Operational Risk Management
eBook - ePub

Operational Risk Management

Best Practices in the Financial Services Industry

Ariane Chapelle

About This Book

OpRisk Awards 2020 Book of the Year Winner! The Authoritative Guide to the Best Practices in Operational Risk Management

Operational Risk Management offers a comprehensive guide that contains a review of the most up-to-date and effective operational risk management practices in the financial services industry. The book provides an essential overview of the current methods and best practices applied in financial companies and also contains advanced tools and techniques developed by the most mature firms in the field.

The author explores the range of operational risks such as information security, fraud or reputation damage and details how to put in place an effective program based on the four main risk management activities: risk identification, risk assessment, risk mitigation and risk monitoring. The book also examines some specific types of operational risks that rank high on many firms' risk registers.

Drawing on the author's extensive experience working with and advising financial companies, Operational Risk Management is written both for those new to the discipline and for experienced operational risk managers who want to strengthen and consolidate their knowledge.

Information

Publisher: Wiley
Year: 2018
ISBN: 9781119549079
Edition: 1

PART One
Risk Identification

“Forewarned is forearmed.”

CHAPTER 1
Risk Identification Tools

TOP‐DOWN AND BOTTOM‐UP RISK IDENTIFICATION

The most dangerous risks are those we ignore, as they can lead to nasty surprises. Before organizing risks in a register, it is important to identify the risks that are specific to your own business, not just those based on an external list, and then assess, mitigate and monitor them.
Risk identification in an organization should take place both top‐down, at senior management level, looking at the large exposures and threats to the business, and bottom‐up, at business process level, looking at local or specific vulnerabilities or inefficiencies. These procedures are different but complementary, and both are vital because it is not sufficient to have one without the other. My favorite analogy for top‐down and bottom‐up risk management is the crow's nest versus the engine room of a boat, both of which are necessary for a complete view of an organization (see Figure 1.1).
Picture of a boat depicting top-down and bottom-up risk management using the boat analogy.
FIGURE 1.1 Top‐down and bottom‐up risk management: the boat analogy
Top‐down risk analysis should be performed between one and four times a year, depending on the growth and development of the business and the level of associated risks. The aim is to identify key organizational risks, the major business threats that could jeopardize strategic objectives. Top‐down risk identification sessions will typically include senior risk owners, members of the executive committee and heads of business lines. Sessions are best organized as brainstorming workshops with supporting techniques and tools, such as review of exposures and vulnerabilities, risk wheel, and causal analysis of potential impacts and expected revenues. These are explained in the next sections. Top‐down risk identification exercises are similar to scenario generation, which is the first phase of scenario analysis. For small to medium‐sized firms, I recommend conducting these meetings with both risk identification and scenario generation in mind in order to save time. The results can then be used as inputs to both the risk and control self‐assessment (RCSA) exercises and scenario analysis. The links between RCSA and scenario analysis will be explained in Part 2.

CASE STUDY: FTSE 100 INSURANCE COMPANY – TOP‐DOWN RISK IDENTIFICATION

A large insurer in the UK calls its top‐down risk analysis TDRA. It was set up by the chief risk officer (CRO) several years ago and provides a quarterly platform for the executive committee to review principal risks and emerging threats to the business, and to implement any required changes to the firm's risk profile. The insurer calls bottom‐up risk identification RCSA, which focuses on the business process level and is the abbreviation for the more classic risk and control self‐assessment technique.
Top‐down risk analysis is one of the most efficient ways to identify important threats to a business. However, bottom‐up risk analysis is still more common in the industry. Bottom‐up risk identification is the only type of risk identification in many firms, especially among firms new to the discipline, where the practice is the least mature. In such firms, risk and control self‐assessments are carried out as a first step to risk management, at a granular level. If the scope of the bottom‐up risk identification exercise is too restricted, too granular, the output will be a disparate collection of small risks, such as manual errors and process risks, which are not always of much value to senior management. In the same way that we might fail to see a beach because we are too busy observing the grains of sand, we may miss the big picture when it comes to risks and their interactions because identification takes place at a level that is too low in the organization. The most common bottom‐up risk identification techniques are process mapping and interviews, which we explore in this chapter.

CASE STUDY: TRADING FIRM – COMPLEMENTING TOP‐DOWN AND BOTTOM‐UP RISKS

Reconciling top‐down and bottom‐up risks is a goal for many firms and consultants. However, I don't believe it is a useful or even correct approach. Rather than reconciling, I would recommend informing one type of identification with the other, and adding the results of both exercises to obtain a comprehensive view of the operational risks in an organization. This is what we did during an ICAAP (Internal Capital Adequacy Assessment Process) in a trading group in the UK. After performing two risk identification workshops with top management, we compared the results with the findings of the bottom‐up risk identification and assessment process. The findings were similar for some risks, but there were also some differences. The sum of both results provided the firm with its first risk universe, which was subsequently organized in a risk register and properly assessed.

EXPOSURE AND VULNERABILITIES

Risk exposure is inherent in every business and relates to key clients, principal distribution channels, central systems, primary sources of revenue and main regulatory authorities. In particular, large company projects and critical third parties are among the typical large exposures for a business. Operational risks related to projects and to outsourcing practices are an increasing focus in operational risk management, and rightly so. Large exposures to certain activities or counterparties aggravate the impact of possible incidents should a failure materialize for one of those activities. We will revisit exposure in Part 4, when we review the key risk indicators (KRIs) of impacts.
Vulnerabilities are the weakest links in an organization. They include inadequate or outdated products and processes, systems overdue for maintenance and testing, pockets of resistance to risk management and remote businesses left unmonitored. Large exposure typically relates to high impact/low probability risks, whereas vulnerabilities relate to higher frequency or more likely risks, hopefully with low impacts, but not necessarily. If vulnerabilities relate to large exposures, you have a heightened threat to the business. Examples of exposures and vulnerabilities are displayed in Figure 1.2.
Illustration listing out some examples of exposures and vulnerabilities as a risk identification tool.
FIGURE 1.2 Exposures and vulnerabilities as a risk identification tool
There are two significant benefits to the risk identification method of exposure and vulnerabilities: it's business‐driven and it's specific. Discussing exposures and v...
