P2.T7.702. Risk appetite framework (RAF), enterprise risk management (ERM) & Three Lines of Defense

Nicole Seaman

Director of FRM Operations
Concept: These on-line quiz questions are not specifically linked to learning objectives, but are instead based on recent sample questions. The difficulty level is a notch, or two notches, easier than bionicturtle.com's typical question such that the intended difficulty level is nearer to an actual exam question. As these represent "easier than our usual" practice questions, they are well-suited to online simulation.


702.1. Acebase International Bank is a new international financial services firm that is the product of a merger between two different banks with very different geographical footprints, cultures and a somewhat different mix of business lines. Acebase has just designed a risk appetite framework (RAF) as the foundational element of its NEW operational risk framework (ORF). Each of the following features of Acebase's RAF comports with best practice(s)--or is at least plausible--EXCEPT FOR which of these features is unlikely to be a key feature of its operational risk appetite framework?

a. The bank defines its operational risk appetite as the amount of operational risk the bank is willing or not willing ("chooses or not chooses") to assume
b. The board has chief responsibility: the board approves the risk appetite and tolerance; the board reviews the appropriateness of limits, considering many factors; and the board monitors management’s adherence to the operational risk appetite and tolerance
c. The bank's primary risk appetite metric is Operational Losses as a Percentage of Gross Revenue (OLAPGR); to avoid over-reacting to extraordinary one-time losses, OLAPGR is measured on a cumulative, trailing three-year basis; and to avoid ex post manipulation the target OLAPGR level will not be revised until the end of the three-year period
d. The bank distinguishes between (i) risk appetite, (ii) risk tolerance and (iii) risk capacity because in regard to certain categories of operational risk, the bank has a very low--or even zero--risk appetite for operational losses yet realistically will need to have some non-zero level of risk tolerance and non-zero level of risk capacity

702.2. Gogogreen International Bank has a well-developed Operational Risk Governance framework that utilizes three lines of defense:

Assuming Gogogreen employs good or "best practices," which of the following is TRUE about its three lines of defense?

a. The third line of defense is required to be an entity that is external to the firm; e.g., external auditor and/or regulator
b. The first line of defense includes the compliance function that reports directly to the risk committee of the board and implements a quality assurance (QA) program
c. A key function of the CORF (second line of defense) is an "independent challenge" to the business lines’ inputs to--and outputs from--the bank’s risk management, measurement and reporting systems
d. The second line of defense is responsible for identifying and managing the operational risks inherent in all products, activities, processes and systems for which line management is accountable; and for providing adequate resources, tools and training to business line management to ensure awareness of all operational risks and effectiveness of assessments

702.3. Techitrax Corporation has implemented an enterprise risk management (ERM) program by following these four steps (endorsed by Nocco and Stulz, which happens to be an assigned FRM reading!):

I. Management determined the firm’s risk appetite, including choosing the probability of financial distress expected to maximize firm value; in this case, credit ratings were used as the primary indicator of financial risk, so management determined a target (optimal) credit rating based on this risk appetite and the cost of reducing its probability of financial distress, and calibrated the firm's target rating at AA3 (Moody's) or AA- (S&P)
II. Given this target rating, management estimated the amount of capital required to support the risk of its operations.
III. Management determined the optimal combination of capital and risk expected to yield its target rating.
IV. Management decentralized the risk-capital tradeoff with the help of a capital allocation and performance evaluation system that motivates managers throughout the organization to make investment and operating decisions that optimize this tradeoff.

Each of the following is true about this ERM program EXCEPT which is false?

a. The company faces an inherent trade-off between risk and required capital: as VaR or volatility increase, the firm requires more capital (i.e., the size of its buffer stock of equity capital) to achieve the same probability of default
b. In this endorsed ERM approach, the company should manage economic without regard to accounting earnings volatility (because it is not cash flow), and the company's level of equity capital should be calibrated at the lesser of regulatory and economic capital; i.e., optimal equity = minimum[regulatory capital, economic capital]
c. The company should look beyond value at risk (VaR) because the ERM adds value by optimizing the probability and expected costs of financial distress (as distinct from default) which refers to any situation where the company is likely to feel compelled to pass up positive net present value (NPV) activities
d. Risk management can be viewed as a substitute for (some portion of) equity capital, and the company should position its combination of risk management and capital "at the margin" where it is indifferent between decreasing risk and increasing capital: this is the theoretically optimal level of risk, such that spending another $X million dollars to decrease risk by Y% will save the firm roughly $X million in equity capital costs.

Answers here: