{"id":580,"date":"2019-04-30T03:24:00","date_gmt":"2019-04-30T03:24:00","guid":{"rendered":"https:\/\/analystprep.com\/study-notes\/?p=580"},"modified":"2025-12-18T16:22:10","modified_gmt":"2025-12-18T16:22:10","slug":"oprisk-data-and-governance","status":"publish","type":"post","link":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/","title":{"rendered":"OpRisk Data and Governance"},"content":{"rendered":"<p><iframe loading=\"lazy\" src=\"\/\/www.youtube.com\/embed\/fB_E2Rsd9Zk\" width=\"611\" height=\"343\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"QAPage\",\n  \"mainEntity\": {\n    \"@type\": \"Question\",\n    \"name\": \"As a manager of an organization, it is important to ask yourself questions during risk control self-assessment. Which of the following is not a necessary concern?\",\n    \"acceptedAnswer\": {\n      \"@type\": \"Answer\",\n      \"text\": \"The correct answer is C.\\n\\nInsofar as risk goes, it\u2019s important to ask important questions that can help mitigate the risk. A question such as \u201chow can we better handle customers\u2019 delivery?\u201d is not one of them. Asking questions on different risk scenarios and exposure is necessary for combating risks that are likely to occur.\"\n    },\n    \"suggestedAnswer\": [\n      {\n        \"@type\": \"Answer\",\n        \"text\": \"A. Risk scenario: Where are the potential weak points on each of these processes?\"\n      },\n      {\n        \"@type\": \"Answer\",\n        \"text\": \"B. Exposure: How big a loss could happen to my operation in the event of a failure?\"\n      },\n      {\n        \"@type\": \"Answer\",\n        \"text\": \"C. Delivery: How can we better handle customer delivery?\"\n      },\n      {\n        \"@type\": \"Answer\",\n        \"text\": \"D. Performance: How could failure change my organization\u2019s reputation or financial performance?\"\n      }\n    ],\n    \"answerCount\": 4\n  }\n}\n<\/script><br \/>\n<script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"ImageObject\",\n  \"url\": \"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_6.jpg\",\n  \"caption\": \"Strong Central Risk Management\",\n  \"width\": 1024,\n  \"height\": 441,\n  \"copyrightNotice\": \"\u00a9 2024 AnalystPrep\",\n  \"acquireLicensePage\": \"https:\/\/analystprep.com\/license-info\",\n  \"creditText\": \"AnalystPrep Design Team\",\n  \"creator\": {\n    \"@type\": \"Organization\",\n    \"name\": \"AnalystPrep\"\n  }\n}\n<\/script><\/p>\n<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"ImageObject\",\n  \"url\": \"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_5.jpg\",\n  \"caption\": \"Solid Reporting Lines to Central Risk Management\",\n  \"width\": 1024,\n  \"height\": 441,\n  \"copyrightNotice\": \"\u00a9 2024 AnalystPrep\",\n  \"acquireLicensePage\": \"https:\/\/analystprep.com\/license-info\",\n  \"creditText\": \"AnalystPrep Design Team\",\n  \"creator\": {\n    \"@type\": \"Organization\",\n    \"name\": \"AnalystPrep\"\n  }\n}\n<\/script><\/p>\n<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"ImageObject\",\n  \"url\": \"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_4.jpg\",\n  \"caption\": \"Matrix Reporting\",\n  \"width\": 1024,\n  \"height\": 441,\n  \"copyrightNotice\": \"\u00a9 2024 AnalystPrep\",\n  \"acquireLicensePage\": \"https:\/\/analystprep.com\/license-info\",\n  \"creditText\": \"AnalystPrep Design Team\",\n  \"creator\": {\n    \"@type\": \"Organization\",\n    \"name\": \"AnalystPrep\"\n  }\n}\n<\/script><\/p>\n<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"ImageObject\",\n  \"url\": \"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_3.jpg\",\n  \"caption\": \"Central Risk Function as Coordinator\",\n  \"width\": 1024,\n  \"height\": 419,\n  \"copyrightNotice\": \"\u00a9 2024 AnalystPrep\",\n  \"acquireLicensePage\": \"https:\/\/analystprep.com\/license-info\",\n  \"creditText\": \"AnalystPrep Design Team\",\n  \"creator\": {\n    \"@type\": \"Organization\",\n    \"name\": \"AnalystPrep\"\n  }\n}\n<\/script><\/p>\n<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"ImageObject\",\n  \"url\": \"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_2.jpg\",\n  \"caption\": \"Delphi Concept\",\n  \"width\": 1024,\n  \"height\": 1137,\n  \"copyrightNotice\": \"\u00a9 2024 AnalystPrep\",\n  \"acquireLicensePage\": \"https:\/\/analystprep.com\/license-info\",\n  \"creditText\": \"AnalystPrep Design Team\",\n  \"creator\": {\n    \"@type\": \"Organization\",\n    \"name\": \"AnalystPrep\"\n  }\n}\n<\/script><\/p>\n<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"ImageObject\",\n  \"url\": \"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_1.jpg\",\n  \"caption\": \"Key Risk Indicators for an Equity Trading Firm\",\n  \"width\": 1024,\n  \"height\": 528,\n  \"copyrightNotice\": \"\u00a9 2024 AnalystPrep\",\n  \"acquireLicensePage\": \"https:\/\/analystprep.com\/license-info\",\n  \"creditText\": \"AnalystPrep Design Team\",\n  \"creator\": {\n    \"@type\": \"Organization\",\n    \"name\": \"AnalystPrep\"\n  }\n}\n<\/script><\/p>\n<p><strong>After completing this reading<\/strong>,<strong> you should be able to<\/strong>:<\/p>\n<ul>\n<li>Describe the seven Basel II event risk categories and identify examples of operational risk events in each category.<\/li>\n<li>Summarize the process of collecting and reporting internal operational loss data, including the selection of thresholds, the timeframe for recoveries, and reporting expected operational losses.<\/li>\n<li>Explain the use of a risk control self-assessment (RCSA) and key risk indicators (KRIs) in identifying, controlling, and assessing operational risk exposures.<\/li>\n<li>Describe and assess the use of scenario analysis in managing operational risk and identify biases and challenges that can arise when using scenario analysis.<\/li>\n<li>Compare the typical operational risk profiles of firms in different financial sectors.<\/li>\n<li>Explain the role of operational risk governance and explain how a firm\u2019s organizational structure can impact risk governance.<\/li>\n<\/ul>\n<h2>OpRisk Taxonomy: The Seven Basel II Event Risk Categories<\/h2>\n<p>OpRisk taxonomy refers to the process of identifying and classifying operational risks.<\/p>\n<p>To be able to build a robust risk management framework, a firm must successfully come up with a comprehensive risk classification structure. However, risk taxonomy in general is hardly an easy task, and firms usually make mistakes in the process. Risk classification mistakes made in the past years will have repercussions in risk management and on the communication of risks, at a minimum, to outside parties such as regulators. In fact, such mistakes might compromise any good work done elsewhere in the framework. There are roughly three ways through which firms drive this risk taxonomy exercise: cause-driven, impact-driven, and event-driven approaches.<\/p>\n<ul>\n<li><strong>Cause-driven classification<\/strong>: This risk classification is based on the reasons that cause operational losses.<\/li>\n<li><strong>Impact-driven classification<\/strong>: This risk classification is based on the financial impact of operational losses.<\/li>\n<li><strong>Even-driven classification<\/strong>: Risks are classified based on OpRisk events as outlined by the Basel Committee. It is by the far the most common classification approach.<\/li>\n<\/ul>\n<p>The table below summarizes the seven level 1 categories of OpRisk according to the Basel committee. These categories can be broken down further into level 2 subcategories which help to further classify the type of loss event.<\/p>\n<p>$$ \\textbf{Table 1 &#8211; Level 1 Categories of Operational Risk Events} $$<\/p>\n<p>$$ \\begin{array}{l|l} \\textbf{Event category} &amp; \\textbf{Definition} \\\\ \\hline {\\text{Execution, Delivery &amp; Process}\\\\ \\text{Management}} &amp; {\\text {Losses from failed transaction } \\\\ \\text {processing or process management, from } \\\\ \\text{relations with trade counterparties and} \\\\ \\text{vendors.}} \\\\ \\hline \\text{Clients, products and business practices} &amp; {\\text{Losses arising from an unintentional or } \\\\ \\text{negligent failure to meet a professional } \\\\ \\text{obligation to specific clients (including} \\\\ \\text{fiduciary and suitability requirements), } \\\\ \\text{or from the nature or design of a } \\\\ \\text{product.}} \\\\ \\hline \\text{Business disruption and system failures} &amp; {\\text{Losses arising from disruption of } \\\\ \\text{business or system failures.}} \\\\ \\hline \\text{Damage to physical assets} &amp; {\\text{Losses arising from loss or damage to} \\\\ \\text{physical assets from natural disaster or} \\\\ \\text{other events.}} \\\\ \\hline {\\text{Employment practices and workspace} \\\\ \\text{safety}} &amp; {\\text{Losses arising from acts inconsistent } \\\\ \\text{with employment, health or safety laws } \\\\ \\text{or agreements, from payment of personal} \\\\ \\text{injury claims or from} \\\\ \\text{diversity\/discrimination events.} } \\\\ \\hline \\text{External fraud} &amp; {\\text{Losses due to acts of a type intended to } \\\\ \\text{defraud, misappropriate property or } \\\\ \\text{circumvent the law, by a third party.}} \\\\ \\hline \\text{Internal fraud} &amp; {\\text{Losses due to acts of a type intended to } \\\\ \\text{defraud, misappropriate property or} \\\\ \\text{circumvent regulations, the law or } \\\\ \\text{company policy, excluding diversity\/ } \\\\ \\text{discrimination events, which involves at} \\\\ \\text{least one internal party} } \\end{array} $$<\/p>\n<p>Let\u2019s now look into each level 1 category in detail:<\/p>\n<h3>Execution, Delivery, and Process Management (EDPM)<\/h3>\n<p>These losses emanate from failed transaction processing or process management, and from relations with trade counterparties and vendors. Losses of this event type are quite frequent since they can be due to human errors, miscommunications, and so on. These losses are very common in an environment where banks have to process millions of transactions per day.<\/p>\n<p>EDPM is further split into 6 level 2 categories.<\/p>\n<p>$$ \\textbf{Table 2 &#8211; Level 2 Categories: EDPM} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Level 1 Category} &amp; \\textbf{Level 2 categories} &amp; \\textbf{Examples} \\\\ \\hline {\\text{Execution, Delivery &amp;} \\\\ \\text{Process Management} } &amp; { \\text{Transaction Capture,} \\\\ \\text{Execution and} \\\\ \\text{Maintenance}} &amp; {\\text{Miscommunication; data } \\\\ \\text{entry, missed deadline or } \\\\ \\text{responsibility; accounting } \\\\ \\text{error\/entity attribution } \\\\ \\text{error; delivery failure; }} \\\\ \\hline {} &amp; \\text{Monitoring and Reporting} &amp; { \\text{Failed mandatory } \\\\ \\text{reporting obligation;} \\\\ \\text{inaccurate external report } \\\\ \\text{(loss incurred)}} \\\\ \\hline {} &amp; {\\text{Customer Intake and } \\\\ \\text{Documentation} } &amp; {\\text{Client} \\\\ \\text{permissions\/disclaimers} \\\\ \\text{missing legal documents} \\\\ \\text{missing\/incomplete} }\\\\ \\hline {} &amp; {\\text{Customer\/Client Account} \\\\ \\text{Management} } &amp; {\\text{Unapproved access given } \\\\ \\text{to accounts; incorrect} \\\\ \\text{client records (loss} \\\\ \\text{incurred); negligent loss } \\\\ \\text{or damage of client assets} }\\\\ \\hline {} &amp; \\text{Trade Counterparties} &amp; {\\text{Nonclient counterparty } \\\\ \\text{misperformance; misc. } \\\\ \\text{nonclient counterparty } \\\\ \\text{disputes}} \\\\ \\hline {} &amp; \\text{Vendors and Suppliers} &amp; { \\text{Outsourcing; vendor } \\\\ \\text{disputes}} \\end{array} $$<\/p>\n<h3>Clients, Products, and Business Practices (CPBP)<\/h3>\n<p>This category has one of the highest numbers of loss events, particularly in the US. It encompasses losses, for example, from disputes with clients and counterparties, regulatory fines from improper business practices, or wrongful advisory activities.<\/p>\n<p>CPBP is further split into 5 level 2 categories.<\/p>\n<p>$$ \\textbf{Table 3 &#8211; Level 2 Categories: CPBP} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Level 1 Category} &amp; \\textbf{Level 2 categories} &amp; \\textbf{Examples} \\\\ \\hline {\\text{Clients, products and } \\\\ \\text{business practices} } &amp; { \\text{Suitability, Disclosure,} \\\\ \\text{and Fiduciary} } &amp; {\\text{Fiduciary } \\\\ \\text{breaches\/guideline } \\\\ \\text{violations; disclosure } \\\\ \\text{issues (e.g., KYC); retail } \\\\ \\text{customer disclosure} \\\\ \\text{violations; breach of } \\\\ \\text{privacy; misuse of} \\\\ \\text{confidential information} } \\\\ \\hline { } &amp; { \\text{Improper Business or } \\\\ \\text{Market Practices} } &amp; {\\text{Antitrust; improper trade } \\\\ \\text{practices; market } \\\\ \\text{manipulation; insider } \\\\ \\text{trading (on firm\u2019s } \\\\ \\text{account); unlicensed } \\\\ \\text{activity; money } \\\\ \\text{laundering} } \\\\ \\hline { } &amp; \\text{Product Flaws} &amp; {\\text{Product defects (e.g., } \\\\ \\text{unauthorised); model } \\\\ \\text{errors}} \\\\ \\hline { } &amp; { \\text{Selection, Sponsorship, } \\\\ \\text{and Exposure} } &amp; {\\text{Failure to investigate } \\\\ \\text{client per guidelines; } \\\\ \\text{exceeding client exposure } \\\\ \\text{limits} } \\\\ \\hline { } &amp; \\text{Advisory Activities} &amp; {\\text{Disputes over } \\\\ \\text{performance of advisory } \\\\ \\text{activities} } \\end{array} $$<\/p>\n<h3>Business Disruption and System Failures (BDSF)<\/h3>\n<p>Events under the BDSF category can be quite difficult to spot. For example, a system crash almost always comes with financial costs. However, these losses would most likely be classified as EDPM. To see how this might come about, consider the derivative department of a large bank that happens to experience a crash at 9:00 am. The IT department tries to do all it can, including turning to backup plans, all in vain. The system comes back online at 5:00 pm when money markets are already closed. On checking the transaction status, the bank learns that it needs to fund an extra USD 10 billion on that day. Since the markets are already closed, the bank is forced to negotiate for special conditions with its counterparties; but the rates at which the transactions are settled ultimately end up being higher than the daily average. Although this extra cost has actually come up due to a BDSF event &#8211; a system failure &#8211; it will most likely be categorized as part of EDPM, or fail to be captured at all.<\/p>\n<p>$$ \\textbf{Table 4 &#8211; Level 2 Categories: BDSF} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Level 1 Category} &amp; \\textbf{Level 2 categories} &amp; \\textbf{Examples} \\\\ \\hline {\\text{Business Disruption and } \\\\ \\text{System Failures} } &amp; \\text{Systems} &amp; {\\text{Hardware; software; } \\\\ \\text{telecommunications; } \\\\ \\text{utility outage\/disruptions} } \\\\ \\end{array} $$<\/p>\n<h3>Damage to Physical Assets (DPA)<\/h3>\n<p>The other risk event refers to damage to physical assets. This can result from natural disaster losses; or human losses from external sources (e.g., terrorism and vandalism). Only a few firms actively suffer losses from this risk type. This is because such losses are usually either too small or incredibly large.<\/p>\n<p>$$ \\textbf{Table 5 \u2013 Level 2 categories: DPA} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Level 1 Category} &amp; \\textbf{Level 2 categories} &amp; \\textbf{Examples} \\\\ \\hline {\\text{Damage to Physical } \\\\ \\text{Assets} } &amp; \\text{Disasters and other events} &amp; {\\text{Natural disaster losses; } \\\\ \\text{human losses from } \\\\ \\text{external sources (e.g., } \\\\ \\text{terrorism, vandalism)} } \\\\ \\end{array} $$<\/p>\n<h3>Employment Practices and Workplace Safety (EPWS)<\/h3>\n<p>EPWS has three subcategories: (1) employee relations, (2) safe environment, and (3) diversity and discrimination. It is more prominent in parts of the world where either labor laws are old-fashioned and\/or there is a culture of litigation against employers. This is, especially, the case in the Americas.<\/p>\n<p>$$ \\textbf{Table 6 \u2013 Level 2 categories: EPWS} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Level 1 Category} &amp; \\textbf{Level 2 categories} &amp; \\textbf{Examples} \\\\ \\hline {\\text{Employment Practices and } \\\\ \\text{Workplace Safety} } &amp; \\text{Employee relations} &amp; {\\text{Compensation, benefit, } \\\\ \\text{termination issues; } \\\\ \\text{organized labor activity} } \\\\ \\hline {} &amp; \\text{Safe environment} &amp; { \\text{General liability (e.g., slip} \\\\ \\text{and fall.); employee health } \\\\ \\text{and safety rules events; } \\\\ \\text{workers compensation} } \\\\ \\hline {} &amp; {\\text{Diversity and } \\\\ \\text{discrimination} } &amp; \\text{All discrimination types } \\\\ \\end{array} $$<\/p>\n<h3>External Frauds (EF)<\/h3>\n<p>External fraud includes all forms of fraud perpetrated by third parties or outsiders against a firm. In banking, good examples would be system hacking and cheque and credit card fraud. In recent years, external fraud has cost financial firms millions of dollars.<\/p>\n<p>$$ \\textbf{Table 7 \u2013 Level 2 categories: EF} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Level 1 Category} &amp; \\textbf{Level 2 categories} &amp; \\textbf{Examples} \\\\ \\hline \\text{External Fraud} &amp; \\text{Theft and fraud} &amp; {\\text{Theft\/robbery; forgery; } \\\\ \\text{check kiting }} \\\\ \\hline {} &amp; \\text{Systems security} &amp; { \\text{Hacking damage; theft of } \\\\ \\text{information (w\/monetary } \\\\ \\text{loss)} } \\\\ \\end{array} $$<\/p>\n<h3>Internal Fraud (IF)<\/h3>\n<p>Internal fraud includes any fraudulent activity perpetrated by a firm\u2019s employees. It is one of the less frequent types of opRisk loss mainly because institutions have over the years invested in sophisticated internal controls. However, cases of internal fraud still occur, and billions of dollars are still lost.<\/p>\n<p>Internal fraud is characterized by low-frequency\/high-severity events.<\/p>\n<p>$$ \\textbf{Table 8 \u2013 Level 2 categories: IF} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Level 1 Category} &amp; \\textbf{Level 2 categories} &amp; \\textbf{Examples} \\\\ \\hline \\text{External Fraud} &amp; \\text{Theft and fraud} &amp; {\\text{Transactions not reported } \\\\ \\text{(intentional); transaction type } \\\\ \\text{unauthorized (w\/monetary loss); } \\\\ \\text{mismarking of position } \\\\ \\text{(intentional)} } \\\\ \\hline {} &amp; \\text{Theft and fraud} &amp; { \\text{Fraud\/credit fraud\/worthless } \\\\ \\text{deposits; theft\/ } \\\\ \\text{extortion\/embezzlement\/robbery; } \\\\ \\text{misappropriation of assets, } \\\\ \\text{malicious destruction of assets; } \\\\ \\text{forgery; check kiting; } \\\\ \\text{smuggling; account take-} \\\\ \\text{over\/impersonation\/ etc.; tax } \\\\ \\text{noncompliance\/evasion (wilful); } \\\\ \\text{bribes\/ kickbacks; insider trading } \\\\ \\text{(not on firm\u2019s account)} } \\\\ \\end{array} $$<\/p>\n<h2>The Process of Collecting and Reporting Internal Operational Loss Data<\/h2>\n<p>Operational loss refers to a gross monetary loss (excluding insurance or tax effects) resulting from an operational loss event. It includes all expenses associated with an operational loss event except for opportunity costs, forgone revenue, and costs related to risk management and control enhancements put in place to prevent future operational losses.