ERM Chapter 29

Question 1

Having sufficient controls is the key to managing operational risk. What are eight desirable characteristics of controls in this context?

Answer 1

1. Focused on results
2. In place for both measurable and non-measurable events
3. Standardised for efficient communication
4. High quality, so as to improve management
5. Few, rather than many
6. Meaningful and appropriate
7. Timely, so as to give sufficient warning
8. Simple, so they are easily understood

Question 2

Outline the risks associated with outsourcing.

Answer 2

Outsourcing can bring business benefits (such as transferring some risks to a third party) but also has its own risks that need to be managed, such as:

• the possible failure of the third party to deliver its commitments
• the reduced control it has over the processes and people in the third party

Question 3

What five considerations should a company make before entering into an outsourcing agreement with a third party.

Answer 3

1. Its regulatory environment and the status of the third party
2. The financial standing of the third party
3. The competency, business continuity plans and risk processes of the third party
4. Its legal agreement with the third party including the right to terminate, and the third party’s right to sub-contract
5. How it will monitor the third party

Question 4

List seven external event risks that are known to have impacted on businesses, in order of frequency of occurrence.

Answer 4

1. Loss of IT or telephone capacity
2. Loss of people and skills
3. Bad PR or negative publicity
4. Disruption to supply chain
5. Fire/flooding/high winds
6. Protest from pressure groups e.g. animal rights
7. Terrorist damage

Question 5

Outline business continuity and crisis management.

Answer 5

• business continuity includes safeguarding a company’s reputation, brand and other value-creating activities
• a company should develop a Business Continuity Plan and test it regularly to reassure stakeholders that business interruptions can be managed
• pre-emptive actions may include taking period backups of data incase of hard drive failures
• having a crisis management plan can ensure a clear and organised response in the event of a significant incident
• the company may also purchase consequential loss insurance to compensate for losses during a period of business disruption

Question 6

List types of operational risk that require management.

Answer 6

• outsourcing risk
• external events
• business continuity
• regulatory and legal risks
• technology risk
• crime risk
• people risk
• bias
• process risk
• model risk and data risk

Question 7

Outline regulatory and legal risk

Answer 7

• impact can be significant, including fines, reputational damage and loss of authorisation to trade
• these risks can be managed via:
  > keeping abreast of changes in regulation and laws and be aware of impending changes and their likely impact
  > it may be possible to influence changes through lobbying groups

Question 8

Provide examples of how technology risk can be controlled.

Answer 8

• keeping systems up to date
• routine maintenance
• thorough testing when introducing new IT systems
• quick response IT helpdesks to deal with minor IT issues
• training staff
• restrictions on employees use of social media applications or use of devices that might circumvent IT security
• implementing and testing security software and routines, such as firewalls, back-ups and regular password changes, to prevent cyber attacks and ensure data can be rapidly recovered in the event of loss

Question 9

Outline crime risk.

Answer 9

• crime risk covers a wide spectrum from petty theft to major fraud, and the management of the risk should reflect the severity
• a balance should be met regarding the cost of controls and the amount saved by these controls

Question 10

Outline the types of people risk, and how they can be managed.

Answer 10

Employment related:
- refers to the behaviour of a business towards its people, and the behaviour of people towards the business
- it can be managed through:
> recruitment processes - cost-effective recruitment of the right people, and enforceable contracts of employment
> competency management process - training requirements and risk training
> appraisals and performance management processes - talent management, retention of the right employees, identification of poor performers, and regular appraisal of NED’s in particular
> relationship management - with employee related collective bodies e.g. unions

Adverse Selection:

• the need to distinguish between customers who present different risks in order to prevent being selected against e.g. banks that offer free banking run the risk of being adversely selected against by low-balance, high-activity customers
• managed by careful underwriting and product design and pricing

Moral hazard:

• the risk that the insured, having obtained cover, will act in a way that is of detriment to the insurer
• more generally, any situation where a person makes the decision about how much risk to take, while someone else bears the cost if things go wrong
• can be managed by making the consequences unattractive (e.g. offence to make a fraudulent claim) and by prevention (e.g. ensuring an insurable interest exists in a life policy)

Agency risk:

• difference of interests
• managed by corporate governance policies or by aligning interests, perhaps through share-based remuneration

Question 11

How is bias avoided?

Answer 11

• checks and balances should be build into the system
• assessments should be subjected to competent and genuinely independent checking
• consider introducing an optimism bias into the appraisal of capital projects
• educate people about the problem of unintentional bias

Question 12

Outline process risk and how it can be managed.

Answer 12

• risk through the introduction of changes into business processes or IT systems where new processes or systems may fail or be poorly implemented
• can be managed via:
  > undertaking pilot studies
  > precise definition of the requirements of any new solution to best meet the needs of the whole enterprise
  > designing systems that can be easily maintained, enhanced and upgraded
  > careful deployment of the new systems with user education

Question 13

How can model risk and data risk be managed?

Answer 13

Model risk can be managed via:

• having documented processes for model building and testing
• having clear audit trails and change-management routines
• using models only for their intended purpose

Data risk can be managed via:

• limit what can be entered to what is valid
• check data entry
• re-check data on transfer and, in particular, de-duplicate

Question 14

How is reputational risk managed?

Answer 14

• a sound ERM framework
• business continuity and crisis management plans and processes
• strong relationships with key stakeholders

Question 15

Describe a seven step enterprise wide process for transferring operational risk.

Answer 15

1. identify operational risk exposures
2. quantify their probabilities, severities and capital requirements
3. integrate the operational risk with credit and market risk to establish an enterprise wide risk profile
4. establish operational risk limits
5. implement internal controls
6. develop risk transfer and financing strategies
7. evaluate alternative providers and structures based on a cost/benefit analysis

Question 16

Describe three methods for managing market liquidity risk, and three methods for managing funding liquidity risk.

Answer 16

Market liquidity risk:

• varying investment strategy
• using swaps
• having a contingency fund consisting of high quality liquid assets

Funding liquidity risk:

• diversifying sources of funding (by type and term)
• continuously monitoring the ability to raise additional capital
• contingency sources of funding from their bank to draw upon in times of stress

Question 17

Describe examples of activities designed to reduce or eliminate feedback risk (systemic risk).

Answer 17

• investing only in exchange-traded instruments, so as to pool counterparty risk
• suspension of trading in the stock exchange by circuit breakers if there is a large market movement
• governments or central banks intervening to prop up a bank or reduce financial consequences
• regulations that require establishment of additional reserves e.g. Basel III
• avoiding regulations that increase pro-cyclicality e.g. solvency regulations that encourage all similar organisations to adopt similar investment and risk-mitigation strategies
• physically separating types of businesses

Question 18

How are demographic, non-life insurance and environmental risks managed?

Answer 18

• before the risk is accepted through underwriting
• after the risk is accepted:
  > by transferring the risk
  > through reduced risk concentration
  > through improved diversification
  > through improved hedging