Operational Risk Appetite
Paul Rosen
Operational Risk
Having provided an introduction to operational risk and the key concepts within operational risk, in this video Paul Rosen discusses risk appetite and risk identification and how they help start the operational risk cycle.
7 mins 38 secs
Key learning objectives:
Understand how institutions set risk appetite and how it helps in managing operational risk
Understand risk identification and how it helps in managing operational risk
Overview:
Risk appetite is the first stage of the operational risk cycle and it involves setting a tolerance for a particular type of risk. Without operational resilience, institutions are likely to exceed that tolerance if an event occurs. Risk identification involves capture of key and critical messages prior to evaluating and responding to the risk.
What is risk appetite and its purpose in operational risk management?
For financial institutions to have a licence to operate, management must determine and report how much exposure to risk they accept. This includes capital, liquidity, credit or any other risks. It is clear that delivery of operational risk activities and processes supports management of other risks. Firms need to set an appetite for the material risks they face. As we said, this appetite guides employees in making the decision on how to address a risk. Most firms set appetite by reference to a tolerable impact, considering regulatory and other matters.
As an example of different appetites for different types of risk, institutions typically have some form of moderate appetite for financial reporting risk, whereas business and IT resilience is an area of regulatory focus and can be a significant threat. Thus, entities will likely have a low appetite towards this risk.
Risk appetites are highly governed, subject to periodic review and are typically co-ordinated through the second line of defence in the three lines of defence model.
What is risk identification and its purpose in operational risk management?
The goal of risk identification is the capture of the critical process steps, identification of the controls over those steps and key metadata such as system and data dependencies. With comprehensive capture and mapping information, we can then start to evaluate.
When you have this level of understanding, often with the support of a control team or via work conducted with other lines of defence, you will also likely understand what risks the process is trying to address. For example, it’s obvious that the preparation of a Business Continuity Plan seeks primarily to address resilience risk. But other processes can cover multiple risks, for example Financial Reporting processes may sometimes also address internal fraud, e.g., through suspense account controls.
Typically, you will not have completed your process review and risk identification on an ad-hoc basis. All banks and most other firms have a range of tooling to comprehensively bring risk identification processes together. Typically, the approach that can be right-sized for most organisations is the ‘Risk & Control Self-Assessment’ (RCSA) process.