LO 38.5: Distinguish between regulatory and economic capital, and explain the use of economic capital in the corporate decision making process.
Regulatory capital requirements may differ significantly from the capital required to achieve or maintain a given credit rating (economic capital). If regulatory requirements are less than economic capital requirements, the firm will meet the regulatory requirements as a by-product of its ERM objectives, and there will be no effect on the firm's activities. However, if regulatory capital requirements are greater than economic capital requirements, the firm will have excess capital on hand. If competitors are subject to the same requirements, this excess capital amounts to a regulatory tax. If competing firms are not subject to the excess capital requirement, they will have a competitive advantage. Because regulatory capital requirements are typically based on accounting capital rather than economic capital, a firm whose economic values exceed its accounting values may be penalized and may have to hold more liquid assets to cover the shortfall.
The economic capital of the firm must be put to productive use. If a firm accumulates excess economic capital that is not employed productively, investors will reduce the value of the firm. This reduction will be consistent with the failure of existing management to earn the cost of capital on the excess amount.
As a firm takes on new projects, the probability of financial distress increases. One way to offset this increased risk is to raise enough additional capital to bring the risk of financial distress back to the level that existed prior to the new project.
For example, assume that a firm has a value at risk (VaR) measure of $1 billion, and that as a result of a new expansion project the VaR figure increases to $1.1 billion. In order to offset the risk of the new project, the firm would need to do the following:
1. Raise additional capital of $100 million.
2. Invest this additional capital without increasing the overall risk of the firm.
If the cost of the additional capital is 6% and the new project is expected to last one year, the new project would need to generate an additional $6 million to maintain the economic capital of the firm. Looked at another way, the expected benefit of the new project should be reduced by $6 million to compensate for the incremental risk to the firm.
These decisions regarding how the risk of new projects will affect the total risk of the firm are further complicated by the correlations of the expected returns of the projects. If two new projects are less than perfectly correlated, the incremental increase in total risk will be less. One way to account for any possible diversification benefits is to reduce the cost of capital of projects that are expected to have lower correlations with existing operations.
2018 Kaplan, Inc.
Topic 38 Cross Reference to GARP Assigned Reading – Nocco & Stulz
Risks to Retain and Risks to Lay Off
Many risks can be hedged inexpensively with derivatives contracts. Examples include exposures to changes in exchange rates, interest rates, and commodities prices. Rather than face the risk that unexpected cash shortfalls due to these exposures might negatively affect the ability of the firm to carry out its strategic plan, the firm should hedge these exposures.
Other risks cannot be inexpensively hedged. These are risks where the firm's management either has an informational advantage over outsiders or the ability to manage the outcome of the risk-taking activity. A counterparty to a transaction that hedges such risks would require very high compensation to be willing to take on the transferred risks. The firm's business risks fall into this category.
The guiding principle in deciding whether to retain or lay off risks is comparative advantage in risk bearing. A company has a comparative advantage in bearing its strategic and business risks because it knows more about these risks than outsiders do. Because of this informational advantage, the firm cannot transfer these risks cost effectively. Moreover, the firm is in the business of managing these core risks. On the other hand, the firm has no comparative advantage in forecasting market variables such as exchange rates, interest rates, or commodities prices. These noncore risks can be laid off. By reducing noncore exposures, the firm reduces the likelihood of disruptions to its ability to fund strategic investments and increases its ability to take on business risks.
Key Concepts
LO 38.1 Enterprise risk management (ERM) is the process of managing all of a corporation's risks within an integrated framework.
The macro benefit of ERM is that hedging corporate diversifiable risk improves management's ability to invest in value-creating projects in a timely manner and improves the firm's ability to carry out the strategic plan.
The micro benefit of ERM requires decentralizing risk management to ensure that each project's total risk is adequately assessed by project planners during the initial evaluation of the project. The two main components of decentralizing the risk-return tradeoff are consideration of the marginal impact of each project on the firm's total risk and a performance evaluation system that considers unit contributions to total risk.
LO 38.2 The goal of risk management is to optimize (not eliminate) total risk by trading off the expected returns from taking risks with the expected costs of financial distress. Financial distress in this case is defined as circumstances where the firm is forced to forego positive NPV projects.
LO 38.3 The conceptual framework of ERM is a four-step process:
1. Determine the firm's risk appetite.
2. Estimate the amount of capital needed to support the desired level of risk.
3. Determine the optimal combination of capital and risk that achieves the target credit rating.
4. Decentralize the management of risk.
LO 38.4 Due to diversification effects of aggregating market, credit, and operational risk, firm-wide VaR will be less than the sum of the VaRs from each risk category. This suggests that the correlation among risks is some value less than one.
LO 38.5 Regulatory capital requirements may differ significantly from the capital required to achieve or maintain a given credit rating (economic capital). Because regulatory capital requirements are typically based on accounting capital rather than economic capital, a firm whose economic values exceed its accounting values may be penalized and may have to hold more liquid assets to cover the shortfall. The economic capital of the firm must be put to productive use. If a firm accumulates excess economic capital that is not employed productively, investors will reduce the value of the firm.
Concept Checkers
1. Reducing diversifiable risk creates value:
A. only when markets are perfect.
B. because it is costly for shareholders to eliminate diversifiable risk through their own actions.
C. because reducing diversifiable risk mitigates the underinvestment problem that can occur when investors have imperfect information about the firm's projects.
D. only when it results in a permanent reduction in cash flow.
2. Effective enterprise risk management includes all of the following except:
A. centralized evaluation of every project's risk.
B. a project is only accepted if its return is adequate after considering the cost of the project's contribution to total firm risk.
C. the project's planners perform the initial evaluation of project risk.
D. periodic evaluations of the performance of business units consider each unit's contribution to total risk.
3. The goal of enterprise risk management (ERM) can best be described as maximizing firm value by:
A. eliminating the total risk of the firm.
B. minimizing the total risk of the firm.
C. optimizing the total risk of the firm.
D. eliminating the probability of financial distress.
4. In determining the relative importance of economic value compared to accounting performance in its enterprise risk management program, a firm should:
A. rely on accounting performance because it will be more accurate.
B. rely on economic value because it will be more accurate.
C. base its decision on the input of project-level managers.
D. base its decision on the objective of the ERM program.
5. Which risk is least likely to be beneficial for a company to lay off?
A. Currency exchange rate risk.
B. Business risk.
C. Commodities price risk.
D. Interest rate risk.
Concept Checker Answers
1. C When markets are not perfect (i.e., investors' information about project values is incomplete), the firm may not be able to raise funds on fair terms. For a firm faced with an unexpected drop in operating cash flow, this can lead to the underinvestment problem, where the company passes up valuable strategic investments rather than raise equity on onerous terms. The inability to fund strategic investments can result in a permanent reduction in shareholder value even if the cash shortfall is temporary. Hedging diversifiable risk mitigates the underinvestment problem and creates value, even though shareholders can eliminate diversifiable risk at low cost by diversifying their portfolios.
2. A Central to ERM is the idea that a decentralized approach to the evaluation of project risks focuses managers throughout the firm on the importance of properly considering the risk and return implications of projects.
3. C The goal of ERM is to optimize the total risk of the firm. Eliminating total risk is not possible. Minimizing total risk would preclude accepting risky projects that would allow the firm to expand and maximize value. These risky projects will increase the probability of financial distress. The goal of ERM is to optimize the risk of distress relative to the potential returns from the risky projects.
4. D There are certain situations where either accounting values or economic values will more accurately reflect the firm's situation. The determining factor in choosing between economic values and accounting values is the objective of the program. For example, if the objective is maintaining a rating that is based in large part on accounting numbers, then accounting numbers will assume more relative importance.
5. B A company has a comparative advantage in bearing its strategic and business risks because it knows more about these risks than outsiders do. The firm is in the business of managing these core risks. The firm has no comparative advantage in forecasting market variables such as exchange rates, interest rates, or commodities prices. These noncore risks can be laid off.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
Observations on Developments in Risk Appetite Frameworks and IT Infrastructure
Topic 39
Exam Focus
This topic discusses the concept of a risk appetite framework (RAF). For the exam, understand the elements and benefits of an RAF, and be familiar with best practices for an effective RAF. Also, be able to identify metrics that can be monitored as part of an effective RAF. Finally, understand the elements and benefits of a robust risk data infrastructure as well as best practices relating to data aggregation.
Risk Appetite Framework

LO 38.4: Describe the role of and issues with correlation in risk aggregation, and describe typical properties of a firm's market risk, credit risk, and operational risk distributions.
Firms that use value at risk (VaR) to assess potential loss amounts will ultimately have three different VaR measures to manage. Market risk, credit risk, and operational risk will each produce their own VaR measures. The trick to accurately measuring and managing firm wide risk, and in turn firm-wide VaR, is to understand how these VaR measures interact. Market risks will typically follow a normal distribution; however, the distributions for credit risks and operational risks are usually asymmetric in shape, due to the fat-tail nature of these risks.
Due to diversification effects of aggregating market, credit, and operational risk, firm-wide VaR will be less than the sum of the VaRs from each risk category. This suggests that the correlation among risks is some value less than one. It can be difficult to determine this correlation amount, so firms typically use average correlation values within their respective industry. However, firms should recognize that correlations can be influenced by firm-specific actions as well as external events such as a financial crisis.
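The two ideas on this page that turn on correlation, the capital-raising example under LO 38.5 (a project pushes firm VaR from $1 billion to $1.1 billion, so the firm raises $100 million and charges the project its carrying cost) and the aggregation point here (firm-wide VaR is below the sum of the category VaRs whenever correlations are below one), can be worked through in a few lines of code. The block below is an added example, not code from the Kaplan notes or from Nocco & Stulz. The correlation values and the $600m/$400m/$300m category VaRs are constructed inputs; the square-root-of-quadratic-form aggregation it uses is exact only when the joint loss distribution is elliptical (e.g., normal), which the page notes does not hold for the fat-tailed credit and operational risk distributions, so for those categories it is an approximation and the function says so.

```python
"""Aggregate per-category VaR under a correlation matrix and compute the
capital charge for a project's incremental VaR.  Added worked example; the
sample figures below are constructed, not taken from the reading."""
from math import sqrt
from typing import Sequence, Tuple

Matrix = Sequence[Sequence[float]]


def check_correlation_matrix(corr: Matrix) -> None:
    """Reject anything that cannot be a correlation matrix: non-square,
    asymmetric, off-unit diagonal, or an entry outside [-1, 1]."""
    n = len(corr)
    for i, row in enumerate(corr):
        if len(row) != n:
            raise ValueError("correlation matrix must be square")
        if abs(row[i] - 1.0) > 1e-12:
            raise ValueError("diagonal entries must equal 1")
        for j, rho in enumerate(row):
            if not -1.0 <= rho <= 1.0:
                raise ValueError(f"rho[{i}][{j}]={rho} lies outside [-1, 1]")
            if abs(rho - corr[j][i]) > 1e-12:
                raise ValueError("correlation matrix must be symmetric")


def aggregate_var(standalone: Sequence[float], corr: Matrix) -> float:
    """Firm-wide VaR = sqrt(v^T R v) for the vector v of category VaRs.

    Exact when the joint loss distribution is elliptical (normal market risk);
    for fat-tailed, asymmetric credit and operational loss distributions this
    is only an approximation, which is the caveat the reading raises.
    """
    check_correlation_matrix(corr)
    if len(standalone) != len(corr):
        raise ValueError("need exactly one VaR per row of the correlation matrix")
    if any(v < 0 for v in standalone):
        raise ValueError("VaR figures must be non-negative")
    quad = 0.0
    for i, vi in enumerate(standalone):
        for j, vj in enumerate(standalone):
            quad += vi * corr[i][j] * vj
    if quad < 0:  # only possible if R is not positive semidefinite
        raise ValueError("correlation matrix is not positive semidefinite")
    return sqrt(quad)


def diversification_benefit(standalone: Sequence[float], corr: Matrix) -> float:
    """Sum of stand-alone VaRs minus aggregated VaR; zero under perfect
    correlation, positive whenever some rho < 1."""
    return sum(standalone) - aggregate_var(standalone, corr)


def incremental_capital_charge(var_before: float, var_after: float,
                               cost_of_capital: float,
                               years: float = 1.0) -> Tuple[float, float]:
    """Capital the firm must raise to return its distress probability to the
    pre-project level (the VaR increase), and the cost of carrying that
    capital over the project's life.  A negative first value means the
    project releases capital rather than consuming it."""
    extra_capital = var_after - var_before
    return extra_capital, extra_capital * cost_of_capital * years


# Constructed sample inputs ($ millions); the correlations are assumed
# "industry average" figures, not values from the reading.
STANDALONE = [600.0, 400.0, 300.0]            # market, credit, operational
PERFECT = [[1.0, 1.0, 1.0], [1.0, 1.0, 1.0], [1.0, 1.0, 1.0]]
INDEPENDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
INDUSTRY_AVG = [[1.0, 0.5, 0.2], [0.5, 1.0, 0.3], [0.2, 0.3, 1.0]]

if __name__ == "__main__":
    for name, corr in (("perfect", PERFECT), ("industry avg", INDUSTRY_AVG),
                       ("independent", INDEPENDENT)):
        agg = aggregate_var(STANDALONE, corr)
        print(f"{name:13s} sum={sum(STANDALONE):7.1f} "
              f"firm-wide VaR={agg:7.1f} benefit={sum(STANDALONE) - agg:6.1f}")
    # The LO 38.5 example: VaR 1,000 -> 1,100 at a 6% cost of capital, 1 year.
    capital, charge = incremental_capital_charge(1000.0, 1100.0, 0.06, 1.0)
    print(f"raise {capital:.0f}, charge the project {charge:.0f} per year")
```

Reading the output top to bottom reproduces the page's argument: with every correlation at one the firm-wide VaR equals the $1,300m sum and the diversification benefit is zero; with the assumed industry-average correlations it drops to roughly $997m; with independent categories it falls to about $781m. The last line is the $100m capital raise and $6m annual charge from the LO 38.5 example, computed rather than asserted.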
Capital Allocation

LO 38.3: Describe the development and implementation of an ERM system, as well as challenges to the implementation of an ERM system.
In developing an ERM system, management should follow this framework:
1. Determine the firm's acceptable level of risk. The critical component of this determination is selecting the probability of financial distress that maximizes the value of the firm. Financial distress in this context means any time the firm must forego projects with positive net present values due to inadequate resources. The likelihood of financial distress could be minimized by investing all funds in U.S. Treasury securities, but this should not be the firm's objective. The objective should be maximizing firm value by selecting an appropriate probability of distress. For many firms, the proxy used for measuring the probability of distress is the firm's credit rating assigned by external agencies. Thus, the firm may determine that its objective under ERM is to avoid a credit rating below BBB. If the firm is currently rated AA, for example, the likelihood of falling below BBB can be estimated from average transition data supplied by the rating agency.
2. Based on the firm's target debt rating, estimate the capital (i.e., buffer) required to support the current level of risk in the firm's operations. In other words, how much capital does the firm need to have (on hand or available externally) to ensure that it can avoid financial distress? A company with liquid assets sufficient to fund all of its positive NPV projects would not be exposed to the underinvestment problem when it encountered cash flow deficits. Thus, risk management can be viewed as a substitute for investing equity capital in liquid assets. Keeping a large amount of equity in the form of liquid assets is costly. Instead of maintaining a large liquid asset buffer, a company can institute a risk management program to ensure (at some level of statistical confidence) that its operating cash flow will not fall below the level needed to fund valuable projects. That is, the firm can take actions to limit the probability of financial distress to a level that maximizes firm value. The goal of ERM is to optimize (not eliminate) total risk by trading off the expected returns from taking risks with the expected costs of financial distress.
3. Determine the ideal mix of capital and risk that will achieve the appropriate debt rating. At this level of capital, the firm will be indifferent between increasing capital and decreasing risk.
4. Decentralize the risk/capital tradeoff by giving individual managers the information and the incentive they need to make decisions appropriate to maintaining the risk/capital tradeoff.
The implementation steps of ERM are as follows:
Step 1: Identify the risks of the firm. For many banks, risks are classified as falling into one of three categories: market, credit, or operational. Other financial institutions broaden the list to include asset, liability, liquidity, and strategic risks. Identification of risks should be performed both top-down (by senior management) and bottom-up (by individual managers of business units or other functional areas).
Step 2: Develop a consistent method to evaluate the firm's exposure to the risks identified above. If the methodology is not consistent, the ERM system will fail because capital will be misallocated across business units.
Implementation of an ERM system is challenging, and it is important that the entire organization supports the system. Thus, it is critical for all levels of the organization to understand how the system is designed and how it can create value. Monitoring the ERM system may be neglected due to its time-consuming nature. However, the inability to identify relevant risks on a regular basis could lead to corporate failures.
Economic Value vs. Accounting Value
Credit ratings are typically based on accounting data, combined with some level of subjective assessment by analysts. Economic value, as determined by management, may very well be a more accurate reflection of the true value of the firm.
In determining whether accounting value or economic value is more relevant, the firm must consider its objective. If the objective is to manage the probability of default, the question of how default is determined becomes important. If default is determined by failure to meet certain accounting measures (e.g., debt ratio, interest coverage), then accounting measures will be a critical component of meeting the objectives.
If the objective is to manage the present value of future cash flows, then economic measures may be more appropriate than accounting measurements that do not accurately capture economic reality. Management must consider that managing economic value may lead to more volatile accounting earnings, which may ultimately affect economic value as well.
Risk Aggregation

LO 38.1: Define enterprise risk management (ERM) and explain how implementing ERM practices and policies can create shareholder value, both at the macro and the micro level.
A business can manage its risks separately, one at a time, or all together in a cohesive framework. Enterprise risk management (ERM) is the process of managing all of a corporation's risks within an integrated framework.
The benefit of ERM is that a comprehensive program for managing risk allows the business to achieve its ideal balance of risk and return.
Macro Level
At the macro level, ERM allows management to optimize the firm's risk/return tradeoff. This optimization assures access to the capital needed to execute the firm's strategic plan.
The perfect markets view of finance implies that a company's cost of capital is unrelated to its diversifiable risk. Rather, the cost of capital is determined by the firm's systematic risk (also referred to as nondiversifiable, market, or beta risk). According to this view, efforts to hedge diversifiable risk provide no benefit to shareholders, who can eliminate this risk by diversifying their portfolios.
However, reducing diversifiable risk can be beneficial when markets are imperfect. Suppose a firm experiences a large and unexpected drop in its operating cash flow and does not have funds sufficient to fund valuable investment opportunities. In perfect markets, the firm would be able to raise funds on fair terms to fund all of its value-creating projects. When markets are not perfect (i.e., investors' information about project values is incomplete), the firm may not be able to raise the needed funds on fair terms. This can lead to the underinvestment problem, where the company passes up valuable strategic investments rather than raise equity on onerous terms. The inability to fund strategic investments on a timely basis can result in a permanent reduction in shareholder value, even if the cash shortfall is temporary. By hedging diversifiable risks, the company reduces the likelihood of facing the underinvestment problem. Thus, the primary function of corporate risk management is to protect the company's strategic plan by ensuring timely investment. The ability to carry out the strategic plan in a timely manner confers an advantage over competitors who are unable to do so.
Micro Level
In order for ERM to achieve the objective of optimizing the risk/return tradeoff, each project must be evaluated not only for the inherent risk of the project but also for its effect on the overall risk of the firm. Thus, ERM requires that managers throughout the firm be aware of the ERM program. This decentralization of evaluating the risk/return tradeoff has two components:
1. Any managers evaluating new projects must consider the risks of the project in the context of how the project will affect the firm's total risk.
2. Business units must be evaluated on how each unit contributes to the total risk of the firm. This gives the individual managers an incentive to monitor the effect of individual projects on overall firm risk.
There are three reasons why decentralizing the risk-return tradeoff in a company is important:
1. Transformation of the risk management culture: A consistent, systematic assessment of risks by all business units ensures that managers consider the impact of all important risks.
2. Every risk is owned: Because performance evaluations are based on risk, managers have an incentive to consider important risks in their decision making.
3. Risk assessment by those closest to the risk: Managers in the individual business units have the knowledge and expertise needed to assess and manage the risks of the business unit.
Development and Implementation

LO 37.6: Explain the Basel Committee's suggestions for managing technology risk and outsourcing risk.
Technology can be used to mitigate operational risks. For example, automated procedures are generally less prone to error than manual procedures. However, technology introduces its own risks. The Basel Committee recommends an integrated approach to identifying, measuring, monitoring, and managing technology risks.
Technology risk management tools are similar to those suggested for operational risk management and include:
1. Governance and oversight controls.
2. Policies and procedures in place to identify and assess technology risks.
3. Written risk appetite and tolerance statements.
4. Implementation of a risk control environment.
5. Risk transfer strategies to mitigate technology risks.
6. Monitoring of technology risks and of violations of thresholds and risk limits.
7. A sound technology infrastructure (i.e., the hardware and software components, data, and operating environments).
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
Outsourcing involves the use of third parties to perform activities or functions for the firm. Outsourcing may reduce costs, provide expertise, expand bank offerings, and/or improve bank services. The board of directors and senior management must understand the operational risks that are introduced as a result of outsourcing. Outsourcing policies should include:
1. Processes and procedures for determining which activities can be outsourced and how the activities will be outsourced.
2. Processes for selecting service providers (e.g., due diligence).
3. Structuring the outsourcing agreement to describe termination rights, ownership of data, and confidentiality requirements.
4. Monitoring the risks of the arrangement, including the financial health of the service provider.
5. Implementing a risk control environment and assessing the control environment at the service provider.
6. Developing contingency plans.
7. Clearly defining the responsibilities of the bank and the service provider.
Key Concepts
LO 37.1 The Basel Committee on Banking Supervision defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events."
The Basel Committee recognizes three common lines of defense used to control operational risks. These lines of defense are: (1) business line management, (2) independent operational risk management function, and (3) independent reviews of operational risks and risk management.
LO 37.2 The 11 fundamental principles of operational risk management suggested by the Basel Committee are:
1. The maintenance of a strong risk management culture led by the bank's board of directors and senior management.
2. The operational risk framework (i.e., the Framework) must be developed and fully integrated in the overall risk management processes of the bank.
3. The board should approve and periodically review the Framework. The board should also oversee senior management to ensure that appropriate risk management decisions are implemented at all levels of the firm.
4. The board must identify the types and levels of operational risks the bank is willing to assume as well as approve risk appetite and risk tolerance statements.
5. Consistent with the bank's risk appetite and risk tolerance, senior management must develop a well-defined governance structure within the bank.
6. Operational risks must be identified and assessed by managers. Senior management must understand the risks, and the incentives related to those risks, inherent in the bank's business lines and processes.
7. New lines of business, products, processes, and systems should require an approval process that assesses the potential operational risks.
8. A process for monitoring operational risks and material exposures to losses should be put in place by senior management and supported by senior management, the board of directors, and business line employees.
9. Banks must put strong internal controls and risk mitigation and risk transfer strategies in place to manage operational risks.
10. Banks must have plans in place to survive in the event of a major business disruption. Business operations must be resilient.
11. Banks should make disclosures that are clear enough that outside stakeholders can assess the bank's approach to operational risk management.
LO 37.3 The board of directors and senior management must be engaged with operational risk assessment related to all 11 of the fundamental principles of operational risk management. The operational risk management framework must define, describe, and classify operational risk and operational loss exposure. The Framework must be documented in policies approved by the board of directors.
LO 37.4 There are several tools that may be used to identify and assess operational risk. The tools include business process mappings, risk and performance indicators, scenario analysis, using risk assessment outputs as inputs for operational risk exposure models, audit findings, analyzing internal and external operational loss data, risk assessments, and comparative analysis.
LO 37.5 An effective control environment should include the following five components: (1) a control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities.
LO 37.6 Technology can be used to mitigate operational risks but it introduces its own risks. The Basel Committee recommends an integrated approach to identifying, measuring, monitoring, and managing technology risks. Technology risk management tools are similar to those suggested for operational risk management.
Outsourcing involves the use of third parties to perform activities or functions for the firm. Outsourcing may reduce costs, provide expertise, expand bank offerings, and/or improve bank services. The board of directors and senior management must understand the operational risks that are introduced as a result of outsourcing.
Concept Checkers
1. Griffin Riehl is a risk manager at Bluegrass Bank and Trust, a small, independent commercial bank in Kentucky. Riehl has recently read the Basel Committee on Banking Supervision's recommendations for sound operational risk management and would like to put several controls in place. He would like to start with the three lines of defense suggested by the committee. Which of the following is not one of the three common lines of defense suggested by the Basel Committee for operational risk governance?
A. Business line management.
B. Board of directors and senior management risk training programs.
C. Creating an independent operational risk management function in the bank.
D. Conducting independent reviews of operational risks and risk management operations.
2. Garrett Bridgewater, a trader at a large commercial bank, has continued to increase his bonus each year by producing more and more profit for the bank. In order to increase profits, Bridgewater has been forced to increase the riskiness of his positions, despite the written risk appetite and tolerance statements provided to all employees of the bank. The bank seems happy with his performance, so Bridgewater takes that as a sign of approval of his methods for improving profitability. Which of the following pairs of the 11 fundamental principles of risk management has the bank most clearly violated in this situation?
A. Principle 1 (a strong risk management culture) and Principle 11 (the bank should make clear disclosures of operational risks to stakeholders).
B. Principle 2 (develop an integrated approach to operational risk management) and Principle 7 (establish a rigorous approval process for new lines of business).
C. Principle 3 (approve and review the operational risk framework) and Principle 4 (develop risk appetite and tolerance statements).
D. Principle 5 (develop a well-defined governance structure) and Principle 6 (understand the risk and incentives related to risk inherent in the bank's business lines and processes).
3. Gary Hampton is providing descriptions of the operational risk management assessment tools, reporting lines, and accountabilities to the board of directors. Hampton is most likely working on:
A. Framework documentation.
B. A corporate operational risk function (CORF) handbook of operations.
C. An outline of the fundamental principles of operational risk management.
D. An open group operational framework diagram.
4. George Mathis works in risk analysis and management at a large commercial bank. He uses several tools to identify and assess operational risk. He has asked several business line managers to identify some risk events that would disrupt business. Each manager has also provided their thoughts on what would happen given worst case operational failures. The risk assessment tool Mathis is most likely using in this case is (are):
A. risk indicators.
B. comparative analysis.
C. scenario analysis.
D. business process mappings.
5. A risk management officer at a small commercial bank is trying to institute strong operational risk controls, despite little support from the board of directors. The manager is considering several elements as potentially critical components of a strong control environment. Which of the following is not a required component of an effective risk control environment as suggested by the Basel Committee on Banking Supervision?
A. Information and communication.
B. Monitoring activities.
C. A functionally independent corporate operational risk function.
D. Risk assessment.
Concept Checker Answers
1. B The three common lines of defense suggested by the Basel Committee on Banking Supervision and employed by firms to control operational risks are: (1) business line management, (2) an independent operational risk management function, and (3) independent reviews of operational risks and risk management.
2. D Based on the choices provided, the best match for the scenario is a violation of Principles 5 and 6. It is clear that the bank has not considered the incentives that are related to risk taking in the bank. Bridgewater has been given the risk appetite and tolerance statements, but senior managers keep rewarding Bridgewater for high returns and seem to be ignoring the fact that they are the result of higher risks. Thus, there are incentives linked to increasing risk. The governance structure may or may not be well defined, but regardless, it is not being adhered to.
3. A The operational risk management framework (i.e., the Framework) must define, describe, and classify operational risk and operational loss exposure. Hampton is likely working on Framework documentation. Framework documentation is overseen by the board of directors and senior management.
4. C Mathis is asking managers to identify potential risk events, which he will use to assess potential outcomes of these risks. This is an example of scenario analysis. Scenario analysis is a subjective process where business line managers and risk managers identify potential risk events and then assess potential outcomes of those risks.
5. C A functionally independent corporate operational risk function is desirable in a bank but is not necessary for an effective control environment. This is especially true for a small bank, which might roll all risk management activities into one risk management group (i.e., not segregated by type of risk). An effective control environment should include the following five components: (1) a control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
Enterprise Risk Management: Theory and Practice
Topic 38
Exam Focus
Enterprise risk management (ERM) is the process of managing all of a corporation's risks within an integrated framework. This topic describes how ERM can be implemented in a way that enables a company to manage its total risk-return tradeoff in order to better carry out its strategic plan, gain competitive advantage, and create shareholder value. Key issues include why it may be optimal to hedge diversifiable risk and how to differentiate between core risks the firm should retain and noncore risks the firm should lay off. Also discussed is the determination of the optimal amount of corporate risk and the importance of ensuring that managers at all levels take proper account of the risk-return tradeoff. For the exam, understand the framework for developing and implementing ERM.
Creating Value With ERM

LO 37.5: Describe features of an effective control environment and identify specific controls that should be in place to address operational risk.
An effective control environment must include the following five components:
1. A control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring activities.
Senior managers should conduct top-level reviews of progress toward stated risk objectives, verify compliance with standards and controls, review instances of non-compliance, evaluate the approval system to ensure accountability, and track reports of exceptions to risk limits, management overrides, and deviations from risk policies and controls. Managers should also ensure that duties are segregated and that conflicts of interest are identified and minimized.
Specific controls that should be in place in the organization to address operational risk include:
Clearly established lines of authority and approval processes for everything from new products to risk limits.
Safeguards to limit access to and protect bank assets and records.
Careful monitoring of risk thresholds and limits.
An appropriately sized staff to manage risks.
An appropriately trained staff to manage risks.
A system to monitor returns and identify returns that are out of line with expectations (e.g., a product that is generating high returns but is supposed to be low risk may indicate that the performance is the result of a breach of internal controls).
Confirmation and reconciliation of bank transactions and accounts.
A vacation policy that requires officers and employees to be absent for a period of not less than two consecutive weeks.
Managing Technology Risk and Outsourcing Risk


LO 37.4: Describe tools and processes that can be used to identify and assess operational risk.
Tools that may be used to identify and assess operational risk include:
Business process mappings, which do exactly that: map the bank's business processes. Maps can reveal risks, interdependencies among risks, and weaknesses in risk management systems.
Risk and performance indicators, which are measures that help managers understand the bank's risk exposure. There are Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). KRIs are measures of drivers of risk and exposures to risk. KPIs provide insight into operational processes and weaknesses. Escalation triggers are often paired with KRIs and KPIs to warn when risk is approaching or exceeding risk thresholds.
Scenario analysis, which is a subjective process where business line managers and risk managers identify potential risk events and then assess potential outcomes of those risks.
Measurement, which involves the use of outputs of risk assessment tools as inputs for operational risk exposure models. The bank can then use the models to allocate economic capital to various business units based on return and risk.
Audit findings, which identify weaknesses but may also provide insights into inherent operational risks.
Analysis of internal operational loss data. Analysis can provide insight into the causes of large losses. Data may also reveal whether problems are isolated or systemic.
Analysis of external operational loss data, including gross loss amounts, dates, amounts of recoveries, and losses at other firms.
Risk assessments, or risk self-assessments (RSAs), which address potential threats. Assessments consider the bank's processes and possible defenses relative to the firm's threats and vulnerabilities. Risk Control Self-Assessments (RCSAs) evaluate risks before risk controls are considered (i.e., inherent risks). Scorecards translate RCSA output into metrics that help the bank better understand the control environment.
Comparative analysis, which combines all of the described risk analysis tools into a comprehensive picture of the bank's operational risk profile. For example, the bank might combine audit findings with internal operational loss data to better understand the weaknesses of the operational risk framework.
Features of an Effective Control Environment


LO 37.3: Explain guidelines for strong governance of operational risk, and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework.
The attitudes and expectations of the board of directors and senior management are critical to an effective operational risk management program.
With respect to Principle 1, the board of directors and/or senior management should:
Provide a sound foundation for a strong risk management culture within the bank. A strong risk management culture will generally mitigate the likelihood of damaging operational risk events.
Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical behavior. The board of directors should support senior managers in producing the code of conduct. Risk management activities should reinforce the code of conduct. The code should be reflected in training and compensation as well as in risk management. There should be a balance between risks and rewards. Compensation should be aligned not just with performance, but also with the bank's risk appetite, strategic direction, financial goals, and overall soundness.
Provide risk training throughout all levels of the bank. Senior management should ensure training reflects the responsibilities of the person being trained.
With respect to Principle 2, the board of directors and/or senior management should:
Thoroughly understand both the nature and complexity of the risks inherent in the products, lines of business, processes, and systems in the bank. Operational risks are inherent in all aspects of the bank.
Ensure that the Framework is fully integrated into the bank's overall risk management plan across all levels of the firm (i.e., business lines, new business lines, products, processes, and/or systems). Risk assessment should be a part of the business strategy of the bank.
With respect to Principle 3, the board of directors and/or senior management should:
Establish a culture and processes that help bank managers and employees understand and manage operational risks. The board must develop comprehensive and dynamic oversight and control mechanisms that are integrated into risk management processes across the bank.
Regularly review the Framework.
Provide senior management with guidance regarding operational risk management and approve policies developed by senior management aimed at managing operational risk.
Ensure that the Framework is subject to independent review.
Ensure that management is following best practices in the field with respect to operational risk identification and management.
Establish clear lines of management responsibility and establish strong internal controls.
With respect to Principle 4, the board of directors and/or senior management should:
Consider all relevant risks when approving the bank's risk appetite and tolerance statements. The board must also consider the bank's strategic direction. The board should approve risk limits and thresholds.
Periodically review the risk appetite and tolerance statements. The review should specifically focus on:
Changes in the market and external environment.
Changes in business or activity volume.
Effectiveness of risk management strategies.
The quality of the control environment.
The nature of, frequency of, and volume of breaches to risk limits.
With respect to Principle 5, the board of directors and/or senior management should:
Establish systems to report and track operational risks and maintain an effective mechanism for resolving problems. Banks should demonstrate the effective use of the three lines of defense to manage operational risk, as outlined by the Basel Committee.
Translate the Framework approved by the board into specific policies and procedures used to manage risk. Senior managers should clearly assign areas of responsibility and should ensure a proper management oversight system to monitor risks inherent in each business unit.
Ensure that operational risk managers communicate clearly with personnel responsible for market, credit, liquidity, interest rate, and other risks and with those procuring outside services, such as insurance or outsourcing.
Ensure that CORF managers have sufficient stature in the bank, commensurate with market, credit, liquidity, interest rate, and other risk managers.
Ensure that the staff is well trained in operational risk management. Risk managers should have independent authority relative to the operations they oversee.
Develop a governance structure for the bank that is commensurate with the size and complexity of the firm. Regarding the governance structure, the bank should consider:
Committee structure: for large, complex banks, a board-created firm-level risk committee should oversee all risks. The management-level operational risk committee would report to the enterprise-level risk committee.
Committee composition: committee members should have business experience, financial experience, and independent risk management experience. Independent, non-executive board members may also be included.
Committee operation: committees should meet frequently enough to be productive and effective. The committee should keep complete records of committee meetings.
With respect to Principle 6, the board of directors and/or senior management should: Consider both internal and external factors to identify and assess operational risk.
Examples of tools that may be used to identify and assess risk are described in LO 37.4.
With respect to Principle 7, the board of directors and/or senior management should: Maintain a rigorous approval process for new products and processes. The bank should make sure that risk management operations are in place from the inception of new activities because operational risks typically increase when a bank engages in new activities, new product lines, enters unfamiliar markets, implements new business processes, puts into operation new technology, and/or engages in activities that are geographically distant from the main office.
Thoroughly review new activities and product lines, reviewing inherent risks, potential changes in the banks risk appetite or risk limits, necessary controls required to mitigate risks, residual risks, and the procedures used to monitor and manage operational risks.
With respect to Principle 8, the board of directors and/or senior management should:
Continuously improve operational risk reporting. Reports should be manageable in scope but comprehensive and accurate in nature.
Ensure that operational risk reports are timely. Banks should have sufficient resources to produce reports during both stressed and normal market conditions. Reports should be provided to the board and senior management.
Ensure that operational risk reports include:
Breaches of the banks risk appetite and tolerance statement.
Breaches of the banks thresholds and risk limits.
Details of recent operational risk events and/or losses.
External events that may impact the banks operational risk capital.
Both internal and external factors that may affect operational risk.
With respect to Principle 9, the board of directors and/or senior management should ensure a sound internal control system, as described in LO 37.5 (an effective control environment) and LO 37.6 (managing technology and outsourcing risks).
Banks may need to transfer risk (e.g., via insurance contracts) if it cannot be adequately managed within the bank. However, sound risk management controls must be in place, and thus risk transfer should be seen as a complement to, rather than a replacement for, risk management controls. New risks, such as counterparty risk, may be introduced when the bank transfers risk. These additional risks must also be identified and managed.
With respect to Principle 10, the board of directors and/or senior management should:
Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology, damaged facilities, pandemic illnesses that affect personnel, and so on). Plans should include impact analysis and plans for recovery. Continuity plans should identify key facilities, people, and processes necessary for the business to operate. The plan must also identify external dependencies such as utilities, vendors, and other third-party providers.
Periodically review continuity plans. Personnel must be trained to handle emergencies and, where possible, the bank should perform disaster recovery and continuity tests.
With respect to Principle 11, the board of directors and/or senior management should:
Write public disclosures such that stakeholders can assess the bank's operational risk management strategies.
Write public disclosures that are consistent with risk management procedures. The disclosure policy should be established by the board of directors and senior management and approved by the board of directors. The bank should also be able to verify disclosures.
Operational Risk Management Framework
The operational risk management framework (i.e., the Framework) must define, describe, and classify operational risk and operational loss exposure. The Framework helps the board and managers understand the nature and complexities of operational risks inherent in the bank's products and services. The components of the Framework should be fully integrated into the bank's overall risk management plan. The Framework must be documented in policies approved by the board of directors. Framework documentation, which is overseen by the board of directors and senior management, should:
Describe reporting lines and accountabilities within the governance structure used to manage operational risks.
Describe risk assessment tools.
Describe the bank's risk appetite and tolerance.
Describe risk limits.
Describe the approved risk mitigation strategies (and instruments).
With respect to inherent and residual risk exposures, describe the bank's methods for establishing and monitoring risk limits.
Establish risk reporting processes and management information systems.
Establish a common language or taxonomy of operational risk terms to create consistency of risk identification and management.
Establish a process for independent review of operational risk.
Require review of established policies and procedures.
Tools for Identifying and Assessing Operational Risk


LO 37.2: Summarize the fundamental principles of operational risk management as suggested by the Basel committee.
Operational risks must be proactively managed by a bank's board of directors and senior managers as well as its business line managers and employees. The 11 fundamental principles of operational risk management suggested by the Basel Committee are:
1. The maintenance of a strong risk management culture led by the bank's board of directors and senior managers. This means that both individual and corporate values and attitudes should support the bank's commitment to managing operational risks.
2. The operational risk framework (referred to as the Framework in this topic) must be developed and fully integrated into the overall risk management processes of the bank.
3. The board should approve and periodically review the Framework. The board should also oversee senior management to ensure that appropriate risk management decisions are implemented at all levels of the firm.
4. The board must identify the types and levels of operational risks the bank is willing to assume as well as approve risk appetite and risk tolerance statements.
5. Consistent with the bank's risk appetite and risk tolerance, senior management must develop a well-defined governance structure within the bank. The structure must be implemented and maintained throughout the bank's various lines of business, its processes, and its systems. The board of directors should approve this governance structure.
6. Senior management must understand the risks, and the incentives related to those risks, inherent in the bank's business lines and processes. These operational risks must be identified and assessed by managers.
7. New lines of business, products, processes, and systems should require an approval process that assesses the potential operational risks. Senior management must make certain this approval process is in place.
8. Senior management should put in place a process for monitoring operational risks and material exposures to losses, with appropriate reporting to the board of directors, senior management, and business line employees.
9. Banks must put strong internal controls, risk mitigation, and risk transfer strategies in place to manage operational risks.
10. Banks must have plans in place to survive in the event of a major business disruption. Business operations must be resilient.
11. Banks should make disclosures that are clear enough that outside stakeholders can assess the bank's approach to operational risk management.
The Role of the Board and Senior Management