Nicole Seaman

Director of CFA & FRM Operations
Learning objectives: Identify roles and responsibilities of different organizational committees, and explain how risk reports should be developed for each committee or business function. Describe components of operational risk reports and explain best practices in operational risk reporting. Describe challenges to reporting operational risks, including characteristics of operational loss data, and explain ways to overcome these challenges. Explain best practices for reporting risk exposures to regulators and external stakeholders.

Questions:

23.7.1. Sally has just started her new job as Chief Risk Officer (CRO) at a large bank with operations in several major cities on five continents. The board of directors includes an executive committee, an audit committee, and a risk committee. External stakeholders, as usual, include regulators and the public. With respect to risk management, the bank utilizes a traditional three lines of defense (3LoD) model. In terms of risk reporting, however, the bank's risk reporting function is a bit disorganized because various leaders, over the years, have requested various types of reports. Sally wants to unify (e.g., introduce greater coherence) and, if possible, streamline the risk reporting function.

In regard to risk reporting best practices, which of the following statements is TRUE?

a. Risk reports should be condensed to just a few pages to avoid overwhelming the readers.
b. Averages are better than medians because outliers should be incorporated into summary statistics rather than reported separately
c. Different management levels and decision-making bodies should receive the same operational risk information (i.e., identical in type and level of detail) to avoid conflicts
d. The central operational risk function collects and synthesizes operational risk information for the operational risk committee and provides feedback to the business lines based on aggregated operational risk reporting


23.7.2. Peter is a certified Financial Risk Manager (FRM) recently hired by a large publicly traded financial services company. The company's governance structure includes the usual board committees, i.e., executive, audit, risk, and compensation. With respect to the operational risk function, there also exists an operational risk committee, business line managers, and risk champions. The primary operational risk management (ORM) report is published internally. Peter notices that this ORM report contains five components:

1. Top-10 risks and risk outlook
2. Heatmap and risk register
3. Risk appetite metrics
4. KRIs and issue monitoring
5. Action plans and follow-up

Peter further observes that two components are missing from the company's ORM report. Which of the following best describes the two missing components?

a. Combined assurance map; and Inherent plus residual risk plot
b. Conduct metric dashboard; and Risk champions horse race status
c. Actual losses plus near-miss incidents; and horizon scan's emerging risks
d. Cyberattack domain registry; and Three-layer "decide-act-monitor" cake


23.7.3. Reporting on operational risks presents a unique set of challenges. As GARP explains, "Unlike other risk factors, assessing the volatility of operational risk is especially challenging given this is a relatively new discipline. Credit and market risk metrics often have over a hundred years of historical trend information. Operational risk measurement is relatively new, requiring more attention to the qualitative and quantitative tracking measures used to evaluate changes in risk profiles."(†)

Let's assume the organization's central operational risk function (ORF) has primary responsibility for operational risk reporting. In regard to the challenges to reporting operational risks, each of the following statements is true EXCEPT which is false?

a. The ORF should focus scarce resources on preventing and addressing major incidents rather than getting distracted by daily volatility
b. When the purpose is benchmarking across business units, losses should be reported in dollar terms (i.e., rather than percentage or basis points) because low percentages could mask high dollar losses
c. The ORF should regularly review small, frequent losses to spot potential control breaches or process flaws; if these losses are consistent and random, consider including their average cost in the service price
d. The ORF can address the challenge of compiling qualitative risk data through either (i) conversion and summation, (ii) categorization, and (iii) worst-case reporting.

Answers here:

(†) GARP Chapter 6, Risk Reporting, 2023 FRM Part 2, Topic 7.