Nicole Seaman

Director of CFA & FRM Operations
Learning objectives: Explain different ways firms address their operational risk exposures. Describe and provide examples of different types of internal controls, and explain the process of internal control design and control testing. Describe methods to improve the quality of an operational process and reduce the potential for human error. Explain how operational risk can arise with new products, new business initiatives, or mergers and acquisitions, and describe ways to mitigate these risks. Identify and describe approaches firms should use to mitigate the impact of operational risk events. Describe methods for the transfer of operational risks and the management of reputational risk, and assess their effectiveness in different situations.

Questions:

23.6.1. Sarah is a senior risk manager at MetroBank tasked with a mission-critical project to create a new risk mitigation system for the bank. She began by conducting a comprehensive risk assessment in order to identify the bank's vulnerabilities, categorizing them into internal and external operational risks. After much work, she drafted and proposed the following elements:

I. To combat employee fraud, an internal risk, Sarah designed a system with segregation of duties and authorization levels for high-value transactions.
II. For external risks like cyber threats, she proposed an intrusion detection system and real-time network monitoring. She also recommended partnering with a cybersecurity firm for additional protection (e.g., firewalls, anti-phishing tools).
III. She recommended corrective controls (i.e., controls designed to lessen the impact if an adverse event occurs), including IT system redundancies and crisis communication strategies.
IV. She drafted new policies and procedures (P&P) with plans to implement them through internal training sessions.
V. She collaborated with the IT department to automate the controls (as many as possible) with the aim of increasing reliability and liberating some human resources for more complex tasks.

Sarah presented her comprehensive risk mitigation system to the board of directors. The head of the audit committee noted that her plan included each of the major control types: preventive, detective, corrective and directive. They were impressed and approved her plan. Each of the following is true EXCEPT which is false?

a. In regard to (I.), the segregation of duties is a preventative control
b. In regard to (II.), the intrusion detection system is an example of a detective control
c. In regard to (IV.), the policies and procedures are directive controls
d. In regard to (V.), control automation transforms model risk into human error risk


23.6.2. MetroScape Bank prides itself on its modern banking solutions and customer-centric approach. During the last quarter, however, a series of events occurred that suggest the bank's controls should (or at least can) be improved. Specifically, each of the four major types of human error was observed:
I. Jane, a seasoned cashier at MetroScape, had been handling cash transactions for years. One busy Friday afternoon, while multitasking between customer queries and cash handling, she inadvertently gave out $500 more to a customer than he had withdrawn. Her muscle memory, developed from years of handling similar transactions, failed her in that moment of distraction.
II. MetroScape recently redesigned its compensation and incentive programs. The incentive program rewards cross-selling, especially when a valuable customer adds an additional account and/or utilizes a new program. Due to this incentive plan, some branches aggressively cross-sold products to existing customers without sufficient regard for product suitability. Several customers called headquarters to complain about the sales tactics.
III. A new investment product was introduced at MetroScape, and the bank's financial advisors were tasked with guiding interested clients. Tom, one of the advisors, faced a unique situation where a client wanted to merge this new product with another existing one. Unsure and without prior experience or training in this scenario, Tom made an educated guess. Unfortunately, his decision led to significant tax implications for the client.
IV. Lucy, a senior executive at MetroScape, was aware of the bank's policy against insider trading. However, tempted by the prospect of significant personal gain, she used confidential information about an upcoming merger to buy shares in a company that MetroScape was about to acquire. Her actions, driven by personal greed, were a clear violation of both the bank's policy and federal regulations.

In regard to these events and their associated control implications, each of the following statements is true EXCEPT which is false?

a. The fourth (IV.) is a violation which is best mitigated by supervisory controls
b. The third (III.) is a type of knowledge-based (KB) mistake which can be mitigated by directive controls
c. The second (II.) is a quality-based (QB) mistake where the best mitigation is typically lean Six Sigma response
d. The first (I.) is a skill-based (SB) mistake, and root-cause analysis may imply process re-engineering, environmental factors, and/or workflow changes


23.6.3. According to GARP, the four types of risk responses are tolerated (aka, accept, retain), treat (i.e., mitigate), transfer, and terminate. Treatment includes risk mitigation, and internal controls are the bedrock of risk mitigation. Transfer includes hedging, insurance, and outsourcing.

Further, operational risk controls play an important role in protecting a company's reputation. Reputation management includes both preventative and corrective elements. Although traditionally, reputational risk was excluded from the definition of operational risk, as GARP explains, "[R]eputation can be dramatically affected by internal and external operational events. Therefore, prevention and mitigation strategies are essential to build a solid reputation and to react quickly and appropriately in times of crisis to limit reputational damage following operational risk incident" (GARP, Chapter 5, FRM Part 2, Operational Risk and Resilience).

In regard to treatment, transfer, and the management of reputational damage, which of the following statements is TRUE?

a. Outsourcing reduces operational risk
b. The three R's of crisis communication are retract, refrain, and redirect
c. The four typical phases of a major operational risk event are crisis, response, recovery, and restoration
d. External insurance policies make the most sense for risks that are both unpredictable and non-transferable

Answers here: