Operational Risk Management

Discussion class
28 September 2015
Dr A. Mutezo
 Agenda
• Assignment 02
• Risk profile
• Loss distribution curve
• Business Continuity Management
• Scenarios
• Approach to the exam
 Assignment 02
Identification of events, causes and impact of risk
based on question 02 of assignment 01.

• Operational risk – not the other main risk types

• Confuse cause and events
• Loss distribution curve
• Risk financing strategies
 Events
Event

Hard Soft

Less
Direct expenses Indirect cost to
Direct loss of sales growth/opportunity
related to event repair/recover
cost

Considered when
assessing the
impact
 Impact…
IMPACT

BUSINESS UNIT GROSS VALUES (MILLIONS)

INCOME
1 2 3 4 5

Group R 1 690 < R169 < R423 < R845 ≤ R1 268 >R1 268

Operational Can easily High profile loss Will take a number of Substantial threat to
recover years to recover survival of business

Regulatory Major internal Written warning Breach of code/stock Serious breach of

breach of by regulator exchange requirements code/stock exchange
procedures requirements/loss of
license

Reputational Minor negative Major negative Adverse press Major publicity Adverse publicity
media media coverage coverage damaging brand damaging brand
coverage
 Likelihood…
LIKELIHOOD

The likelihood of occurrence over a 1 2 3 4 5

12 month planning cycle

Highly Unlikely Likely Highly Likely Certainty

Unlikely

0%-20% 21%-40% 41%-60% 61%-80% 81% - 100%

 Link with BCM
Gap - proactive v
reactive
Level of capacity

With BCM
Normal
Without BCM

Time
 Risk appetite and tolerance
• What is risk appetite and tolerance?
• Is it necessary?
 Risk appetite framework
• A few definitions…
– Risk appetite statement
– Risk capacity
– Risk appetite
– Risk limits
– Risk profile
 Risk appetite statement
The articulation in written form of the aggregate level and
types of risk that a firm is willing to accept in order to
achieve its business objectives.

• It includes qualitative statements as well as quantitative

measures expressed relative to earnings, capital, risk
measures, liquidity and other relevant measures as
appropriate.
• It should also address more difficult to quantify risks such
as reputation and money laundering and financing of
terrorism risks, as well as business ethics and conduct.
 Risk capacity
The maximum level of risk the firm can assume
before breaching constraints determined by
regulatory capital and liquidity needs and its
obligations, also from a conduct perspective, to
depositors, policyholders, other customers, and
shareholders.
 Risk appetite
The aggregate level and types of risk a firm is willing
to assume within its risk capacity to achieve its
strategic objectives and business plan.
 Risk limits
Quantitative measures based on forward looking
assumptions that allocate the firm’s aggregate risk
appetite statement (e.g. measure of loss or negative
events) to business lines, legal entities, specific risk
categories, concentrations, and as appropriate,
other levels.
 Risk profile
Point in time assessment of the firm’s net risk
exposures (after taking into account mitigants)
aggregated within and across each relevant risk
category based on forward looking assumptions.
 Risk profile

Impact

Likelihood
 The framework
Should…
• establish a process for communicating the RAF across and within
the firm and, and to some extent, to external stakeholders;
• be driven by both top down board leadership and bottom up
involvement of management at all levels, and embedded and
understood across the firm;
• facilitate embedding risk appetite into the firm’s risk culture;
• act as a brake against excessive risk-taking;
 The framework
• Risk appetite statement used as a tool to promote robust
discussions of risk and as a basis upon which the board, risk
management and internal audit functions can effectively and
credibly debate and challenge management recommendations and
decisions;
• Adaptable to changing business and market conditions so that,
subject to approval by senior management and the board as
appropriate, opportunities that require an increase in the risk limit
of a business line or legal entity may be counterbalanced by a
reduction in the risk appetite allotment of another business line or
legal entity, or by an allocation of an excess in a risk limit, in order
for the firm to remain within the agreed firm-wide risk appetite
 Elements of a risk appetite
statement…
• Linked to the firm’s short- and long-term strategic, capital and
financial plans, and compensation programs;
• Establish the amount of risk the firm is prepared to accept in
pursuit of its strategic objectives and business plan, taking into
account the interests of its customers and shareholders, capital and
other regulatory requirements;
• Determine for each material risk the maximum level of risk willing
to operate within, based on its risk appetite, risk capacity, and risk
profile;
 Elements of a risk appetite
statement…
• Include quantitative measures that can be translated into risk limits
applicable to business lines, legal entities and groups, which in turn
can be aggregated and disaggregated to enable measurement of
the risk profile against risk appetite and risk capacity;
• Include qualitative statements for risks that are not easy to
measure, including reputational and financial consequences of poor
management of conduct risks, and establish some form of
boundaries or indicators to enable monitoring of these risks;
 Elements of a risk appetite
statement…
• Ensure that the strategy and risk limits of each business line and
legal entity align with the firm-wide risk appetite statement as
appropriate; and
• Forward looking and subject to scenario and stress testing to
ensure that the firm understands what events might push the firm
outside its risk appetite and/or risk capacity.
 Scenarios
• Scenario analysis is an important component in
the estimation of operational risk exposure and in
creating more effective operational risk
management processes.
• Scenario analysis may be used to supplement the
lack of internal or appropriate external data.
 What to
consider in Historical
developing
scenarios

Must answer -
External
• Where are we?
Information needed
• How do we respond?
• What can hurt us?

Internal

Future Present
 Problems with scenarios
Expertise in a business area is not the same as expertise in Probability
and Statistics.
Subject matter experts, may possess the requisite knowledge, and
have a good feel for how often a scenario may occur, and how severe
it could be.
Trouble translating their beliefs into probabilistic terms, such as
frequency, impact, percentiles, conditional distributions, and
confidence intervals.
Scenario assessments that are poorly calibrated or internally
inconsistent, do not reflect the underlying beliefs of the expert.
 Problems?
Ability to process data and information
Lead to assessments that are poorly calibrated or
internally inconsistent – i.e. biases.
 Biases

Types of biases

Judgemental Motivational

Adjustment or
Availability Representativeness Framing Confirmation
anchoring
 Mitigation?
• Well prepared participants
• Independent facilitator
• Outside experts
• Challenge and dissent
• Perspective on external and internal data
• Time for reflection
• Scope
• Structured template & taxonomy
• Auditable – four eye principle
• Statisticians
• Documentation
 Examination
• 4 February 2016
• 100 marks
• Case study
• Knowledge of theory necessary
• Set exam and memorandum
– Reviewed by External examiner
• Marking
– 20 – 50 and adjust memo if necessary
– External marker scripts moderated
– Moderated by external examiner
 Why case studies?
• An effective way for students to demonstrate their
learning
• Assists in preparing students for professional work
– Develop critical thinking skills
– Extraction of valuable information from a ‘noisy’
environment
 What is a case study?
• A case study is a scenario in which students are
guided by specific questions to analyse and
respond to the scenario
• The scenario or case study involves a number of
issues or problems that must be dealt with in the
workplace
What NOT to expect...
 Suggested approach
• Know the theory
• Read wider than only the text book and study
guide
• Watch the news and read magazines and
newspapers
• Read annual reports
 Suggested approach
• Holistic approach (big picture)
 Suggested approach
• Ask yourself the following questions when reading
the articles/watching news. If I were the
operational risk manager ...
– Is the problem properly defined?
– What happened?
– Why did it happen?
– Who are involved
– Where did it happen?
– When did it happen?
– Will the suggested solutions fix it?
How will you be assessed?
• Identify the events and causes for the operational
risk of XXX Ltd
• Identify the events and causes and classify the
risks of XXX Ltd

What is the difference between the two questions?

How would that change your answer?
• Assess the risks and indicate the top three
operational risks
• Argue the controls that you will recommend for
the top three operational risks
What would the impact be on your marks if you
discussed the controls for risks other than
operational risks in the question – especially if we
were testing the learning outcome regarding the
definition and description of operational risk?
 Tips for the exam
• Scan the case study
• Read the questions
• Analyse the questions
• Read the case study
– Follow the story line
– Tables and other information is given on purpose
– Look out for red herrings
We hope you enjoy your studies and good
luck with the exam!