Stage 1: Identification of hazards: This consists of establishing a conceptual model of the investigated site,
defining contamination hot spots, the types of chemical compounds present and their distribution within the ground,
transport mechanisms, routes of exposure and potential receptors.
Stage 2: Toxicological evaluation: The objective of the toxicological evaluation is to quantify the potential risk of
exposure from the toxic compounds detected.
Stage 3: Exposure assessment: The objective is to establish the daily doses of exposure of the potential receptors
to the chemical agents. This is based upon the concentration of each of the adverse chemical compounds identified
and the exposure routes contemplated for the analysis.
Stage 4: Risk characterization: This consists of combining the toxicological information on the chemical
compounds identified with the exposure doses to the potential receptors. The results are integrated into a
program to determine the quantitative risk associated with the site in question. As the resulting risk figure is an
estimate, it is important to indicate the level of uncertainty.
Hazard risk management is concerned with issues such as health and safety at work, fire prevention, damage to
property and the consequences of defective products. Hazard risks can cause disruption to normal operations, as
well as increased costs and the poor publicity associated with disruptive events.
Hazard risks are related to business dependencies, including IT and other supporting services. There is
increasing dependence on IT infrastructure in most organizations, and IT systems can be disrupted by
computer breakdown or fire in server rooms, as well as by virus infection and deliberate hacking or computer
attacks.
Theft and fraud can also be significant hazard risks for many organizations. This is especially true for
organizations handling cash or managing a significant number of financial transactions. Techniques relevant to
the avoidance of theft and fraud include adequate security procedures, segregation of financial duties, and
authorization and delegation procedures, as well as the vetting of staff prior to employment.
International Risk
1. Transaction – the exchange rate risk associated with the time delay between entering a contract and
settling it. Thus a company is subject to transaction risk whenever it imports goods from abroad or exports
goods abroad to be paid for at a later date, or borrows or invests in a foreign currency.
2. Translation – currency exchange rate risk that affects the valuation of the balance sheet assets and
liabilities between financial reporting dates.
3. Economic – the risk that a company’s value may decline as a result of currency movements causing a loss
in competitive strength.
4. Political – the risk of politically motivated interference by a foreign government that adversely affects a
company's cash flows.
Casualty (liability) insurance covers third-party liability for injuries sustained while on a policyholder's premises
or caused by the policyholder's use of a vehicle, for example. In general, for P&C insurance companies, property
damage claims from natural disasters and liability insurance claims are subject to fluctuating payouts and are
very challenging to predict.
Net Risk – the assessment of risk, taking into account the application of any controls, transfer or management
response to the risk under consideration.
Chapter 2
How does the Risk context impact on managing organisational risk?
Establishing context is a very important part of managing organisational risk, because it allows an organisation
to consider each risk in its own unique circumstances. Establishing context also helps an organisation to decide
on an action plan of how best to address the risks.
You may wish to have more than three rounds of questioning to reach a closer consensus.
Conclusion
Use the Delphi Technique for creating Work Breakdown Structures, identifying risks and opportunities,
compiling lessons learned and anytime you would usually conduct a brainstorming session.
Predicting the future is not an exact science, but the Delphi Technique can help you understand the likelihood of
future events and what impact they may have on your project.
These strategies include using financial reserves, staffing reallocations, and implementing workarounds to
minimize the loss, repair the damage to the extent possible and prevent a recurrence.
• recognition of risks;
• ranking of risks;
• responding to significant risks;
• resourcing controls;
• reaction (and event) planning;
• reporting of risk performance;
• reviewing the risk management system.
Risk management is the process of identifying the risks facing an organisation and assessing the scale of each
risk (in terms of likelihood and impact).
A risk response strategy is determined for each risk that takes into account the organisation's risk appetite, and a
system of controls is put in place for the reporting and management of risks. There needs to be a risk treatment or
response strategy whereby risks are managed by one of several alternative courses of action:
• stopping an activity,
• influencing either or both the likelihood or impact of the risk;
• sharing through techniques such as insurance; or
• the risk may be accepted.
In qualitative risk analysis, by contrast, the probability and impact of each potential project risk on the project's
objectives are evaluated against a pre-defined scale. It is a subjective approach, and its primary purpose is to
increase awareness of the most severe risks and to create risk responses that deal with and reduce the effect of
these risks on the overall project.
Where does determining a Risk context fit into the risk management
process?
Determining the risk context is the very first step in the risk management process. It must be done before an
organisation begins to identify the risks which it faces. If risks were identified before a context was established
then they might not be evaluated using the correct context, and therefore the action plan which is devised may
not be suitable.
Risk Monitoring
Any monitoring and review process should also examine:
✓ Whether the RAF is properly communicated within the firm and incorporated into day-to-day operating
decisions.
✓ Whether there is a clear connection between the RAF and the risk culture.
✓ Whether risk appetite is communicated in a manner that captures all relevant risks.
✓ The common view that risk appetite is mainly about setting limits.
✓ Any lack of connection between risk appetite and the strategic and business planning processes.
✓ The role of stress testing in the RAF.
✓ Aggregation of risks at the group level and then down to the individual business units.
Risk management
Chapter 4
What is a Business contingency plan?
A contingency plan is developed within the broader risk management plan and details a pre-researched course
of action for management and staff to follow in an emergency or when an organization experiences an
unexpected event that has the potential to affect the financial position, business image or market share of an
enterprise. A contingency plan is also known as Plan B, the disaster recovery plan, the worst-case scenario
plan or simply the backup plan.
1. The continuance of the day-to-day operations of the business with the minimum amount of interruption or
interference from the unexpected event.
2. The actionable steps taken in the contingency/backup plan will keep the business functional long enough for a
suitable restoration of the main plan to take place.
3. The contingency plan activated in the emergency will ensure that customers are still able to purchase
goods and services from the business in a systematic and timely way.
2. Risk literacy: Are there training programs (that are attended) regarding risk? Do staff know the language
used to describe risks and the consequences of risk-taking?
3. The flow of risk information: Does information about risk flow across the firm? Are there clear links
between the discussions of risk and the decisions made by firm managers?
4. Risk/reward decisions of managers: Are managers consistent when it comes to risks and rewards in the
context of the firm’s risk appetite?
5. Risk management stature: Do the CRO and other risk managers have stature in the firm? Who hires and
fires risk managers?
6. Whistleblowing and escalation: Do staff understand the firm's escalation process if they want to report
enterprise risks? Is there a method in place for whistleblowers to "blow the whistle"?
7. Priorities of the board: Can board members name the top 10 enterprise risks? Can members name
industry disasters associated with these risks?
8. Actions against offenders: Are employees who violate risk standards disciplined?
9. Identification of risk culture concerns/incidents: Can the firm identify risk incidents and the actions that
were taken in response to violations?
Quantitative approaches are generally more objective and offer better comparability of results. They include:
3. Indicator dashboards
• Combine a variety of indicators such as employee (e.g., number of sick days, number of resignations),
customer (e.g., number of complaints), and risk management (e.g., number of internal control breaches)
4. Validation
• Using benchmarks to compare changes or performance
Qualitative approaches are generally less objective and offer questionable comparability of results. They include:
1. A control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring activities.
Specific controls that should be in place in the organization to address operational risk include:
1. Clearly established lines of authority and approval processes for everything from new products to risk
limits.
2. Careful monitoring of risk thresholds and limits.
3. Safeguards to limit access to and protect bank assets and records.
4. An appropriately sized staff to manage risks.
5. An appropriately trained staff to manage risks.
6. A system to monitor returns and identify returns that are out of line with expectations (e.g., a product that
is generating high returns but is supposed to be low risk may indicate that the performance is a result of a
breach of internal controls).
7. Confirmation and reconciliation of bank transactions and accounts.
8. A vacation policy that requires officers and employees to be absent for a period not less than two
consecutive weeks.
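The segregation-of-duties, authorization and reconciliation controls listed above (and in the theft-and-fraud paragraph earlier on this page) can be checked mechanically against a transaction log. The following Python script is an added example, not code from the original text: the log format, the user names, the approval limits, the self-approval floor and the bank-statement total are all constructed for the illustration.

```python
"""Detect control breaches in a constructed payment-transaction log.

Checks implemented (each maps to a control listed above):
  * segregation of duties: the same person must not both initiate and
    approve a payment;
  * authorization: every payment above the self-approval floor needs an
    approver, and the approver must hold a limit covering the amount;
  * reconciliation: the sum of posted payments must match the bank
    statement total.
Log format, approval limits and figures are hypothetical sample data.
"""
from collections import namedtuple
from decimal import Decimal

Txn = namedtuple("Txn", "txn_id initiator approver amount")

# Hypothetical per-user approval authority in USD (an assumption for the
# example, not a figure from the text).
APPROVAL_LIMITS = {
    "alice": Decimal("50000"),
    "bob": Decimal("10000"),
    "carol": Decimal("250000"),
}

# Payments at or below this amount may be posted without a separate
# approver (assumed threshold).
SELF_APPROVAL_FLOOR = Decimal("1000")

# Constructed sample log, one record per line: txn_id|initiator|approver|amount
SAMPLE_LOG = """\
T001|bob|alice|4200.00
T002|alice|alice|18000.00
T003|bob|bob|9500.00
T004|carol||750.00
T005|bob||3000.00
T006|alice|bob|25000.00
"""

# Constructed bank-statement total for the same period (deliberately
# $1,000 short of the ledger so the reconciliation check has something to find).
SAMPLE_STATEMENT_TOTAL = Decimal("59450.00")


def parse_log(text):
    """Parse pipe-delimited log lines into Txn records; blank lines are skipped."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        txn_id, initiator, approver, amount = line.split("|")
        txns.append(Txn(txn_id, initiator, approver or None, Decimal(amount)))
    return txns


def find_violations(txns, limits, floor):
    """Return a list of (txn_id, control, detail) tuples, one per breach found."""
    violations = []
    for t in txns:
        if t.approver is None:
            if t.amount > floor:
                violations.append((t.txn_id, "authorization",
                                   "no approver above self-approval floor"))
            continue
        if t.approver == t.initiator:
            violations.append((t.txn_id, "segregation_of_duties",
                               "initiator approved own transaction"))
        limit = limits.get(t.approver)
        if limit is None:
            violations.append((t.txn_id, "authorization",
                               f"approver {t.approver} holds no approval limit"))
        elif t.amount > limit:
            violations.append((t.txn_id, "limit",
                               f"amount exceeds {t.approver}'s limit of {limit}"))
    return violations


def reconcile(txns, statement_total):
    """Return ledger total minus bank-statement total (zero means they agree)."""
    ledger_total = sum((t.amount for t in txns), Decimal("0"))
    return ledger_total - statement_total


if __name__ == "__main__":
    txns = parse_log(SAMPLE_LOG)
    for v in find_violations(txns, APPROVAL_LIMITS, SELF_APPROVAL_FLOOR):
        print("BREACH", *v)
    print("reconciliation difference:", reconcile(txns, SAMPLE_STATEMENT_TOTAL))
```

On the sample data the script flags T002 and T003 (initiator approved their own payment), T005 (payment above the floor with no approver) and T006 (approved by a user whose limit is below the amount), and reports a $1,000.00 gap between the ledger and the statement. A real deployment would read the institution's own ledger export and approval matrix in place of the constructed constants.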
Individuals should:
1. be aware of risks which fall into their area of responsibility, the possible impacts these may have on other
areas and the consequences other areas may have on them.
2. have performance indicators which allow them to monitor the key business and financial activities and
progress towards objectives, and to identify developments which require intervention (e.g. forecasts and
budgets).
3. have systems which communicate variances in budgets and forecasts at an appropriate frequency to allow
action to be taken.
4. report systematically and promptly to senior management any perceived new risks or failures of existing
control measures.
Risks cannot be considered outside the context that gave rise to the risks. It may appear that an organization is
being risk aggressive, when in fact, the board has decided that there is an opportunity that should not be missed.
However, the fact that the opportunity is high risk may not have been fully considered.
One of the major contributions from successful risk management is to ensure that strategic decisions that appear
to be high risk are actually taken with all of the information available. Improvement in the robustness of
decision-making processes is one of the key benefits of risk management.
Benefits
• Avoidance of losses
• Legal requirement (health & safety, information required for HMRC)
• Well being of employees – motivation, succession planning – important resource
• Preferred employer – better calibre staff – important resource
Costs
• Establishment of policies & procedures
• Administrative support
• Opportunity cost of not spending time on the delivery of organisational objectives
2. The operational risk framework (referred to as the “Framework” in this reading) must be developed and
fully integrated into the overall risk management processes of the bank.
3. The board should approve and periodically review the Framework. The board should also oversee senior
management to ensure that appropriate risk management decisions are implemented at all levels of the
firm.
4. The board must identify the types and levels of operational risks the bank is willing to assume as well as
approve risk appetite and risk tolerance statements.
5. Consistent with the bank’s risk appetite and risk tolerance, senior management must develop a well-
defined governance structure within the bank. The structure must be implemented and maintained
throughout the bank’s various lines of business, its processes, and its systems. The board of directors
should approve this governance structure.
6. Senior management must understand the risks, and the incentives related to those risks, inherent in the
bank’s business lines and processes. These operational risks must be identified and assessed by
managers.
7. New lines of business, products, processes, and systems should require an approval process that assesses
the potential operational risks. Senior management must make certain this approval process is in place.
8. A process for monitoring operational risks and material exposures to losses should be put in place by
senior management and supported by the board of directors and business line employees.
9. Banks must put strong internal controls, risk mitigation, and risk transfer strategies in place to manage
operational risks.
10. Banks must have plans in place to survive in the event of a major business disruption. Business
operations must be resilient.
11. Banks should make disclosures that are clear enough that outside stakeholders can assess the bank’s
approach to operational risk management.
• Provide a sound foundation for a strong risk management culture within the bank. A strong risk
management culture will generally mitigate the likelihood of damaging operational risk events.
• Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical
behavior. The board of directors should support senior managers in producing a code of conduct. Risk
management activities should reinforce the code of conduct. The code should be reflected in training and
compensation as well as risk management. There should be a balance between risks and rewards.
Compensation should be aligned not just with performance, but also with the bank’s risk appetite,
strategic direction, financial goals, and overall soundness.
• Provide risk training throughout all levels of the bank. Senior management should ensure training reflects
the responsibilities of the person being trained.
With respect to Principle 2, the board of directors and/or senior management should:
• Thoroughly understand both the nature and complexity of the risks inherent in the products, lines of
business, processes, and systems in the bank. Operational risks are inherent in all aspects of the bank.
• Ensure that the Framework is fully integrated in the bank’s overall risk management plan across all levels
of the firm (i.e., business lines, new business lines, products, processes, and/or systems). Risk assessment
should be a part of the business strategy of the bank.
With respect to Principle 3, the board of directors and/or senior management should:
• Establish a culture and processes that help bank managers and employees understand and manage
operational risks. The board must develop comprehensive and dynamic oversight and control
mechanisms that are integrated into risk management processes across the bank.
• Regularly review the Framework.
• Provide senior management with guidance regarding operational risk management and approve policies
developed by senior management aimed at managing operational risk.
• Ensure that the Framework is subject to independent review.
• Ensure that management is following best practices in the field with respect to operational risk
identification and management.
• Establish clear lines of management responsibility and establish strong internal controls.
With respect to Principle 4, the board of directors and/or senior management should:
• Consider all relevant risks when approving the bank’s risk appetite and tolerance statements. The board
must also consider the bank’s strategic direction. The board should approve risk limits and thresholds.
• Periodically review the risk appetite and tolerance statements. The review should specifically focus on:
a) Changes in the market and external environment.
b) Changes in business or activity volume.
c) Effectiveness of risk management strategies.
d) The quality of the control environment.
e) The nature of, frequency of, and volume of breaches to risk limits.
With respect to Principle 5, the board of directors and/or senior management should:
• Establish systems to report and track operational risks and maintain an effective mechanism for resolving
problems. Banks should demonstrate the effective use of the three lines of defense to manage operational
risk, as outlined by the Basel Committee.
• Translate the Framework approved by the board into specific policies and procedures used to manage
risk. Senior managers should clearly assign areas of responsibility and should ensure a proper
management oversight system to monitor risks inherent in the business unit.
• Ensure that operational risk managers communicate clearly with personnel responsible for market,
credit, liquidity, interest rate, and other risks and with those procuring outside services, such as insurance
or outsourcing.
• Ensure that CORF managers have sufficient stature in the bank, commensurate with market, credit,
liquidity, interest rate, and other risk managers.
• Ensure that the staff is well trained in operational risk management. Risk managers should have
independent authority relative to the operations they oversee.
With respect to Principle 6, the board of directors and/or senior management should:
• Consider both internal and external factors to identify and assess operational risk.
With respect to Principle 7, the board of directors and/or senior management should:
• Maintain a rigorous approval process for new products and processes. The bank should make sure that
risk management operations are in place from the inception of new activities because operational risks
typically increase when a bank engages in new activities, new product lines, enters unfamiliar markets,
implements new business processes, puts into operation new technology, and/or engages in activities
that are geographically distant from the main office.
• Thoroughly review new activities and product lines, reviewing inherent risks, potential changes in the
bank’s risk appetite or risk limits, necessary controls required to mitigate risks, residual risks, and the
procedures used to monitor and manage operational risks.
With respect to Principle 8, the board of directors and/or senior management should:
• Continuously improve the operational risk reporting. Reports should be manageable in scope but
comprehensive and accurate in nature.
• Ensure that operational risk reports are timely. Banks should have sufficient resources to produce reports
during both stressed and normal market conditions. Reports should be provided to the board and senior
management.
With respect to Principle 10, the board of directors and/or senior management should:
• Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology,
damaged facilities, pandemic illnesses that affect personnel, and so on). Plans should include impact
analysis and plans for recovery. Continuity plans should identify key facilities, people, and processes
necessary for the business to operate. The plan must also identify external dependencies such as utilities,
vendors, and other third-party providers.
• Periodically review continuity plans. Personnel must be trained to handle emergencies and, where
possible, the bank should perform disaster recovery and continuity tests.
With respect to Principle 11, the board of directors and/or senior management should:
• Write public disclosures such that stakeholders can assess the bank’s operational risk management
strategies.
• Write public disclosures that are consistent with risk management procedures.
• The disclosure policy should be established by the board of directors and senior management and
approved by the board of directors. The bank should also be able to verify disclosures.
Risk limits
Chapter 6
Comparison Between Counterparty Risk and Credit Risk
Meaning
  Counterparty risk: also originates from the inability or failure to make a payment; however, the amount of
  exposure is not predetermined.
  Credit risk: the possibility of loss on account of default due to the inability or unwillingness of a borrower to
  meet its liability. In this case, the amount of loss is predetermined.
Scope
  Counterparty risk: most relevant in derivatives markets and especially OTC trades.
  Credit risk: finds its relevance in loans and advances given by banks and financial institutions.
Subset
  Counterparty risk: a subset of credit risk.
  Credit risk: includes counterparty risk as well.
Exposure
  Counterparty risk: exposure varies based on the MTM (mark-to-market) position on the date of default.
  Credit risk: exposure is mostly predetermined and does not vary.
Advantages of CDS
1. Spur innovation: Conceptually, CDS buyers are protected from credit risk. This enables them to fund
riskier opportunities than they otherwise might comfortably support. This access to capital could spur
innovation and boost economic growth.
2. Cash-flow potential: CDS sellers create a stream of payments that could be a significant source of cash
flow. Theoretically, they can diversify the CDS contracts across industries and geographies such that
defaults in one area should be offset by fees from CDSs that have not been triggered through default.
3. Risk price discovery: The use of a CDS enables price discovery of a specific credit risk. Bonds also provide
credit risk price discovery, but this service is blurred because their prices also include other risks, such as
interest rate risk. A CDS is a pure play on pricing a given borrower’s credit risk.
Disadvantages of CDS
1. Historically weak regulation: CDS contracts were unregulated until after the financial crisis of 2007–2009.
Lack of regulation meant that counterparty risk existed because CDS buyers were not guaranteed that the
CDS seller could make good on the promise of credit risk mitigation.
2. False sense of security: The presence of a CDS contract creates a false sense of security for fixed income
buyers, who could support an issuer that is far riskier than they would support without the presence of
credit risk transfer. This can be both an advantage (access to capital) and a disadvantage (excessive risk-
taking behavior), depending upon one’s vantage point.
Advantages of CDO
1. Increased profit potential: Banks have the ability to source loans, repackage them into a structured
product, and then use the proceeds from selling the repackaged loans to source new loans. This cycle
enables banks to increase loan turnover and therefore increase profit potential.
2. Direct risk transfer: Through the securitization process, banks will effectively transfer credit risk to
investors.
3. Loan access: Since the bank is repackaging and selling the loans, individuals who otherwise might not be
able to access a loan may now have access.
Disadvantages of CDO
1. Encourages increased risk taking: Since banks have the ability to transfer credit risk, they may source
loans that are riskier than they otherwise would accept. This behaviour could result in unexpected risk
for investors.
2. Risk concentration potential: These structured products could unknowingly (on the part of investors)
concentrate exposure to high-risk borrowers, who may default and cause investors to experience
unexpected losses.
3. High complexity: Structured products are very complex. They may be difficult for an investor, a rating
agency, or a regulator to fully understand.
Computation of RAROC
Assume the following information for a commercial loan portfolio:
1. $1.5 billion principal amount
2. 7% pre-tax expected return on loan portfolio
3. Direct annual operating costs of $10 million
4. Loan portfolio is funded by $1.5 billion of retail deposits; interest rate = 5%
5. Expected loss on the portfolio is 0.5% of principal per annum
6. Unexpected loss of 8% of the principal amount, or $120 million of economic capital required
7. Risk-free rate on government securities is 1% (based on the economic capital required)
8. 25% effective tax rate
Answer:
First, calculate the following RAROC components:
Expected revenue = 0.07 × $1.5 billion = $105 million
Interest expense = 0.05 × $1.5 billion = $75 million
Expected loss = 0.005 × $1.5 billion = $7.5 million
Return on economic capital = 0.01 × $120 million = $1.2 million
Then, apply the RAROC equation (after-tax risk-adjusted return divided by economic capital):
RAROC = [(expected revenue − interest expense − operating costs − expected loss + return on economic capital)
× (1 − tax rate)] / economic capital
= [($105 − $75 − $10 − $7.5 + $1.2) million × (1 − 0.25)] / $120 million
= $10.275 million / $120 million
= 8.56%
Adjusted RAROC
RAROC should be adjusted to consider systematic risk and a consistent hurdle rate:
Adjusted RAROC = RAROC − βE (RM − RF)
where:
RF = risk-free rate = hurdle rate
RM = expected return on the market portfolio
βE = firm's equity beta
(RM − RF) = excess return over the risk-free rate, to account for the nondiversifiable risk
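The computation above and the adjustment formula, carried through in Python. This is an added example, not code from the original text: the RAROC inputs are the figures given above, while the equity beta (1.2) and expected market return (7%) used for the adjusted RAROC are assumed values, since the text gives none.

```python
"""RAROC and adjusted RAROC for a loan portfolio (added worked example).

Inputs to raroc() are the figures from the text; the beta and market
return passed to adjusted_raroc() are assumptions for illustration.
"""


def raroc(principal, expected_return, operating_costs, funding_rate,
          expected_loss_rate, economic_capital, risk_free_rate, tax_rate):
    """Return RAROC as a fraction (0.085625 means 8.56%).

    After-tax risk-adjusted return = (revenue - interest expense
    - operating costs - expected loss + return on economic capital)
    x (1 - tax rate); RAROC divides that by the economic capital.
    """
    revenue = expected_return * principal
    interest_expense = funding_rate * principal
    expected_loss = expected_loss_rate * principal
    # Economic capital is held in risk-free securities and earns RF.
    return_on_capital = risk_free_rate * economic_capital
    pre_tax = (revenue - interest_expense - operating_costs
               - expected_loss + return_on_capital)
    after_tax = pre_tax * (1 - tax_rate)
    return after_tax / economic_capital


def adjusted_raroc(raroc_value, equity_beta, market_return, risk_free_rate):
    """Adjusted RAROC = RAROC - beta_E * (R_M - R_F).

    The activity clears the hurdle when the adjusted figure exceeds the
    risk-free rate, which the text uses as the hurdle rate.
    """
    return raroc_value - equity_beta * (market_return - risk_free_rate)


def example_portfolio():
    """RAROC for the $1.5 billion commercial loan portfolio described above."""
    return raroc(
        principal=1_500_000_000,      # $1.5 billion principal
        expected_return=0.07,         # 7% pre-tax expected return
        operating_costs=10_000_000,   # $10 million direct operating costs
        funding_rate=0.05,            # 5% on $1.5 billion of retail deposits
        expected_loss_rate=0.005,     # expected loss 0.5% of principal
        economic_capital=120_000_000, # unexpected loss 8% = $120 million
        risk_free_rate=0.01,          # 1% on government securities
        tax_rate=0.25,                # 25% effective tax rate
    )


def clears_hurdle(adjusted, risk_free_rate):
    """True when the adjusted RAROC exceeds the hurdle (risk-free) rate."""
    return adjusted > risk_free_rate


if __name__ == "__main__":
    r = example_portfolio()
    print(f"RAROC: {r:.2%}")
    # Assumed beta of 1.2 and market return of 7% (not from the text).
    ar = adjusted_raroc(r, equity_beta=1.2, market_return=0.07, risk_free_rate=0.01)
    print(f"Adjusted RAROC: {ar:.2%}",
          "(accept)" if clears_hurdle(ar, 0.01) else "(reject)")
```

With the assumed beta and market return, the adjusted RAROC falls from 8.56% to about 1.36%, still above the 1% hurdle, which shows how much of the apparent return is compensation for systematic risk rather than for the portfolio's own credit risk.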
Banks and their regulators may have different views about how much capital is sufficient in light of the risks a
bank faces. Regulatory capital refers to the minimum amount required and is determined by bank regulators.
Economic capital refers to the amount of capital that a bank believes is adequate based on its own risk models.
Both regulatory and economic capital refer to funds that are set aside to be used to cover unexpected losses. The
amount of required capital will correspond to the amount of potential losses.
Identify the major risks faced by a bank and explain ways in which these
risks can arise
The main risks faced by a bank include credit risk, market risk, and operational risk.
1. Credit Risk: Credit risk refers to the risk that borrowers do not repay their loans or that counterparties
to contracts such as derivatives may default on their obligations when the contract has negative value to
the counterparty (and positive value to the bank). The bank’s trading of derivatives also introduces
market risk since the derivatives contract is dependent on the price of the underlying asset. Regarding
loans, the interest rate charged by banks on loans takes into account the expected losses; for example,
assuming a 2% differential in average interest rate charged and cost of funds, expected losses of 0.6%
would leave 1.4% remaining for operating costs and profit.
2. Market risk: Market risk refers to the risk of losses from a bank’s trading activities, such as declines in
the value of securities the bank owns. Specific examples of market risk factors include changes in interest
rates, exchange rates, and stock prices. Banks allow their larger investors to trade in a variety of financial
contracts where the bank acts as a market maker. In those instances, the bank has controlled (but not
zero) exposures to market risk factors.
3. Operational risk: Operational risk refers to the possibility of losses arising from external events (e.g.,
cyber attacks or physical asset damage) or failures of a bank’s internal controls (e.g., employee
defalcation, business interruption, IT failures, and human error). Operationally, banks are most exposed
to legal, compliance, and cyber risks.
Chapter 7
Audit Committees Assessment of Internal Control
Risk Assessment
• Does the company have clear objectives with measurable targets and indicators that have been
communicated so as to provide effective direction to employees on risk assessment and control issues?
• Are the significant internal and external operational, financial, compliance and other risks identified and
assessed on an ongoing basis?
• Is there a clear understanding by management and others within the company of what risks are
acceptable to the board?
• Does the Board have clear strategies for dealing with the significant risks that have been identified? Is
there a policy on how to manage these risks?
• Does the company’s culture, code of conduct, human resources policy and performance reward systems
support the business objectives and risk management and internal control systems?
• Does senior management demonstrate, through actions and policies, the necessary commitment to
competence, integrity and fostering a climate of trust within the company?
• Are authority, responsibility and accountability defined clearly such that decisions are made and actions
taken by the appropriate people? Are the decisions and actions of different parts of the company
appropriately co-ordinated?
• Does the company communicate to employees what is expected of them and the scope of their freedom to
act?
• Do people in the company (and its outsourced service providers) have the knowledge, skills and tools to
support the achievement of the company's objectives and to manage effectively the risks to their
achievement?
• How are processes/controls adjusted to reflect new or changing risks, or operational deficiencies?
Step 1: Identify the risks of the firm. For many banks, risks are classified as falling into one of three categories:
market, credit, or operational. Other financial institutions broaden the list to include asset, liability, liquidity, and
strategic risks. Identification of risks should be performed both top-down (by senior management) and bottom-
up (by individual managers of business units or other functional areas).
Step 2: Develop a consistent method to evaluate the firm’s exposure to the risks identified above. If the
methodology is not consistent, the ERM system will fail because capital will be misallocated across business
units. Implementation of an ERM system is challenging, and it is important that the entire organization supports
the system. Thus, it is critical for all levels of the organization to understand how the system is designed and how
it can create value. Monitoring the ERM system may be neglected due to its time-consuming nature. However, the
inability to identify relevant risks on a regular basis could lead to corporate failures.
The micro benefit of ERM requires decentralizing risk management to ensure that each project's total risk is
adequately assessed by project planners during the initial evaluation of the project.
The two main components of decentralizing the risk-return trade-off are consideration of the marginal impact of
each project on the firm's total risk and a performance evaluation system that considers unit contributions to
total risk.
Conceptual Framework of ERM
The conceptual framework of ERM is a four-step process:
1. Volume: The scale of information which can now be created and stored is staggering. Advancing
technology has allowed embedded sensors to be placed in every day items such as cars, video games and
refrigerators. Mobile devices have led to an increasingly networked world where peoples’ consumer
preferences, spending habits, and even their movements can be recorded. Advances in data storage
technology as well as a fall in price of this storage has allowed for the captured data to be stored for
further analysis.
2. Velocity: Timeliness is a key factor in the usefulness of financial information to decision makers, and it is
no different for the users of Big Data. One source of high-velocity data is Twitter, users of which are
estimated to generate nearly 100,000 tweets every 60 seconds.
3. Variety: Big Data consists of both structured and unstructured data. While the sources of data have
grown, the software tools for interpreting the data have not kept pace with this change. Structured data
consists of traditional data sets, such as financial transactions, while unstructured refers to the majority of
information created by social media sites. The challenge is bringing together both structured and
unstructured information to reveal new insights.
4. Veracity: Another challenge for users of Big Data is keeping the information 'clean' and free from so-called
noise, or bias. Due in part to the other three factors, it is not always possible to fully 'cleanse' the data. While
even unstructured data such as tweets can give an accurate view of how an event or product is perceived, it
may not be useful in predicting sales of a product. The age profile and location of the average Twitter user
may act as a bias, distorting the data collected.
• Mobile and contactless payment systems are attractive to criminals. One such system, Apple Pay, is likely
to be actively targeted.
• Cloud data breaches will remain a concern. To mitigate the risks the following are being developed:
• Big data - risks include 'salami slicing' techniques bringing together seemingly disparate data to form a
pattern for use in identity fraud.
• The Internet of Things (IoT) could provide detailed data of those living in a smart home, especially if
poorly conceived hardware and software provides a gateway for hackers.
2. Data Quality — It is rare for an organization to have a well-defined, coherent structure to their data. More
often, it rests in systems that don't communicate with each other. How this data is brought together is
critical. Auditors need to consider completeness, accuracy, and reliability.
3. Human Factor — AI relies on complex algorithms produced by humans. How do natural human biases
factor into AI design? How can AI effectively be tested to ensure the results reflect the original objective?
How are privacy and security ensured? Is adequate transparency possible given the complexity?
4. Measuring Performance — AI is developed to achieve certain objectives. Given the potential complexity,
how does an organization know the objectives are being achieved in the best way possible? How are
performance metrics established and how does one effectively compare results to alternatives?
5. Reemphasize Cybersecurity — Imagine a situation where your AI has been hacked and is now doing the
bidding of some outside malevolent force. Consider the four R's of cyber resilience: resist, react, recover,
reevaluate.
6. Filling the Understanding Gap — To start with, the potential impact associated with AI-related risks will
be huge and on the top of the list for boards to consider. How can internal audit help to make sure boards
and audit committees are prepared to discuss these risks and make good decisions based on the right
information? On top of that, how do you begin to improve your audit function's skills, recognizing that
new skills may be required?
7. Ethical Issues With AI — Most importantly, AI causes us to refocus on ethics. I already mentioned the
Human Factor above, which is important enough to treat separately. With data privacy and the ethical use
of personal data already a big concern, AI will only complicate things further. Beyond that, check out the
top nine ethical issues in AI from the World Economic Forum.
Categories of disruption
1. Data processing: Usage of not only structured but also unstructured data in massive amounts;
combinations of datasets and updating patterns.
2. Improving efficiency: Reducing cost by automating day-to-day assistance and guidance in the risk
management processes.
3. Real-time and predictive: Awareness of new exposures, increasing preventative risk advices, faster
response time in critical situations.
4. Business decisions: Better decision-making through greater (predictive) insights and visibility of risk
(also for top management).
1. Algorithmic bias: Machine-learning algorithms identify patterns in data and codify them in predictions,
rules and decisions. If those patterns reflect some existing bias, the algorithms are likely to amplify that
bias and may produce outcomes that reinforce existing patterns of discrimination.
2. Overestimating the capabilities of AI: Since AI systems do not understand the tasks they perform, and rely
on their training data, they are far from infallible.
3. Programmatic errors: Where errors exist, algorithms may not perform as expected and may deliver
misleading results that have serious consequences.
4. Risk of cyber attacks: Hackers who want to steal personal data or confidential information about a
company are increasingly likely to target AI systems.
5. Legal risks and liabilities: At present, there is little legislation governing AI, but that is set to change.
Systems that analyze large volumes of consumer data may not comply with existing and imminent data
privacy regulations, especially the EU’s General Data Protection Regulation.
6. Reputational risks: AI systems handle large amounts of sensitive data and make critical decisions about
individuals in a range of areas including credit, education, employment and health care. So any system
that is biased, error-prone, hacked or used for unethical purposes poses significant reputational risks to
the organization that owns it.
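The algorithmic-bias item above says a model trained on biased data will amplify the bias; the following is an added example (not from the original notes) of how an audit team can measure that on a model's output. It computes the disparate-impact ratio (protected-group approval rate over privileged-group approval rate, flagged when below the four-fifths rule's 0.8) and the equal-opportunity gap (the difference between groups in the share of actually creditworthy applicants who were approved). The two groups, the outcomes and the 0.8 threshold are constructed assumptions for illustration.

```python
"""Algorithmic-bias check on a constructed set of credit-scoring decisions.

Added example, not part of the original notes. The groups, outcomes and
the four-fifths threshold are assumptions made for illustration.
"""

# Constructed evaluation records: (group, approved_by_model, repaid_in_full).
RECORDS = (
    [("A", True, True)] * 40 + [("A", True, False)] * 10
    + [("A", False, True)] * 5 + [("A", False, False)] * 45
    + [("B", True, True)] * 20 + [("B", True, False)] * 5
    + [("B", False, True)] * 25 + [("B", False, False)] * 50
)


def approval_rate(records, group):
    """Share of applicants in `group` the model approved (demographic-parity input)."""
    rows = [r for r in records if r[0] == group]
    if not rows:
        return float("nan")
    return sum(1 for _, approved, _ in rows if approved) / len(rows)


def true_positive_rate(records, group):
    """Share of applicants in `group` who repaid and were approved (equal-opportunity input)."""
    good = [r for r in records if r[0] == group and r[2]]
    if not good:
        return float("nan")
    return sum(1 for _, approved, _ in good if approved) / len(good)


def bias_report(records, privileged, protected, four_fifths=0.8):
    """Return both fairness metrics plus a flag for the four-fifths rule."""
    di = approval_rate(records, protected) / approval_rate(records, privileged)
    gap = true_positive_rate(records, privileged) - true_positive_rate(records, protected)
    return {
        "disparate_impact": di,          # < four_fifths indicates adverse impact
        "fails_four_fifths": di < four_fifths,
        "equal_opportunity_gap": gap,    # > 0 means creditworthy protected applicants are under-approved
    }


if __name__ == "__main__":
    print(bias_report(RECORDS, privileged="A", protected="B"))
```

On the constructed set the model approves half of group A but only a quarter of group B, giving a disparate-impact ratio of 0.5, and among applicants who in fact repaid it approves 40 of 45 in group A against 20 of 45 in group B; both numbers would justify the "biased or error-prone" reputational concern in the list above. Running the same two functions on each model release is a cheap regression check for the human-factor and measuring-performance questions raised earlier.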
1. Does the board understand the potential impact of AI on the organization’s business model, culture,
strategy and sector?
2. How is the board challenging management to respond strategically to both the opportunities presented
by AI and the risks associated with it?
3. How is the organization using AI technology and new data sets for governance and risk management?
How are the dashboards of the board and the audit committee changing?
4. Does the organization have a talent strategy for recruiting and retaining people with the necessary
skillsets to manage and staff AI-related projects?
5. Has the board asked management to assess how the adoption of AI impacts the integrity of its finance
function or its financial statements?
2. Reduction in loan management time: Financial organizations and banks take up to three weeks to
physically verify each application. Scoring software powered with AI cut the time to minutes. For instance,
modern solutions like GiniMachine verify 1,000 applications in ten seconds.
3. Fewer errors: Traditional methods do not guarantee a low percentage of scoring errors, whereas AI can
process a huge amount of information and detect patterns with far fewer errors.
4. Decline in credit losses: Predicting delinquencies before they actually occur is one of the main goals of
risk management software. As mentioned above, traditional solutions can only predict a few months
ahead, whereas AI credit-scoring software extends the prediction horizon to a year in advance.
5. Accuracy in predictions: Traditional risk management software functions under clearly defined
parameters. Using AI and ML, a user gets a solution that can analyze more data sources and learn during
the process. Eventually, the AI software produces more accurate predictions and fewer scoring mistakes.
6. Stronger fraud detection: Modern software is equipped with mechanisms that strengthen fraud
detection. This protects banking operations and gives reliable borrowers a more trustworthy picture of
the bank.
The following risks could arise when a financial institution outsources its operational functions to third-party
service providers:
1. Compliance risk refers to a service provider not operating in compliance with the relevant local laws and
regulations.
2. Concentration risk refers to having very few service providers to choose from or that the service
providers are clustered in only a few geographic areas.
3. Reputational risk refers to a service provider executing its tasks in a substandard manner, resulting in a
negative public perception of the financial institution.
4. Country risk refers to using a service provider based in a foreign country and subjecting the financial
institution to potential economic and political risks in that country.
5. Operational risk refers to potential losses sustained by a financial institution as a result of internal control
breaches and human error caused by a service provider.
6. Legal risk refers to subjecting the financial institution to lawsuits and other costs due to potentially
negligent activities of a service provider.
The most common data issues that increase risk for an organization are as follows:
• Data-entry errors.
• Missing data.
• Duplicate records.
• Inconsistent data.
• Nonstandard formats.
• Complex data transformations.
• Failed identity management processes.
• Undocumented, incorrect, or misleading metadata (description of content and context of data files).
• Fraudulent payroll overpayments to fictitious employees or those who are no longer employed by the
firm.
• Underbilling for services rendered.
• Underestimating insurance risk due to missing and inaccurate values (e.g., insured value).
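The list above names the data issues that raise risk; the following is an added example (not from the original notes) of a reconciliation an auditor or data-quality control could run to surface most of them at once: duplicate records, missing values, nonstandard formats, inconsistent identifiers, and the identity-management failures that produce payments to fictitious employees or to people who have already left. It checks a constructed payroll run against a constructed HR roster; the roster, payroll rows, column names and format regexes are assumptions made for illustration.

```python
"""Data-quality and identity checks over a constructed payroll extract.

Added example, not part of the original notes. The HR roster, payroll rows,
column names and the two format regexes are assumptions for illustration.
"""
import re
from collections import Counter
from datetime import date

# Constructed HR roster: employee id -> (name on file, termination date or None).
HR_ROSTER = {
    "E001": ("Ana Ruiz", None),
    "E002": ("Ben Ortiz", date(2024, 1, 31)),  # left before the pay run
    "E003": ("Cara Lee", None),
}

# Constructed February 2024 payroll run, one dict per payment instruction.
PAYROLL = [
    {"emp_id": "E001", "name": "Ana Ruiz", "amount": "5200.00", "iban": "DE89370400440532013000"},
    {"emp_id": "E001", "name": "Ana Ruiz", "amount": "5200.00", "iban": "DE89370400440532013000"},  # duplicate
    {"emp_id": "E002", "name": "Ben Ortiz", "amount": "4800.00", "iban": "DE89370400440532013001"},  # leaver
    {"emp_id": "E999", "name": "Ghost Person", "amount": "6100.00", "iban": "DE89370400440532013002"},  # not in HR
    {"emp_id": "E003", "name": "Cara Lee", "amount": "", "iban": "DE89 3704 0044 0532 0130 03"},  # blank, spaced IBAN
    {"emp_id": "e003", "name": "C. Lee", "amount": "4,950.00", "iban": "DE89370400440532013003"},  # format drift
]
PAY_DATE = date(2024, 2, 28)

AMOUNT_RE = re.compile(r"^\d+\.\d{2}$")                   # house format: 1234.56, no thousands separator
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")   # compact IBAN, no spaces (shape check only)


def audit_payroll(payroll, roster, pay_date):
    """Return a list of (row_index, finding) pairs; an empty list means the run is clean."""
    findings = []
    seen = Counter()
    for i, row in enumerate(payroll):
        emp_id = row["emp_id"]
        # Duplicate records: same payee, amount and account appearing twice in one run.
        key = (emp_id.upper(), row["amount"], row["iban"].replace(" ", ""))
        seen[key] += 1
        if seen[key] > 1:
            findings.append((i, "duplicate_record"))
        # Missing data and nonstandard formats.
        if row["amount"] == "":
            findings.append((i, "missing_amount"))
        elif not AMOUNT_RE.match(row["amount"]):
            findings.append((i, "nonstandard_amount"))
        if not IBAN_RE.match(row["iban"]):
            findings.append((i, "nonstandard_iban"))
        # Inconsistent data: identifiers that only match after normalisation.
        if emp_id != emp_id.upper():
            findings.append((i, "inconsistent_emp_id"))
        # Failed identity management: payee unknown to HR, or still paid after leaving.
        on_file = roster.get(emp_id.upper())
        if on_file is None:
            findings.append((i, "payee_not_in_hr"))
            continue
        name, terminated = on_file
        if terminated is not None and terminated < pay_date:
            findings.append((i, "paid_after_termination"))
        if row["name"] != name:
            findings.append((i, "name_mismatch"))
    return findings


def findings_by_type(findings):
    """Summarise audit output as {finding: count} for a dashboard or KRI feed."""
    return dict(Counter(f for _, f in findings))


if __name__ == "__main__":
    for row, finding in audit_payroll(PAYROLL, HR_ROSTER, PAY_DATE):
        print(f"row {row}: {finding}")
```

The two identity findings (`payee_not_in_hr`, `paid_after_termination`) are the ones that map directly to the fraudulent-overpayment bullet; the joiner-mover-leaver feed from HR is the control, and this reconciliation is the test of it. The format checks are deliberately strict, because a row that only matches after normalisation is exactly the "inconsistent data" the list warns about.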
RCSA
A risk control self-assessment (RCSA) requires the documentation of risks and provides a rating system and
control identification process that is used as a foundation in the OpRisk framework. Once the RCSA is created, it
is commonly performed every 12–18 months to assess the business unit’s operational risks.
Steps in designing RCSA
The following four steps are commonly used in designing an RCSA program:
1. Identify and assess risks associated with each business unit’s activities. The manager first identifies key
functions in the firm and performs risk scenarios to assess potential losses, the exposure or potential loss
amount, and the correlation risk to other important aspects of the firm such as financial, reputation, or
performance.
2. Controls are then added to the RCSA program to mitigate risks identified for the firm. The manager also
assesses any residual risk which often remains even after controls are in place.
3. Risk metrics, such as key risk indicators or internal loss events, are used to measure the success of OpRisk
initiatives and are linked to the RCSA program for review. These risk metrics would also include all
available external data and risk benchmarks for operational risks.
4. Control tests are performed to assess how effective the controls in place mitigate potential operational
risks.
Outsourcing policies
Outsourcing policies should include:
1. Processes and procedures for determining which activities can be outsourced and how the activities will
be outsourced.
2. Processes for selecting service providers (e.g., due diligence).
3. Structuring the outsourcing agreement to describe termination rights, ownership of data, and
confidentiality requirements.
4. Monitoring of the risks of the arrangement, including the financial health of the service provider.
5. Implementation of a risk control environment and assessment of the control environment at the service
provider.
6. Contingency plans.
7. Clearly defined responsibilities of the bank and the service provider.
Operational Risk
Operational risk is inherent in banking activities.
The three common “lines of defense” employed by firms to control operational risks are:
1. Business line management. Business line management is the first line of defense. Banks now, more than ever,
have multiple lines of business, all with varying degrees of operational risk. Risks must be identified and
managed within the various products, activities, and processes of the bank.
2. An independent operational risk management function. This is the second line of defense and is discussed in
the next section.
3. Independent reviews of operational risks and risk management. The review may be conducted internally with
personnel independent of the process under review or externally.
Tools that may be used to identify and assess operational risk include:
1. Business process mappings, which do exactly that, map the bank’s business processes. Maps can reveal
risks, interdependencies among risks, and weaknesses in risk management systems.
2. Risk and performance indicators are measures that help managers understand the bank’s risk exposure.
There are Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). KRIs are measures of
drivers of risk and exposures to risk. KPIs provide insight into operational processes and weaknesses.
Escalation triggers are often paired with KRIs and KPIs to warn when risk is approaching or exceeding risk
thresholds.
3. Scenario analysis is a subjective process where business line managers and risk managers identify
potential risk events and then assess potential outcomes of those risks.
4. Measurement involves the use of outputs of risk assessment tools as inputs for operational risk exposure
models. The bank can then use the models to allocate economic capital to various business units based on
return and risk.
5. Audit findings identify weaknesses but may also provide insights into inherent operational risks.
6. Analysis of internal operational loss data. Analysis can provide insight into the causes of large losses. Data
may also reveal if problems are isolated or systemic.
7. Analysis of external operational loss data including gross loss amounts, dates, amount of recoveries and
losses at other firms.
8. Risk assessments, or risk self-assessments (RSAs), address potential threats. Assessments consider the
bank's processes and possible defenses relative to the firm's threats and vulnerabilities. Risk Control Self-
Assessments (RCSA) evaluate risks before risk controls are considered (i.e., inherent risks). Scorecards
translate RCSA output into metrics that help the bank better understand the control environment.
9. Comparative analysis combines all described risk analysis tools into a comprehensive picture of the
bank's operational risk profile. For example, the bank might combine audit findings with internal
operational loss data to better understand the weaknesses of the operational risk framework.
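Item 2 in the list above describes KRIs paired with escalation triggers that warn when risk is approaching or exceeding a threshold. The following is an added example (not from the original notes) of that mechanism in working form: each indicator carries an amber ("approaching") and a red ("exceeded") trigger, the period's values are derived from an operational event feed, and the result is the status a risk dashboard would display. The three indicators, their thresholds and the event format are constructed assumptions; a bank would use its own KRI library and loss-event data.

```python
"""Key risk indicators with escalation triggers over a constructed event feed.

Added example, not part of the original notes. The indicators, thresholds
and the (event_type, detail) feed format are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float                 # escalation trigger: approaching the risk threshold
    red: float                   # escalation trigger: risk threshold exceeded
    higher_is_worse: bool = True  # False for indicators such as pass rates


KRIS = [
    KRI("payment_failure_rate_pct", amber=2.0, red=5.0),
    KRI("incidents_over_sla", amber=1, red=3),
    KRI("control_test_pass_rate_pct", amber=95.0, red=90.0, higher_is_worse=False),
]

# Constructed one-month event feed: (event_type, detail) pairs.
EVENTS = (
    [("payment", "ok")] * 48
    + [("payment", "failed")] * 2
    + [("incident", "within_sla")] * 4
    + [("incident", "over_sla")] * 3
    + [("control_test", "pass")] * 19
    + [("control_test", "fail")] * 1
)


def compute_kri_values(events):
    """Derive the raw KRI values for one period from the event feed."""
    payments = [d for t, d in events if t == "payment"]
    incidents = [d for t, d in events if t == "incident"]
    tests = [d for t, d in events if t == "control_test"]
    return {
        "payment_failure_rate_pct": 100.0 * payments.count("failed") / len(payments) if payments else 0.0,
        "incidents_over_sla": incidents.count("over_sla"),
        "control_test_pass_rate_pct": 100.0 * tests.count("pass") / len(tests) if tests else 100.0,
    }


def trigger_status(kri, value):
    """GREEN below the amber trigger, AMBER when approaching, RED when the threshold is exceeded."""
    if kri.higher_is_worse:
        if value >= kri.red:
            return "RED"
        return "AMBER" if value >= kri.amber else "GREEN"
    if value <= kri.red:
        return "RED"
    return "AMBER" if value <= kri.amber else "GREEN"


def escalations(events, kris=KRIS):
    """Return {kri_name: (value, status)} for the period; AMBER and RED entries are escalated."""
    values = compute_kri_values(events)
    return {k.name: (values[k.name], trigger_status(k, values[k.name])) for k in kris}


if __name__ == "__main__":
    for name, (value, status) in escalations(EVENTS).items():
        print(f"{status:5} {name} = {value}")
```

On the constructed feed the payment failure rate (4%) and the control-test pass rate (95%) sit in the amber band and the over-SLA incident count (3) breaches its red threshold, so only the last one is an outright threshold breach while the other two are the early warnings the text describes. Keeping the direction of each indicator explicit (`higher_is_worse`) avoids the common dashboard bug of treating a falling pass rate as an improvement.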
2. Poor return (market risk) on investments. Insurance companies often invest in fixed-income securities
and if defaults suddenly increase, insurance companies will incur losses. Diversification of investments by
industry sector and geography can help mitigate such losses.
3. Credit risk. By transacting with banks and reinsurance companies, insurance companies face credit risk if
the counterparty defaults on its obligations.
4. Operational risk. Similar to banks, an insurance company faces losses due to failure of its systems and
procedures or from external events outside the company’s control (e.g., computer failure and human
error).
Misc
Types of RM documentation:
• Risk administration
• Risk response
• Event reports
• Risk performance