Book 4. Liquidity and Treasury Risk

FRM Part 2

LTR 13. Managing Non-Deposit Liabilities

Presented by: Sudhanshu

Module 1. Non-Deposit Liabilities and Available Funds Gap

Module 2. Choice and Cost of Non-Deposit Sources of Funds

Module 1. Operational Risk Categories

Topic 1. Operational Risk Management (ORM) Framework

Topic 2. Event-Driven Risk Categories (Basel II)

Topic 3. Types of Risks Within ORM Framework

Topic 1. Operational Risk Management (ORM) Framework

• Definition (Basel Committee): Operational risk is “the risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events.”
• ORM Framework – Four-Step Cycle:
  1. Risk Identification: Identifying all risks negatively impacting firm's business goals. Techniques: group brainstorming and interviewing staff.
  2. Risk Assessment: Assessing probability and severity of identified risks. Tools:

     • Scenario analysis

     • Stress testing

  3. Risk Mitigation: Reducing high-probability/severity risks. Methods:

     • Internal controls

     • Insurance

     • Exposure minimization​

  4. ​​Risk Monitoring: Tracking and verifying ORM performance. Tools:
     • ​Key Risk Indicators (KRIs)
     • Incident reporting
• ​The cycle is iterative—restarts with remedial actions after monitoring.

Practice Questions: Q1

Q1. During which step of the risk management process would scenario analysis most likely be used?
A. Risk mitigation.
B. Risk monitoring.
C. Risk assessment.
D. Risk identification.

Practice Questions: Q1 Answer

Explanation: C is correct.

Risk assessment involves determining the probability and severity of the risks
identified as a means of prioritization. It must also be considered that both
probability and severity will likely change over time and depend on the situation.
Tools such as stress testing and scenario analysis would be used in this step.

Topic 2. Event-Driven Risk Categories (Basel II)

Seven Basel II Level 1 Categories:

Risk classification must be consistent to maintain ORM effectiveness.

Topic 3.  Types of Risks Within ORM Framework

Expanded Risk Types:

• Legal Risk: Loss due to unenforceable contracts. Linked to EPWS & EDPM.
• Compliance Risk: Violations of internal/external rules. Seen in CPBP.
• Reputational Risk: Indirect loss from operational events affecting public image.
• Strategic Risk: Loss from bad strategic choices or poor implementation.

 Strategic & reputational risks are increasingly embedded within ORM frameworks.

Practice Questions: Q2

Q2. Which of the following Basel II event risk categories most likely results in the greatest loss severity
for a financial institution?
A. External fraud (EF).
B. Client, products, and business pracces (CPBP).
C. Employment practices and workplace safety (EPWS).
D. Execution, delivery, and process management (EDPM).

Practice Questions: Q2 Answer

Explanation: B is correct.

Based on bank operational loss data for 2014–2019, CPBP accounted for 52% of loss severity (very high loss severity), which was by far the greatest of the seven types. It was followed by EDPM, which accounted for 27% of loss severity (high loss severity).

Module 2. Operational Risk Characteristics

Topic 1.  Characteristics of Operational Risks

Topic 2. Types of Risks Within the ORM Framework

Topic 3. Operational Resilience – Framework Overview

Topic 4. Operational Resilience – Regulatory Expectations

Topic 5. Global Regulatory Extensions

Topic 1.  Characteristics of Operational Risks

1. Heterogeneous:

• Risks vary widely—minor typos vs. major asset loss.

• Distribution of losses is non-uniform.

Requires careful categorization.

2. Idiosyncratic:

• Decentralized: each employee influences risk level.

• Cannot be fully hedged; residual risk remains.

3. Heavy-Tailed:

• Frequent small losses, few massive losses (e.g., rogue trading).

• Left-skewed distribution with high kurtosis.

Makes modeling and measurement difficult.

4. Interconnected:

• Risks are linked via shared causes (human error, macroeconomic factors).

• Boundary events cross over into other risk types (e.g., trading error → market loss).

5. Dynamic:

• Evolving with tech, regulation, and market changes.

• Example: rise in cyber risk with WFH & digital banking.

 These features increase modeling complexity and need for adaptive risk strategies.

Topic 2.  Types of Risks Within the ORM Framework

1. Legal risk:

• Refers to the potential losses suffered by a firm due to the enforcement or
  nonfulfillment of contracts. Most of the legal risks originate from EPWS events (Type 3) and EDPM events (Type 7). Compliance risk CPBP events (Type 4)

2. Reputational risk:

• Can be viewed as a more indirect and subjective type of risk; it is the reputational loss to a irm that arises from a signiicant operational event

3. Strategic risk:

• It could refer to losses occurring because of incorrect or poor strategic decisions.

• It could refer to losses occurring because of inadequate implementation of a good strategy.

Practice Questions: Q1

Q1. Which of the following characteristics of operational risk best identifies the concept that operational risk cannot be fully eliminated through traditional methods, such as hedging?
A. Dynamic.
B. Idiosyncratic.
C. Heterogeneous.
D. Interconnected.

Practice Questions: Q1 Answer

Explanation: B is correct.

Idiosyncratic risk refers to the idea that operational risk cannot be fully eliminated through traditional methods such as avoidance, hedging, or insurance and that there will always be some residual risk.

Topic 3. Operational Resilience – Framework Overview

Definition:
The ability of firms to anticipate, withstand, recover, and adapt to disruptions.

Key Components:

• Business Continuity: Minimize operational disruptions.

• Key Services: Identify and protect critical services.

• Impact Tolerance: Acceptable recovery timelines.

• Disruption Processes: Response planning, stakeholder confidence.

• Feedback Loops: Post-incident learning and enhancement.

Focus is not just on prevention but adaptive response.

Topic 4. Operational Resilience – Regulatory Expectations

U.K. Approach:

• FCA, PRA, BoE regulations since 2018.

• Emphasis: IT continuity, especially post-COVID.

U.S. Approach:

• Federal Reserve (2020): ORM → Operational Resilience.

Basel Committee on Banking Supervision (BCBS) 2021:

1. Governance
2. Operational risk management
3. Business continuity planning and testing
4. Mapping interconnections and interdependencies
5. Third-party dependency management
6. Incident management
7. Information and communications technology (ICT), including cybersecurity

Principles integrate with ORM and respond to systemic and cyber disruptions.

Practice Questions: Q2

Q2. To date, which of the following entities is least likely to be considered a key regulator to have issued official guidance for operational resilience?
A. Bank of England.
B. U.S. Federal Reserve.
C. European Central Bank.
D. Basel Commitiee on Banking Supervision.

Practice Questions: Q2 Answer

Explanation: C is correct.

To date, the United Kingdom (Bank of England, or BoE), the United States (Federal Reserve), and the BCBS are the three key regulators to have provided official guidance regarding operational resilience.

Topic 5. Global Regulatory Extensions

• ECB (2020): Digital Operational Resilience Act (DORA)
  → EU-wide digital risk framework.

• Singapore (MAS, 2021):
  → WFH operational risk guidance post-pandemic.
  → Emphasis: employee awareness, IT controls, fraud prevention.

Global regulators are aligning ORM with digital transformation and cyber risk realities.

Practice Questions: Q3

Q3. Which of the following pairs of resilience principles directly address the issue of providing critical services with minimal or no disrupion?
A. Third-party dependency management; incident management.
B. Mapping interconnections and interdependencies; incident management.
C. Business continuity planning and testing; third-party dependency management.
D. Business continuity planning and testing; mapping interconnections and interdependencies.

Practice Questions: Q3 Answer

Explanation: B is correct.

Both Principle 4 (mapping interconnections and interdependencies) and Principle 6 (incident management) of the BCBS principles on operational resilience are directly concerned with the delivery of critical operations with minimal or no disruption.