Nicole Seaman

Director of CFA & FRM Operations
Learning objectives: Explain the Basel regulatory expectations for the governance of an operational risk management framework. Describe and compare the roles of different committees and the board of directors in operational risk governance. Describe the “three lines of defense” model for operational risk governance and compare roles and responsibilities for each line of defense. Explain best practices and regulatory expectations for the development of a risk appetite for operational risk and for a strong risk culture.

Questions:

23.2.1. Although operational risk was a concept of practical importance prior to 2004, that's the year Basel II introduced it formally into prudential regulation. Along with Basel II's three Pillars (i.e., regulatory capital, supervisory review, and market discipline), the BCBS Committee published Principles for the Sound Management of Operational Risk (PSMOR), which were revised in 2011 and again in March 2021. The most recent Principles, for example, added a 12th principle on information and communication technology (ICT) risk, in addition to high-level implementation guidance around tools and controls.

In regard to Basel's First Pillar, the original capital calculation allowed for a choice between two standardized approaches or an internal (aka, advanced) approach. However, few banks were able to successfully adopt the advanced approach, while the standardized approaches were criticized for the lack of risk sensitivity. Consequently, Basel III replaced them with a single approach that is now called the Standardized Approach (SA).

Which of the following best summarizes the Standardized Approach to the operational risk capital (ORC) charge under the Basel regulations?

a. The ORC is a multiple (i.e., 12x|15x|18x scalar multiplier) of the average annual losses incurred over the ten previous years
b. The ORC is a percentage (i.e., 12|15|18% marginal coefficient) of the Business Indicator (BI) scaled by the Internal Loss Multiplier (ILM), where the BI is the sum of various income statement and/or balance sheet items
c. The ORC is the minimum of either (i) 2.25% of interest-earning assets or (ii) the absolute value of the net interest income
d. The ORC is 15% +/- 3% of the Internal Loss Indicator (ILI) scaled by the Business Segment Multiplier (BSM), where the ILI is the sum of the absolute values of the trading and banking books


23.2.2. The three lines of defense model (3LoD) has existed in some variation for over 30 years, although it achieved more visibility in 2013 when the Institute of Internal Auditors (IIA) published its initial position paper on the 3LoD, which it updated in 2021 (The IIA's Three Lines Model, an update of the Three Lines of Defense). GARP recommends firms refer to this update because the IIA "has refined the model to reflect the evolution of risk management within organizations and aim to foster closer collaboration between business functions including internal audit."

In regard to the 3LoD model, each of the following statements is true EXCEPT which one?

a. The first line defines the organization's risk appetite but should not attempt to directly influence its risk culture
b. The first line is responsible for implementing and maintaining effective controls to manage material operational risks
c. The second line is part of management (and owns the ORM methodology) but provides support to the first line in order to help the firm create and protect value
d. The third line has the clearest boundaries due to its independence


23.2.3. Steven is a new employee at a large publicly-traded financial services firm. He is learning about the firm's approach to operational risk, which is codified in an operational risk management framework. Before arriving, he had a rather straightforward view that risk is the possibility for bad things to happen. However, the firm's training material offers a more sophisticated perspective and includes specific vocabulary terms, including risk culture, risk appetite, risk tolerance, risk controls, and risk owners.

In regard to these risk concepts (culture, appetite, tolerance, controls, and owners), which of the following statements is TRUE?

a. Risk tolerance is a broader, more general concept than risk appetite which is more specific
b. An organization's risk appetite should be sufficiently stable that it does not respond to external events or changes in market conditions
c. Because a firm's risk culture is intangible, subjective, and difficult to discern, it cannot be managed directly
d. It is effective, good practice to cascade down the firm-wide risk appetite into controls, limits, and monitoring metrics via risk, control, and metrics owners


Answers here:
 