs). The net promoter score is an example of one of her potential KPIs. Missed due diligence items is an example of one of her potential KCIs.
In regard to these metrics (KRI, KPI, and KCI), each of the following is true EXCEPT which is false?
a. Some metrics can be both KPI and KRIs or even share elements of all three (KPI, KRI, and KCI)
b. KRI thresholds and governance vary according to the organization's risk appetite and risk tolerance levels
c. Natural language (NLP) machine learning methods are a cost-effective substitute for the risk control and self-assessment (RCSA) because it eliminates the need to select and design key risk indicators (KRIs)
d. Key performance indicator (KPI) is more likely to be a lagging metric, while key risk indicator is more likely to be a leading metric
Answers here:
Questions:
23.4.1. Paula is refactoring the operational incident (loss) database as part of an update to her firm's risk and control self-assessment (RCSA) procedure according to a new operational risk management framework (ORMF). The RSCA procedure will include the following steps: identify covered risks (from among the risk taxonomies); refactor incident database; audit existing data quality; propose any modifications to improve quality of future data; design key risk and key control indicators (KRIs & KCIs); and design heatmap(s).
One of the key steps in this RSCA is an audit of the data quality. In regard to her database audit, each of the following statements is true EXCEPT which is false?
a. Each operational incident has (at least) four important dates: occurrence, discovery, reporting, and accounting (settlement)
b. The gap between the discovery date and the settlement date should rarely exceed a few months and never exceed one year; otherwise, the IT reporting system itself probably requires an upgrade
c. A non-zero minimum threshold (e.g., €5,000) for loss reporting is acceptable such that losses below the threshold are deemed immaterial
d. Although the general ledger is a great source for benchmarking, is it not a perfect substitute for a dedicated operational event database
23.4.2. Ethan is designing the risk and control self-assessment (RCSA) process for his employer. His boss requests that the process is able to generate report(s) for the board, and she also hopes the RCSA process can eventually be automated. Ethan's initial design includes (as one step) combining the two dimensions of likelihood and impact into a color-coded matrix. Each dimension has a four-level scale (i.e., numbered 1 to 4) as illustrated below:
In regard to this RCSA process and his initial heatmap, each of the following statements is true EXCEPT which is false?
a. A key function of the RCSA is to determine whether the control environment of an activity (or unit) aligns with the firm's risk appetite
b. At the end of this RCSA exercise, his firm should have a good understanding of its inherent risks, control effectiveness, and residual risks
c. Impact types (horizontal axis) commonly include financial, regulatory, service continuity, customer, and reputation; likelihood scales (vertical axis) are expressed either in percentages or frequency of occurrence
d. In order to compare loss events implications on a single dimension, his algorithm should multiply likelihood by probability; e.g., total score of 4 to both likely-but-low-impact (1 * 4 = 4) and remote-but-extreme-impact (4 * 1 = 4) events
23.4.3. Sally is revising her firm's operational risk monitoring metrics. Her client attrition and retention metrics include likelihood key risk indicators (aka, KRI of likelihood), such as drop(s) in customer satisfaction, and impact KRIs (aka, KRI of impact), such as an increase(s) in value generated by top-10 clients. She is also revising key performance indicators (KPIs) and key control indicators (KCIs). The net promoter score is an example of one of her potential KPIs. Missed due diligence items is an example of one of her potential KCIs.
In regard to these metrics (KRI, KPI, and KCI), each of the following is true EXCEPT which is false?
a. Some metrics can be both KPI and KRIs or even share elements of all three (KPI, KRI, and KCI)
b. KRI thresholds and governance vary according to the organization's risk appetite and risk tolerance levels
c. Natural language (NLP) machine learning methods are a cost-effective substitute for the risk control and self-assessment (RCSA) because it eliminates the need to select and design key risk indicators (KRIs)
d. Key performance indicator (KPI) is more likely to be a lagging metric, while key risk indicator is more likely to be a leading metric
Answers here:
Last edited by a moderator:
