Book 3. Operational Risk

FRM Part 2

OR 5. Risk Mitigation

Presented by: Sudhanshu

Module 1. Risk Mitigation with Internal Controls and Process Design

Module 2. Operational Risk Mitigation Measures and Management

Module 1. Risk Mitigation with Internal Controls and Process Design

Topic 1. Risk Mitigation Characteristics

Topic 2. Risk Response

Topic 3. Types of Internal Controls

Topic 4. Key Controls

Topic 5. Automated Controls

Topic 6. Control Testing

Topic 7. Process Design and Human Errors

Topic 8. Lean Six Sigma and Quality Improvement

Topic 1. Risk Mitigation Characteristics

  • Definition: Risk mitigation involves identifying and applying measures to reduce operational risk to acceptable levels, while balancing costs and benefits (risk-return trade-off).

  • Types of Operational Risk:

    • External Risks: Result from events like regulatory changes, competition, geopolitical events (e.g., sanctions, wars). These cannot be prevented but can be minimized.

    • Internal Risks: Emerge from people, systems, and processes. Examples include human error, process failures, and system outages. Firms can rely on strong internal controls to prevent this risk, and they can optimize the level of acceptable risk exposure through optimizing the risk-return trade-off.

  • Risk Minimization Techniques:

    1. Establishing strong controls

    2. Buying insurance

    3. Reducing or completely eliminating certain activities

  • Holding a minimum level of capital is also one way in which firms are mandated by regulation to reduce operational risk.

  • Firms' response to operational risks depend on their risk appetites.

Topic 2. Risk Response 

  • Four Risk Response Approaches

    • Tolerate: Accept the risk and do nothing. Used for low-probability or low-impact risks.

    • Treat: Accept the risk but mitigate its impact risk via controls, automation, or scenario planning (e.g., installing fraud detection software).

    • Transfer: Implies initially accepting the risk, but subsequently transferring it to a third party that is willing to take on the risk. Shifting risk via insurance or outsourcing. However, accountability remains with the original entity.

    • Terminate: Completely eliminate the source of risk (e.g., exiting high-risk markets).

  • Note:

    • Tolerating = unhedged.

    • Treating/Transferring = hedged.

    • Terminating = risk avoidance.

Practice Questions: Q1

Q1. XYZ Bank just completed an internal reorganization in which it significantly improved its internal controls and management oversight of its businesses to address its operational risks. Which of the following risk responses best captures this scenario?
A. Treating risk.
B. Tolerating risk.
C. Transferring risk.
D. Terminating risk.

Practice Questions: Q1 Answer

Explanation: A is correct.

Treating risk involves accepting the risk but mitigating its impact through some action or remedy. These mitigants include a robust set of internal controls, automating processes, and planning for risk scenarios.

Topic 3. Types of Internal Controls

  • Preventive: Lower the chances of an event occurring in the first place; such controls are focused on the underlying causes and eliminating them. Example: Segregation of duties to prevent fraud.

  • Detective: Identify issues post-occurrence. Example: Cardholder alerts for unusual activity.

  • Corrective: Reduce the negative impacts of an incident. Example: Business continuity plans (BCPs) and data backups.

  • Directive: Provide guidance on performing a particular transaction or process. Example: Policies, procedures, training and supervision.

Q2. Business continuity planning (BCP) would most likely be described as a:
A. corrective control.
B. detective control.
C. directive control.
D. preventive control.

Practice Questions: Q2

Explanation: A is correct.

BCP is a corrective control that involves reducing the impact from an operational incident. In that regard, although BCPs do not reduce the likelihood of risks occurring, BCPs help reduce the negative impacts if they do. Specifically, a good BCP that is properly implemented with the onset of an operational incident helps ensure that the business continues to operate as normal or as close to normal.

Practice Questions: Q2 Answer

Topic 4. Key Controls

  • Definition: Key controls function solely on a stand-alone basis to prevent the risk from occurring.

    • ​Includes all four control types: preventive, detective, corrective and directive.

  • Examples:

    • Preventive: Automated trade limits.

    • Corrective: Robust data backup systems.

    • Directive: Clear escalation protocols.

  • Non-Key Controls: Provide support but cannot stand alone to mitigate risk.

Topic 5. Automated Controls

  • Advantages

    • More reliable, less prone to human error

  • Examples

    • Reconciliations

    • Data validation checks

    • Credit card fraud detection

  • Risks

    • Shift from human error to IT risk/model risk

    • Shift from high-likelihood/low-impact risks to low-likelihood/high-impact risks

    • False positives (Type I) and False negatives (Type II) errors  errors when analyzing unusual and potentially fraudulent transactions, loss of automated controls due to system downtime, or system overcapacity.

  • Useful for settings involving large dollar amounts and/or high transaction speeds

Topic 6. Control Testing

  • Purpose: Ensure controls work as intended and are consistently applied.

  • Ineffective controls may become vulnerability. Examples of poorly designed controls:

    • ​Optimistic controls: Over-reliance on human effort.

    • Collective controls: Diffused accountability.

    • More of the same: Simply adding more of the same type doesn't improve risk posture.

  • Four main categories of control testing:

    1. Self-Assessment: Done by the control owner (low objectivity).

    2. Examination: Reviewing documentation and logs (used for automated controls).

    3. Observation: Watching the control in action (sampling approach).

    4. Reperformance: Re-running a process with test data (e.g., stress test).

  • ​​Control testing should also consider:
    • Independence Requirement: Control testing should be performed by individuals independent from control designers, with self-certification as notable exception
    • Risk-Based Frequency: Higher severity risks require more frequent control testing; unstable risk situations also demand increased testing frequency
    • Representative Sampling: Testing samples must mirror true population with sufficient size for robust, repeatable results while avoiding bias that overstates control effectiveness

  • Best Practice: Third line (internal audit) performs testing; ORM (second line) ensures controls are designed and operational.

Topic 7. Process Design and Human Errors

  • Prevention Through Design (PtD)
    • Use of checklists, protocols, standardization
    • Goal: Minimize process errors and improve efficiency
    • Related to the Swiss Cheese Model — errors result from multiple process weaknesses
  • Categories of Human Error & Remedies
    • Slips
      • Description: Involuntary mistakes due to fatigue, distraction, or inattention (e.g., fat finger errors)
      • Remedies: Improve workspace design, redesign processes, ensure accountability
    • Rule-based Mistakes
      • Description: Voluntary errors due to flawed or conflicting rules
      • Remedies: Review and revise rules, strengthen internal controls
    • Knowledge-based Mistakes
      • Description: Errors in unfamiliar situations using outdated or misapplied knowledge
      • Remedies: Enhance training, improve documentation, establish clear escalation procedures
  • Violations
    • Description: Intentional disregard of known rules or protocols
    • Remedies: Enforce supervision, monitor actions (e.g., cameras, recorded calls)

Practice Questions: Q3

Q3. A trader whose daily trading limit in a particular stock is 10,000 shares mistakenly enters a client order to sell 3,000 shares as an order to sell 30,000 shares. The trader’s action is most likely an example of which of the following operational risk types?
A. Slip.
B. Violation.
C. Rule-based mistake.
D. Knowledge-based mistake.

Practice Questions: Q3 Answer

Explanation: A is correct.

Slips refer to involuntary errors, and include inadvertent typos such as mistakenly entering incorrect trade instructions. The trader’s daily limit is irrelevant in determining the type of human error.
Violations are not a type of human error but are voluntary misdeeds. Rule-based mistakes arise due to badly designed or flawed rules. Knowledge-based mistakes arise due to incorrect choices of action in a new environment.

Topic 8. Lean Six Sigma and Quality Improvement

  • Lean Six Sigma

    • Lean techniques: Eliminating the eight kinds of waste—or process

      ineffectiveness—including resource under-utilization, time loss, and unnecessary tasks.

    • Six Sigma: Minimizing variability, including variability of extreme outcomes and improving output quality.

    • The Lean Six Sigma is based on the DMAIC Cycle:

      • Define, measure, analyze, improve and control the processes

    • Focuses on consistency, speed, and customer satisfaction.

  • Quality Improvement (PDSA)

    • Plan: Define objective and who is responsible.

    • Do: Implement and record problems.

    • Study: Analyze data and outcomes.

    • Act: Improve and restart the cycle.

Module 2. Operational Risk Mitigation Measures and Management

Topic 1. Assessing New Products and Initiatives

Topic 2. Mergers and Acquisitions

Topic 3. Contingency Planning

Topic 4. Business Continuity Management

Topic 5. Event and Crisis Management

Topic 6. Risk Transfer

Topic 7. Managing Reputational Risk

Topic 1. Assessing New Products and Initiatives

  • Frameworks

    • NPAP (New Product Approval Process).

    • NIRAP (New Initiative Risk Assessment Process).

  • Five Components of NIRAP Busines Case

    1. Objective

    2. Alternatives

    3. Expected benefits and downsides

    4. Commercial aspects (costs, funding)

    5. Risks and mitigation

  • ORM’s role varies based on a project's life

    • ​Initial stage (prior to the kickoff)

    • Project life

    • Project closure

Practice Questions: Q4

Q4. In which of the New Initiative Risk Assessment Process (NIRAP) business case topics would you most likely find an analysis of project costs and funding arrangements?
A. Initial stage.
B. Alternatives.
C. Expected benefits.
D. Commercial aspects.

Practice Questions: Q4 Answer

Explanation: D is correct.

An analysis of costs and funding arrangements would be included under the commercial aspects component of the NIRAP model. The other four components include:

  1. Objective (analysis of product rationale),
  2. Alternatives (analysis of other options),
  3. Expected benefits (analysis of benefits and disadvantages of the product), and
  4. Risks (analysis of risks).

Topic 2. Mergers and Acquisitions

  • The acquiring firm takes on (i.e., inherits) the risks of the acquired firm,

    • Inherits operational, credit, and market risks.

    • Hidden operational risks emerge post-deal.

  • Integration Risks

    • Systems, accounts, payroll, and customer service alignment.

  • Mitigation

    • ORM-driven operational risk profiles.

    • Pre- and post-merger assessments and controls.

  • Financial institutions understand that even with very strong controls, losses and defaults will occur. As a result, reducing the impact of operational risk events and minimizing credit risk is critical.
  • There are four measures of impact reduction:
    1. Contingency planning,
    2. Resilience measurement,
    3. Crisis management, and
    4. Communication.

Topic 3. Contingency Planning

  • Definition: Backup strategies if expected outcomes fail

  • Part of business continuity or disaster recovery playbook

  • Examples

    • Simple example: Spare charger as backup

    • Complex example: Alternate IT data centers

  • Two forms of contingency planning are business continuity management (BCM) and a disaster recovery plan (DRP)

  • SIFIs often use BCM and DRP

Practice Questions: Q5

Q5. A disaster recovery plan (DRP) is generally considered to be a form of:
A. event management.
B. contingency planning.
C. business continuity planning (BCP).
D. business continuity management (BCM).

Practice Questions: Q5 Answer

Explanation: B is correct.

DRP and BCM are considered specific forms of contingency planning.

Topic 4. Business Continuity Management

  • Definition: Tactical plan to continue operations during a crisis.

  • Part of a firm’s business continuity plan (BCP).

  • Steps

    • Senior management support

    • Designate a BCM team and budget

    • Identify operational risks (tech, reputational, environmental)

    • Create and implement recovery strategy

  • Business Impact Analysis: Identify time-critical functions and set recovery timelines.

Topic 5. Event and Crisis Management

  • Success Factors

    • Speed: Immediate recognition and response.

    • Competence: Experts assigned to appropriate tasks.

    • Transparency: Timely and honest communication.

  • Teams

    • Technical: IT/security.

    • Communications: Media/public/staff messaging.

    • Report to senior leadership.

  • Phases

    • Crisis → Emergency Response → Recovery (RPO & RTO) → Restoration.

Topic 6. Risk Transfer 

  • Risk transfer reduces loss volatility but incurs costs and potential new risks, with external insurance and outsourcing being the primary methods used by financial institutions.
  • Insurance: Insurance provides financial compensation for specific losses in exchange for ongoing premiums, making it most effective for predictable, quantifiable risks with transferable exposure to the insurer.
    • Large banks often self-insure for small losses but purchase coverage for significant tail events like cyberattacks or business interruption that could cause major profit volatility.
    • Insurance doesn't fully eliminate risk since compensation depends on the insurer's ability and willingness to pay, potentially creating liquidity issues during claim processing delays.
  • Outsourcing: Outsourcing transfers operational duties to specialized third parties but creates incremental risks including service delays, reduced supervision, and dependency on external controls.
    • The risk mitigation from outsourcing varies significantly by case - it may increase risks when done purely for cost savings or reduce them when leveraging superior specialist capabilities, making it often more accurately described as risk sharing rather than complete transfer.

Topic 7. Managing Reputational Risk 

  • Preventive Strategies

    • Strong due diligence.

    • Building customer trust and stakeholder confidence.

    • Reward transparency and ethical behavior.

  • Mitigation Strategies

    • Transparent communication post-event.

    • The "Three Rs" of Crisis Communication:

      • Regret: Acknowledge the issue.

      • Reason: Explain causes.

      • Remedy: Propose resolution.

  • Stakeholder Focus

    • Regulators, investors, customers.

    • Relationship building provides reputational capital in crises.