P2.T7.801. Principles for the sound management of operational risk: Tools

Nicole Seaman

Chief Admin Officer
Learning objectives: Describe tools and processes that can be used to identify and assess operational risk. Describe features of an effective control environment and identify specific controls that should be in place to address operational risk. Explain the Basel Committee’s suggestions for managing technology risk and outsourcing risk.


801.1. Principle Six (6) among the Principles for Sound Management of Operational Risk advises that "Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood." Among the tools promoted, the following four are discussed:

I. Losses in excess of a threshold are subjected to an exhaustive root cause analysis by the first line of defense, which in turn is subject to an independent review and challenge by the second line of defense
II. These metrics and/or statistics are used to monitor the main drivers of exposure associated with key risks. They also provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss. They are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans
III. This tool identifies the key steps and risk points in business activities and organisational functions. It can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. It can also help prioritize subsequent management action
IV. A process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. This is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. However, given its subjectivity, a robust governance framework is essential to ensure the integrity and consistency of the process

Which of the following correctly MATCHES the name of a tool to its corresponding DESCRIPTION above?

a. I = Internal loss data; II = Key Risk Indicators (KRIs); III = Business Process Mapping; IV = Scenario Analysis
b. I = Internal loss data; II = Scenario Analysis; III = Key Risk Indicators (KRIs); IV = Business Process Mapping
c. I = External loss data; II = Scenario Analysis; III = Key Risk Indicators (KRIs); IV = Business Process Mapping
d. I = External loss data; II = Business Process Mapping; III = Scenario Analysis; IV = Key Risk Indicators (KRIs)

801.2. The following section 39(d) of the Principles for the Sound Management of Operational Risk contains two blanks where there should be key vocabulary terms: "Risk Assessments: In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, Risk Control Self Assessments (RCSA) evaluates [_____Blank #1_____] risk (the risk before controls are considered), the effectiveness of the control environment, and [_____Blank #2_____] risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment;"

In order of their appearance, which two vocabulary terms should fill-in-the-blanks above?

a. Latent, Surplus
b. Inherent, Residual
c. Obvious, Contingent
d. Indigenous, Vestigial

801.3. Principle Nine (9) of the Principles for Sound Management of Operational Risk concerns Control and Mitigation and advises that "Banks should have a strong control environment that utilizes policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies." In regard to the Committee's suggestions for managing technology risk and outsourcing risk, which of the following statements is TRUE?

a. In most cases, outsourcing should be avoided because it introduces uncontrollable risks
b. Risk transfer tools are a replacement (aka, substitute) for internal operational risk control
c. The need for insurance against operational loss events is a red flag which indicates insufficient internal controls
d. The use of technology related products, activities, processes and delivery channels exposes a bank to strategic, operational, and reputational risks and the possibility of material financial loss.

Answers here: