LO 41.6: Explain the role of operational risk governance and explain how a firm's organizational structure can impact risk governance.
A key factor in creating a successful OpRisk framework is the organizational design of the risk management framework. Developing an understanding of reporting lines is just as important as developing good measurement tools and key risk indicators. All stakeholders for the organization should be informed of the OpRisk framework to help ensure that data is collected accurately and reflects the systems in place. The way in which risk is managed in an organization and the internal governance are important aspects of OpRisk management.
There are four main organizational designs for integrating the OpRisk framework within the organization. Most large firms start at design 1 and progress to design 4 over time. The four organizational designs are illustrated in Figure 11 and summarized below.
Design 1: Central Risk Function Coordinator
In the first risk organizational design, the risk manager is viewed more as a coordinator or facilitator of risk management. This risk management design typically involves only a small Central Risk group that is responsible for OpRisk management. The risk manager gathers all risk data and then reports directly to the Chief Executive Officer (CEO) or Board of Directors. Regulators believe there exists a conflict of interest for reporting risk data directly to management or stakeholders that are primarily concerned with maximizing profits. Thus, this design can only be successful if business units are responsive to the Central Risk function without being influenced by upper management who controls their compensation and evaluates their performance.
Design 2: Dotted Line or Matrix Reporting
Creating a link or dotted line from the business risk managers to the Central Risk function of the organization is the next natural progression in risk organizational design. The dotted line implies that business unit managers are still directly under the influence of the CEO who controls their compensation and evaluates their performance. Thus, this type of framework is only successful if there is a strong risk culture for each business unit that encourages collaboration with the Central Risk function. Furthermore, this dotted line structure is preferred when there is a culture of distrust of the Central Risk function based on some historical events.
2018 Kaplan, Inc.
Topic 41 Cross Reference to GARP Assigned Reading – Cruz, Chapter 2
Design 3: Solid Line Reporting
For larger firms that have centralized management, the solid line reporting is more popular. The solid line indicates that each business unit has a risk manager that reports directly to the Central Risk function. This design enables the Central Risk function to more effectively prioritize risk management objectives and goals for the entire firm. The solid line reporting also creates a more homogeneous risk culture for the entire organization.
Design 4: Strong Central Risk Management
Many large firms have evolved into a strong central risk management design either voluntarily or from regulatory pressure. Under this design, there is a Corporate Chief Risk Officer who is responsible for OpRisk management throughout the entire firm. The Central Risk Manager monitors OpRisk in all business units and reports directly to the CEO or Board of Directors. Regulators prefer this structure as it centralizes risk data, which makes regulatory supervision easier for one direct line of risk management as opposed to numerous risk managers dispersed throughout various business units of the firm.
Figure 11: Risk Department Organizational Designs
1. Central Risk Function Coordinator
2. Matrix Reporting (Dotted Line)
3. Central Risk Management (Solid Line)
4. Strong Central Risk Management
Key Concepts
LO 41.1 Basel II classifies loss events into seven categories. Loss events in the Execution, Delivery, and Process Management category have a small dollar amount but a very large frequency of occurrence. Losses are more infrequent but very large in the Clients, Products, and Business Practices category.
LO 41.2 Thresholds for collecting loss data should not be set too low if there are business units that have a very large number of smaller losses. Another important issue to consider in the process of collecting loss data is the timeframe for recoveries. Time horizons for complex loss events can stretch out for as much as five years or longer.
The International Accounting Standards Board (IASB) prepared IAS37, which states that loss provisions: (1) are not recognized for future operating losses, (2) are recognized for onerous contracts where the costs of fulfilling obligations exceed expected economic benefits, and (3) are only recognized for restructuring costs when a firm has a detailed restructuring plan in place.
LO 41.3 Risk control self-assessment (RCSA) requires the assessment of risks that provides a rating system and control identification process for the OpRisk framework. Key risk indicators (KRIs) are used to quantify the quality of the control environment with respect to specific business unit processes.
LO 41.4 Expert opinions are drawn from structured workshops and used as inputs in scenario analysis models. A challenge for scenario analysis is that these expert opinions may contain the following biases: presentation, context, availability, anchoring, huddle, gaming, confidence, and inexpert opinion.
LO 41.5 In general, the Clients, Products, and Business Practices unit and the Execution, Delivery, and Process Management unit have the largest losses based on OpRisk profiles across financial sectors in terms of severity and frequency of losses.
LO 41.6 There are four main organizational designs for integrating an OpRisk framework. Most large firms evolve from design 1 to design 4 over time. The primary difference in the designs is how risk is reported and the link between separate business unit risk managers and the Central Risk function.
Concept Checkers
1. Suppose a broker-dealer has a loss that occurs from a failure in properly processing and settling a transaction. According to Basel II operational risk categories, this type of event loss would be categorized as:
A. Business Disruption and System Failures.
B. Clients, Products, and Business Practices.
C. Execution, Delivery, and Process Management.
D. Employment Practices and Workplace Safety.
2. There are typically four steps used in designing the risk control self-assessment (RCSA) program for a large firm. Which of the following statements is least likely to be a step in the design of that program?
A. Identify and assess risks associated with each business unit's activities.
B. Controls are added to the RCSA program to mitigate risks identified for the firm.
C. Risk metrics and all other OpRisk initiatives are linked to the RCSA program.
D. Reports to regulators are prepared that summarize the degree of OpRisk.
3. Scenario analysis is often used by financial institutions in determining the amount and frequency of losses. Because historical data is often limited for all possible losses, the opinions of experts are often obtained from workshops. These expert opinions are often subject to biases. Which of the following biases refers to the problem that can arise in this group setting where an expert may not be willing to share a conflicting opinion?
A. Huddle bias.
B. Context bias.
C. Availability bias.
D. Anchoring bias.
4. Based on OpRisk profiles across financial sectors, which of the following loss event type categories have the highest frequency and severity of losses?
A. Business Disruption and System Failures.
B. Clients, Products, and Business Practices.
C. External Fraud.
D. Internal Fraud.
5. Which of the following risk organizational design frameworks is preferred by regulators?
A. Central risk function coordinator.
B. Matrix reporting using dotted lines.
C. Solid line reporting to central risk management.
D. Strong central risk management.
Concept Checker Answers
1. C Basel II classifies losses from failed transaction processing or process management from relations with trade counterparties and vendors under the Execution, Delivery, and Process Management category.
2. D The last step in the design of a risk control self-assessment (RCSA) program involves control tests to assess how well the controls in place mitigate potential risks.
3. A Huddle bias suggests that groups of individuals tend to avoid conflicts that can result from different viewpoints or opinions. Availability bias is related to the expert's experience in dealing with a specific event or loss risk. Anchoring bias occurs when an expert limits the range of a loss estimate based on personal knowledge. Context bias occurs when questions are framed in a way that influences the responses of those being questioned.
4. B From the choices listed, the Clients, Products, and Business Practices unit has the highest frequency percentages and severity of loss percentages across business units. The Execution, Delivery, and Process Management unit also has large losses across business units in terms of frequency and severity of losses; however, this category was not listed as a possible choice.
5. D Regulators prefer the strong central risk management design because they can streamline their supervision over one direct line of risk management as opposed to numerous risk managers throughout the firm.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
External Loss Data
Topic 42
Exam Focus
This topic examines the motivations for using external operational loss data and compares characteristics of loss data from different sources. For the exam, understand why firms are motivated to use external data in their internal operational risk framework development and the types of data that are available. Also, understand the differences in construction methodologies between the ORX and FIRST databases and be able to cite examples of how these differences manifest themselves in the data. Finally, be able to describe the Societe Generale operational loss event.
Collecting External Loss Data