The 7 Basel II Level 1 Operational Risk Categories

What is Basel II

According to Investopedia, Basel II is a set of international banking regulations put forth by the Basel Committee on Bank Supervision, which leveled the international regulation field with uniform rules and guidelines. Basel II expanded rules for minimum capital requirements established under Basel I, the first international regulatory accord, and provided the framework for regulatory review, as well as set disclosure requirements for assessment of capital adequacy of banks. The main difference between Basel II and Basel I is that Basel II incorporates credit risk of assets held by financial institutions to determine regulatory capital ratios.

OpRisk Loss Event Categories

Basel II provides 7 categories of level 1 loss events that most firms have adopted to meet their own operational risk (OpRisk) framework requirements. OpRisk models are designed to deal with identifying and mitigating operational risks of the firm that are a function of people, systems, and external events.

The 7 Basel II event risk categories are intended to capture all potential operational risks. Every loss event should be mapped to the risk event categories outlined in the firm's operational risk management policies and procedures. Some losses can fall into more than one category.

The 7 categories are:

  • Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
  • External Fraud – theft of information, hacking damage, third-party theft and forgery
  • Employment Practices and Workplace Safety – discrimination, workers compensation, employee health and safety
  • Clients, Products, and Business Practice – market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
  • Damage to Physical Assets – natural disasters, terrorism, vandalism
  • Business Disruption and Systems Failures – utility disruptions, software failures, hardware failures
  • Execution, Delivery, and Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

Evaluating Operational Risk

When evaluating an OpRisk event, it's critical to understand that severity and frequency both contribute to the magnitude of the loss. For example, loss events in the Execution, Delivery, and Process Management category are small but occur very frequently, whereas losses in the Clients, Products, and Business Practices category are much less frequent but typically involve a large dollar amount, as these loss events commonly arise from substantial litigation suits.

The modeling of loss event data differs for each category. Thus, it is important to make sure every event is placed in the appropriate group. When assigning loss events in OpRisk, consistency is more important than accuracy. Effective operational risk management requires that similar events are consistently categorized the same way. If mistakes are made classifying risks in past years, it will impact the risk management control process and reporting to regulators.

In order to properly classify risks, it is important for the firm to perform a comprehensive risk mapping exercise that details every major process of the firm. The process of identifying and classifying risks is commonly referred to as OpRisk taxonomy.

LO 40.3: Describe the operational data governance process, including the use of scorecards in managing information risk.
Operational data governance refers to the collective set of rules and processes regarding data that allow an organization to have sufficient confidence in the quality of its data.
Specifically, a data governance program should exist that clarifies the roles and responsibilities in managing data quality. A data quality scorecard could be used to monitor the success of such a program.
In short, operational data governance aims to detect data errors early on and then set into motion the steps needed to sufficiently deal with the errors on a timely basis. As a result, there should be minimal or no subsequent impact on the organization.
Data Quality Inspection vs. Data Validation
Data validation is a one-time step that reviews and assesses whether data conforms to defined business specifications. In contrast, data quality inspection is an on-going set of steps aimed to:
1. reduce the number of errors to a tolerable level,
2. spot data flaws and make appropriate adjustments to allow data processing to be completed, and
3. solve the cause of the errors and flaws in a timely manner.
The goal of data quality inspection is to catch issues early on before they have a substantial negative impact on business operations.
Data Quality Scorecard
A base-level metric is straightforward in that it is measured against clear data quality criteria. It is relatively easy to quantify whether the criteria are met in terms of arriving at a data quality score.
In contrast, a complex metric is a combined score that could be a weighted average of several different metrics (customized to the specific user(s)). Such a combined metric allows for a qualitative reporting of the impact of data quality on the organization. A data quality scorecard could report the metric in one of three ways: by issue, by business process, or by business impact.
Page 38
2018 Kaplan, Inc.
Topic 40 Cross Reference to GARP Assigned Reading – Tarantino and Cernauskas, Chapter 3
Complex Metric Scorecard Viewpoints
Data quality issues view: Considers the impact of a specific data quality problem over multiple business processes. The scorecard shows a combined and summarized view of the impacts for each data problem. By going into more detail, one can obtain further information on the sources of data problems. This allows for prioritization in terms of solving individual problems.
Business process view: For each business process, the scorecard has complex metrics that quantify the impact of each data quality problem. It allows for the ability to determine exactly where in the business process the data problem is originating. This will assist in solving the problem efficiently.
Business impact view: The scorecard provides a high-level understanding of the risks embedded in data quality problems (i.e., a combined and summarized view). It considers various data quality problems that occur in various business processes. By going into more detail, one can identify the business processes where the problems occur. An even more detailed examination will reveal the specific problems within each business process.
Motivation
Business managers may wish to take advantage of an opportunity to assess the relationship between the impacts of flawed data versus the pre-defined parameters of acceptable data quality. Such an assessment could occur with a data quality scorecard, with data being measured against the benchmark (acceptable data quality). The scorecard, therefore, serves as a strong management technique if it can summarize important organizational information as well as provide warning signs to management when corrective actions are required.
Mechanics
Regardless of the preferred view, a data quality scorecard is comprised of a hierarchy of base-level and complex metrics that tie into different levels of accountability within the organization. With regard to metrics, the same measurement might be used in different contexts, which allows for different error tolerances and weights. Finally, scorecards can be customized to present varying levels of detail depending on the intended user(s).
Key Concepts
LO 40.1 Data errors (e.g., missing data, inconsistent data, nonstandard formats), whether accidental or not, may lead to inconsistent reporting, incorrect product pricing, or failures in trade settlement.
LO 40.2 Key dimensions that characterize acceptable data include: accuracy, completeness, consistency, reasonableness, currency, and uniqueness.
LO 40.3 Operational data governance refers to the collective set of rules and processes regarding data that allow an organization to have sufficient confidence in the quality of its data.
Three different viewpoints regarding scorecards include: data quality issues view, business process view, and business impact view.
Data quality scorecards serve as a strong management technique if they are able to summarize important organizational information as well as provide warning signs to management when corrective actions are required.
Concept Checkers
1. Ryan Vail is a corporate manager who recently made a series of incorrect business decisions as a result of faulty data obtained internally. Which of the following negative business impacts best describes his incorrect decisions?
   A. Compliance impact.
   B. Confidence-based impact.
   C. Financial impact.
   D. Risk impact.
2. Data consistency is important to ensure that there are no clear conflicts in data values between data sets. Which of the following types of data consistency refers to consistency between one set of data values and another set of data values in different records?
   A. Record level.
   B. Temporal level.
   C. Cross-record level.
   D. Cross-temporal level.
3. Which of the following data issues is least likely to increase risk for an organization?
   A. Duplicate records.
   B. Data normalization.
   C. Nonstandard formats.
   D. Data transformations.
4. Which of the following statements regarding data quality inspection is correct? It attempts to:
   A. catch errors early in the process.
   B. reduce the number of errors to zero.
   C. solve the cause of any errors immediately.
   D. review and assess whether data conforms with defined business specifications.
5. Which of the following viewpoints regarding data quality scorecards is best described as providing a high-level understanding of the risks embedded in data quality problems?
   A. Business impact view.
   B. Business process view.
   C. Data quality issues view.
   D. Data process issues view.
Concept Checker Answers
1. B An example of a confidence-based (negative) impact would be a manager who makes incorrect business decisions based on faulty data.
2. C Record level consistency is consistency between one set of data values and another set within the same record. Cross-record level consistency is consistency between one set of data values and another set in different records.
3. B Data normalization is a process to better organize data in order to minimize redundancy and dependency, so it is least likely to increase risk. All of the other data issues are likely to increase risk, especially complex data transformations.
4. A Data quality inspection is intended to catch issues early on before they have a substantial negative impact on business operations. The idea is to reduce the number of errors to a tolerable level, not necessarily to zero. In addition, it aims to solve the cause of the errors in a timely manner, not necessarily immediately.
5. A With the business impact view, the scorecard provides a high-level understanding of the risks embedded in data quality problems (i.e., a combined and summarized view). It considers various data quality problems that occur in various business processes.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
OpRisk Data and Governance
Topic 41
Exam Focus
This topic discusses the seven level 1 categories of operational risk (OpRisk) events defined in Basel II and describes level 2 examples of operational risk events for each category. For the exam, understand how the collection and reporting of loss data, the risk control self assessment (RCSA), identification of key risk indicators (KRIs), and scenario analysis are all important elements of a firm's OpRisk process. Also, be familiar with the OpRisk profiles across various financial sectors with emphases on the highest frequency percentages and severity percentages. Finally, be prepared to describe the typical progression through four organizational risk designs for large firms.
Event-Driven Risk Categories

LO 40.2: Explain how a firm can set expectations for its data quality and describe some key dimensions of data quality used in this process.
A fundamental step in managing risks due to flawed data would be to set user expectations for data quality and then establish criteria to monitor compliance with such expectations. In order to define and measure these expectations, they can be categorized into key dimensions of data quality. The important (but not complete) set of dimensions that characterize acceptable data include accuracy, completeness, consistency, reasonableness, currency, and uniqueness.
Accuracy
The concept of accuracy can be described as the degree to which data correctly reflects the real world object. Measurement of accuracy can occur by manually comparing the data to an authoritative source of correct information; for example, the temperature recorded in a thermometer compared to the real temperature.
Completeness
Completeness refers to the extent to which the expected attributes of data are provided. There may be mandatory and optional aspects of completeness. For example, it may be mandatory to have a customer's primary phone number, but if the secondary phone number (optional) is not available, then the data requirement for the phone number is still considered complete.
Note that although data may be complete, it may not necessarily be accurate. For example, customers may have moved and their mailing addresses may not have been updated yet.
Consistency
Consistency refers to reasonable comparison of values between multiple data sets. The concept of consistency is broad and could require that data values from each data set do not conflict (e.g., a bank account is closed but the statement still shows account activity) or that they meet certain pre-defined constraints.
Note that consistency does not necessarily imply accuracy.
There are three types of consistency:
1. Record level: consistency between one set of data values and another set within the same record.
2. Cross-record level: consistency between one set of data values and another set in different records.
3. Temporal level: consistency between one set of data values and another set within the same record at different points in time.
Reasonableness
Reasonableness refers to conformity with consistency expectations. For example, the income statement value for interest expense should be consistent or within an acceptable range when compared to the corresponding balance sheet value for long-term debt.
Currency
Currency of data refers to the lifespan of data. In other words, is the data still considered relevant and useful, given that the passage of time will gradually render it less current and less correct? Measurement of currency would consist of determining the frequency in which the data needs to be updated, and determining whether the existing data is still up-to-date.
Uniqueness
Uniqueness of data is tied into the data error involving duplicate records. Uniqueness suggests that there can only be one data item within the data set. For example, within a client list, there should only be one Mr. Jack Lee with a date of birth of January 1, 1970 living at 1234 Anywhere Street in New York City.
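The dimensions above (completeness with mandatory and optional attributes, record-level and temporal consistency, currency, uniqueness) and the scorecard mechanics described under LO 40.3 (base-level metrics rolled up into a weighted complex metric, each measured against its own tolerance) can be turned into a small data quality inspection routine. The following Python is an added example written for this page; it is not code from the Kaplan reading or from GARP. The client records, the account snapshots, the duplicate key, the weights, the tolerances and the 60-day currency window are all constructed assumptions chosen to exercise each check once.

```python
"""Base-level data quality metrics rolled up into a weighted complex metric.

Added example for the data quality dimensions and the scorecard described
on this page; not code from the Kaplan reading or from GARP. Sample records,
tolerances and weights are constructed for illustration.
"""
from collections import Counter
from datetime import date

# Constructed client list: record 2 duplicates record 1 (uniqueness), record 3
# lacks the mandatory primary phone (completeness); secondary phone is optional.
CLIENTS = [
    {"id": 1, "name": "Jack Lee", "dob": "1970-01-01",
     "address": "1234 Anywhere Street, New York City",
     "primary_phone": "212-555-0100", "secondary_phone": None},
    {"id": 2, "name": "Jack Lee", "dob": "1970-01-01",
     "address": "1234 Anywhere Street, New York City",
     "primary_phone": "212-555-0100", "secondary_phone": None},
    {"id": 3, "name": "Ana Ruiz", "dob": "1985-06-30", "address": "9 Elm Road, Boston",
     "primary_phone": None, "secondary_phone": "617-555-0199"},
    {"id": 4, "name": "Wei Chen", "dob": "1992-11-12", "address": "77 Pine Ave, Chicago",
     "primary_phone": "312-555-0123", "secondary_phone": None},
]
MANDATORY_CLIENT_FIELDS = ("name", "dob", "address", "primary_phone")
DUPLICATE_KEY = ("name", "dob", "address")  # assumed identity of a "duplicate record"

# Constructed account snapshots: the same record observed at two points in time.
ACCOUNTS = [
    {"acct": "A-1", "as_of": date(2018, 1, 31), "status": "open", "tx_count": 12},
    {"acct": "A-1", "as_of": date(2018, 2, 28), "status": "open", "tx_count": 9},
    {"acct": "A-2", "as_of": date(2018, 1, 31), "status": "closed", "tx_count": 3},  # closed yet active
    {"acct": "A-2", "as_of": date(2018, 2, 28), "status": "closed", "tx_count": 0},
    {"acct": "A-3", "as_of": date(2018, 1, 31), "status": "closed", "tx_count": 0},
    {"acct": "A-3", "as_of": date(2018, 2, 28), "status": "open", "tx_count": 2},  # closed, then open again
    {"acct": "A-4", "as_of": date(2017, 9, 30), "status": "open", "tx_count": 1},  # stale snapshot
]
REPORT_DATE = date(2018, 3, 15)  # assumed reporting date for the currency check

# Assumed weights and tolerances; a real scorecard sets these per user or process.
WEIGHTS = {"completeness": 0.20, "uniqueness": 0.20, "record_consistency": 0.25,
           "temporal_consistency": 0.20, "currency": 0.15}
TOLERANCES = {"completeness": 0.95, "uniqueness": 0.99, "record_consistency": 0.85,
              "temporal_consistency": 0.95, "currency": 0.90}


def completeness_score(records, mandatory):
    """Share of records carrying every mandatory attribute (optional ones are ignored)."""
    ok = sum(all(r.get(f) not in (None, "") for f in mandatory) for r in records)
    return ok / len(records)


def uniqueness_score(records, key):
    """1 minus the share of records that repeat an earlier record on the key fields."""
    keys = Counter(tuple(r[f] for f in key) for r in records)
    duplicates = sum(n - 1 for n in keys.values())
    return 1 - duplicates / len(records)


def record_consistency_score(snapshots):
    """Record-level consistency: a closed account must not show activity in the same row."""
    conflicts = sum(1 for s in snapshots if s["status"] == "closed" and s["tx_count"] > 0)
    return 1 - conflicts / len(snapshots)


def temporal_consistency_score(snapshots):
    """Temporal consistency: the same account must not move from closed back to open."""
    by_acct = {}
    for s in sorted(snapshots, key=lambda s: s["as_of"]):
        by_acct.setdefault(s["acct"], []).append(s["status"])
    histories = [h for h in by_acct.values() if len(h) > 1]
    clean = sum(1 for h in histories
                if not any(a == "closed" and b == "open" for a, b in zip(h, h[1:])))
    return clean / len(histories)


def currency_score(snapshots, report_date, max_age_days):
    """Share of accounts whose latest snapshot is no older than max_age_days."""
    latest = {}
    for s in snapshots:
        latest[s["acct"]] = max(latest.get(s["acct"], s["as_of"]), s["as_of"])
    fresh = sum(1 for d in latest.values() if (report_date - d).days <= max_age_days)
    return fresh / len(latest)


def build_scorecard(clients, accounts, report_date, max_age_days=60):
    """'By issue' view (one row per base metric) plus the weighted complex metric."""
    base = {
        "completeness": completeness_score(clients, MANDATORY_CLIENT_FIELDS),
        "uniqueness": uniqueness_score(clients, DUPLICATE_KEY),
        "record_consistency": record_consistency_score(accounts),
        "temporal_consistency": temporal_consistency_score(accounts),
        "currency": currency_score(accounts, report_date, max_age_days),
    }
    rows = [{"metric": m, "score": round(v, 3), "tolerance": TOLERANCES[m],
             "within_tolerance": v >= TOLERANCES[m]} for m, v in base.items()]
    complex_metric = sum(WEIGHTS[m] * v for m, v in base.items()) / sum(WEIGHTS.values())
    return {"by_issue": rows, "complex_metric": round(complex_metric, 4)}


if __name__ == "__main__":
    card = build_scorecard(CLIENTS, ACCOUNTS, REPORT_DATE)
    for row in card["by_issue"]:
        flag = "ok  " if row["within_tolerance"] else "WARN"
        print(f"{flag} {row['metric']:<21} {row['score']:.3f} (tolerance {row['tolerance']:.2f})")
    print(f"complex metric: {card['complex_metric']:.4f}")
```

Each base-level metric is a plain ratio against one clear criterion, which is what makes it easy to score; the complex metric is the weighted average of those ratios and is only meaningful next to the per-metric tolerance rows, since a single weighted number can hide a failing dimension. Accuracy is deliberately absent: it needs an authoritative source to compare against, which this sample does not have.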
Operational Data Governance

LO 40.1: Identify the most common issues that result in data errors.
The most common data issues that increase risk for an organization are as follows:
  • Data entry errors.
  • Missing data.
  • Duplicate records.
  • Inconsistent data.
  • Nonstandard formats.
  • Complex data transformations.
  • Failed identity management processes.
  • Undocumented, incorrect, or misleading metadata (description of content and context of data files).
From a financial perspective, such data errors (accidental or not) may lead to inconsistent reporting, incorrect product pricing, and failures in trade settlement.
Examples of risks arising out of data errors include:
  • Fraudulent payroll overpayments to fictitious employees or those who are no longer employed by the firm.
  • Underbilling for services rendered.
  • Underestimating insurance risk due to missing and inaccurate values (e.g., insured value).
Acceptable Data

LO 39.6: Explain the challenges and best practices related to data aggregation at an organization.
The existence of several IT systems being operated simultaneously within a firm results in a lack of integrated IT systems. This, in turn, requires a significant amount of manual data entry to allow for proper aggregation of risk data. Best practices related to data aggregation at an organization are explained as follows:
  • To increase efficiency and accuracy, minimize the amount of manual intervention and manual data manipulation (i.e., spreadsheets) by automating the risk data aggregation process.
  • Aggregated risk data needs to be accurate, timely, and comprehensive in order to have value. Therefore, there must be standards, cutoff times, and timelines regarding the production of internal risk reports.
  • Single platform centralized databases with single identifiers and/or consistent naming conventions could allow for the timely retrieval of multiple records of risk data across the firm. They also permit data segmentation when required to produce specific data (i.e., risk concentrations).
  • Create data warehouses that will take information from various subsystems and store it in a warehouse. The data is then filtered and reorganized so that customized reports can be created using specific data from the warehouse.
  • Automated reconciliation will reduce the risk of manual errors and incomplete information. For example, off-balance sheet data should not be omitted.
  • Periodic reconciliation of risk and financial data will ensure the accuracy and proper operation of the IT system.
  • For merger and acquisition transactions, ensure that legacy IT systems are integrated into the chosen IT system as soon as possible.
  • When obtaining approvals for new IT purchases, involve the appropriate technical staff to ensure that the existing systems can process and aggregate data from these new items.
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
Key Concepts
LO 39.1 A risk appetite framework (RAF) sets in place a clear, future-oriented perspective of the firm's target risk profile in a number of different scenarios and maps out a strategy for achieving that risk profile. An RAF should start with a risk appetite statement that is essentially a mission statement from a risk perspective. Benefits of a well-developed RAF include assisting firms in preparing for the unexpected and greatly improving a firm's strategic planning and tactical decision-making.
LO 39.2 The chief risk officer (CRO) should be easily available to the board of directors (board) and there should be a strong alliance between the CRO and the chief financial officer (CFO).
The chief executive officer (CEO) should strongly support the RAF and give the CRO the final word on risk decisions.
The board should: be willing to challenge management to operate the firm consistent with the RAF, actively work with senior management to continually revise the RAF, have sufficient technical and business understanding of the risks facing the firm, be proactive in stating the nature and frequency of the information they need, and set up a reputational risk committee.
LO 39.3 The RAF helps to ensure that each business line's strategies are congruent with the firm's desired risk profile. It also considers the integrated nature of the business lines within the firm.
Many metrics can be monitored as part of an effective RAF. Risk metrics should be divided into classes, depending on who is receiving the information within the firm.
LO 39.4 A robust data infrastructure results in management being able to make proper decisions regarding a firm's strategy, risk appetite, and risk management. Additionally, it allows for the ability to sufficiently document and convey the firm's risk reporting requirements.
Key elements of an effective IT risk management policy include: clearly defined standards and internal risk reporting requirements, sufficient funding to develop IT systems, assessing IT infrastructure and capacity prior to approving new products, timely post implementation reviews of IT systems, and sufficient governance for outsourced IT activities.
LO 39.5 Poor or fragmented IT infrastructures result from a lack of common understanding of long-term business strategies between business lines and IT management, managers thinking only about short-term profits, significant turnover in IT roles, insufficient data governance, and merger and acquisition activities.
LO 39.6 The lack of integrated IT systems is the major challenge related to data aggregations. Many best practices regarding data aggregations exist including: minimizing the amount of manual data processes, using single platform centralized databases, creating data warehouses, automated and periodic data reconciliations, and timely integration of legacy IT systems.
Concept Checkers
1. Which of the following statements regarding the risk appetite framework (RAF) is correct?
   A. The RAF represents the firm's core risk strategy.
   B. The RAF should be amended to take advantage of all profitable opportunities.
   C. The RAF focuses on which risks the firm is willing to take and under what conditions.
   D. The RAF begins with the risk appetite statement that contains many elements, including examining the composition of the income statement.
2. As a best practice, which of the following members of senior management should have the final word on significant risk decisions at a firm?
   A. Chief executive officer.
   B. Chief financial officer.
   C. Chief operating officer.
   D. Chief risk officer.
3. Which of the following statements regarding the role of a risk appetite framework (RAF) in managing the risk of individual business lines within a firm is correct?
   A. Individual business lines may collectively cause the firm's RAF to drift when market conditions change.
   B. Sensitivity analysis is a robust tool to assist senior management and/or the board to determine consistency with the RAF.
   C. Each individual business line's risk appetite allotment according to the RAF is independent of the others to ensure objectivity in the process.
   D. The business line managers submit long-term business plans to senior management and/or the board to determine if they are consistent with the RAF.
4. Which of the following statements is incorrect regarding the key elements of an effective IT risk management policy?
   A. Having a single person in charge of the project management office.
   B. Comparable funding for IT projects and revenue-generating projects.
   C. Post-implementation reviews of IT systems at least 24 months after implementation.
   D. Outsourced and in-house IT activities being subjected to the same level of monitoring.
5. Which of the following items is a best practice related to data aggregation at an organization?
   A. Integrating legacy IT systems into the new IT system immediately.
   B. The use of one master spreadsheet to accumulate all of the data in one place.
   C. Periodic manual reconciliations to reduce the risk of errors and incomplete information.
   D. Allowing individual departments as much time as they require to produce internal reports that are accurate, timely, and comprehensive.
Concept Checker Answers
1. A The RAF represents the firm's core risk strategy. The RAF does not necessarily need to be amended every time there is a profitable opportunity; doing so would cause the RAF to lose its value. The RAF also focuses on which risks the firm is unwilling to take. The risk appetite statement would not likely include an examination of the composition of the income statement; it would more likely be the balance sheet (i.e., debt, equity).
2. D The willingness of the CEO to give the CRO the final word on many risk decisions is a best practice, which has strengthened the importance of the risk management function.
3. A Individual business lines may collectively cause the firm's RAF to drift when market conditions change. Sensitivity analysis only examines one change in a variable at a time. More robust tools would be stress tests and scenario analyses, for example. Each business line's risk appetite allotment according to the RAF may be amended if another business line encounters an opportunity that requires more capital. The business line managers submit medium-term business plans to senior management and/or the board.
4. C Post-implementation reviews should be performed 6–18 months after implementation; 24 months or more would likely be too long. Having one person in charge of the project management office seems to have resulted in stronger coordination and communication between project staff.
5. A For merger and acquisition transactions, it is best that legacy IT systems are integrated into the chosen IT system as soon as possible. Spreadsheets are a form of manual data manipulation and, because they are not automated, they would not be a best practice. Automated reconciliations should be performed, not manual. One of the key points about internal risk reports is that they should be produced on a timely basis, therefore, there must be standards, cutoff times, and timelines regarding their production.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
Information Risk and Data Quality Management
Topic 40
Exam Focus
This topic is a qualitative examination of data quality issues. Organizations must understand the risks involved with data issues and be able to identify ways to protect one of their most valuable resources, their data. For the exam, focus on the important features of acceptable data as well as details surrounding data quality scorecards.
Poor Data Quality
The following is a list of negative impacts on a business from poor data quality.
Financial impacts:
  • Businesses may experience lower revenues (e.g., lost sales), higher expenses (e.g., penalties, re-work costs), and lower cash flows as a result of inaccurate or incomplete data.
Confidence-based impacts:
  • Managers may make incorrect business decisions based on faulty data.
  • Poor forecasting may result due to input errors.
  • Inaccurate internal reporting may occur with unreliable information.
Satisfaction impacts:
  • Customers may become dissatisfied when the business processes faulty data (e.g., billing errors).
  • Employees may become dissatisfied when they are unable to properly perform their job due to flawed data.
Productivity impacts:
  • Additional (corrective) work may be required, thereby reducing production output.
  • Delays or increases in processing time.
Risk impacts:
  • Underestimating credit risks due to inaccurate documentation, thereby exposing a lender to potential losses (e.g., Basel II Accords for quantifying credit risk).
  • Underestimating investment risk, thereby exposing an investor to potential losses.
Compliance impacts:
  • A business may no longer be in compliance with regulations (e.g., Sarbanes-Oxley) if financial reports are inaccurate.
Data Errors

LO 39.5: Describe factors that can lead to poor or fragmented IT infrastructure at an organization.
There are five major factors to consider with regard to poor or fragmented IT infrastructures.
1. No common understanding of long-term business strategy between business lines and IT management. This factor often results due to internal competition for funding, thereby not permitting important IT infrastructure projects to be completed.
2. Management only makes decisions based on short-term profits. As a result of this factor, many IT infrastructure projects are scaled back, delayed, or eliminated.
3. Significant turnover in important IT roles within the firm. This factor has resulted in delays in completing IT projects.
4. Insufficient data governance and insufficient data management plan within the firm. This factor results in inconsistency across business lines in how to upgrade systems; this is costly if the systems end up being incompatible because of the inconsistencies.
5. Merger and acquisition activities. This factor results in multiple systems running simultaneously within the recently merged firm. Data aggregation across products and business lines becomes a significant challenge.
Data Aggregation Best Practices

LO 39.4: Explain the benefits to a firm from having a robust risk data infrastructure, and describe key elements of an effective IT risk management policy at a firm.
A benefit of a robust risk data infrastructure is the ability to aggregate timely and accurate data to report on credit, market, liquidity, and operational risks. This, in turn, allows management to make proper decisions regarding the firm's strategy, risk appetite, and risk management during periods of constant and frequent changes. Another benefit is the ability to sufficiently document and convey the firm's risk reporting requirements. Such requirements include: specific metrics, data accuracy expectations, element definitions, time frames, supervisory expectations, and regulatory reporting requirements.
Key elements of an effective IT risk management policy at a firm are described as follows:
  • Clearly defined standards and internal risk reporting requirements to ensure a proper IT infrastructure and internal reporting.
  • Sufficient funding is provided to develop IT systems for the purpose of internal risk reporting; they compete equally with proposals that are revenue generating, for example.
  • Assessing IT infrastructure and capacity prior to approving new products.
  • Post-implementation reviews of IT systems performed anywhere from 6–18 months afterward as a check that the systems meet the risk personnel's needs.
  • The level of governance for outsourced IT activities is the same as if they were done in-house. There are no impediments to implementation or access to data due to outsourcing.
  • The existence of effective project management offices (PMOs) to ensure that timelines and deliverables are met. Specifically, one person is in charge of the PMO, which seems to result in stronger coordination and communication between project staff.
  • There is a data administrator as well as a data owner, and the data owner must ensure a sufficiently high level of data accuracy, integrity, and availability. This helps to ensure that IT projects are meeting the users' needs.
  • The board is able to implement relevant internal audit programs to allow for periodic reviews of data maintenance processes and functions. The monitoring could be continuous or specific to a product or business line. This would allow for the quick correction of any weaknesses detected by internal audit.
P o o r o r F r a g m e n t e d IT I n f r a s t r u c t u r e

LO 39.3: Explain the role of an RAF in managing the risk of individual business

LO 39.3: Explain the role of an RAF in managing the risk of individual business lines within a firm, and describe best practices for monitoring a firms risk profile for adherence to the RAF.
Generally speaking, the RAF helps to ensure that each business lines strategies are congruent with the firms desired risk profile. The various business line managers each submit a medium-term business plan to senior management and/or the board to determine if it is consistent with the RAF. Such determinations are often made with stress tests or scenario analyses. Afterward, the RAF will set the risk limits allocated to each business line based on its desired risk profile.
Additionally, the RAF considers the integrated nature of the business lines within the firm. For example, the RAF can help determine how much a given business lines medium-term business plans has to be amended in order to allow another business lines proposal to be approved. In other words, there may be some borrowing of the risk appetite allotment from a business line in order to take advantage of the current opportunity in another business line. Familiarity with the RAF by business line managers would dramatically decrease the number of plans that fall well outside acceptable bounds. A clear RAF assists the firm in preventing risk appetite drift when economic conditions change.
2018 Kaplan, Inc.
Page 27
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
RAF M e t r i c s f o r M o n i t o r i n g R i s k P r o f i l e
Examples of metrics that can be monitored as part of an effective RAF are as follows:

Capital targets (economic capital, tangible common equity, total leverage) or capital-at- risk amounts. Liquidity ratios, terms, and survival horizons.
Risk sensitivity limits. Risk concentrations by internal and/or external credit ratings.
Net interest income volatility or earnings-at-risk calculations. Value at risk (VaR) limits.
Expected loss ratios.
Asset growth ceilings by business line or exposure type.
Economic value added.
Post-stress-test targets for capital, liquidity, and earnings.
Performance of internal audit ratings.
The firms own credit spreads.
It is important to ensure that the metrics used to monitor risk are appropriate to the users of the information. Therefore, the risk metrics should be divided into classes, depending on who is receiving the information w ithin the firm. For example:
Directors should receive high-level metrics (less detail) that reflect the firms key risks.
CEO, CFO, CRO should receive more detailed metrics than directors. CEO, CFO, CRO should receive more detailed metrics than directors. Business line leaders should receive very detailed metrics, especially in relation to their respective business lines.
R i s k D a t a I n f r a s t r u c t u r e

LO 39.2: Describe best practices for a firms Chief Risk Officer (CRO), Chief

LO 39.2: Describe best practices for a firms Chief Risk Officer (CRO), Chief Executive Officer (CEO), and its board of directors in the development and implementation of an effective RAE
Chief Risk Officer (CRO) Best Practices
Board members involved with risk issues should be able to directly contact the CRO and engage in frequent communication about on-going key risk issues. A best practice could be to create a board risk committee that is directly involved in performance review and compensation decisions regarding the CRO. A strong alliance between the CRO (risk management function) and the CFO (budgetary considerations) is key to spreading the use of the RAF throughout the organization. Specifically, a best practice would be for the CRO and CFO to report to the board at every meeting by commenting on the firms risk profile in comparison to the RAF. The CRO discussion could be broad and strategic in nature, and the CFO discussion could discuss financial impacts.
Chief Executive Officer (CEO) Best Practices
The CEO should strongly support the RAF and refer/use it to support challenging risk and strategic decisions. The willingness of the CEO to give the CRO the final word on many risk decisions is a best practice since it strengthens the importance of the risk management function. Where any instances of non-compliance with the RAF exist, a best practice would be for the CRO and/or the CEO to advise the board of directors on the corrective measures that will be undertaken.
Board of Directors (Board) Best Practices
The board needs to spend a considerable amount of time conveying the firms risk appetite statement throughout the firm to ensure it is properly implemented. In challenging management to operate the firm in a way that is congruent with the RAF, the board must focus on strategic and forward-looking issues rather than dwelling on past actions. A best practice would be for the board to state its expectations to management in advance so that management can establish appropriate strategic plans.
When a board challenges management and requires a thorough vetting of the RAF, the end product is more complete and relevant. A best practice is to have the active involvement of the board with senior management in continually revising the RAF until everyone
Page 26
2018 Kaplan, Inc.
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
is satisfied. Additionally, another best practice is the development of a concrete way of assessing when the RAF needs to be amended to reflect a changing environment.
With regard to technical knowledge of members, there should be a sufficient balance in board composition to ensure all members have a reasonable and congruent understanding of the firms risks and to avoid situations where there are marked divisions between experts and non-experts. A best practice is to provide detailed technical training to board members on relevant concepts. Additionally, requiring cross-membership amongst the major committees helps ensure that those functions have members with a strong technical base. The training and cross-membership practices should serve as supplements to existing expertise.
Boards must be proactive in stating the nature and frequency of the information they need. As a best practice, reporting to the board should be thorough and broad in scope and not overly simplified. Additionally, communication from management should include a business aspect and not be focused on just technical aspects. Finally, as another best practice, the board should be willing to push back to management if they feel the information provided is not sufficient for their needs.
Reputation risk needs to have a significant amount of the boards attention. As a best practice, the board should set up a reputational risk committee to analyze marketplace changes and approve transactions on the basis of geography or product line. Attempting qualitative measures of reputation risk should also be done via monitoring industry headlines and reporting trends to the board as well as hiring external parties to conduct relevant surveys.
U s i n g RAF t o M a n a g e B u s i n e s s L i n e s

LO 39.1: Describe the concept of a risk appetite framework (RAF), identify the

LO 39.1: Describe the concept of a risk appetite framework (RAF), identify the elements of an RAF, and explain the benefits to a firm of having a well-developed RAF.
A risk appetite framework (RAF) is a strategic decision-making tool that represents the firms core risk strategy. It sets in place a clear, future-oriented perspective of the firms target risk profile in a number of different scenarios and maps out a strategy for achieving that risk profile. It also specifies which types of risk the firm is willing to take and under what conditions as well as which types of risk the firm is unwilling to take.
An RAF should start with a risk appetite statement that is essentially a mission statement from a risk perspective. This statement should cover some or all of the following elements: Desired business mix and balance sheet composition (i.e., capital structuretrade-off
between debt and equity).
Risk preferences (i.e., how much credit or market risk to take on or hedge) Acceptable trade-off between risk and reward. Acceptable limits for volatility (based on standard deviation). Capital thresholds (i.e., regulatory and economic capital). Tolerances for post-stress losses. Target credit ratings. Optimum liquidity ratios. The benefits of a well-developed RAF are as follows:
The inherent flexibility allows firms to adapt to market changes, especially if appropriate
It improves a firms strategic planning and tactical decision-making.
opportunities arise that require adjustments to the RAF.
2018 Kaplan, Inc.
Page 25
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group

It assists firms in preparing for the unexpected; requires business line strategy reviews and maintains an open dialogue regarding the management of unexpected economic or market events in particular geographies or products. It focuses on the future and sets expectations regarding the firms consolidated risk profile after performing relevant stress tests and scenario analyses. Thus, it helps the firm set up a plan for risk taking, loss mitigation, and use of contingency measures.
D e v e l o p i n g a n d I m p l e m e n t
i n g a n E f f e c t i v e RAF
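The RAF metrics section above describes monitoring the firm's risk profile against RAF limits with views tailored to directors, executives and business line leaders, and the IT risk management policy elements make a data owner accountable for the accuracy, integrity and availability of the aggregated risk data. The following is an added example, not code from Kaplan or from the Senior Supervisors Group, that ties the two together: it validates business-line risk feeds before aggregating them, compares the firm-level figures with RAF limits, and produces a tiered report. The limits, feeds, metric names, the control-total reconciliation and the 85% warning threshold are all constructed assumptions for illustration.

```python
"""Added example: RAF adherence monitor over business-line risk feeds.
Limits, feeds and metric names are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class LineFeed:
    """Risk data one business line submits for an as-of date ($mm)."""
    line: str
    as_of: date
    var_1d_99: float         # 1-day 99% VaR
    hqla: float              # high-quality liquid assets
    net_outflows_30d: float  # 30-day stressed net cash outflows
    stress_loss: float       # loss under the firm-wide stress scenario
    control_total: float     # hash total sent by the source system (assumed control)

    def reconciles(self) -> bool:
        computed = self.var_1d_99 + self.hqla + self.net_outflows_30d + self.stress_loss
        return abs(computed - self.control_total) < 0.005


# Hypothetical firm-level limits taken from a risk appetite statement.
RAF_LIMITS = {
    "var_1d_99":          {"limit": 120.0, "kind": "ceiling"},  # $mm
    "liquidity_coverage": {"limit": 1.10,  "kind": "floor"},    # HQLA / outflows
    "post_stress_cet1":   {"limit": 8.0,   "kind": "floor"},    # % of RWA after stress
}
WARN_AT = 0.85  # utilisation above which a metric is flagged before it breaches


def validate_feeds(feeds, as_of, max_age_days=1):
    """Split feeds into usable ones and a list of data-quality issues.
    A stale or unreconciled feed is excluded rather than silently aggregated,
    because a missing line understates firm-wide risk."""
    usable, issues = [], []
    for f in feeds:
        age = (as_of - f.as_of).days
        if age > max_age_days:
            issues.append(f"{f.line}: feed is {age} days old (max {max_age_days})")
        elif not f.reconciles():
            issues.append(f"{f.line}: control total {f.control_total} does not reconcile")
        else:
            usable.append(f)
    return usable, issues


def aggregate(feeds, cet1_capital, rwa):
    """Firm-level metrics from the usable business-line feeds. VaR is summed,
    which assumes perfect correlation between lines and is therefore conservative."""
    stress_loss = sum(f.stress_loss for f in feeds)
    return {
        "var_1d_99": sum(f.var_1d_99 for f in feeds),
        "liquidity_coverage": sum(f.hqla for f in feeds) / sum(f.net_outflows_30d for f in feeds),
        "post_stress_cet1": (cet1_capital - stress_loss) / rwa * 100.0,
    }


def check_against_raf(metrics):
    """Utilisation of each RAF limit: above 1.0 is a breach, above WARN_AT a warning."""
    results = {}
    for name, rule in RAF_LIMITS.items():
        value = metrics[name]
        util = value / rule["limit"] if rule["kind"] == "ceiling" else rule["limit"] / value
        status = "BREACH" if util > 1.0 else "WARN" if util > WARN_AT else "OK"
        results[name] = {"value": round(value, 3), "limit": rule["limit"],
                         "utilization": round(util, 3), "status": status}
    return results


def report(tier, results, issues, feeds, complete):
    """Tiered view: directors get exceptions only, executives every metric,
    business-line leaders the per-line detail behind the aggregates."""
    out = {"complete": complete, "data_issues": issues}
    if tier == "board":
        out["exceptions"] = {n: r["status"] for n, r in results.items() if r["status"] != "OK"}
    elif tier == "executive":
        out["metrics"] = results
    elif tier == "business_line":
        out["metrics"] = results
        out["lines"] = {f.line: {"var_1d_99": f.var_1d_99, "stress_loss": f.stress_loss}
                        for f in feeds}
    else:
        raise ValueError(f"unknown tier {tier!r}")
    return out


def run_monitor(feeds, as_of, cet1_capital, rwa, tier="executive"):
    usable, issues = validate_feeds(feeds, as_of)
    results = check_against_raf(aggregate(usable, cet1_capital, rwa))
    return report(tier, results, issues, usable, complete=not issues)


# Constructed sample feeds: two clean, one stale, one that fails reconciliation.
TODAY = date(2018, 6, 29)
SAMPLE_FEEDS = [
    LineFeed("Rates",    TODAY,                     50.0, 450.0, 300.0, 120.0, 920.0),
    LineFeed("Equities", TODAY,                     45.0, 150.0, 200.0, 180.0, 575.0),
    LineFeed("Credit",   TODAY - timedelta(days=3), 40.0, 100.0,  80.0,  30.0, 250.0),
    LineFeed("FX",       TODAY,                     20.0,  50.0,  40.0,  10.0, 121.0),
]

if __name__ == "__main__":
    for tier in ("board", "executive", "business_line"):
        print(tier, run_monitor(SAMPLE_FEEDS, TODAY, cet1_capital=1000.0, rwa=9000.0, tier=tier))
```

With the sample feeds, the Credit line is excluded as stale and FX fails its control total, so every report carries `complete: False` and the two issues; the aggregated VaR of 95 is within its 120 limit, liquidity coverage of 1.2 sits in the warning band against the 1.10 floor, and post-stress CET1 of about 7.78% breaches the 8% floor. The board view shows only those exceptions and the data issues, which is the point: an incomplete aggregation must be visible at the top, not hidden behind a number that looks within appetite.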