LO 37.4: Describe tools and processes that can be used to identify and assess operational risk.
Tools that may be used to identify and assess operational risk include: Business process mappings, which do exactly that, map the banks business processes.
Maps can reveal risks, interdependencies among risks, and weaknesses in risk management systems.
Risk and performance indicators are measures that help managers understand the banks risk exposure. There are Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). KRIs are measures of drivers of risk and exposures to risk. KPIs provide insight into operational processes and weaknesses. Escalation triggers are often paired with KRIs and KPIs to warn when risk is approaching or exceeding risk thresholds. Scenario analysis is a subjective process where business line managers and risk managers identify potential risk events and then assess potential outcomes of those risks. Measurement involves the use of outputs of risk assessment tools as inputs for operational risk exposure models. The bank can then use the models to allocate economic capital to various business units based on return and risk.
Audit findings identify weaknesses but may also provide insights into inherent
operational risks. .Analysis of internal operational loss data. Analysis can provide insight into the causes of large losses. Data may also reveal if problems are isolated or systemic.
Analysis of external operational loss data including gross loss amounts, dates, amount of
recoveries and losses at other firms.
Risk assessments, or risk self assessments (RSAs), address potential threats. Assessments
consider the banks processes and possible defenses relative to the firms threats and vulnerabilities. Risk Control Self-Assessments (RCSA) evaluate risks before risk controls are considered (i.e., inherent risks). Scorecards translate RCSA output into metrics that help the bank better understand the control environment.
Comparative analysis combines all described risk analysis tools into a comprehensive
picture of the banks operational risk profile. For example, the bank might combine audit findings with internal operational loss data to better understand the weaknesses of the operational risk framework.
Fe a t u r e s o f a n Ef f e c t iv e C o n t r o l En v ir o n me n t