<\/p>\n<p>One of the hallmarks of the ideal OpRisk framework is a robust historical internal loss database. An institution must classify losses into the Basel categories and map them to its business units. The collection and maintenance of loss data are heavily regulated. Although Basel II regulations require firms to collect at least 5 years of data, (BCBS, 2006), most firms do not discard any data older than this limit. Losses are difficult to acquire and it may take years to build up a reliable and informative loss database. Consequently, most firms do not discard losses that they have suffered unless the business line in which this loss took place was sold and is no longer its constituent.<\/p>\n<p>Data collection can be quite an uphill task because the data has to be collected in <strong>different formats<\/strong> and from different<strong> geographical locations<\/strong>\u00a0and then channeled into a central repository. In addition, the firm must ensure that the data are secure and can be backed up and replicated in case of an accident.<\/p>\n<h3><strong>Setting a Collection Threshold and Possible Impacts<\/strong><\/h3>\n<p>Under Basel II regulations, financial institutions are allowed to select a loss threshold for loss of data collection. This means that for the loss event to be recorded and documented, it has to be <strong>at least as much<\/strong> as the threshold amount.<\/p>\n<p>As expected, the threshold amount an institution chooses has significant implications on the risk profile of business units within it. OpRisk managers have to be careful not to set a threshold that\u2019s either too low or too high. The following example illustrates this.<\/p>\n<p>Bank Y\u2019s loss experience in a given year is summarized in the table below. If the bank\u2019s OpRisk department had chosen USD 100,000 as the threshold, built around the belief that only tail events drive OpRisk capital, that firm would think that its total loss in that year was approximately USD 54 million. And if the threshold choice was USD 20,000, the total losses would be approximately USD 59 million.<\/p>\n<p>Notably, the sum of losses under USD 50,000 is about USD 24 million. That\u2019s almost equivalent to the losses above USD 5 million (USD 26 million). For this particular firm, setting the loss collection threshold at USD 100,000 would result in total losses of USD 54 million. With a threshold of $0, actual losses would be USD 80 million, a situation that paints a significantly different risk profile.<\/p>\n<h4>Example: The Impact of Threshold Choice: Losses in a Certain Year for the Asset Management Division of a Bank<\/h4>\n<p>$$ \\begin{array}{l|c|c|c} \\textbf{Loss brackets (USD)} &amp; { \\textbf{Number of } \\\\ \\textbf{losses} } &amp; \\textbf{Total (USD)} &amp; {\\textbf{Accumulated total } \\\\ \\textbf{(USD)}} \\\\ \\hline {&gt; 5,000,000} &amp; {4} &amp; {26,152,235} &amp; {26,152,235} \\\\ \\hline {1,000,000\u20135,000,000} &amp; {8} &amp; {12,520,500} &amp; {38,672,735} \\\\ \\hline {500,000\u20131,000,000} &amp; {12} &amp; {9,250,400} &amp; {47,923,135} \\\\ \\hline {100,000 \u2013500,000} &amp; {15} &amp; {5,975,233} &amp; {53,898,368} \\\\ \\hline {50,000 \u2013100,000} &amp; {25} &amp; {1,950,226} &amp; {55,848,594} \\\\ \\hline {20,000 \u201350,000} &amp; {85} &amp; {3,250,000} &amp; {59,098,594} \\\\ \\hline {&lt; 20,000} &amp; {1,402} &amp; {20,452,860} &amp; {79,551,454} \\end{array} $$<\/p>\n<h3>Recoveries<\/h3>\n<p>As per Basel II rules (BCBS, 2006), OpRisk loss calculation and capital calculation should consider gross losses without giving any room for recoveries. The argument for not considering recoveries is that in these calculations, the firm is dealing with an event that, in terms of probabilities, happens once every thousand years. As such, it would not make sense to start applying mitigating factors to reduce the losses and eventually reduce capital, too.<\/p>\n<h3>Near Miss<\/h3>\n<p>A firm may be allowed to consider recoveries only in situations where it is possible to <strong>rapidly recover <\/strong>loss\u00a0events. Rapidly recovered loss events are OpRisk events that lead to losses recognized in financial statements that are recovered over a short period. Consider the case of a bank that erroneously transfers money to a wrong party but recovers all or part of the loss soon thereafter. The bank may consider this to be a gross loss and a recovery. The actual loss is the gross loss less the recovered amount.<\/p>\n<p>In situations where a firm is able to <strong>recover losses in full<\/strong>, the event is considered to be a \u201c<strong>near miss<\/strong>\u201d.<\/p>\n<h3>Time Period for Resolution of Operational Losses<\/h3>\n<p>OpRisk events are usually complex and often have a large time gap between inception and final closure. Litigation cases arising from the 2007\/2008 financial crisis provide the perfect example, where some cases went on for more than 5 years. In almost all legal systems, cases involving OpRisk events have a rather long life cycle that starts with a discovery phase in which lawyers and investigators are asked to prove whether the other party has a proper case to answer. During the discovery phase, the firms involved find it difficult to come up with an estimate for eventual losses since it is difficult to predict whether the case will terminate or proceed to full trial.<\/p>\n<p>Even when a case \u201cgoes to trial,\u201d proper loss estimation might not be possible at the early stages. Firms that find themselves embroiled in such litigation cases may set up reserves for potential losses. However, they usually do that only for a few weeks before the case is settled to avoid disclosure issues. For example, if the counterparty finds out the amount reserved, they may use this information in their favor).<\/p>\n<p>In the latter stages of proceedings, a firm may be able to estimate its losses with a relatively greater degree of confidence. If the loss is large, setting up OpRisk capital can prove difficult because the inclusion of this settlement would cause some volatility in the capital. In some cases, the judge may end up ruling in the firm\u2019s favor even after it has set aside a large loss reserve of, say, $1 billion. That, too, would still cause volatility in capital. For this reason, there\u2019s need for firms to have a clear procedure on how to handle large, long-duration losses.<\/p>\n<h2>Provisioning Treatment of Expected Operational Losses<\/h2>\n<p>In a bid to have guidelines that firms can follow when dealing with OpRisk, accounting standards have been developed. IAS 37 \u2013 put together by the International Accounting Standards Board, defines and specifies the accounting for and disclosure of provisions, contingent liabilities, and contingent assets.<\/p>\n<p>IAS37 establishes three specific applications:<\/p>\n<ul>\n<li>For future operating losses, a provision <strong>cannot<\/strong> be recognized because there is <strong>no obligation at the end of the reporting period<\/strong>.<\/li>\n<li>For an onerous contract &#8212; a contract in which the <strong>unavoidable costs of meeting its obligations exceed the expected economic benefits<\/strong> \u2013 a provision should be recognized.<\/li>\n<li>A provision for restructuring costs is recognized only when the entity has a <strong>constructive obligation<\/strong> that has been announced and raised a <strong>valid expectation<\/strong> in the affected parties.<\/li>\n<\/ul>\n<p>According to IAS37, a firm must recognize a provision if, and only if:<\/p>\n<ul>\n<li>A present obligation (legal or constructive) has <strong>arisen<\/strong> as a result of a past event.<\/li>\n<li>Payment is <strong>probable<\/strong> (&#8216;more likely than not&#8217;).<\/li>\n<li>The amount can be estimated <strong>reliably<\/strong>.<\/li>\n<\/ul>\n<p>Balance sheet provisions should be measured at the best estimate of the expenditure required to settle the present obligation at the balance sheet date. Provisions may take any future changes, such as changes in the law or technology, into account. This applies to instances where there is sufficient objective evidence that they will occur.<\/p>\n<p>According to IAS37, the amount of the provision should not be reduced by gains from any of the following:<\/p>\n<ul>\n<li>Expected disposal of assets (even if the expected disposal is closely linked to the event giving rise to the provision).<\/li>\n<li>Expected reimbursements (arising from, for example, insurance contracts or indemnity clauses).<\/li>\n<\/ul>\n<p>Reimbursements received post-settlement should be recognized as separate assets.<\/p>\n<h2>Identifying, Controlling, and Assessing Operational Risk Exposures<\/h2>\n<p>OpRisk can be viewed as a function of the control environment. Provided the control environment is fair and under control, large operational loss events are unlikely to be experienced, effectively keeping OpRisk under control. To put an effective control environment in place, the OpRisk manager has to master the firm\u2019s business processes so as to be able to map the risks on these processes.<\/p>\n<p>Firms use several tools to assess risk and report the many steps of the settlement process. This includes the use of Risk Control Self-Assessment (RCSA) and Key Risk Indicators (KRIS).<\/p>\n<h3>Risk Control Self-assessment (RCSA)<\/h3>\n<p>A risk control self-assessment (RCSA) serves as the foundation of a robust OpRisk framework. It requires departmental heads and risk managers to document risks and provide a rating system and control identification process.<\/p>\n<p>Under RCSA, departmental heads and managers are seen as experts. The underlying argument is that they are the focal point of the flow of information and correspondence within a unit. As such, they are the persons best placed to understand the risks pertinent to their operations. Occasionally, a firm may also seek expert opinions from third parties.<\/p>\n<p>Once RCSA is well established, risk reviews are usually done every 12 or 18 months and color-rated Red\/Amber\/Green (RAG), according to the perceived status.<\/p>\n<p>A RCSA program is developed in three main steps:<\/p>\n<h4>Step 1: Identification<\/h4>\n<p>Managers identify and assess inherent risks by making no inferences about controls embedded in the process. In other words, managers assume that there are no risk controls in place and then proceed to assess how risk manifests within the activities in the processes. During this process, managers seek to establish:<\/p>\n<ul>\n<li>Risk scenarios, i.e. the potential failure points in each of these processes.<\/li>\n<li>Exposure, i.e. the extent of potential loss if a failure happens.<\/li>\n<li>Correlation to other risks. The manager seeks to establish whether a failure in one area could bring about failure in another aspect of the firm.<\/li>\n<\/ul>\n<p>Risk metrics such as key risk indicators (KRIs), internal loss events, and external events, all contribute to the risk identification process. They ensure that an organization has considered all readily available data. At the end of the identification process, managers are able to have a <strong>birds\u2019 eye view<\/strong> of the inherent risk of a firm\u2019s business processes.<\/p>\n<h4>Step 2: Adding Controls<\/h4>\n<p>Managers then re-assess risk in the presence of controls to establish how effective the controls are at mitigating risk. At this stage, <strong>residual risk is <\/strong>measured. Residual risk is the probability of loss that remains after security measures or controls have been implemented.<\/p>\n<h4>Step 3: Control Tests<\/h4>\n<p>Managers then embark on a control testing process to assess how effectively the controls in place mitigate potential operational risks.<\/p>\n<h4>An RCSA Program Comes With Several Challenges:<\/h4>\n<ul>\n<li>OpRisk managers may have an uphill task when interpreting the output data of the aggregated RCSA framework. If risks are controlled within tolerances (thresholds) that are set too high, the framework may give managers a false sense of security.<\/li>\n<li>OpRisk managers may overweight some risks and spend a lot of resources on them while neglecting other risks and variables that may have a significant overall impact on a firm\u2019s risk profile.<\/li>\n<li>Managers may not divulge information freely if they feel they are culpable or the risk is out of control.<\/li>\n<li>A manager\u2019s perception of risk and its potential rewards may not conform to the firm-wide assessment.<\/li>\n<\/ul>\n<p>For these reasons, there\u2019s a need for independent review of the RCSA framework.<\/p>\n<h3>Key Risk Indicators<\/h3>\n<p>Key risk indicators seek to identify firm-specific conditions that could expose a firm to operational risk. KRIs are meant to provide firms with a system capable of predicting losses, giving a firm ample time to make the necessary adjustments. Examples of KRIs include:<\/p>\n<ul>\n<li>Staff turnover.<\/li>\n<li>Number of vacant positions.<\/li>\n<li>Number of failed transactions over a specified time period.<\/li>\n<li>Percentage of employees that take up the maximum leave days on offer.<\/li>\n<\/ul>\n<p>The hope is that key risk indicators can identify potential problems and allow remedial action to be taken before losses are incurred.<\/p>\n<p>For example, let\u2019s consider the equity settlement process undertaken by an equity trading firm. An increase in the number of unsigned confirmations older than 30 days as a percentage of total confirmations above a certain threshold may be indicative of a developing underlying problem that needs to be addressed. Similarly, the number of disputed collateral calls may be a good KRI for the settlement process.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9779\" src=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_1.jpg\" alt=\"Key Risk Indicators for an Equity Trading Firm\" width=\"1024\" height=\"528\" srcset=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_1.jpg 1024w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_1-300x155.jpg 300w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_1-768x396.jpg 768w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_1-400x206.jpg 400w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><span style=\"font-size: 1rem;\">Collection of KRI data deserves special attention. To excel at unraveling the relationships between KRIs and losses, it is important that these data are absolutely reliable. One way to ensure data reliability is to automate the collection straight from a firm\u2019s operational systems. It is equally crucial to note that the establishment of links between KRIs and losses may require a firm to carry out extensive data analysis. Besides, the implementation of the KRI program comes with costs. However, KRIs are arguably some of the most powerful tools used to measure operational risk.<\/span><\/p>\n<p>When a firm wishes to implement the use of KRIs, it must make assumptions about the OpRisk profile of the business. In an equity trading department, we might assume that the number of execution errors can be linked to the trade volume on the day, the number of securities that failed to be received or delivered, the number of employees available on the trading desk, the back office, and system downtime as measured by minutes offline. Next, the firm must establish the organizational level at which this relationship will be measured. It has to decide whether to measure this relationship at the department level or break everything down into specific product lines such as cash equities, listed derivatives, and OTC derivatives. All these decisions are fundamental to the success of the analysis.<\/p>\n<p>In general, it is easier to find strong causal relationships at the lowest possible level. In our equity trading example, it may be easier to unearth local nuances, idiosyncrasies, and trends in the US cash equities department than modeling at the global equities division level.<\/p>\n<p>$$ \\begin{align*} \\textbf{Table 9 \u2013} &amp; \\textbf{Examples of Business Environment and Internal Control Environment} \\\\ &amp; \\textbf{Factors (BEICFs)} \\end{align*} $$<\/p>\n<p>$$ \\begin{array}{l|l|l} \\textbf{Business environment} &amp; \\textbf{Factor} &amp; \\textbf{Description} \\\\ \\hline \\text{Systems} &amp; {\\text{System downtime } \\\\ \\text{System slow time } \\\\ \\text{Software stability}} &amp; {\\text{Number of minutes a system is offline } \\\\ \\text{Number of minutes a system is slow } \\\\ \\text{Number of code lines changed in a program} } \\\\ \\hline \\text{Execution\/Processing} &amp; {\\text{Transactions } \\\\ \\text{Failed transactions } \\\\ \\text{Data quality } \\\\ \\text{Breaks} } &amp; {\\text{Number of transactions processed } \\\\ \\text{Number of transactions that failed to settle } \\\\ \\text{Ratio of transactions with errors } \\\\ \\text{Number of transactions breaks} } \\\\ \\hline \\text{People\/Organization} &amp; {\\text{Employees } \\\\ \\text{Employees} \\\\ \\text{experience} } &amp; {\\text{Number of employees } \\\\ \\text{Average experience of} \\\\ \\text{employees} } \\\\ \\hline \\text{Information Security} &amp; \\text{Malware attacks} &amp; \\text{Number of malware attacks } \\\\ \\hline {} &amp; \\text{Hacking attempts} &amp; \\text{Number of hacking attempts} \\end{array} $$<\/p>\n<p>There may also be a link between OpRisk and External factors such as equity indexes and interest rates. For instance, higher volatility on stock markets leads to higher trading volumes, a situation which in turn brings about an increase in execution losses.<\/p>\n<h2>The Use of Scenario Analysis in Managing Operational Risk<\/h2>\n<p>Scenario analysis is the process of evaluating a portfolio, project, or asset by changing various variables. These variables can be economic, market-based, industry-based, or company-specific. Scenario analysis is a useful tool in the operational risk framework since it helps a firm to explore the <strong>rare but plausible<\/strong> losses that could arise as a result of OpRisk events.<\/p>\n<p>Unlike RCSA analysis, scenario analysis focuses on low probability high-impact events or \u201cfat tail\u201d events. The occurrence of these types of events can put a firm at serious risk. Scenario analysis is particularly helpful in situations where the firm is faced with an emerging risk with no previous loss experience.<\/p>\n<p>Scenario analysis draws inputs from internal loss data, external data, expert opinions, or key risk indicators (KRIs). Large firms typically draw expert opinions from structured workshops. However, surveys and meetings with individual experts can also be used to gather expert advice. Studies have shown that most financial institutions analyze between 50 and 100 scenarios every year.<\/p>\n<p>Expert opinion gained through scenario workshops is useful for OpRisk measurement and quantification efforts as long as it can be converted into numbers. The most commonly used technique involves gathering estimates on the loss frequencies on predefined severity brackets. These numbers are then converted to empirical distributions to model the probability of losses based on the amount of loss on an annual basis. The distribution is then used to inform decisions with regard to OpRisk reserving and capital management.<\/p>\n<p>$$ \\textbf{Figure 2 &#8211; Scenario Analysis Model for Loss Frequencies} $$<\/p>\n<p>$$ \\begin{array}{l|c|c} \\textbf{Loss brackets (USD)} &amp; { \\textbf{Number of } \\\\ \\textbf{losses} } &amp; \\textbf{Frequency} \\\\ \\hline {&gt; 5,000,000} &amp; {5} &amp; {1.7\\%} \\\\ \\hline {1,000,000\u20135,000,000} &amp; {9} &amp; {3.1\\%} \\\\ \\hline {500,000\u20131,000,000} &amp; {13} &amp; {4.5\\%} \\\\ \\hline {100,000 \u2013500,000} &amp; {17} &amp; {5.9\\%} \\\\ \\hline {50,000 \u2013100,000} &amp; {27} &amp; {9.3\\%} \\\\ \\hline {20,000 \u201350,000} &amp; {89} &amp; {30.7\\%} \\\\ \\hline {&lt; 20,000} &amp; {130} &amp; {44.8\\%} \\\\ \\hline \\text{Total} &amp; {290} &amp; {100\\%} \\end{array} $$<\/p>\n<h3>Challenges That Can Arise When Using Scenario Analysis<\/h3>\n<p><strong>Presentation Bias<\/strong>: This arises when the order in which information is provided can skew or alter assessment from the experts.<\/p>\n<p><strong>Availability bias<\/strong>: The respondent may over\/underestimate loss events due to limited risk experience. For example, a respondent who has had a 30-year career in FX trading but has never incurred an individual loss of USD 1 billion or more may be unable to accept the risk that such a loss would take place.<\/p>\n<p><strong>Anchoring bias<\/strong>: The expert may limit the range of a loss estimate based on personal experiences or knowledge of prior loss events,<\/p>\n<p><strong>Huddle bias or anxiety bias<\/strong>: When getting information from a group of experts, some individuals may tend to avoid conflicts that stem from differences of opinion. Such a decision may be informed by the fear of disrupting the smooth functioning of a group through dissent. More often than not, people are unwilling to disagree openly with those who are senior to them, experts, or powerful people in a group.<\/p>\n<p><strong>Gaming<\/strong>: Respondents may have interests that are in conflict with the goals of the workshop and may, therefore, intentionally withhold information or seek to influence outcomes.<\/p>\n<p><strong>Over\/under confidence bias<\/strong>: This bias involves over\/underestimation of risk due to the available experience and\/or literature on the risk being limited.<\/p>\n<p><strong>Inexpert opinion<\/strong>: In many firms, scenario workshops do not attract the targeted expert. Such individuals may send in a more junior representative who has less expertise\/experience.<\/p>\n<h3>The Delphi Concept<\/h3>\n<p>As we have established, scenario analysis relies heavily on opinions gathered from experts. This poses a set of challenges:<\/p>\n<ul>\n<li>There may be no precise analytical technique to model the subject matter of the process, but through an iterative process, it may be possible to <strong>narrow down<\/strong> on the <strong>most compatible<\/strong> solution.<\/li>\n<li>Individuals involved in the process may have different backgrounds in terms of experience and expertise, and their opinions may have significant divergence.<\/li>\n<li>Frequent group meetings or workshops may prove costly and time-consuming.<\/li>\n<li>More individuals who can effectively interact in a face-to-face exchange are needed.<\/li>\n<\/ul>\n<p>The Delphi technique can solve all of these issues. But what exactly does it stand for?<\/p>\n<p>The Delphi technique (also known as Delphi procedure), is a method of congregating expert opinion through a series of <strong>iterative questionnaires<\/strong> in a bid to reach a group consensus. It is beneficial in situations where there is no true or definite answer to a problem.<\/p>\n<p>The Delphi technique is built around the idea that forecasts made by a group of experts are generally more accurate than those made by individuals. The technique aims at using structured iteration to reach a consensus. A facilitator \u2013 usually one of the managers in charge of OpRisk &#8211; takes charge of the process.<\/p>\n<p>The Delphi technique involves the following steps:<\/p>\n<ol type=\"1\">\n<li>The OpRisk manager assembles a panel of experts who may have diverse exposure and experience with particular risks (this is usually done virtually).<\/li>\n<li>Forecasting tasks\/challenges are set and distributed to the experts.<\/li>\n<li>Each expert returns their initial forecasts and justifications. The OpRisk manager then compiles the responses and sends out feedback to everybody.<\/li>\n<li>Each expert receives the group\u2019s feedback and is given an opportunity to modify their answers in light of the responses from other panel members. This step may be iterated until a satisfactory level of consensus is reached.<\/li>\n<li>Final forecasts are constructed by aggregating the experts\u2019 forecasts.<\/li>\n<\/ol>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9780\" src=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_2.jpg\" alt=\"The Delphi Concept\" width=\"1590\" height=\"1765\" srcset=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_2.jpg 1024w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_2-270x300.jpg 270w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_2-768x853.jpg 768w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_2-922x1024.jpg 922w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_2-400x444.jpg 400w\" sizes=\"auto, (max-width: 1590px) 100vw, 1590px\" \/>Typical Operational Risk Profiles of Firms in Different Financial Sectors<\/h2>\n<p>Large financial institutions are usually made up of a number of business lines that have <strong>different OpRisk profiles<\/strong>. These include Corporate Finance, Trading and Sales, Retail Banking, Commercial Banking, Payment and Settlement, Agency Services, Asset Management, and Retail Brokerage.<\/p>\n<p>We will now look at the OpRisk profiles of 5 of the main business lines: Corporate Finance, Trading and Sales, Retail Banking, Asset Management, and Retail Brokerage. Figure 3 shows the frequency of OpRisk events broken down with respect to the 7 level 1 categories of OpRisk. Figure 4 shows severity percentages based on total dollar amount losses.<\/p>\n<p>$$ \\textbf{Figure 3 &#8211; OpRisk Profiles Showing Frequency (%)} $$<\/p>\n<p>$$ \\begin{array}{l|c|c|c|c|c} \\textbf{Event Type} &amp; { \\textbf{Trading } \\\\ \\textbf{&amp; Sales} } &amp; { \\textbf{Corporate } \\\\ \\textbf{Finance} } &amp; { \\textbf{Retail } \\\\ \\textbf{Banking} } &amp; { \\textbf{Asset } \\\\ \\textbf{Management} } &amp; { \\textbf{Retail} \\\\ \\textbf{Brokerage} } \\\\ \\hline \\text{Internal Fraud} &amp; {1.0} &amp; {1.6} &amp; {5.4} &amp; {1.5} &amp; {5.8}\\\\ \\hline \\text{External Fraud} &amp; {1.0} &amp; {5.4} &amp; \\textbf{40.3} &amp; {2.7} &amp; {2.3}\\\\ \\hline { \\text{Employment} \\\\ \\text{Practices} } &amp; {3.1} &amp; {10.1} &amp; {17.6} &amp; {4.3} &amp; {4.4}\\\\ \\hline { \\text{Clients, Products,} \\\\ \\text{&amp; Business Practices} } &amp; \\textbf{12.7} &amp; \\textbf{47.1} &amp; {13.1} &amp; \\textbf{13.7} &amp; \\textbf{66.9}\\\\ \\hline { \\text{Physical Asset} \\\\ \\text{Damage} } &amp; {0.4} &amp; {1.1} &amp; {1.4} &amp; {0.3} &amp; {0.1}\\\\ \\hline { \\text{Business Disruption } \\\\ \\text{and System Failures} } &amp; {5.0} &amp; {2.2} &amp; {1.6} &amp; {3.3} &amp; {0.5}\\\\ \\hline { \\text{Execution, Delivery } \\\\ \\text{&amp; Process } \\\\ \\text{Management} } &amp; \\textbf{76.7} &amp; \\textbf{32.5} &amp; \\textbf{20.6} &amp; \\textbf{74.2} &amp; \\textbf{20.0} \\end{array} $$<\/p>\n<p>$$ \\textbf{Figure 4 &#8211; OpRisk Profiles Showing Severity (%)} $$<\/p>\n<p>$$ \\begin{array}{l|c|c|c|c|c} \\textbf{Event Type} &amp; { \\textbf{Trading } \\\\ \\textbf{&amp; Sales} } &amp; { \\textbf{Corporate } \\\\ \\textbf{Finance} } &amp; { \\textbf{Retail } \\\\ \\textbf{Banking} } &amp; { \\textbf{Asset } \\\\ \\textbf{Management} } &amp; { \\textbf{Retail} \\\\ \\textbf{Brokerage} } \\\\ \\hline \\text{Internal Fraud} &amp; {11.0} &amp; {0.24} &amp; {6.3} &amp; {11.1} &amp; {18.1}\\\\ \\hline \\text{External Fraud} &amp; {0.3} &amp; {0.12} &amp; {19.4} &amp; {0.9} &amp; {1.4}\\\\ \\hline { \\text{Employment} \\\\ \\text{Practices} } &amp; {2.3} &amp; {0.59} &amp; {9.8} &amp; {2.5} &amp; {6.3}\\\\ \\hline { \\text{Clients, Products,} \\\\ \\text{&amp; Business Practices} } &amp; \\textbf{29.0} &amp; \\textbf{93.67} &amp; \\textbf{40.4} &amp; \\textbf{30.8} &amp; \\textbf{59.5}\\\\ \\hline { \\text{Physical Asset} \\\\ \\text{Damage} } &amp; {0.2} &amp; {0.004} &amp; {1.1} &amp; {0.2} &amp; {0.1}\\\\ \\hline { \\text{Business Disruption } \\\\ \\text{and System Failures} } &amp; {1.8} &amp; {0.02} &amp; {1.5} &amp; {0.1} &amp; {0.2}\\\\ \\hline { \\text{Execution, Delivery } \\\\ \\text{&amp; Process } \\\\ \\text{Management} } &amp; \\textbf{55.3} &amp; \\textbf{5.4} &amp; \\textbf{21.4} &amp; \\textbf{52.8} &amp; \\textbf{14.4} \\end{array} $$<\/p>\n<h3>Trading &amp; Sales<\/h3>\n<p>This category is dominated by EDPM in terms of both frequency and severity. The risk profile is reflective of a business model where traders perform trades on behalf of either their own firms or clients. These trades are settled by exchanging securities against some form of payment. However, products are diverse and complex and settlements deadlines and procedures vary significantly. As such, the major OpRisk is execution, and that\u2019s where most of the loss occurs.<\/p>\n<h3>Corporate Finance<\/h3>\n<p>Under corporate finance, the business basically provides consultancy services where it advises corporations on matters such as funding, capital structuring, mergers &amp; acquisitions, and investment decisions. Most of the losses are incurred in the form of \u201clitigation\u201d or disputes with clients for arguably poor advice when, for example, mergers go wrong.<\/p>\n<h3>Retail Banking<\/h3>\n<p>The OpRisk profile of retail banks bears a lot of semblance to that of the retail brokerage; External fraud constitutes the highest frequency of OpRisk events that tend to happen on a daily basis. Execution comes in a distant second. However, the most severe loss events come under litigation.<\/p>\n<h3>Asset Management<\/h3>\n<p>In the years leading up to the financial crisis of 2007\u20132009, asset management firms enjoyed steady increases in assets under management (AUM). The markets at the time were bullish and most assets registered good year-on-year profits. In that period, therefore, operational costs were largely an afterthought for many asset managers. Errors and high operating costs were obscured under the increased revenues from a larger asset base and big profits that came from high returns in the world markets.