
Operational Risk Management

Financial Risk and Regulation Series

Chapter 2 | Operational Risk: Identification and Assessment


Chapter 2 Outline – Operational Risk: Identification and Assessment

‣ Identifying Operational Risks
• Inherent, residual, and secondary risks
• The Identification Process
‣ Risk Registers
‣ Operational Risk Assessments
• Operational Risk Losses
‣ Risk and Control Self-Assessments (RCSA)
• Control Assessments
• Risk and control assessments
• RCSA questionnaire approach
• RCSA workshop approach
• Hybrid RCSA methods
• RCSA scoring methods
• RCSA Best practice

2 © 2020 Global Association of Risk Professionals. All rights reserved.


Chapter Focus

‣ Identifying the operational risk profile and the use of a structured approach

‣ The design and use of risk registers

‣ Assessing risks against controls

‣ The approaches to implementing Risk and Control Self Assessments

‣ RCSA best practice



Identifying Operational Risks

‣ Operational risk management starts with identifying the opportunities for failure

Identification → Assessment → Measurement → Mitigation and control → Monitoring and reporting

‣ The challenges of identifying operational risk are that it:
• is prevalent throughout the whole of a bank’s business
• crosses many different business disciplines and technical areas
• is made up of many diverse categories of risk, each with its own characteristics



Operational Risk Events
‣ Operational risk events are characterized by their frequency of occurrence and their impact on the business
‣ Frequency of occurrence
• High frequency or frequently occurring
• Low frequency or rarely occurring
‣ Impact on the business
• High impact, affecting the organization significantly
• Low impact, with only a minor effect on the organization

                  Low impact          High impact
High frequency    Credit card fraud   Frequent, large scale robberies
Low frequency     Jammed printers     Terrorism



Inherent, Residual and Secondary Risks
‣ Inherent risks are risks that exist in a business in the absence of any action to control or mitigate the circumstances.

‣ Residual risks are risks that remain once a control has been implemented.

‣ Secondary risks are a direct result of implementing a control to mitigate the risk.

‣ A bank should identify the true underlying risks within a business, the inherent risks.

‣ Often it is the residual risk, or the secondary risk, that is identified instead.

‣ Unless the inherent risk is identified, a bank cannot understand the effectiveness of its controls.



The Identification Process

‣ There are two main approaches to building an enterprise-wide operational risk profile:
• Top-down: first establish a general enterprise-level risk assessment and then refine it by assessing the key processes identified during the first stage
• Bottom-up: assess all processes within each business unit and combine the information produced to generate an enterprise-wide risk profile

‣ Whichever approach or framework is adopted, it must be consistent and appropriate to:
• the risk profile of the bank, and
• the size, sophistication, nature and complexity of the bank’s activities.



The Identification Process - Techniques
‣ There are many different techniques used by banks to identify the risks within their businesses.
• Process mapping and building flow charts
• Existing business experience
• Analysis of existing records and data (e.g. loss data)
• Brainstorming
• Scenario analysis
• Systems engineering techniques
• Risk and control self assessments

‣ The techniques used will depend on:
• The nature of the activities under review
• Types of risk
• The organizational context
• The objectives of the risk management function
The Identification Process – Multiple Events

‣ A bank should understand multiple events occurring simultaneously because:
• the actual impact of an event on the business is not properly assessed unless all of its characteristics are considered.

‣ Major events tend to be due to multiple control failures:
• Cascading failure is where a failure in one part of the infrastructure causes a failure in another
• Escalating failure is where the failure of a second part of the infrastructure exacerbates that of the first



The Risk Register

‣ A risk register or risk log is a repository of all risks identified within the bank
‣ It is used throughout the risk management process
‣ It is a dynamic tool, updated on an ongoing basis



Risk Register – Typical Content

‣ Risk ID
‣ Risk name
‣ Risk description
‣ Risk type
‣ Risk owner
‣ Business unit/units generating the risk
‣ Likelihood of risk event occurring
‣ Impact if risk event occurs
‣ Risk score (for example likelihood × impact)
‣ Control/mitigation technique description
‣ Status: for example, the risk is current, an event has occurred and is being investigated, or the risk is no longer relevant



Risk Assessment (1)
‣ The analysis of the risks a bank faces in achieving the following objectives:
• Financial performance
• Information provision
• Regulatory compliance.
‣ Forms the basis for determining how risks should be managed and should operate at all
levels within the bank
‣ Key success factor: consistent, comprehensive assessment of risk across the
whole business
‣ To assess operational risk banks use:
• Risk and control self assessments
• Key risk indicators
• Historical loss data
• Stress tests/scenario analysis



Risk Assessment (2)

‣ Assessment involves rating the risk and the control using some system of scoring, which should identify:
• Likelihood: frequency of occurrence if there were no controls
• Impact: potential financial losses, regulatory sanctions, impact on shareholder value, and impact on the bank’s reputation
• Risk Score: the product of likelihood and impact
• Current Exposure Level: the quality of the current controls and mitigation



Operational Risk Loss
‣ An operational risk event can have different impacts:
• Financial loss
• Non-financial loss: reputation, regulatory
‣ Direct losses result from the risk event itself.
• Bank A suffers a GBP 50,000 loss due to fraud. The GBP 50,000 is a direct loss.
‣ Indirect losses result as a consequence of the event’s occurrence.
• A system crashes at a key time and has a detrimental effect on a group of Bank A’s customers. A number of these customers decide to close their accounts and transfer their business to other banks. The reduction of income to Bank A due to the customers taking their business elsewhere is an indirect loss.
‣ Indirect losses are far more difficult to quantify than direct losses.



Operational Risk Loss – Types of Loss
‣ Loss of:
• Revenue
• Capital
• Reputation
• Market share
• Customer confidence
• Employee confidence
• Shareholder confidence
• Management control
‣ Breach of compliance with:
• Regulations
• Legal requirements
‣ Near Misses and Gain Events
• Events can result in no loss (near miss) or make a profit (gain event).



Risk and Control Self Assessments (1)

‣ In the operational risk framework, the RCSA provides:
• Consistency and transparency in reporting, mitigating and escalating these risks

‣ Risk and control assessments
• Can quickly add value by providing a way for a department to articulate its risks

‣ Basel II
• “… a bank’s firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile. These factors will make a bank’s risk assessments more forward-looking, more directly reflect the quality of the bank’s control and operating environments, help align capital assessments with risk management objectives, and recognize both improvements and deterioration in operational risk profiles in a more immediate fashion.”



Risk and Control Self Assessments (2)

‣ Control assessments
• Test a control’s effectiveness against set criteria
• Issue a pass/fail or level-of-effectiveness score
• Done to the department by a third party: Audit, Compliance or the Sarbanes-Oxley team

‣ Risk and control assessments
• Similar to control assessments
• With the addition of a risk assessment



Risk and Control Self Assessments (3)
‣ Risk and control self assessments (RCSAs)
• Distinguished from a control assessment and from a risk and control assessment by their subjective nature
• Conducted by the department and reflecting the view of the department itself
• Advantages
  • Embeds the culture of operational risk management
  • The department can prioritize mitigating actions and escalate risks that require higher authority
• Disadvantages
  • A subjective view can be considered less accurate than an objective view

‣ Should be included in the audit cycle

‣ There are several RCSA methods
• The questionnaire approach
• The workshop approach
• The hybrid approach



RCSA Questionnaire Approach (1)
‣ Uses a template to present standard risk and control questions to participants
• The content is designed by the operational risk team
• Each risk category or business process is analyzed
• For each risk, expected controls are identified

‣ The questionnaire is distributed to each department
• Provides self assessed scores for each expected control
• Risk levels
  • High, medium or low
• Risk probabilities
  • High, medium or low



RCSA Questionnaire Approach (2)
‣ Advantages
• Standardized risks and controls:
  • Make it easier to consolidate reporting and identify cross-firm themes and trends
  • Ensure that a consistent approach is being taken across the firm
  • Ensure consistent identification of operational risk
• Technology can distribute and collect questionnaires and analyze the data
• Efficient and highly effective

‣ Disadvantages
• If a firm does not have standard branches or repeated processes, then a standard RCSA might be more frustrating than useful
• The outcome of this subjective process is dependent on the individual managing the process
• The design might be missing a key risk or control, and participants might not have an opportunity, or may be reluctant, to raise new items
• The “check all” mentality, where participants simply check the boxes that are likely to result in the least follow-up work, or that express an average score or the middle ground
• Supporting training and facilitation needs can be sizable



RCSA Workshop Approach
‣ Requires facilitation from the operational risk department
• Each risk is discussed and related controls are scored for effectiveness
• The residual risks are scored
  • High, medium, low scale
• Probabilities
  • High, medium, low scale
• The exposure might be expressed in financial terms
‣ Advantages
• Provides a forum for an in-depth discussion of the operational risks
• Full participation in the scoring rather than a single view
• New risks and controls can be identified
• Appropriate for firms without consistent businesses or processes
• Offers flexibility for different business lines
‣ Disadvantages
• The flexibility can also result in inconsistency
  • Different terminology
  • Consolidating the results is harder because one department’s output may look very different from another’s
• Extremely burdensome



RCSA Hybrid Approach
‣ Many firms use both the questionnaire and workshop approaches
• To maximize the effectiveness of the RCSA program
• Alternate questionnaire and workshop approaches

‣ JP Morgan Chase describes its risk assessment approach in its annual report as follows:
• Risk identification and measurement
• “Risk identification is the recognition of the operational risk events that management believes may give rise to
operational losses. All businesses utilize the Firm’s standard self-assessment process and supporting architecture as a
dynamic risk management tool. The goal of the self-assessment process is for each business to identify the key
operational risks specific to its environment and assess the degree to which it maintains appropriate controls. Action
plans are developed for control issues identified, and businesses are held accountable for tracking and resolving these
issues on a timely basis.”



RCSA Scoring Methods

Design
  Low: The design provides only limited protection when used correctly
  Medium: The design provides some protection when used correctly
  High: The design provides excellent protection when used correctly

Performance
  Low: The control is rarely performed
  Medium: The control is sometimes performed
  High: The control is always performed

Control effectiveness score (rows = Design, columns = Performance):

                Performance
            L    M    H
Design  H   M    H    H
        M   L    M    H
        L   L    L    M



RCSA Scoring Methods – Risk Impact Score

Financial
  Low: Less than USD 100,000
  Medium: Between USD 100,000 and USD 1 million
  High: Over USD 1 million

Reputational
  Low: Negative reputational impact is local
  Medium: Negative reputational impact is regional
  High: Negative reputational impact is global

Legal or Regulatory
  Low: Breach of contractual or regulatory obligations, with no costs
  Medium: Breach of contractual or regulatory obligations with some costs or censure
  High: Breach of contractual or regulatory obligations leading to major litigation, fines or severe censure

Clients
  Low: Minor service failure to non-critical clients
  Medium: Minor service failure to critical client(s) or moderate service failure to non-critical clients
  High: Moderate service failure to critical clients or major service failure to non-critical clients

Life Safety
  Low: An employee is slightly injured or ill
  Medium: More than one employee is injured or ill
  High: Serious injury or loss of life



RCSA Scoring Methods – Probability or Frequency

Length of time between events
  Low: Greater than 5 years
  Medium: Between 1 and 5 years
  High: Less than 1 year



RCSA Scoring Methods – Risk Severity

Risk severity score (rows = Impact, columns = Frequency):

                Frequency
            L    M    H
Impact  H   M    H    H
        M   L    M    H
        L   L    L    M
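The control effectiveness matrix, the impact and frequency scales and the risk severity matrix above, worked through as an added Python example (not GARP material): it scores a few constructed risk register entries and flags which ones a department would escalate. The function names, the worst-of-impacts rule and the escalation rule are assumptions; the thresholds and matrix cells are the slides' own.

```python
# Added example: the scales and matrix cells below come from the slides; the
# function names, the max-across-impact-types rule, the escalation rule and the
# sample register are assumptions made for illustration.
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

L, M, H = Level.LOW, Level.MEDIUM, Level.HIGH

# One lattice serves both slide matrices: control effectiveness (rows = design,
# columns = performance) and risk severity (rows = impact, columns = frequency).
_LATTICE = {
    H: {L: M, M: H, H: H},
    M: {L: L, M: M, H: H},
    L: {L: L, M: L, H: M},
}

def control_effectiveness(design: Level, performance: Level) -> Level:
    """Control score: how well the control is designed and how reliably it is performed."""
    return _LATTICE[design][performance]

def risk_severity(impact: Level, frequency: Level) -> Level:
    """Risk severity from the impact x frequency matrix."""
    return _LATTICE[impact][frequency]

def financial_impact(loss_usd: float) -> Level:
    """Financial impact thresholds from the risk impact score table (USD)."""
    if loss_usd < 100_000:
        return L
    if loss_usd <= 1_000_000:  # "between USD 100,000 and USD 1 million"
        return M
    return H

def frequency_from_interval(years_between_events: float) -> Level:
    """Probability/frequency scale: expected length of time between events."""
    if years_between_events > 5:
        return L
    if years_between_events >= 1:  # "between 1 and 5 years"
        return M
    return H

@dataclass
class RegisterEntry:
    """A risk register row carrying the fields the scoring needs (constructed)."""
    risk_id: str
    name: str
    expected_loss_usd: float
    years_between_events: float
    non_financial_impact: Level  # worst of reputational/legal/client/life-safety ratings
    control_design: Level
    control_performance: Level

    def impact(self) -> Level:
        # Assumption: overall impact is the worse of the financial and non-financial ratings.
        return max(financial_impact(self.expected_loss_usd), self.non_financial_impact)

    def severity(self) -> Level:
        return risk_severity(self.impact(), frequency_from_interval(self.years_between_events))

    def control_score(self) -> Level:
        return control_effectiveness(self.control_design, self.control_performance)

    def needs_escalation(self) -> bool:
        # Assumption: a HIGH-severity risk whose control scores below HIGH goes to higher authority.
        return self.severity() == H and self.control_score() < H

# Constructed sample register, not real bank data.
SAMPLE_REGISTER = [
    RegisterEntry("OR-001", "Card fraud", 80_000, 0.1, L, H, H),
    RegisterEntry("OR-002", "Core system outage", 600_000, 2, H, M, M),
    RegisterEntry("OR-003", "Branch robbery", 2_000_000, 10, H, M, H),
]

def escalations(register) -> list:
    """Risk IDs the department should escalate, in register order."""
    return [e.risk_id for e in register if e.needs_escalation()]
```

Note how the card fraud entry, high frequency but low impact, scores only MEDIUM severity and is well controlled, while the outage, with a HIGH non-financial impact and a merely MEDIUM control, is the one item that needs escalation.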



RCSA Best Practices (1)
‣ Interview participants beforehand
• It is important to spend time interviewing participants, stakeholders and support functions prior to launching the RCSA.
‣ Review available background data from other functions
• Information in recent audit reports, compliance reviews and Sarbanes-Oxley assessments
• Can provide insight into existing and recently remediated operational risks
‣ Review past RCSAs and related RCSAs
• Past RCSAs should be reviewed
• Related RCSAs from other departments
  • May raise risks where the controls are owned by this department
  • May have raised risks which the department needs to be aware of

‣ Review internal loss data
• Events that have been captured in the firm’s operational risk event database
• Demonstrate the possible impact and frequency of risk events



RCSA Best Practices (2)
‣ Review of external events
• External events are helpful in informing about potential risks
‣ Carefully select participants
• Selected with care and trained in the method beforehand
‣ Document results
• The output should be consistently and carefully documented
‣ Score appropriately
• The scoring methodology should be appropriate for the firm
• Include non-financial impacts such as reputational, legal, regulatory, client and life safety
‣ Identify mitigating actions
• Identification of agreed actions during the assessment



RCSA Best Practices (3)
‣ Appropriate technology should be implemented
• Manage the process and report on the outcome
‣ Themes identified
• The program should be reviewed for the identification of firm-wide themes that may require further analysis
‣ Leverage existing assessments
• Risks and controls may have been assessed in business continuity planning or Sarbanes-Oxley
• These assessments should be used in the operational risk RCSA
‣ Schedule appropriately
• Conducted on an annual basis
• Sometimes monthly, quarterly, annually, or ad hoc in response to a certain trigger event
• The schedule should ensure that the information is not stale



Wells Fargo - Accounts and Insurance Cases
‣ Wells Fargo bank has been through two separate scandals in its consumer business in recent years, one
relating to unauthorized account opening and another relating to unauthorized auto insurance policies.

‣ After the 1998 acquisition by Norwest Bancorporation, the Norwest CEO, Richard Kovacevich, became the CEO
of Wells Fargo, where he continued the strategy of organic growth through cross selling of retail financial
products. In the first decade of the 2000s Wells avoided moving into securities trading and when the 2008
crisis happened, the bank was left comparatively unscathed.

‣ During the 2008 crisis, Wells Fargo acquired Wachovia Corporation for USD 14.8 billion, about 7 times more
than a rival offer from Citigroup. This acquisition made Wells Fargo the third largest bank in the United States,
a position it has enjoyed since.

‣ The CEO of Wells made way for his successor, John Stumpf, in 2007 and retired as Chairman at the end of
2009. The new CEO continued the cross selling strategy of his predecessor, but changed the incentive
structure for retail branch managers, as well as the style of sales target reporting, where public humiliation
awaited branch staff that failed to open a satisfactory number of new accounts.



Wells Fargo - Unauthorized Account Opening
‣ On September 8, 2016, the US Consumer Financial Protection Bureau (CFPB) fined Wells Fargo USD 100 million for the widespread illegal practice of secretly opening unauthorized accounts.

‣ The fine came as a result of an investigation and subsequent consent order no. 2016-CFPB-0015 finding that
Wells Fargo Bank engaged in the following activities during the period from January 1, 2011 to September 4,
2016:
• Opened unauthorized deposit accounts for existing customers and transferred funds to those accounts from their owners’
other accounts, all without their customers’ knowledge or consent
• Submitted applications for credit cards in consumers’ names using consumers’ information without their knowledge or
consent
• Enrolled consumers in online banking services that they did not request
• Ordered and activated debit cards using consumers’ information without their knowledge or consent

‣ The activities were found to have been conducted against 2 million Wells Fargo customers



Wells Fargo - Auto-Loan Administration and Mortgage Practices
‣ On April 20, 2018, the US Consumer Financial Protection Bureau (CFPB) fined Wells Fargo USD 1 billion for
how it charged certain borrowers for mortgage interest rate-lock extensions and for the way it administered a
mandatory insurance program related to its auto loans.
• Respondent unfairly failed to follow the mortgage-interest-rate-lock process it explained to some prospective borrowers
• Wells Fargo expressly charged mortgage customers a rate-lock premium to cover any type of delay, including due to the
bank’s own actions.
• Respondent operated its Force-Placed Insurance program in an unfair manner
• Wells Fargo had failed to try to communicate with auto-loan customers and imposed Force-Placed Insurance (FPI)
policies on 2 million such customers, even when the customer was already fully covered with another insurance
company. This practice had started in 2005.

‣ The Wells Fargo case illustrates an element of operational risk, which is rarely seen at this scale. The Office of
the Comptroller of the Currency (OCC) referred to the actions of staff, managers and directors at Wells Fargo
as “reckless, unsafe or unsound practices and resulted in violations of the unfair acts or practices provision of
Section 5 of the Federal Trade Commission Act”.



Summary (1)
‣ Identifying Operational Risks
• Identifying the opportunities for failure is the starting point to managing operational risk.
• Inherent risk: the risks that exist in a business, in the absence of any action to control or mitigate the circumstances.
• Residual risk: the risk that remains once a control has been implemented.
• Secondary risk: a risk that is a direct result of the control implemented to mitigate the risk.
• A bank faces a significant challenge in attempting to identify inherent risks because operational risk:
• Is prevalent throughout the whole of a bank’s business
• Crosses many different business disciplines and technical areas
• Is made up of many diverse categories of risk each with its own characteristics
• To build a better understanding of its operational risk profile a bank should identify risks that may occur due to multiple
control failures.
‣ Risk Registers
• A bank uses a risk register, also known as a risk log, to record information about individual operational risks.
• The risk register is a repository of all risks identified within the bank and is used throughout the risk management process.
• There is no standard content for risk registers and consequently they can contain a wide variety of information.
• The risk register is a dynamic management tool that should be updated on an ongoing basis.



Summary (2)
‣ Operational Risk Assessment
• Once the risks and controls have been identified the next step is to assess the current level of controls, identifying any
weaknesses and understanding the likelihood of an event occurring.
• Operational risk losses can be financial or non-financial such as regulatory penalties and a loss of good reputation.
• When an operational risk event occurs losses may be either direct or indirect. Indirect losses are far more difficult to
quantify than direct losses
• Losses can be financial, e.g. loss of revenue and loss of capital
• Losses can also be non-financial, e.g. loss of reputation and breach of regulations
• Operational risk events may result in no loss (near miss) or a profit (gain event).
‣ Risk and Control Self-Assessment (RCSA)
• RCSA differs from Control Assessment and Risk and Control Assessment because the process relies on self-assessment and as such reflects the view of the department conducting its own internal review.
• By analyzing individual risk categories or business processes, an RCSA program gives insight into risks that exist in the bank by providing consistency and transparency in operational risk management activities.
• RCSA further embeds the culture of operational risk management as it allows each department to control and assess the risks that may exist in its own operational and business area.



Summary (3)
‣ Risk and Control Self-Assessment (RCSA)
• RCSA is subjective in nature and can be less accurate than an objective external assessment.
• There are three different approaches for RCSA:
• A questionnaire approach uses a standardized template to present commonly accepted risk and control questions.
• Workshops are facilitated group exercises where each risk and related control is discussed, scored, and evaluated.
• Hybrid RCSA methods combine these approaches.
• RCSA scoring methods focus on control effectiveness, risk-impact scores, probability or frequency scores, and risk-severity
scores to ensure that each operational risk event that a bank faces is managed, measured, and monitored.
• The scoring approach is typically a matrix focusing on the severity and frequency of the processes.
• For an operational risk department, successful RCSA program implementation requires that close attention be paid to adequate preparation through review of available background data from other functions, the results of past RCSAs and existing RCSAs from related operational lines, and internal and external loss data.
• In addition, consistent documentation of results, outcomes, scores and discussion and engaged participants that
understand the scoring and analysis process all contribute to a successful operational risk department.



About GARP | The Global Association of Risk Professionals is a non-partisan, not-for-profit membership organization
focused on elevating the practice of risk management. GARP offers role-based risk certification – the Financial Risk
Manager® and Energy Risk Professional® – as well as the Sustainability and Climate Risk™ certificate and on-going
educational opportunities through Continuing Professional Development. Through the GARP Benchmarking Initiative and
GARP Risk Institute, GARP sponsors research in risk management and promotes collaboration among practitioners,
academics and regulators.

Founded in 1996, governed by a Board of Trustees, GARP is headquartered in Jersey City, NJ, with offices in London,
Washington, D.C., Beijing, and Hong Kong. Find more information on garp.org or follow GARP on LinkedIn, Facebook,
and Twitter.

Headquarters: 111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310 USA, +1 201.719.7210
London: 17 Devonshire Square, 4th Floor, London, EC2M 4SQ UK, +44 (0) 20.7397.9630
Washington D.C.: 1001 19th Street North, #1200, Arlington, Virginia 22209 USA, +1 703.420.0920
Beijing: 1205E, Regus Excel Centre, No. 6 Wudinghou Road, Xicheng District, Beijing 100011, China, +86 (010) 5737.9835
Hong Kong: The Center, 99 Queen’s Road Central, Office No. 5510, 55th Floor, Central, Hong Kong

garp.org

