Operational Risk Management

Lecture 5


Session 4 Summary

• What are the Elements of an Operational Risk Framework?
• Why collect Loss Events?
• How do we create a Loss Data Collection (LDC) program?
• What are Operational Risk Metrics?
• What are Key Risk Indicators (KRIs)?


Session 5 Overview

• Tools to help in managing Operational Risk
• Identify emerging operational risks
• Identify and prioritize the firm’s top ORs
• Assess current controls for managing top ORs
• Set action plans for additional controls for managing top ORs


Managing Operational Risk – This Session

Context | Risk Management Tools | Roles | Culture and Governance

• Operational Risk Frameworks to identify, assess and monitor: RCSA, LDC, KRI, etc.
• Operational Risk Capital: Economic Capital, Stress
• Three lines of defense:
  First: Business Units
  Second: Corporate Risk Management
  Third: Internal Audit
• Risk Mitigation Functions: Business Continuity Mgmt., Vendor Risk Mgmt., Model Risk Mgmt., etc.
• Policies and Procedures
• Regulations and Supervisory bodies


Operational Risk Framework Elements


RCSAs (1 of 2)

• Risk and control self-assessments (RCSA) identify and assess current and potential risks, and the associated controls, within the business unit
• RCSAs are a cornerstone of the COSO* approach
• COSO is a joint initiative of five accounting and finance professional organizations that provides guidance and thought leadership on ERM
• COSO RCSAs begin with a comprehensive survey of the business unit to identify, define, and assess the full spectrum of risks that could prevent the unit from meeting its goals
• After identifying the risks, determine the responses or controls that mitigate the risks threatening the unit’s objectives
• Responses or controls should include action plans with a completion date and a responsible person

*COSO = Committee of Sponsoring Organizations of the Treadway Commission

RCSAs (2 of 2)

• Unlike risk event data collection (a backward-looking view), RCSA results are forward-looking
• Provides insight into risks that exist but have not yet materialized
• Provides a repeatable process for business units to identify and assess their OR
• Can be used to identify and report the business unit’s ORs to the risk committees and the board
• Demonstrates to regulators the business unit’s discipline in managing risk
• Used by Internal Audit to plan upcoming audits


Emerging Risks

• Emerging risks are newly identified or newly occurring risks in the internal or external environment
  • They could have a significant impact on the risk profile or long-term value of the firm
• Emerging risks could involve litigation, regulation, social developments, market changes and new technologies
• Some characteristics of emerging risk:
  • There is little (if any) loss experience
  • Financial losses are difficult to assess
  • Frequency/severity unknown


Creating an RCSA Program

Various methodologies must be considered and decisions made:

• Standards:
  • Taxonomy – a common language across the firm
  • Risk, control and process libraries – who maintains them and who administers the controls around them?
  • Risk rating scales
• Process:
  • Top down or bottom up?
  • Workshops / questionnaires / interviews?
• Frequency, roles and responsibilities


Standards: Taxonomy

• A Risk Taxonomy provides a common language for an organization
• No industry standard; however, one can be built from the 7 Basel event-type categories (internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; execution, delivery and process management)
• (A) Identification, measurement, control and monitoring all require a risk taxonomy
• (B) A risk taxonomy ensures completeness and consistency
• (C) Streamlining risk appetite frameworks, policies, procedures, risk assessments, KRIs, inherent and residual risk – all require a common categorization standard, i.e. the Risk Taxonomy


Standards: Risk Library


Standards: Risk Rating Scales


Standards: Sample RCSA Structure

• Inherent risk – the level of risk in the absence of controls (or other measures), i.e. the exposure to a loss in one or more Basel event-type categories
• Residual risk – the level of risk that remains with the controls (or measures) in place

Insert slide for Sample control strength ratings


Process: Top Down or Bottom Up?

• Top-down approach: this RCSA process focuses only on the top risks of the business unit (up to ten?)
  Ø Number of people involved: 10-15, the business leader and direct reports
  Ø Relatively fewer resources
  Ø Produces the top risks to be reported up to management and committees
  Ø Does not provide a comprehensive view of the process and

• Bottom-up approach: the alternative RCSA process identifies all risks: small, medium, large (at least 200?)
  Ø Leader and direct reports along with their respective teams
  Ø Exhaustive list of processes and risks identified
  Ø Resource intensive
  Ø Produces a comprehensive view of the process and operational vulnerabilities
  Ø Difficult to aggregate the information and report it to senior management


Process: Options

Options for conducting an RCSA:

1. Facilitate sessions with the right audience(s)
2. Interview key personnel
3. Use questionnaires/surveys
   • Difficult to collate/aggregate if questions are open-ended
   • Narrow and incomplete if the survey is limited
   • Can miss risks or controls that are not included
4. Hybrid approach – a combination of these


One potential RCSA Approach


RCSA Workshop Best practices

• Challenge participants with the following as evidence:
  • External data: narrow the potential events to those relevant to the business unit and ask whether they could happen here
  • Internal data: could these happen again and, if so, how large could they get?
  • Other assessments: SOX, Audit, Compliance, Privacy etc. Create potential risks assuming these controls fail
• During the workshop, agree on and prioritize the top risks
• Discuss current controls during or after the workshop
• Assign a business leader to develop the further controls needed and the action plans for each of the prioritized risks
• Have a common template that is used by all business units to document the top risks

** Impact is the size of the loss and frequency is how often the loss occurs


Risk controls (1 of 3)

• A control is the element within the process that mitigates or eliminates the likelihood or the impact of a risk event
• Types of controls:
  • Directive – goal is to mitigate risk through direction (e.g., policies and procedures)
  • Preventative – goal is to prevent the risk event from happening (e.g., prior approval, segregation of duties, passwords)
  • Corrective – goal is to minimize the damage once the event occurs (e.g., sprinklers)
  • Detective – finds errors after the risk event has occurred (e.g., reconciliations, physical inventories)


Risk controls (2 of 3)

• If preventative controls are failing, it is a leading indicator of problems
• Action plan:
  • If preventative controls fail – strengthen the controls
    • e.g., if a password was compromised, tighten the password rules (a stolen password is not fixed by complexity rules alone, so consider adding a second factor)
  • The corrective control has to mitigate the risk to an acceptable level
    • e.g., the sprinkler should keep the building from burning down
  • For each detective control there must be a corrective control
    • e.g., combine the fire alarm with a sprinkler


Risk controls (3 of 3)

• Assess the controls for each of the top risks
• What additional controls can be implemented?
  • Practicality
  • Cost vs. benefit
  • Preventative controls should be used when possible
  • Additional controls to be put in place must include action plans, a deadline, and an owner
  • For risks shared with the board, the board should be notified if action plans are substantially changed or deadlines are not met
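The following Python sketch is an added illustration, not part of the lecture or of any firm's framework, that ties the last three slides together: an RCSA entry carries an inherent score (impact x frequency), a set of typed controls that reduce it to a residual score, and an action plan with owner and deadline; a lint pass then applies the control rules above (a detective control needs a corrective partner, prefer a preventative control, non-Low residual risk needs a plan, a plan needs an owner and a deadline). The 5x5 impact/frequency scale, the rating bands on the 1..25 score, the assumption that control strengths combine as independent layers, and the three-risk register are all assumptions made for the example.

```python
"""Toy RCSA register: inherent/residual scoring plus checks on the control mix.

Added illustration, not the lecture's own material. Assumed: a 5x5 impact x
frequency scale, rating bands on the 1..25 score, controls combining as
independent layers, and a constructed three-risk register.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class ControlType(Enum):
    DIRECTIVE = "directive"    # steer behaviour: policies and procedures
    PREVENTIVE = "preventive"  # stop the event: approvals, segregation of duties
    DETECTIVE = "detective"    # find the event afterwards: reconciliations
    CORRECTIVE = "corrective"  # limit the damage once it has happened: sprinklers


@dataclass
class Control:
    name: str
    ctype: ControlType
    strength: float  # assumed control-strength rating: share of exposure removed, 0.0..1.0


@dataclass
class ActionPlan:
    description: str
    owner: Optional[str] = None
    deadline: Optional[str] = None  # ISO date


@dataclass
class Risk:
    name: str
    basel_category: str  # one of the seven Basel II event-type categories
    impact: int          # 1 (minor) .. 5 (severe): size of the loss
    frequency: int       # 1 (rare)  .. 5 (frequent): how often the loss occurs
    controls: List[Control] = field(default_factory=list)
    action_plan: Optional[ActionPlan] = None

    def inherent(self) -> int:
        """Inherent risk: exposure with no controls in place (impact x frequency)."""
        return self.impact * self.frequency

    def control_effectiveness(self) -> float:
        """Combined strength of the controls, assumed to act as independent layers."""
        uncovered = 1.0
        for c in self.controls:
            uncovered *= 1.0 - c.strength
        return 1.0 - uncovered

    def residual(self) -> float:
        """Residual risk: the part of the inherent exposure the controls leave uncovered."""
        return round(self.inherent() * (1.0 - self.control_effectiveness()), 2)


def rating(score: float) -> str:
    """Assumed rating bands on the 1..25 score."""
    if score >= 13:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def lint_controls(risk: Risk) -> List[str]:
    """Apply the lecture's control rules to one risk; returns the findings."""
    types = {c.ctype for c in risk.controls}
    findings = []
    if ControlType.DETECTIVE in types and ControlType.CORRECTIVE not in types:
        findings.append("detective control without a corrective control")
    if ControlType.PREVENTIVE not in types:
        findings.append("no preventive control")
    if risk.action_plan is None:
        if rating(risk.residual()) != "Low":
            findings.append("residual risk above Low but no action plan")
    elif not (risk.action_plan.owner and risk.action_plan.deadline):
        findings.append("action plan lacks an owner or a deadline")
    return findings


def top_risks(register: List[Risk], n: int = 10) -> List[Risk]:
    """Top-down view: the n largest residual exposures, for reporting upwards."""
    return sorted(register, key=lambda r: r.residual(), reverse=True)[:n]


def worst_by_category(register: List[Risk]) -> dict:
    """Bottom-up roll-up: worst residual score per Basel category."""
    out: dict = {}
    for r in register:
        out[r.basel_category] = max(out.get(r.basel_category, 0.0), r.residual())
    return out


def sample_register() -> List[Risk]:
    """Constructed register (not real data) that exercises each check above."""
    P, D, C = ControlType.PREVENTIVE, ControlType.DETECTIVE, ControlType.CORRECTIVE
    return [
        Risk("Unauthorized wire transfer", "External fraud", impact=5, frequency=2,
             controls=[Control("dual approval", P, 0.6),
                       Control("daily reconciliation", D, 0.5),
                       Control("payment recall procedure", C, 0.3)]),
        Risk("Data centre power failure", "Business disruption and system failures",
             impact=5, frequency=3,
             controls=[Control("UPS alarm", D, 0.2)]),  # detective only, no plan
        Risk("Mis-keyed payment file", "Execution, delivery and process management",
             impact=2, frequency=4,
             controls=[Control("four-eyes check", P, 0.5),
                       Control("exception report", D, 0.4),
                       Control("reversal process", C, 0.5)],
             action_plan=ActionPlan("automate file validation", owner="Ops lead")),
    ]


if __name__ == "__main__":
    for r in top_risks(sample_register()):
        print(f"{r.name}: inherent {r.inherent()} ({rating(r.inherent())}), "
              f"residual {r.residual()} ({rating(r.residual())}), {lint_controls(r)}")
```

Running it shows the point of the inherent/residual split: the power-failure risk is High before controls and only Medium after a single weak detective control, and the lint pass flags exactly why (no corrective or preventative control, no action plan), while the wire-transfer risk with a preventative/detective/corrective stack drops to Low. `top_risks` is the top-down report for the committee; `worst_by_category` is the bottom-up roll-up that makes a 200-item register reportable.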


Post Workshop best practices

• The executive business leader presents the results to the Risk committee or the board of directors (disclose everything!)
• Functions also undergo the RCSA process periodically
• Periodic refresh of RCSAs
• The second line function oversees and runs the RCSA process to ensure consistency and efficiency



