How was Operational Risk traditionally viewed before the 1990s?
Considered a "residual category" (anything not credit or market risk).
What initial technological factor made banks highly susceptible to costly operational failures (e.g., system outages, miscalculated trades)?
Banks became major investors in IT systems, where errors can be extremely costly.
What structural factor resulting from corporate activity left bank infrastructures fragile in the early days?
M&A-driven system integration.
What external factor emerged as a threat given the nature of electronic money and delayed fraud detection?
Banks emerged as prime targets for hackers and fraud.
What major regulatory event in 2004 formally recognized Operational Risk as a distinct risk type and established dedicated capital requirements?
Basel II (2004).
What is the defining characteristic of OpRisk's scope in the 2010s, leading to a "broadened scope"?
The scope was broadened to include cyber risk, third-party/service provider risk, model risk, and challenges related to business continuity.
How is Operational Risk fundamentally viewed in the financial industry today?
As a comprehensive resilience challenge, embedded in all products and activities, and central to financial stability and regulatory agendas.
What is the official Basel Definition of Operational Risk?
The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
What specific business decision risk is explicitly excluded from the Basel definition of Operational Risk?
Strategic risk (risk arising from poor strategic business decisions).
How many distinct categories of operational loss events are defined by the Basel framework?
Seven (7) categories.
Which event type covers losses from acts intended to defraud, misappropriate assets, or circumvent regulations by internal parties (e.g., unauthorized activity or rogue trading)?
Internal Fraud.
Which event type covers losses from acts committed by a third party (e.g., hacking, theft, check forgery)?
External Fraud.
Which event type covers losses arising from actions inconsistent with employment, health, or safety laws/agreements (e.g., discrimination claims, employee benefits issues)?
Employment Practices and Workplace Safety (EPWS).
Which event type covers losses from unintentionally or negligently failing to meet a professional obligation to specific clients or from the nature/design of a product (e.g., fiduciary breaches, mis-selling)?
Clients, Products & Business Practices (CPBP).
Which event type covers losses from damage to physical assets from natural disasters or other external events (e.g., terrorism, fire, or earthquakes)?
Damage to Physical Assets (DPA).
Which event type covers losses from disruption of business or system failures (e.g., hardware/software failure, telecom issues)?
Business Disruption and System Failures (BD&SF).
Which event type covers losses from failed transaction processing or process management, including data entry errors, settlement failures, or poor vendor relations in outsourcing?
Execution, Delivery, and Process Management (EDPM).
What is the core difference in risk-generating activity between Financial Risks (Credit, Market) and Operational Risk?
Financial Risks arise from risk-taking (active business decisions), while Operational Risk arises from inadequate risk management (the failure of the bank's own processes).
What is the focus of Principle 1 (Governance) in OpRisk Management, and what is the key responsibility of the Board of Directors?
It focuses on establishing a clear, independent OpRisk Management Function. The Board is responsible for approving and periodically reviewing the framework.
What is the core activity associated with Principle 2 (Risk Assessment), and what are two common tools used to identify and measure risk?
It involves identifying, measuring, and assessing operational risks using tools like Risk and Control Self-Assessments (RCSA) and Key Risk Indicators (KRI).
Which is Principle 3 in OpRisk Management, focused on implementing policies, processes, and systems to reduce risk?
Control and Mitigation.
Which is Principle 4 in OpRisk Management, focusing on regular checking and communication?
Monitoring and Reporting.
Who are the primary recipients of regular OpRisk monitoring and reports?
The Board and Senior Management.
Which is Principle 5 in OpRisk Management, focused on solvency requirements?
Capital Allocation.
What does the Capital Allocation principle require of the bank?
It requires the bank to hold sufficient capital to cover its operational risk exposure, in line with regulatory requirements.
What are the three roles (or Lines of Defense) responsible for Operational Risk Management?
First Line of Defense (Business Units/Management), Second Line of Defense (Risk Management/Compliance), and Third Line of Defense (Internal Audit).
Which Line of Defense owns the risk and is responsible for daily management and implementing controls?
The First Line of Defense (Business Units/Management).
Which Line of Defense is responsible for setting the risk framework (policies and limits) and monitoring compliance with it?
The Second Line of Defense (Risk Management/Compliance).
Which Line of Defense provides independent assurance to the Board and Senior Management that the risk management framework is effective and complied with?
The Third Line of Defense (Internal Audit).
Under the EU's CRR 3 regulatory change, what single capital calculation approach must all banks now use for Operational Risk?
The single risk-sensitive Standardised Approach (SA), replacing all previous models.
What are the two main aims of implementing the single Standardised Approach (SA)?
Simplification of the framework and an increase in comparability across institutions.
What is the practical effect of the Internal Loss Multiplier (ILM) being set to 1 for all banks in the EU under CRR 3?
It means that a bank's own historical losses are disregarded as a direct multiplier in the calculation of the final operational risk capital requirement.
What is the empirical rationale for disregarding a bank's historical operational loss data in the capital calculation (setting ILM=1)?
The events causing the largest operational losses are less amenable to prediction based on historical loss data than for other types of risks.
What is the minimum disclosure requirement for a bank's annual gross operational loss data?
Disclosure of loss data for each of the three years used in the Business Indicator (BI) calculation window.
What additional disclosure requirement applies to banks with a Business Indicator (BI) exceeding EUR 1 billion or those using internal loss data in their calculation?
They must disclose annual loss data for each of the 10 years in the ILM calculation window.