Near misses
occurrences that might have led to a loss but did not as a result of good fortune or action outside an organization’s control
Risk Wheel
Brainstorming tools in risk identification. Shows domino effect
Horizon scanning
Tools To spot new risk. Like PESTEL.
RCSA
The process through which an organization or business line assesses the possibility and impact of its operational risks. RCSAs result in a self-evaluation of a business unit’s primary inherent risks, the key controls reducing those risks, and the effectiveness of those controls
Process mapping
Process -> step -> controls -> identify the risks mitigating -> what might go wrong
Taxonomies
structured manner of expressing causes, risks, impacts, and controls in progressively more detailed ways
Boundary events
Occurrences that arise in a different risk category compared to their cause
Impact scale (RCSA)
The four most common scales used to measure impact are financial, regulatory, customer, and reputation impacts
Increase in the consideration of the continuity of services as a scale due to the regulatory attention
Fault Tree Analysis (FTA)
Analysis used to identify the root causes and potential consequences of operational risks. It is a top-down approach, examines the different ways an event or failure can occur, allowing organizations to visualize the sequence of events that lead to an incident.
Fault tree diagram
Graphical representation used to depict all of the possible failures that could contribute to an event (FTA)
Extreme Value Theory (EVT)
statistical method of analyzing extreme events in data sets
Block Maxima
examines the behavior of maxima values which are equally spaced in time (e.g., maximum operational loss per period of time and per unit of measure).
This allows for the identification and analysis of maxima patterns that occur over time and their severity level for determining potential risk levels
Peak-over-threshold
works by focusing on observations that lie above a certain high threshold set to be sufficiently large
RPO - Recovery Point Objectives
How much data lost / to be recovered after outage. Data bakup frequency determine RPOs
RTO - Recovery Time Objectives
How much downtime a business can tolerate
Types of stress testing
3 types: parameter, macroeconomic, reverse stress test
Parameter/Model Stress Testing
A model parameter is stressed to see how a model, bank, or portfolio fares under stressed conditions.
Macroeconomic Stress Testing
its focus is on how changes in macroeconomic factors affect their output.
Reverse Stress Testing
12 fundamental principles of operational risk management (ORM)
- Culture directed by the board of directors (board) and put in place by senior
management - Maintaining a robust operational risk management framework (ORMF)
- Board analysis and validation of the ORMF
- Board to regularly assess and sign off on operational risk appetite and operational
risk tolerance statements - Clear description of senior management’s responsibilities regarding ORM policies
and systems development and implementation - Thorough description and evaluation of operational risk for key business activities
- Thorough preparation and communication of the change management process
- Ongoing review of operational risk proϐile and exposures9. Secure and stable controls (e.g., internal controls, risk mitigation, training, risk
transfer methods) - Reliable information and communication technology (ICT) that is consistent with
the ORMF - Established business continuity plans that are consistent with the ORMF
- External disclosures on the ORM approach and risk exposures
Myopia
Placing too much more importance on recent events than the past
TPRM life cycle
5 stages:
1) Business model decision
2) Evaluation, risk rating, due diligence
3) RFPs (requests for proposal) and contracts
4) Monitoring (continuous and ongoing)
5) Remediation or termination
CCAR effectiveness principles
1) sound foundational risk management
2) effective loss-estimation methodologies
3) solid resource-estimation methodologies
4) sufficient capital adequacy impact assessment
5) capital planning & policy
6) robust internal controls
7) effective governance
