LO 37.6: Explain the Basel Committees suggestions for managing technology risk and outsourcing risk.
Technology can be used to mitigate operational risks. For example, automated procedures are generally less prone to error than manual procedures. However, technology introduces its own risks. The Basel Committee recommends an integrated approach to identifying, measuring, monitoring, and managing technology risks.
Technology risk management tools are similar to those suggested for operational risk management and include: Governance and oversight controls. Policies and procedures in place to identify and assess technology risks. Written risk appetite and tolerance statements.
Establish risk transfer strategies to mitigate technology risks. Monitor technology risks and violations of thresholds and risk limits. Create a sound technology infrastructure (i.e., the hardware and software components,
Implement a risk control environment.
data and operating environments).
Page 8
2018 Kaplan, Inc.
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
Outsourcing involves the use of third parties to perform activities or functions for the firm. Outsourcing may reduce costs, provide expertise, expand bank offerings, and/or improve bank services. The board of directors and senior management must understand the operational risks that are introduced as a result of outsourcing. Outsourcing policies should include: Processes and procedures for determining which activities can be outsourced and how
the activities will be outsourced.
Processes for selecting service providers (e.g., due diligence).
Structuring the outsourcing agreement to describe termination rights, ownership of data, and confidentiality requirements.
Monitor risks of the arrangement including the financial health of the service provider.
Implement a risk control environment and assess the control environment at the service provider.
Develop contingency plans. Clearly define responsibilities of the bank and the service provider.
2018 Kaplan, Inc.
Page 9
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
Ke y C o n c e pt s
LO 37.1 The Basel Committee on Banking Supervision defines operational risk as, the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
The Basel Committee recognizes three common lines of defense used to control operational risks. These lines of defense are: (1) business line management, (2) independent operational risk management function, and (3) independent reviews of operational risks and risk management.
LO 37.2 The 11 fundamental principles of operational risk management suggested by the Basel Committee are: 1. The maintenance of a strong risk management culture led by the banks board of
directors and senior management.
2. The operational risk framework (i.e., the Framework) must be developed and fully
integrated in the overall risk management processes of the bank.
3. The board should approve and periodically review the Framework. The board should also oversee senior management to ensure that appropriate risk management decisions are implemented at all levels of the firm.
4. The board must identify the types and levels of operational risks the bank is willing to
assume as well as approve risk appetite and risk tolerance statements.
3. Consistent with the banks risk appetite and risk tolerance, senior management must
develop a well-defined governance structure within the bank.
6. Operational risks must be identified and assessed by managers. Senior management must understand the risks, and the incentives related to those risks, inherent in the banks business lines and processes.
7. New lines of business, products, processes, and systems should require an approval
process that assesses the potential operational risks.
8. A process for monitoring operational risks and material exposures to losses should be
put in place by senior management and supported by senior management, the board of directors, and business line employees.
9. Banks must put strong internal controls and risk mitigation and risk transfer strategies
in place to manage operational risks.
Page 10
2018 Kaplan, Inc.
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
10. Banks must have plans in place to survive in the event of a major business disruption.
Business operations must be resilient.
11. Banks should make disclosures that are clear enough that outside stakeholders can assess
the banks approach to operational risk management.
LO 37.3 The board of directors and senior management must be engaged with operational risk assessment related to all 11 of the fundamental principles of operational risk management. The operational risk management framework must define, describe, and classify operational risk and operational loss exposure. The Framework must be documented in the board of directors approved policies.
LO 37.4 There are several tools that may be used to identify and assess operational risk. The tools include business process mappings, risk and performance indicators, scenario analysis, using risk assessment outputs as inputs for operational risk exposure models, audit findings, analyzing internal and external operational loss data, risk assessments, and comparative analysis.
LO 37.3 An effective control environment should include the following five components: (1) a control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (3) monitoring activities.
LO 37.6 Technology can be used to mitigate operational risks but it introduces its own risks. The Basel Committee recommends an integrated approach to identifying, measuring, monitoring, and managing technology risks. Technology risk management tools are similar to those suggested for operational risk management.
Outsourcing involves the use of third parties to perform activities or functions for the firm. Outsourcing may reduce costs, provide expertise, expand bank offerings, and/or improve bank services. The board of directors and senior management must understand the operational risks that are introduced as a result of outsourcing.
2018 Kaplan, Inc.
Page 11
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
C o n c e pt Ch e c k e r s
1.
2.
3.
Griffin Riehl is a risk manager at Bluegrass Bank and Trust, a small, independent commercial bank in Kentucky. Riehl has recently read the Basel Committee on Banking Supervisions recommendations for sound operational risk management and would like to put several controls in place. He would like to start with the three lines of defense suggested by the committee. Which of the following is not one of the three common lines of defense suggested by the Basel Committee for operational risk governance? A. Business line management. B. Board of directors and senior management risk training programs. C. Creating an independent operational risk management function in the bank. D. Conducting independent reviews of operational risks and risk management
operations.
Garrett Bridgewater, a trader at a large commercial bank, has continued to increase his bonus each year by producing more and more profit for the bank. In order to increase profits, Bridgewater has been forced to increase the riskiness of his positions, despite the written risk appetite and tolerance statements provided to all employees of the bank. The bank seems happy with his performance so Bridgewater takes that as a sign of approval of his methods for improving profitability. Which of the following pairs of the 11 fundamental principles of risk management has the bank most clearly violated in this situation? A. Principle 1 (a strong risk management culture) and Principle 11 (the bank
should make clear disclosures of operational risks to stakeholders).
B. Principle 2 (develop an integrated approach to operational risk management) and Principle 7 (establish a rigorous approval process for new lines of business). C. Principle 3 (approve and review the operational risk framework) and Principle 4
(develop risk appetite and tolerance statements).
D. Principle 3 (develop a well-defined governance structure) and Principle 6
(understand the risk and incentives related to risk inherent in the banks business lines and processes).
Gary Hampton is providing descriptions of the operational risk management assessment tools, reporting lines, and accountabilities to the board of directors. Hampton is most likely working on: A. Framework documentation. B. A corporate operational risk function (CORF) handbook of operations. C. An outline of the fundamental principles of operational risk management. D. An open group operational framework diagram.
Page 12
2018 Kaplan, Inc.
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
4.
3.
George Mathis works in risk analysis and management at a large commercial bank. He uses several tools to identify and assess operational risk. He has asked several business line managers to identify some risk events that would disrupt business. Each manager has also provided their thoughts on what would happen given worst case operational failures. The risk assessment tool Mathis is most likely using in this case is (are): A. risk indicators. B. comparative analysis. C. scenario analysis. D. business process mappings.
A risk management officer at a small commercial bank is trying to institute strong operational risk controls, despite little support from the board of directors. The manager is considering several elements as potentially critical components of a strong control environment. Which of the following is not a required component of an effective risk control environment as suggested by the Basel Committee on Banking Supervision? A. Information and communication. B. Monitoring activities. C. A functionally independent corporate operational risk function. D. Risk assessment.
2018 Kaplan, Inc.
Page 13
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
C o n c e pt Ch e c k e r A n s w e r s
1. B The three common lines of defense suggested by the Basel Committee on Banking
Supervision and employed by firms to control operational risks are: (1) business line management, (2) an independent operational risk management function, and (3) independent reviews of operational risks and risk management.
2. D Based on the choices provided, the best match for the scenario is a violation of Principles 5
and 6. It is clear that the bank has not considered the incentives that are related to risk taking in the bank. Bridgewater has been given the risk appetite and tolerance statements but senior managers keep rewarding Bridgewater for high returns and seem to be ignoring the fact that they are the result of higher risks. Thus, there are incentives linked to increasing risk. The governance structure may or may not be well defined, but regardless, is not being adhered to.
3. A The operational risk management framework (i.e., the Framework) must define, describe, and classify operational risk and operational loss exposure. Hampton is likely working on Framework documentation. Framework documentation is overseen by the board of directors and senior management.
4. C Mathis is asking for managers to identify potential risk events, which he will use to assess
potential outcomes of these risks. This is an example of scenario analysis. Scenario analysis is a subjective process where business line managers and risk managers identify potential risk events and then assess potential outcomes of those risks.
5. C A functionally independent corporate operational risk function is desirable in a bank but is not necessary for an effective control environment. This is especially true for a small bank, which might roll all risk management activities into one risk management group (i.e., not segregated by type of risk). An effective control environment should include the following five components: (1) a control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities.
Page 14
2018 Kaplan, Inc.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
En t e r pr i se Ri s k Ma n a g e me n t : Th e o r y a n d Pr a c t i c e
Topic 38
E x a m F o c u s
Enterprise risk management (ERM) is the process of managing all of a corporations risks within an integrated framework. This topic describes how ERM can be implemented in a way that enables a company to manage its total risk-return tradeoff in order to better carry out its strategic plan, gain competitive advantage, and create shareholder value. Key issues include why it may be optimal to hedge diversifiable risk and how to differentiate between core risks the firm should retain and noncore risks the firm should layoff. Also discussed is the determination of the optimal amount of corporate risk and the importance of ensuring that managers at all levels take proper account of the risk-return tradeoff. For the exam, understand the framework for developing and implementing ERM.
C r e a t i n g V a l u e W i t h ERM