<\/p>\n<p>But after the crisis, AUM reduced by as much as 40%, in part because there were no risk controls. These losses prompted asset managers to focus on previously ignored product characteristics, including costs related to OpRisk. The recovery process for Asset Management has been extremely slow. So much so that even in 2012, most of the growth of asset management was down to market appreciation and not due to an increase in the flow of resources from clients. Many investors retiring in just a few more years lost their pensions because of (I) poor market conditions, and (II) a lack of caution and risk management from pension fund managers. Since then, OpRisk management has become a key part of asset management, with risk managers putting in place risk <strong>controls<\/strong> meant to reduce costs.<\/p>\n<p>Although asset managers are susceptible to all forms of risks, namely OpRisk, market, and credit risks, OpRisk is typically the largest risk exposure an asset manager has.<\/p>\n<p>Common OpRisk events include:<\/p>\n<ul>\n<li>Errors in processing transactions.<\/li>\n<li>system failure that can cause severe damage and impact the balance sheet of the asset manager.<\/li>\n<li>Legal Suits initiated by clients for poor performance.<\/li>\n<li>Consistently failing to comply with local regulations, or with very basic business ethics.<\/li>\n<\/ul>\n<p>Failure to comply with local regulations or basic business ethics can bring about large operational losses and serious reputational damage.<\/p>\n<p>The OpRisk profile for asset management firms reveals the largest frequency and severity percentage fall under the Execution, Delivery, and Process Management risk category.<\/p>\n<h3>Retail Brokerage<\/h3>\n<p>Generally, risk profiles tend to vary significantly between institutions because each institution adopts its own unique business strategies. This notwithstanding, the risk profile of broker-dealers is usually dominated by OpRisk. Research shows OpRisk accounts for at least 60\u201370% of the total risk capital in retail brokerage firms.<\/p>\n<p>In recent years, more and more brokerage firms have ditched brick-and-mortar establishments in favor of <strong>online business<\/strong>. This has enabled them to offer clients the convenience of trading from home or work. It has also paved way for more competitive pricing and other creative products designed to give a firm a competitive edge, e.g. free online research tools. Most of the surviving brick-and-mortar brokers are part of larger financial institutions, which tend to focus on wealthier customers that are prepared to pay higher fees in exchange for personalized services.<\/p>\n<p>The move to the online business model has coincided with the invention of sophisticated, high-speed trading technology that has changed the way broker-dealers trade for their own accounts and as agents for their customers. Under the new model, hedge funds, mutual funds, banks, insurance companies, as well as individual customers are able to use the broker-dealer\u2019s <strong>market participant identifier<\/strong> (MPID) to electronically access the exchange. This has greatly increased the <strong>operational risk<\/strong> for broker-dealers as they bear responsibility for all transactions executed with their MPID. If the broker-dealer does not make use of <strong>pre-trade risk management controls,<\/strong> commonly referred to as <strong>filters<\/strong>, then the risks are even greater.<\/p>\n<p>How sensitive is the online model to OpRisk? You might ask. With today\u2019s advanced technology, broker-dealer systems can accommodate more than <strong>1000 orders per second.<\/strong> Even a short-lived system malfunction can result in financially devastating effects. For example, let\u2019s assume a bug triggers an algorithm malfunction that erroneously places repetitive orders with an average size of 200 shares and an average price of USD 50. If that happens, just a two-minute delay in the detection of the problem could result in the entry of, say, 120,000 orders valued at USD120 million.<\/p>\n<h3>A Note on Insurance Business<\/h3>\n<p>Compared to other business lines, insurers are still in the early stages of the development of their OpRisk frameworks. This is surprising somewhat because, in recent years, insurers have suffered several large, highly publicized operational losses:<\/p>\n<ul>\n<li>A large US-based insurer suffered a $250 million loss after they were found to have practiced discriminatory pricing (offering different premium rates depending on one\u2019s race).<\/li>\n<li>A large US auto insurer lost USD 1 billion for using low-quality auto parts in vehicle repairs.<\/li>\n<li>A large US life insurer lost USD 2 billion for abusive sales practices and illegal sales of securities.<\/li>\n<\/ul>\n<p>Given these and many more high-profile loss events, it is not surprising that insurers have been more diligent with regard to OpRisk. There has been significant progress in their attempts to come up with robust OpRisk management frameworks to catch up with banks. However, the insurance business still lags far behind compared to banking on matters OpRisk management.<\/p>\n<h2>The Role of Operational Risk Governance<\/h2>\n<p>Governance and organizational design play a critical role toward the development and success of an OpRisk framework at a firm. The development of OpRisk controls, scenario analysis, key risk indicators, and other tools are important, but for all these to be implemented and work as envisioned, there has to be a support all the way from the firm\u2019s top brass. The board of directors and senior management have to take the initiative and ensure that everyone buys into the OpRisk framework and knows what\u2019s expected of them.<\/p>\n<p>Let\u2019s now look at a few organizational designs and the beliefs that firms need to have to make them work:<\/p>\n<h3>Design 1: Central Risk Function as Coordinator<\/h3>\n<p>In this organizational design, the risk manager acts as more of a facilitator or coordinator of risk management. The risk manager gathers information and reports directly to the CEO or the Board of directors. OpRisk management is carried out by a small central risk group.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9781\" src=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_3.jpg\" alt=\"Design 1: Central Risk Function as Coordinator\" width=\"1590\" height=\"650\" srcset=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_3.jpg 1024w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_3-300x123.jpg 300w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_3-768x314.jpg 768w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_3-400x164.jpg 400w\" sizes=\"auto, (max-width: 1590px) 100vw, 1590px\" \/>Regulators are generally not comfortable with this structure because they believe that there are conflicts of interest in any arrangement that requires risk managers to report to senior management or other stakeholders tasked with the maximization of shareholder wealth.<\/p>\n<p>In order for this structure to be successful, business units have to be responsive to the demands of the Central Risk Group <strong>without being influenced<\/strong> by senior management who have control over employee remuneration and other compensation packages.<\/p>\n<h3>Design 2: Matrix reporting\u2014the \u201cdotted lines\u201d<\/h3>\n<p>In this organizational design, there exists a dotted line between risk managers and the Central Risk function. However, risk managers are appointed by senior management who retain control over compensation decisions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9782\" src=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_4.jpg\" alt=\"Design 2: Matrix reporting\u2014the \u201cdotted lines\u201d\" width=\"1590\" height=\"685\" srcset=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_4.jpg 1024w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_4-300x129.jpg 300w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_4-768x331.jpg 768w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_4-400x172.jpg 400w\" sizes=\"auto, (max-width: 1590px) 100vw, 1590px\" \/>In order for this to be successful, the business units should nurture a strong risk culture and work closely with the Central Risk function. This design is preferred when there is a culture of distrust of the central risk function based on historical events.<\/p>\n<h3>Design 3: Solid Reporting Lines to Central Risk Management<\/h3>\n<p>In this structure, risk managers still maintain a physical presence in the business units but report to the Central Risk function, usually based in the headquarters. It is a considerably popular design within large firms.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9783\" src=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_5.jpg\" alt=\"Design 3: Solid Reporting Lines to Central Risk Management\" width=\"1590\" height=\"685\" srcset=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_5.jpg 1024w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_5-300x129.jpg 300w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_5-768x331.jpg 768w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_5-400x172.jpg 400w\" sizes=\"auto, (max-width: 1590px) 100vw, 1590px\" \/>The design gives the Central Risk function the ability to prioritize risk management efforts across different initiatives. This solid line reporting helps to establish a more homogenous risk culture and consistent approach across the enterprise.<\/p>\n<h3>Design 4: Strong Central Risk Management<\/h3>\n<p>This design is built around the central chief risk officer who is in charge of risk management across a firm. The central chief risk officer is tasked with monitoring and managing all of the firm\u2019s risks. They report to senior management and Board.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-9784\" src=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_6.jpg\" alt=\"Design 4: Strong Central Risk Management\" width=\"1590\" height=\"685\" srcset=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_6.jpg 1024w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_6-300x129.jpg 300w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_6-768x331.jpg 768w, https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2019\/04\/img_6-400x172.jpg 400w\" sizes=\"auto, (max-width: 1590px) 100vw, 1590px\" \/>In recent years, this has been the preferred design for most large firms, either by internal agreement or through regulatory pressure. It gives the regulator an easy time as they supervise the implementation of the established risk management requirements. Rather than working with multiple business units scattered across many business units, the regulator is able to focus on one particular group based in a single geographical area.<\/p>\n<blockquote>\n<h2>Practice Question<\/h2>\n<p>As a manager of an organization, it is important to ask yourself questions during risk control self-assessment. Which of the following is <strong>not<\/strong> a necessary concern?<\/p>\n<p>A. Risk scenario: Where are the potential weak points on each of these processes?<\/p>\n<p>B. Exposure: How big a loss could happen to my operation in the event of a failure?<\/p>\n<p>C. Delivery: How can we better handle customer delivery?<\/p>\n<p>D. Performance: How could failure change my organization\u2019s reputation of financial performance?\u00a0<\/p>\n<p>The correct answer is <strong>C<\/strong>.<\/p>\n<p>Insofar as risk goes, it\u2019s important to ask important questions that can help mitigate the risk. A question such as \u201chow can we better handle customers&#8217; delivery?\u201d is not one of them. Asking questions on different risk scenarios and exposure is necessary for combating risks that are likely to occur:<\/p>\n<p>Risk scenario: Where are the potential weak points on each of these processes?<\/p>\n<p>Exposure: How big a loss could happen to my operation in the event of a failure?<\/p>\n<p>Performance: How could a failure change my organization&#8217;s reputation and financial performance?\u00a0<\/p>\n<\/blockquote>\n\n            <div \n                class=\"elfsight-widget-pricing-table elfsight-widget\" \n                data-elfsight-pricing-table-options=\"%7B%22layout%22%3A%22grid%22%2C%22skin%22%3A%22skin5%22%2C%22mainColor%22%3A%22rgb%2851%2C%20129%2C%20234%29%22%2C%22styleColumnBorderRadius%22%3Atrue%2C%22styleColumnBorderWidth%22%3Atrue%2C%22useHorizontalScroll%22%3Afalse%2C%22headTitle%22%3A%22Plan%20name%22%2C%22headFeatures%22%3A%5B%7B%22text%22%3A%22Feature%201%22%7D%2C%7B%22text%22%3A%22Feature%202%22%7D%5D%2C%22headTextColor%22%3A%22rgb%2823%2C%2025%2C%2026%29%22%2C%22headBackgroundColor%22%3A%22rgb%28247%2C%20247%2C%20247%29%22%2C%22toggleVisible%22%3Afalse%2C%22toggleItems%22%3A%5B%5D%2C%22toggleDefaultItem%22%3A%22%22%2C%22toggleColor%22%3A%22%22%2C%22columns%22%3A%5B%7B%22title%22%3A%22Practice%20Package%22%2C%22titleCaption%22%3A%22For%20FRM%20Part%20II%22%2C%22features%22%3A%5B%7B%22text%22%3A%22%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22%22%7D%2C%7B%22text%22%3A%22%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22%22%7D%2C%7B%22text%22%3A%22Question%20Bank%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%222%2C300%20FRM%20Part%20II%20practice%20questions%20organized%20by%20chapter%22%7D%2C%7B%22text%22%3A%22Printable%20Mock%20Exams%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%222%20mock%20exams%20for%20a%20total%20of%20160%20extra%20practice%20questions%22%7D%2C%7B%22text%22%3A%22Performance%20Tracking%20Tools%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22View%20your%20performance%20in%20attractive%20charts%22%7D%2C%7B%22text%22%3A%225%26nbsp%3BAsk-a-tutor%20Questions%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22Ask%20five%20questions%20to%20our%20tutors%20via%20live%20chat%22%7D%5D%2C%22price%22%3A%22249%22%2C%22priceCurrency%22%3A%22USD%22%2C%22button%22%3A%22Buy%20Now%22%2C%22buttonLink%22%3A%22https%3A%5C%2F%5C%2Fanalystprep.com%5C%2Fshop%5C%2Fpractice-package-for-frm-part-ii%5C%2F%22%2C%22buttonCaption%22%3A%22%22%2C%22mainColor%22%3A%22rgb%2851%2C%20129%2C%20234%29%22%2C%22priceOptions%22%3A%5B%5D%2C%22buttonOptions%22%3A%5B%5D%2C%22isFeatured%22%3Afalse%2C%22contentDivider%22%3Anull%2C%22pricePrefix%22%3A%22%22%2C%22pricePostfix%22%3A%22%22%2C%22priceCaption%22%3A%22for%20a%2012-month%20access%22%2C%22picture%22%3A%22https%3A%5C%2F%5C%2Felfsight.com%5C%2Fassets%5C%2Fpricing-table%5C%2Fexample-grid-1.jpg%22%2C%22buttonTargetBlank%22%3Afalse%2C%22ribbonText%22%3A%22%22%2C%22ribbonBackgroundColor%22%3A%22%22%2C%22ribbonTextColor%22%3A%22%22%7D%2C%7B%22title%22%3A%22Learn%20%2B%20Practice%20Package%22%2C%22titleCaption%22%3A%22For%20FRM%20Part%20II%22%2C%22features%22%3A%5B%7B%22text%22%3A%22%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22%22%7D%2C%7B%22text%22%3A%22%3Cb%3EStudy%20Notes%3C%5C%2Fb%3E%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22Over%201%2C000%20pages%20worth%20of%20study%20notes%20covering%20each%20chapter%22%7D%2C%7B%22text%22%3A%22%3Cb%3EQuestion%20Bank%3C%5C%2Fb%3E%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%222%2C300%20FRM%20Part%20II%20practice%20questions%20organized%20by%20chapter%22%7D%2C%7B%22text%22%3A%22%3Cb%3EPrintable%20Mock%20Exams%3C%5C%2Fb%3E%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%222%20mock%20exams%20for%20a%20total%20of%20160%20extra%20practice%20questions%22%7D%2C%7B%22text%22%3A%22%3Cb%3EPerformance%20Tracking%20Tools%3C%5C%2Fb%3E%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22View%20your%20performance%20in%20attractive%20charts%22%7D%2C%7B%22text%22%3A%22%3Cb%3E5%26nbsp%3BAsk-a-tutor%20Questions%3C%5C%2Fb%3E%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22Ask%20five%20questions%20to%20our%20tutors%20via%20live%20chat%22%7D%5D%2C%22price%22%3A%22399%22%2C%22priceCurrency%22%3A%22USD%22%2C%22button%22%3A%22Buy%20Now%22%2C%22buttonLink%22%3A%22https%3A%5C%2F%5C%2Fanalystprep.com%5C%2Fshop%5C%2Fpractice-package-for-frm-part-ii-2%5C%2F%22%2C%22buttonCaption%22%3A%22%22%2C%22mainColor%22%3A%22rgb%2851%2C%20129%2C%20234%29%22%2C%22priceOptions%22%3A%5B%5D%2C%22buttonOptions%22%3A%5B%5D%2C%22isFeatured%22%3Atrue%2C%22contentDivider%22%3Anull%2C%22pricePrefix%22%3A%22%22%2C%22pricePostfix%22%3A%22%22%2C%22priceCaption%22%3A%22for%20a%2012-month%20access%22%2C%22buttonTargetBlank%22%3Afalse%2C%22picture%22%3A%22https%3A%5C%2F%5C%2Felfsight.com%5C%2Fassets%5C%2Fpricing-table%5C%2Fexample-grid-2.jpg%22%2C%22ribbonText%22%3A%22Most%20Popular%22%2C%22ribbonBackgroundColor%22%3A%22%22%2C%22ribbonTextColor%22%3A%22%22%7D%2C%7B%22title%22%3A%22Unlimited%20Package%22%2C%22titleCaption%22%3A%22For%20FRM%20Part%20I%20%26%20Part%20II%22%2C%22features%22%3A%5B%7B%22text%22%3A%22FRM%20Part%20I%20%26amp%3B%20Part%20II%20Video%20Lessons%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%2296%20hours%5Cu2019%20worth%20of%20video%20lessons%20by%20Prof.%20James%20Forjan%2C%20Ph.D.%22%7D%2C%7B%22text%22%3A%22FRM%20Part%20I%20%26amp%3B%20II%26nbsp%3BStudy%20Notes%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22Over%202%2C000%20pages%20worth%20of%20study%20notes%20covering%20each%20chapter%22%7D%2C%7B%22text%22%3A%22FRM%20Part%20I%20%26amp%3B%20II%26nbsp%3BQuestion%20Banks%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%224%2C100%20practice%20questions%20organized%20by%20chapter%22%7D%2C%7B%22text%22%3A%22FRM%20Part%20I%20%26amp%3B%20II%26nbsp%3BPrintable%20Mock%20Exams%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%224%20mock%20exams%20for%20a%20total%20of%20360%20extra%20practice%20questions%22%7D%2C%7B%22text%22%3A%22Performance%20Tracking%20Tools%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22View%20your%20performance%20in%20attractive%20charts%22%7D%2C%7B%22text%22%3A%22Unlimited%26nbsp%3BAsk-a-tutor%20Questions%22%2C%22icon%22%3A%22none%22%2C%22hint%22%3A%22Ask%20questions%20to%20our%20tutors%20via%20live%20chat%22%7D%5D%2C%22price%22%3A%22699%22%2C%22priceCurrency%22%3A%22USD%22%2C%22button%22%3A%22Buy%20Now%22%2C%22buttonLink%22%3A%22https%3A%5C%2F%5C%2Fanalystprep.com%5C%2Fshop%5C%2Funlimited-package-for-frm-part-i-part-ii%5C%2F%22%2C%22buttonCaption%22%3A%22%22%2C%22mainColor%22%3A%22rgb%2851%2C%20129%2C%20234%29%22%2C%22priceOptions%22%3A%5B%5D%2C%22buttonOptions%22%3A%5B%5D%2C%22isFeatured%22%3Afalse%2C%22contentDivider%22%3Anull%2C%22pricePrefix%22%3A%22%22%2C%22pricePostfix%22%3A%22%22%2C%22priceCaption%22%3A%22for%20lifetime%20access%22%2C%22buttonTargetBlank%22%3Afalse%2C%22picture%22%3A%22https%3A%5C%2F%5C%2Felfsight.com%5C%2Fassets%5C%2Fpricing-table%5C%2Fexample-grid-3.jpg%22%2C%22ribbonText%22%3A%22%22%2C%22ribbonBackgroundColor%22%3A%22%22%2C%22ribbonTextColor%22%3A%22%22%7D%5D%2C%22elements%22%3A%5B%7B%22complexGroup%22%3A%22picture%22%2C%22name%22%3A%22Picture%22%2C%22pictureEnable%22%3Atrue%7D%2C%7B%22complexGroup%22%3A%22title%22%2C%22name%22%3A%22Title%22%2C%22titleEnable%22%3Atrue%2C%22titleCaptionColor%22%3A%22%22%2C%22titleTextColor%22%3A%22%22%2C%22titleFontSize%22%3A24%2C%22titleFontWeight%22%3A400%7D%2C%7B%22complexGroup%22%3A%22features%22%2C%22name%22%3A%22Features%22%2C%22featuresEnable%22%3Atrue%2C%22featuresStyle%22%3A%22striped%22%2C%22featuresIconColor%22%3A%22%22%2C%22featuresTextColor%22%3A%22%22%2C%22featuresAlign%22%3A%22center%22%2C%22featuresFontSize%22%3A13%7D%2C%7B%22complexGroup%22%3A%22price%22%2C%22name%22%3A%22Price%22%2C%22priceEnable%22%3Atrue%2C%22priceCaptionColor%22%3A%22%22%2C%22priceTextColor%22%3A%22%22%2C%22priceFontSize%22%3A32%2C%22priceFontWeight%22%3A600%7D%2C%7B%22complexGroup%22%3A%22button%22%2C%22name%22%3A%22Button%22%2C%22buttonEnable%22%3Atrue%2C%22buttonType%22%3A%22outline%22%2C%22buttonColor%22%3A%22%22%2C%22buttonTextColor%22%3A%22%22%2C%22buttonSize%22%3A%22medium%22%2C%22buttonCaptionColor%22%3A%22%22%7D%5D%2C%22widgetId%22%3A%222%22%7D\" \n                data-elfsight-pricing-table-version=\"2.6.1\"\n                data-elfsight-widget-id=\"elfsight-pricing-table-2\">\n            <\/div>\n            \n","protected":false},"excerpt":{"rendered":"<p>After completing this reading, you should be able to: Describe the seven Basel II event risk categories and identify examples of operational risk events in each category. Summarize the process of collecting and reporting internal operational loss data, including the&#8230;<\/p>\n","protected":false},"author":3,"featured_media":1543,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[12,9],"tags":[],"class_list":["post-580","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-operational-and-integrated-risk-management","category-part-2","blog-post","animate"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>OpRisk Data and Governance | AnalystPrep - FRM Part 2 Study Notes<\/title>\n<meta name=\"description\" content=\"The applications of a Risk Control Self Assessment (RCSA) and Key Risk Indicators (KRIs) in the identification, controlling, and assessment of operational exposures will also be explained.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OpRisk Data and Governance | AnalystPrep - FRM Part 2 Study Notes\" \/>\n<meta property=\"og:description\" content=\"The applications of a Risk Control Self Assessment (RCSA) and Key Risk Indicators (KRIs) in the identification, controlling, and assessment of operational exposures will also be explained.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/\" \/>\n<meta property=\"og:site_name\" content=\"CFA, FRM, and Actuarial Exams Study Notes\" \/>\n<meta property=\"article:published_time\" content=\"2019-04-30T03:24:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-18T16:22:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash-1024x683.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"683\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Nicolas Joyce\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nicolas Joyce\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"32 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/\"},\"author\":{\"name\":\"Nicolas Joyce\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f\"},\"headline\":\"OpRisk Data and Governance\",\"datePublished\":\"2019-04-30T03:24:00+00:00\",\"dateModified\":\"2025-12-18T16:22:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/\"},\"wordCount\":7231,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg\",\"articleSection\":[\"Operational and Integrated Risk Management\",\"Part 2\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/\",\"url\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/\",\"name\":\"OpRisk Data and Governance | AnalystPrep - FRM Part 2 Study Notes\",\"isPartOf\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg\",\"datePublished\":\"2019-04-30T03:24:00+00:00\",\"dateModified\":\"2025-12-18T16:22:10+00:00\",\"author\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f\"},\"description\":\"The applications of a Risk Control Self Assessment (RCSA) and Key Risk Indicators (KRIs) in the identification, controlling, and assessment of operational exposures will also be explained.\",\"breadcrumb\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage\",\"url\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg\",\"contentUrl\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg\",\"width\":5837,\"height\":3896},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/analystprep.com\/study-notes\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OpRisk Data and Governance\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#website\",\"url\":\"https:\/\/analystprep.com\/study-notes\/\",\"name\":\"CFA, FRM, and Actuarial Exams Study Notes\",\"description\":\"Question Bank and Study Notes for the CFA, FRM, and Actuarial exams\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/analystprep.com\/study-notes\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f\",\"name\":\"Nicolas Joyce\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/684508c19e959bb01da12a9dc741428f559e4e5df43fc41ed68efa7f2d3b2b9d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/684508c19e959bb01da12a9dc741428f559e4e5df43fc41ed68efa7f2d3b2b9d?s=96&d=mm&r=g\",\"caption\":\"Nicolas Joyce\"},\"url\":\"https:\/\/analystprep.com\/study-notes\/author\/kajal\/\"}]}<\/script>\n<meta property=\"og:video\" content=\"https:\/\/www.youtube.com\/embed\/fB_E2Rsd9Zk\" \/>\n<meta property=\"og:video:type\" content=\"text\/html\" \/>\n<meta property=\"og:video:duration\" content=\"2770\" \/>\n<meta property=\"og:video:width\" content=\"480\" \/>\n<meta property=\"og:video:height\" content=\"270\" \/>\n<meta property=\"ya:ovs:adult\" content=\"false\" \/>\n<meta property=\"ya:ovs:upload_date\" content=\"2019-04-30T03:24:00+00:00\" \/>\n<meta property=\"ya:ovs:allow_embed\" content=\"true\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OpRisk Data and Governance | AnalystPrep - FRM Part 2 Study Notes","description":"The applications of a Risk Control Self Assessment (RCSA) and Key Risk Indicators (KRIs) in the identification, controlling, and assessment of operational exposures will also be explained.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/","og_locale":"en_US","og_type":"article","og_title":"OpRisk Data and Governance | AnalystPrep - FRM Part 2 Study Notes","og_description":"The applications of a Risk Control Self Assessment (RCSA) and Key Risk Indicators (KRIs) in the identification, controlling, and assessment of operational exposures will also be explained.","og_url":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/","og_site_name":"CFA, FRM, and Actuarial Exams Study Notes","article_published_time":"2019-04-30T03:24:00+00:00","article_modified_time":"2025-12-18T16:22:10+00:00","og_image":[{"width":1024,"height":683,"url":"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash-1024x683.jpg","type":"image\/jpeg"}],"author":"Nicolas Joyce","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Nicolas Joyce","Est. reading time":"32 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#article","isPartOf":{"@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/"},"author":{"name":"Nicolas Joyce","@id":"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f"},"headline":"OpRisk Data and Governance","datePublished":"2019-04-30T03:24:00+00:00","dateModified":"2025-12-18T16:22:10+00:00","mainEntityOfPage":{"@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/"},"wordCount":7231,"commentCount":0,"image":{"@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage"},"thumbnailUrl":"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg","articleSection":["Operational and Integrated Risk Management","Part 2"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/","url":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/","name":"OpRisk Data and Governance | AnalystPrep - FRM Part 2 Study Notes","isPartOf":{"@id":"https:\/\/analystprep.com\/study-notes\/#website"},"primaryImageOfPage":{"@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage"},"image":{"@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage"},"thumbnailUrl":"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg","datePublished":"2019-04-30T03:24:00+00:00","dateModified":"2025-12-18T16:22:10+00:00","author":{"@id":"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f"},"description":"The applications of a Risk Control Self Assessment (RCSA) and Key Risk Indicators (KRIs) in the identification, controlling, and assessment of operational exposures will also be explained.","breadcrumb":{"@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#primaryimage","url":"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg","contentUrl":"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/rawpixel-252130-unsplash.jpg","width":5837,"height":3896},{"@type":"BreadcrumbList","@id":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/oprisk-data-and-governance\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/analystprep.com\/study-notes\/"},{"@type":"ListItem","position":2,"name":"OpRisk Data and Governance"}]},{"@type":"WebSite","@id":"https:\/\/analystprep.com\/study-notes\/#website","url":"https:\/\/analystprep.com\/study-notes\/","name":"CFA, FRM, and Actuarial Exams Study Notes","description":"Question Bank and Study Notes for the CFA, FRM, and Actuarial exams","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/analystprep.com\/study-notes\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f","name":"Nicolas Joyce","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/684508c19e959bb01da12a9dc741428f559e4e5df43fc41ed68efa7f2d3b2b9d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/684508c19e959bb01da12a9dc741428f559e4e5df43fc41ed68efa7f2d3b2b9d?s=96&d=mm&r=g","caption":"Nicolas Joyce"},"url":"https:\/\/analystprep.com\/study-notes\/author\/kajal\/"}]},"og_video":"https:\/\/www.youtube.com\/embed\/fB_E2Rsd9Zk","og_video_type":"text\/html","og_video_duration":"2770","og_video_width":"480","og_video_height":"270","ya_ovs_adult":"false","ya_ovs_upload_date":"2019-04-30T03:24:00+00:00","ya_ovs_allow_embed":"true"},"_links":{"self":[{"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/posts\/580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/comments?post=580"}],"version-history":[{"count":51,"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/posts\/580\/revisions"}],"predecessor-version":[{"id":41481,"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/posts\/580\/revisions\/41481"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/media\/1543"}],"wp:attachment":[{"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/media?parent=580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/categories?post=580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/analystprep.com\/study-notes\/wp-json\/wp\/v2\/tags?post=580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}