Operational Risk Management Exam Pack


RSK4801-Operational Risk

Exam Pack For Jan/Feb 2018 Exams

Compiled By Jabu (060 3943 010)


Question 1

Analyse the current structure of the risk department and recommend a re-structuring in
order for the operational risk section to be more effective. Concentrate on the typical
functions of an operational risk manager and the type of risks he/she would typically
deal with. Indicate how you would restructure the current risk department according to
typical operational risk management functions. (10 Marks)

Solution

The current risk structure is a combination of various risk types such as market risk,
operational risk and credit risk. People risk is also a separate issue, while it should be part
of operational risk according to a definition of operational risk, namely: losses due to failed
or inadequate internal processes, systems, people and external events. This includes legal
risk, but excludes strategic and reputational risk (Basel 2003).

Typical operational risk management functions are reflected by an operational risk
management process, namely:
• Risk identification.
• Risk evaluation.
• Risk control.
• Risk financing.
• Risk monitoring (Young 2006).
A group risk organisational structure should include specialists in risk management and
should therefore be the centre of an organisation’s knowledge on risk management. As
such, a group risk function should ensure a continuous research and development ability
that would provide knowledge on leading and best practices regarding risk management.
Furthermore, the group risk function should be the hub for risk management training for all
involved role-players to be able to perform their risk management functions.
Another primary responsibility of a group risk management function is to coordinate all risk
management information on a centralised basis. This would ensure a central repository for
risk information that is accessible by all the role-players (Journal: Corporate Ownership &
Control, 2008 Volume 5)

Based on the above, a suggested operational risk management structure for the mine is as
follows:

Question 2

Identify and distinguish between the primary risk types for the mine. Indicate the main risk
factors for operational risk. (15 Marks)

Solution

Operational risk is a primary risk type and is defined as the risk of losses due to inadequate
or failed internal processes, systems, people or external events (Basel 2003). Other risk types
for the mine could include:
• Legal risk – employees could take legal action should the mine fail to provide an
adequate working environment.
• Reputational risk – the hazardous water being pumped into the river could have a
negative effect on the reputation of the mine.
• Financial risk – should the mine not have enough workers due to inadequate
working conditions, it could have a negative effect on the mining operations and
reduce the gross profit.

For operational risk the main risk factors for the mine are as follows:

Question 4

Insurance for mining equipment is very expensive when using a third party (Insurer).
Investigate the possibility for the mine to establish a captive and identify the benefits of
using a captive as an alternative risk financing technique. (10 Marks).

Solution
According to Valsamakis et al (2010), a captive is an insurance company that is owned by a
parent company and that writes the insurance business of its parent.
In this instance the mine would be a parent company for its own insurance company. They
also state that the modern trend is to form captives not only due to financial benefits, but
also for management and control purposes, for example: improved risk control, improved
ability to manage total cost-of-risk, access to reinsurance markets, investments and the
provision of insurance which is not readily available.

Due to the high level of risk in mining, adequate 3rd party insurance would be very
expensive and forming a captive as an alternative risk financing technique would be a
viable option for the mine.

Question 5

Analyse the case study and identify 5 major operational risk exposures for the mining
company and identify possible control measures to minimise the risk for each risk
exposure/threat. (15 Marks)

Solution

Question 6
Determine 5 management principles for operational risk that you would like to be
implemented for the mining company to ensure the embedding of a sound risk
management culture. (5 Marks)

Solution

The following operational risk management principles could be implemented:
• Involve senior management in the operational risk management process.
• Develop a comprehensive definition for operational risk aligned with the business of the
organisation.
• The operational risk management process must be easy to understand and practical.
• Total involvement in operational risk management must be established.
• Training and awareness must be emphasised as a means of driving behavioural change
throughout the organisation and strengthening the risk management culture.
• Incorporate the operational risk process in other day-to-day processes.
(Adapted from Young 2006)

Question 7

You decide to brief the group risk manager on the typical components of an operational
risk management framework, concentrating on the operational risk management process.
Identify and explain the components of a typical operational risk management framework for a
Bank. Analyse a typical operational risk management process which could be incorporated
for the Bank (Make use of diagrams where possible). (20 Marks)

Solution

The aim of an operational risk management framework is to identify and establish a structured
approach to manage operational risk and to serve as a guideline on how to achieve the following
goals:
• Establishing an integrated operational risk management environment;
• Developing a cultural awareness of operational risk management;
• Developing roles and responsibilities linked to risks and controls; and
• Providing a common understanding of operational risk (for example a common language).
The components of a typical operational risk management framework are:
• Strategy. This sets the overall mission, goals and objectives for managing operational risk that
will link the operational risks to shareholder value.
• Operational risk management process. This entails the components of an operational risk
management process.
• Governance structure for operational risk management. This includes the governance structures
for operational risk management as well as specific roles and responsibilities for managing
operational risk within a specific business environment.
• Environment and culture for managing operational risk. This entails the value-adding activities
and the main principles for managing operational risk.
The operational risk management process is an important component of the ORM framework and
forms the basis of implementing risk management methodologies.

As organisations come under increasing pressure to improve shareholder value, they need to
consider a business and risk management model. A model that links the business strategies to the
components of the risk management process is required. This will ensure an awareness of
significant risks that must be addressed during the management of the business strategy. However,
this integrated approach needs to be managed on a daily basis to ensure the effectiveness of risk
management as well as the continued profitability and viability of the organisation. This could be
achieved by following a formal risk management process.
A risk management process is a structured cycle of activities that provides management with
assurance that all risks within the organisation are being effectively managed. Every organisation will
have its own unique approach to an operational risk management process, which will depend on the
potential effect of risk on its business. Risk management is a process of identifying exposures to risk,
choosing the best method of handling each exposure and implementing it accordingly. This usually
leaves the risk manager with four basic alternatives from which to choose when deciding how to
manage risk, namely:
Risk avoidance. An activity that may lead to a high-risk exposure is identified and subsequently
avoided. For example, in the 1980s many companies decided not to extend their operations to
South Africa in order to avoid the risk of political instability.
Risk acceptance. A specific risk is identified and accepted as part of daily activities. This usually
is the case when the odds are strongly against an event happening or when the potential loss is
low.
Risk transfer. A risk exposure is identified and is subsequently transferred to a third party who is
prepared to take the risk, for example, insurance companies. When an insurance company
agrees to pay the losses of an insured, the effect of the risk, faced by the insured, is transferred.

Risk reduction. A risk is identified and actions are taken to reduce the potential effect thereof. For
example, many companies go to great lengths to promote worker safety to avoid not only the
financial costs of injury, but also the down time and disruption of work that would accompany it.
Risk reduction can be achieved in different ways, for example, hazard reduction and loss
reduction. Hazard reduction involves reducing the odds that a loss will occur and loss reduction
involves reducing the severity of the loss.

Although the above points refer to alternatives on how to manage risk exposure, they do not indicate
specific steps within a risk management process. It is usually up to the management of an
organisation to determine and implement a risk management process that will be appropriate to their
specific business.
There are various views on the elements of a typical operational risk management process. The
Basel Committee (2003), for example, states that it includes risk identification, assessment,
monitoring and mitigation/controls. According to COSO (1992), the components of operational
risk management are: objective setting, event identification, risk assessment, risk response, control
activities, information and communication, and monitoring. According to Young (2006), the
components are: risk identification, risk evaluation, risk control, risk financing and monitoring. This is
illustrated by the following:

The operational risk management process can be defined as the systematic application of risk
policies, procedures and practices by means of identifying, evaluating, controlling, financing and
monitoring operational risks. Risk identification is regarded as the first step of an operational risk
management process.
Risk identification. This step refers to the need for an organisation to define and understand the
nature of the risk that it faces. It is, furthermore, a commitment to risk management that
acknowledges the exposure and risk impact of each business initiative on the overall risk profile of
the organisation.
Risk evaluation. This activity entails the assessment and measurement of the identified risk
exposures. Measurement entails quantifying risk to determine the types and extent of risk. Risk
measurement also serves as a basis for control mechanisms. Risk assessments aim to measure the
potential frequency and severity of the exposures that have been identified. Any risk management
system must enable a firm to assess and manage the risk that it faces. In order to do this, a risk
measurement methodology should be in place that allows comparisons to be made across the
different risk types.
Risk control. Risk control concerns the application of techniques to reduce the probability of loss
and it aims to eliminate or minimise the potential effect of the identified risk exposures.
Risk financing. This step entails the financial provision for losses that may occur. It therefore selects
the most efficient method of financially providing for the consequences of risk. Thus, risk financing
refers to the provision of sufficient funds to meet loss situations as they occur. Funding can be
accomplished by, for example, a variety of internal and external financial resources including
insurance and risk-based pricing.

Risk monitoring. The final component of a risk management process is to ensure that the risk
management system and techniques which the organisation is using are effective. As such,
risk monitoring is the operational process whereby the organisation ensures that it is operating within
its defined risk policies and procedures and ensures the effectiveness of all the activities of the
operational risk management process. Ongoing monitoring is an important aspect of any risk
management process, which can, for example, be achieved by system testing and auditing.

Question 8

Argue why the third party insurance for legal claims is inadequate. What step would you
suggest to minimise the losses for the Bank. (10 Marks)

Solution

Losses due to legal claims increased by 30% since year 1. The company pays R1m per annum for
insurance premiums and in return receives R2m per annum. Therefore the company suffered the
following actual losses after taking into account the cost of the risk (premium) and the payment
received from the Insurance Company:

Actual loss = Legal claims + Insurance Premium – Insurance Claim

Year 1: R10m + R1m – R2m = R9m
Year 2: R11m + R1m – R2m = R10m
Year 3: R13m + R1m – R2m = R12m
The % increase from year 1 to year 2 = R1m/R9m * 100 = 11%
The % increase from year 2 to year 3 = R2m/R10m * 100 = 20%
Therefore on average over two years the losses due to legal claims are increasing at a rate of
15.5% ((11 + 20)/2 = 31/2 = 15.5).
Due to the increasing trend of 15.5% it is recommended that management must negotiate an
increase in the 3rd party insurance to reduce the actual losses for the company for year 4.
An average increase of 15.5% is expected on R13m = R2m. As such a total loss due to legal
claims of R15m is expected for year 4.

An R1m premium insures an R2m loss. Therefore it is recommended to increase the premium
for legal claims against the company to R7.5m, which will insure the R15m loss. As such, if the
R15m loss realises, the company would in effect suffer an actual loss of R7.5m (R15m Loss +
R7.5m Premium = R22.5m – R15m Insurance Claim = R7.5m).

Question 9

Briefly explain the importance of operational risk reporting. (10 Marks)

Solution

An effective risk-reporting framework focuses on generating risk management information that meets
the objectives and needs of different target audiences.
The main objectives of risk reporting are, for example:
• Increases awareness and transparency of risk exposures;
• Provides qualitative and quantitative risk information; and
• Generates risk management information for decision-making.


The timing of reports and the target group of the reports are the two variables which must be
considered during risk reporting. For example, daily risk reports usually concern information on a
risk exposure or incident that requires immediate action. The recipient of the report must be close to
the exposure to take immediate remedial or control decisions. As the reporting period becomes
longer, the management information becomes less critical for immediate action, but becomes more
important for making strategic business decisions that could involve the total organisation. This, again,
proves the importance of accurate risk reporting at all management levels.
It is evident that risk reporting plays an important role in an organisation’s operational risk
management process. It is imperative that the reports include accurate information to ensure
that management may make correct decisions based on information regarding the management of
risks.

Question 10

Prepare a briefing on the typical role and responsibilities of the board of directors in
terms of risk management. (20 Marks)

Solution

In the area of risk governance a clear description is required of the role of the board of directors and its
committees in setting the risk appetite for the organisation, overseeing the risk management
framework and the organisational chart of the risk management function, along with a description of the
risk communication patterns within the organisation (Mongiardoino and Geny 2007).
Effective risk management is one of the main responsibilities of the board, which should provide an
oversight function with regard to risk management. According to COSO (1992), the board should:
• know the extent to which management has established effective risk management in the
organisation;
• be aware of and concur with the organisation’s risk appetite;
• review the organisation’s portfolio view of risk and consider it against the risk appetite; and
• be apprised of the most significant risks and whether management is responding appropriately.
The board of directors has a major role to fulfil in defining what it expects from senior management at
all levels in the organisation regarding risk management. According to Swenson (2003), the board of
directors and senior management must be actively involved in the oversight of the operational risk
management process. The board also plays a role in setting the organisation’s strategy, high-level
objectives and the corresponding high-level allocation of resources. These factors can be regarded
as the basic requirements to enable management to manage the potential risks involved.
The Basel Committee on Banking Supervision (2003) has structured a paper on sound practices and
principles for risk management. Some of these principles also address the role and responsibilities of the
board of directors, for example:
• The board of directors should be aware of the major aspects of the bank’s operational risks as a
distinct risk category that should be managed, and it should approve and periodically review the
bank’s operational risk management framework. The framework should provide a firm-wide
definition of operational risk and lay down the principles of how operational risk is to be
identified, assessed, monitored and controlled/mitigated.
• The board of directors should ensure that the bank’s operational risk management framework is
subject to effective and comprehensive internal audit by operationally independent, appropriately
trained and competent staff. The internal audit function should not be directly responsible for
operational risk management.
• The board of directors must support the proactive management of operational risk.
Furthermore, every board should have a charter setting out its responsibilities, which encompasses:
• adoption of strategic plans;
• effective control and monitoring of operational performance and management;
• determination of policy and procedures to ensure the integrity of the organisation’s risk
management and internal controls; and
• communications policy and director selection.

In addition, the Basel Committee (2004) states that for a bank to qualify to use the Standardised
Approach to calculate a capital charge for operational risk, the bank must ensure that its board of
directors and senior management are actively involved in the oversight of the operational risk
management framework.
The organisation’s board should define and document its policy for managing risk, including the
objectives for and its commitment to risk management. The policy may include the following:
• The objectives and rationale for managing risk.
• The links between the policy and the organisation’s strategic plans.
• The extent and types of risk the organisation will take and the ways it will balance threats and
opportunities.
• The processes to be used to manage risk.
• Accountabilities for managing particular risks.
• A statement on how risk management performance will be measured and reported.
• Details of the support and expertise available to assist those accountable for managing risks.
• A commitment to the periodic review of the risk management system.
• A statement of commitment to the policy by directors and the organisation’s executives (ANZ
Standards 2004).
It is important to establish accountability and authority for risk management. The directors and senior
executives are ultimately responsible for managing risk in the organisation, although all staff are
responsible for managing risks in their areas of control. This may be facilitated by:
• specifying those accountable for the management of particular risks or categories of risk, for
implementing treatment strategies and for the maintenance of risk controls;
• establishing performance measurement and reporting processes; and
• ensuring appropriate levels of recognition, reward, approval and sanction (ANZ Standards 2004).

According to the Basel Committee (2004), a sound risk management process is the foundation for an
effective assessment of the adequacy of a bank’s capital position. Bank management is responsible
for understanding the nature and level of risk being taken by the bank and how this risk relates to
adequate capital levels. As such, the board and senior management should view capital
planning as a crucial element in being able to achieve the bank’s desired strategic objectives, and to
achieve this the board has the following responsibilities:
• to set the bank’s tolerance for risks;
• to ensure that management establishes a framework for assessing the various risks;
• to develop a system to relate risks to the bank’s capital level;
• to establish a method for compliance with internal policies;
• to adopt and support strong internal controls and written policies and procedures; and
• to ensure that management effectively communicates these policies and procedures throughout
the organisation.
In addition, banks should have a formal disclosure policy approved by the board of directors that
addresses the bank’s approach for determining what disclosures it will make and the internal controls
over the disclosure process (Basel 2004).
A previous King Report (King I), dated 1994, spells out 15 important principles of corporate
governance for boards of directors and persons responsible for the direction of a business enterprise.
Of these principles, the following mention the role of the board and state that the board
should:
• determine the corporation’s purpose and values, determine the strategy to achieve its purpose
and to implement its values in order to ensure that it survives and thrives, and ensure that
procedures and practices are in place that protect the corporation’s assets and reputation;
• monitor and evaluate the implementation of strategies, policies, management performance
criteria and business plans;
• ensure that the corporation complies with all relevant laws, regulations and codes of best
business practice;
• ensure that the corporation communicates with shareholders and other stakeholders effectively;
• identify the corporation’s internal and external stakeholders and agree on policy, or policies,
determining how the corporation should relate to them;
• ensure that all technology and systems used in the corporation are adequate to properly run the
business and for it to remain a meaningful competitor; and
• identify key risk areas and key performance indicators of the business enterprise and monitor the
factors (Valsamakis et al 2004).
It is recognised that for practical purposes, it is sometimes necessary for a board to delegate certain
of its responsibilities and functions to one or more committees to carry out the identified overseeing
responsibilities regarding risk management.
According to Ernst and Young (2005), to promote an active dialogue between executive
management levels and a consistent approach to risk assessments, organisations should form a risk
committee. This committee should meet often enough to ensure that key risk issues could be
communicated and discussed on a timely basis.

Question 11

Perform a gap analysis between the roles and responsibilities of the Main Board of
Benchmark Bank Ltd and its sub-committees and the requirements as stipulated in the King III
Report for risk management and internal audit.

Solution

Students were requested to perform a gap analysis and, using a table with three columns (King III
Requirements, Benchmark Bank, Gap), prepare and present the answer in a structured format. Areas
that should have been discussed are:

• The role that the board is supposed to play and how this requirement was enacted by
Benchmark’s board and whether it was appropriate.

• The role that the Audit Committee fulfilled in Benchmark in the absence of a Board Risk
Committee and whether that was appropriate and effective. Additional points to discuss were:
  filtering of information to the main board;
  allocating time to risk management issues;
  understanding of the committee members of the governance and risk weaknesses and issues;
  correcting of audit (internal and external audit) findings and findings reported by the
  Regulators.

• The role of the Board Risk Committee in terms of the King III report.

Question 12

Evaluate Benchmark Bank’s culture in terms of the King III report and the role Benchmark
Bank’s culture played on the loss event.

Solution

The comparison is again more structured when presented in a table format. Items that should have
been included and discussed in the gap analysis are:

• Culture of secrecy

• Filtering of information by the Audit Committee to the main board

• CIB’s attitude towards internal audit

• CIB’s attitude towards the findings of the regulators

Question 13

Argue the exclusion of strategic and reputational risk from the Basel definition of Operational
risk.

Solution

The Basel definition for operational risk specifically excludes reputational and strategic risk. The
reason being that both risks are difficult to quantify. Reputational risk is also regarded as the risk of
risks, as it is quite often the result of other risks that materialised.

Question 14

You have decided to improve the monitoring of operational risk and introduce Key Risk
Indicators (KRI) to assist in the process. As a starting point, you decided to focus on the five
losses with the highest impact and frequency. Indicate the KRIs you will introduce and
motivate their inclusion.
Solution

The analysis of the operational risk losses indicated that losses contributed by people amounted to
R4.472m over 35 incidents, external R41.016m over 6 incidents, process R1.507m over 5 incidents and
systems R600k with 1 incident. The next step would be to further analyse the incidents to determine
where they happened (the department), when (to determine trends) and what the underlying causes were.
Management can then decide on thresholds for reporting and intervention purposes. The reports can
be in the form of a heat map with colours (Red, Amber, Green) allocated to incidents that breached
the upper level threshold (Red), incidents that are trending towards the upper threshold (Amber) and
incidents that are within the lower threshold (Green).

Management can then focus on the red and amber indicators to either improve controls where
necessary or adjust the thresholds where appropriate. It is also important to consider the risk appetite
of the organisation when setting thresholds as strictly speaking, the thresholds should be aligned with
the risk appetite.
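The threshold and heat map logic described in this solution, as an added Python example that is not part of the exam pack: the incident records and the (lower, upper) monthly thresholds per category are constructed assumptions, and the Red/Amber/Green rule follows the description above (Red breaches the upper threshold, Amber is above the lower threshold or trending up, Green is within the lower threshold).

```python
"""KRI heat map over operational loss incidents.

Added example, not part of the original exam pack. The incident records
and the thresholds below are constructed for illustration; in practice the
thresholds would be derived from the organisation's risk appetite.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    month: str        # reporting period, "YYYY-MM"
    department: str   # where the loss happened
    category: str     # people / process / systems / external
    loss_rand: float  # loss amount in rand


# Constructed sample incidents (assumed values, not the exam pack's figures).
INCIDENTS = [
    Incident("2017-10", "Retail", "people", 150_000.0),
    Incident("2017-11", "Retail", "people", 120_000.0),
    Incident("2017-11", "Treasury", "people", 60_000.0),
    Incident("2017-12", "Retail", "people", 240_000.0),
    Incident("2017-10", "Operations", "process", 90_000.0),
    Incident("2017-11", "Operations", "process", 60_000.0),
    Incident("2017-12", "Operations", "process", 80_000.0),
    Incident("2017-12", "IT", "systems", 300_000.0),
    Incident("2017-12", "Treasury", "external", 6_000_000.0),
]

# Assumed (lower, upper) monthly loss thresholds in rand per category.
THRESHOLDS = {
    "people": (200_000.0, 500_000.0),
    "process": (150_000.0, 400_000.0),
    "systems": (100_000.0, 500_000.0),
    "external": (1_000_000.0, 5_000_000.0),
}


def monthly_losses(incidents):
    """Aggregate losses per category and month: {category: {month: total}}."""
    totals = defaultdict(lambda: defaultdict(float))
    for inc in incidents:
        totals[inc.category][inc.month] += inc.loss_rand
    return totals


def losses_by_department(incidents, category):
    """Where the losses in one category happened: [(department, total)], largest first."""
    totals = defaultdict(float)
    for inc in incidents:
        if inc.category == category:
            totals[inc.department] += inc.loss_rand
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def rag_status(series, lower, upper):
    """Apply the heat map rule to a month-ordered loss series.

    Red   : the latest month breached the upper threshold.
    Amber : the latest month is above the lower threshold, or the last three
            months are rising toward the upper threshold.
    Green : the latest month is within the lower threshold and not trending up.
    """
    latest = series[-1]
    if latest >= upper:
        return "Red"
    trending_up = len(series) >= 3 and series[-3] < series[-2] < series[-1]
    if latest > lower or trending_up:
        return "Amber"
    return "Green"


def kri_heat_map(incidents, thresholds):
    """Return {category: RAG colour} for every category that has a threshold."""
    totals = monthly_losses(incidents)
    heat_map = {}
    for category, (lower, upper) in thresholds.items():
        months = sorted(totals.get(category, {}))
        series = [totals[category][m] for m in months]
        # A category with no incidents in the window is within the lower threshold.
        heat_map[category] = rag_status(series, lower, upper) if series else "Green"
    return heat_map


def needs_attention(heat_map):
    """Categories management should focus on: the Red and Amber indicators."""
    return sorted(c for c, colour in heat_map.items() if colour in ("Red", "Amber"))


if __name__ == "__main__":
    hm = kri_heat_map(INCIDENTS, THRESHOLDS)
    for category, colour in hm.items():
        print(f"{category:9s} {colour:6s} {losses_by_department(INCIDENTS, category)}")
    print("focus on:", needs_attention(hm))
```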

Question 15

You have studied the report issued by the South African Banking Supervision Division on the
currency options losses experienced by Benchmark Bank. As agreed with the CRO and the
Risk Committee of XYZ Bank, it was decided to introduce operational risk scenario analysis
for XYZ. Motivate the process that you will follow to develop operational risk management
scenarios for XYZ Bank and indicate the factors that you will use to develop the scenarios.

Solution

Brief description of scenario assessment

Scenario analysis typically involves the examination of rare, significant, but plausible future events,
by considering the alternative possible outcomes for those events, and assigning probabilities to the
various scenarios (Crapp 2007:17).

The developer of the scenario needs to answer the following questions:
• Where are we?
• How to respond?
• What could hurt the organisation?

Scenario analysis requires the following information:
• Historic information
  Past performance
  Loss data
  Cycle reoccurrence
  Historic information tells us about the future
• Present
  Metrics
  MIS
  This serves as a ‘warning gauge’ as to what needs to be fixed
• Future
  Risk Assessment (short-term)
  Scenario Analysis (long-term)

A major concern is its qualitative nature and the potential for bias.

Categories of biases

According to a number of studies (Spetzler & Von Holstein 1975:345; Watchorn 2007:6), biases can
be grouped into two main categories namely subconscious or judgemental biases, and conscious or
motivational biases. Kruglanski & Gigerenzer (2011:98) however are also of the opinion that intuitive
(subconscious) and judgemental biases can be based on the same heuristics.

• Subconscious or judgemental biases

Subconscious or judgemental biases arise as a consequence of the limitations in one’s memory or
information processing capacity. The following are regarded as judgemental biases:
  Availability bias
  Representativeness bias
  Adjustment and anchoring bias
  Framing bias
  Confirmation bias

• Conscious or motivational biases

Conscious, or motivational, biases arise when the participant has an interest in influencing the results
of the analysis.
Motivational biases arising in scenario analysis can lead to the understatement of frequency and
impact assessments, overstatement of the effectiveness of controls, and understatement of the
uncertainty surrounding the assessments made. Hillson and Hullet (2004:3) note that motivational
biases are particularly evident among more senior managers.

It is important to understand the different risks affecting the organisation in order to model scenarios
on these risks.

• Risk is the interlinking piece between audit, compliance and the governance structure. The taxonomy is
the required common language between all of these, as it serves as the common classification structure
to tie everything together in order to make informed business decisions:
  Risk classification
  Process classification
  Control classification

For scenario analysis:
• Capital perspective – the unexpected (right-hand side) of the cumulative loss distribution
is important.
• Management perspective – between Expected Loss and Unexpected Loss.
• Scenarios should not be run on reputation, but on the factors that are affecting reputation – and
then manage accordingly.
• Having scenarios that tie together different risk types (across governance processes,
risk processes and audit processes), culture should also be considered:
  Changing trends in consumption
  Changing trends in business management
• Take exposure to a series of scenarios.
• Calculate some risk measure for those scenarios (VaR type figure).
• Place in front of management to make a decision on whether it is acceptable or not acceptable.
• Inputs
  Top-Down Inputs
    Material Risks Profile
    Reputational Exposure Profile
  Bottom-Up Inputs
    Risks Profiles
    Business Environment Assessments
    Loss Profiles
  Scenario Library (set of scenarios)
• Bias & Subjectivity – refrain from guiding people (participants) towards an
answer, as this limits the use of their own judgement.
• Output
  Operational Risk Capital

Scenario analysis requires the following:
• Consistent structure
• Taxonomy
• Decent approach
• Very little guidance
• Regulatory compliance versus risk management
• Different programme objectives
  Management versus measurement
• Number and nature of scenarios to use
  Management want: many and complex scenarios
  Measurement want: few scenarios
• Who should participate?
• How often should scenarios be performed?
• Avoidance of bias and subjectivity
  The manner in which questions are put determines how participants will respond
• Achieving consistency over time
• Get people to think outside the box (think the unthinkable)
• How to handle reputational impact
  Model it implicitly in scenarios
  Add it in afterwards
  Simple measure (loss of customers, share price devaluation)

Question 16

Argue the case for the operational risk management strategy and process that you
want to implement.
Solution

Risk management should start with the analysis of the overall business strategy and objectives of the
organisation; subsequent changes to the strategy should also be considered and changes made
where necessary. An operational risk management framework also enables the practical
implementation of governance. Governance provides an over-arching organisational structure within the
organisation’s culture and also establishes the three lines of defence, i.e. line management, risk
management and the independent assurance providers.

The operational framework can take many forms; the framework most often used is:

Identify the risks

The first step in the process is to understand the business in order to identify the risks. Methods that
can be used to gain an understanding of the business and to identify risks include, inter alia:
• Workshops and interviews
• Questionnaires
• Risk process flow analyses
• Checklists
• Loss history

The purpose of the process should also be clear, in order to raise awareness, track the risks
and assess the financial impact of the risks.

The risk identification can be continuous or once-off.

Evaluate the risks

Risk evaluation is the assessment and measurement of the identified risk exposures with the aim of
managing and controlling the risks. To do this, the risks must be measured so that management is
able to manage them.

Operational risk can be measured in quantitative and qualitative terms. The quantitative approach
aims to quantify risk in numerical terms. The qualitative approach aims to evaluate the risk exposures
that cannot be calculated; the risk exposures are analysed on rating scales to determine the
possible impact and likelihood of the risk events.

Control the risks

Once the risks have been evaluated, strategies can be developed to control the risks. Risk controls can be
preventative, detective or contingent. The objectives of a risk control programme are to reduce the
potential effect of a loss and to reduce the likelihood of the risk occurring.
The control strategies are to avoid the risk, transfer the potential effect of the loss event, accept
the consequences or improve the internal control measures to manage the risk.
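The rating-scale evaluation described above, as an added worked example that is not part of the exam pack or of the Risk Evaluation Matrix it refers to: the 1-5 likelihood and impact scales, the score bands and the sample risks are assumptions, and the constructed assessments are illustrative ratings, not an answer to the case study.

```python
"""Qualitative risk evaluation on rating scales and an operational risk profile.

Added worked example, not from the exam pack or its Risk Evaluation Matrix.
The 1-5 scales, the banding and the sample risks are assumed values.
"""
from dataclasses import dataclass

# Assumed rating scales; the descriptors are illustrative.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}
# Assumed bands on the likelihood x impact score; the top band is outside appetite.
BANDS = ((1, 4, "low"), (5, 12, "medium"), (13, 25, "high"))


@dataclass(frozen=True)
class RiskAssessment:
    name: str
    risk_type: str   # cause category: people, process, system or external event
    likelihood: int  # rating on LIKELIHOOD_SCALE
    impact: int      # rating on IMPACT_SCALE

    def __post_init__(self):
        # Ratings outside the scales cannot be plotted on the matrix.
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: ratings must be on the 1-5 scales")


def score(assessment):
    """Rating-scale score: likelihood multiplied by impact."""
    return assessment.likelihood * assessment.impact


def band(value):
    """Map a score onto the assumed low/medium/high bands."""
    for low, high, label in BANDS:
        if low <= value <= high:
            return label
    raise ValueError(f"score {value} lies outside the matrix")


def risk_profile(assessments):
    """Operational risk profile: risks ordered from highest to lowest score with
    their band, so management can focus on those outside appetite first."""
    ordered = sorted(assessments, key=lambda a: (-score(a), a.name))
    return [(a.name, a.risk_type, score(a), band(score(a))) for a in ordered]


def evaluation_matrix(assessments):
    """5x5 grid indexed [impact][likelihood] holding the names plotted in each cell."""
    grid = {i: {l: [] for l in LIKELIHOOD_SCALE} for i in IMPACT_SCALE}
    for a in assessments:
        grid[a.impact][a.likelihood].append(a.name)
    return grid


# Constructed sample assessments (illustrative ratings, not the case-study answer).
SAMPLE_RISKS = [
    RiskAssessment("Pilferage at stores", "people", likelihood=5, impact=1),
    RiskAssessment("Duplicate supplier payments", "process", likelihood=2, impact=2),
    RiskAssessment("Point-of-sale system outage", "system", likelihood=4, impact=4),
    RiskAssessment("Distribution centre fire", "external event", likelihood=1, impact=5),
]

if __name__ == "__main__":
    for name, risk_type, s, b in risk_profile(SAMPLE_RISKS):
        print(f"{name:30} {risk_type:15} score={s:2d} {b}")
    grid = evaluation_matrix(SAMPLE_RISKS)
    for impact in sorted(IMPACT_SCALE, reverse=True):  # catastrophic row on top
        cells = [", ".join(grid[impact][l]) or "-" for l in sorted(LIKELIHOOD_SCALE)]
        print(f"impact {impact}: " + " | ".join(f"{c:28}" for c in cells))
```

The profile is what the later question asks to plot: each risk sits in one cell of the matrix, and the band tells management which cells breach the appetite the policy has set.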

Finance

The aim of risk financing is to ensure that the cost of risk and the cost of the risk management
process do not exceed the potential benefits provided to the organisation. The risk management
process can therefore require a pre-financing or post-financing policy. The pre-financing of
operational risk can include methods such as insurance or self-insurance, while post-financing can
include the use of cash resources or debt.

Monitoring

The monitoring of risk includes regular management and supervisory activities and the other actions
employees undertake in their daily activities. It is important that senior management is involved in the
monitoring of risk. Reporting forms an integral part of the monitoring process.

Reports can be produced for different users e.g. the external stakeholders such as regulators and the
shareholders, internal stakeholders at strategic level such as the board and EXCO, senior
management and line management.

It is important that the risk is managed as close to the source as possible. The different levels of
users will have different objectives e.g. the board and EXCO will need less frequent reports to enable
them to manage trends and evaluate the strategies in contrast to line management that need more
frequent reports to rectify transactions. Line management requires daily/intra-day reports, senior
management monthly, the board quarterly and shareholders annually.

The risk strategy should consider the various risk functions, as it determines aspects such as risk
tolerance limits and capital allocation processes. A strategic planning process for operational risk
management consists of the following five steps:
Collate data
Collate the data with respect to the business strategy and objectives to determine the operational
risk management requirements in terms of resources and risk mitigation tools. The information will
also assist with the operational risk management planning process.
Evaluate data
This assists in determining the current operational risk profile. Quantitative and qualitative data are
used to determine the likelihood and impact of potential events on the business. Control self-
assessments, key risk indicators and the loss history (internal and external) can be used to
develop the operational risk profile.
Formulate risk management objectives
It is important to determine the short-, medium- and long-term objectives of managing operational
risk. Short-term action plans must be formulated for the short-term objectives, including the
tools that will be used to execute the plans. The operational risk policy is also important to
support the organisation in achieving its business objectives. It is therefore important that the
policy is approved by the board. Components of the operational risk policy are:
• The operational risk definition
It is important that the organisation uses the same terminology with regard to the
definition and classification of risks and the reporting of direct and indirect losses/costs and near
misses, and that it is used consistently throughout the organisation.
• Statement on the operational risk appetite
It is important to determine the tolerance of the organisation for a potential loss. This will form
the basis for the formulation of operational risk objectives and should be included in the
operational risk policy.
Monitoring and reporting
The purpose is to monitor the execution of risk management action plans. The use of the operational
risk management tools will enable the risk manager to continuously identify and evaluate
operational risk exposures, determine the adequacy and effectiveness of the
controls and ultimately ensure the success of the business strategy.

Question 17

Evaluate the following alternatives:

• Multiple peril
• Multiple trigger
• Options

It is clear that WWNLYD would not be able to claim if the loss is more than R25m. Furthermore,
each claim will also be subject to the R5m deductible. It can therefore be expensive to increase
the current policy.
A multi-risk product combines various exposures into a single contract. This gives organisations
an efficient and more cost-effective risk solution. Multi-risk products provide post-loss financing
based on the occurrence of one event or several perils. The effects of correlation and joint
probabilities therefore result in risk protection that is cheaper than the sum of the individual parts.
Multi-risk products can be regarded as a subclass of enterprise risk management or integrated
programmes, as they often feature multiple instruments, programmes or structures that cover multiple
risk exposures. Multi-risk products embed risk transfer features into a single contract.
Multiple peril
Multiple peril policies can be used to consolidate different policies and combine them into a single,
multi-year policy with an aggregate premium, deductible and cap. Benefits of multiple peril contracts
include:
• Lower transaction cost
• Lower premium
• Less chance of over-insurance. To cover organisations against underinsurance, multiple risk
products quite often include a provision for reinstatement, which allows limits to be renewed in the
event that they are fully used prior to maturity.
Multiple trigger
In contrast to multiple peril products, which provide coverage against any named peril in the policy,
multiple trigger products are only effective if more than one event occurs. An example is where a
property or contingency event occurs in conjunction with a financial event, or a catastrophic and a
financial event. If only one of the events occurs and the cedant still suffers a loss, no payment is made.
Dual triggers are contracts that require the onset of two events before pay-out. Multiple trigger
products are developed as multi-year contracts with annual trigger resets. The forms of trigger are:
• A fixed trigger is a barrier used to determine whether an event has occurred or not.
• Variable triggers are used to determine the value of the pay-out by the level of the trigger in
relation to a defined event.
• Switching triggers vary on the basis of how the individual risk exposures in the cedant’s portfolio are
performing.
Since pay-outs will only be made once the second event has occurred, the likelihood of a pay-out is
significantly reduced. This can mean that the cedant can achieve cheaper protection. However,
the cost of bespoke product development can be significant.
Another alternative is to put a dual trigger structure in place, with a loss of production as the fixed
trigger and, as the variable trigger, a power price above e.g. R65 MWh. WWNLYD can negotiate for
a deductible of the maximum number of hours it can afford to be off-line in terms of the service level
agreements with its customers, minus a safety margin, to make the policy more affordable.
Options
Another alternative is to purchase American call options at a strike of approximately
R65 MWh. WWNLYD can then exercise the options when the power price is R65 MWh or above.
WWNLYD can purchase enough contracts to cover the potential loss.
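The dual-trigger structure and the call-option alternative described above, as an added worked example that is not from the exam pack: only the R65 MWh price level comes from the answer; the hours deductible, the annual limit, the production lost per hour, the option contract size and the premium are constructed values, and the functions and names are the example's own.

```python
"""Pay-out mechanics of a dual-trigger cover versus call options.

Added worked example, not from the exam pack. The R65 MWh price level comes
from the answer above; every other contract term, price and production
figure is constructed for illustration.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class DualTriggerCover:
    price_trigger: float     # variable trigger: power price (R per MWh) must be above this
    deductible_hours: float  # hours off-line the cedant carries itself (SLA headroom)
    annual_limit: float      # maximum pay-out per year (rand)
    mwh_per_hour: float      # production lost for every hour off-line


def dual_trigger_payout(cover, hours_offline, power_price):
    """Pay only when both triggers fire: a loss of production (fixed trigger)
    and a power price above the variable trigger. One event alone pays nothing,
    and the hours deductible comes off before the loss is valued."""
    production_lost = hours_offline > 0
    price_breached = power_price > cover.price_trigger
    if not (production_lost and price_breached):
        return 0.0
    covered_hours = max(0.0, hours_offline - cover.deductible_hours)
    return min(cover.annual_limit, covered_hours * cover.mwh_per_hour * power_price)


def call_option_payout(strike, contracts, mwh_per_contract, power_price, premium_per_contract):
    """Net result of holding American calls at the observed price: intrinsic value
    when the price is at or above the strike, less the premium already paid."""
    intrinsic = max(0.0, power_price - strike) * mwh_per_contract * contracts
    return intrinsic - premium_per_contract * contracts


def contracts_to_cover(hours_offline, mwh_per_hour, mwh_per_contract):
    """Number of option contracts needed to cover the production at risk."""
    return ceil(hours_offline * mwh_per_hour / mwh_per_contract)


# Constructed contract terms (assumed values, not from the case study).
COVER = DualTriggerCover(price_trigger=65.0, deductible_hours=24.0,
                         annual_limit=50_000_000.0, mwh_per_hour=100.0)

if __name__ == "__main__":
    for hours, price in ((72, 80.0), (72, 60.0), (0, 90.0), (10, 90.0)):
        print(f"{hours:3}h off-line at R{price:.0f} per MWh -> "
              f"dual-trigger pays R{dual_trigger_payout(COVER, hours, price):,.0f}")
    n = contracts_to_cover(72, COVER.mwh_per_hour, mwh_per_contract=1_000)
    for price in (80.0, 60.0):
        net = call_option_payout(65.0, n, 1_000, price, premium_per_contract=2_000.0)
        print(f"{n} calls at R{price:.0f} per MWh -> net R{net:,.0f}")
```

The second and fourth cases show why the dual-trigger cover is cheaper: an outage at a low power price, or one shorter than the negotiated hours deductible, pays nothing; the options, by contrast, pay whenever the price is above the strike but cost their premium even when no outage occurs.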

Operational risk definition

Operational risk is the risk of losses due to inadequate or failed internal processes, systems and
people, and external events. This can include legal risk, but excludes reputational and strategic
risk. The factors for operational risk are defined clearly so that it is possible to measure it; as soon as it
can be measured, it can be managed effectively. It includes legal risk, as legal risk can be
measured in terms of losses suffered through penalties and fines resulting from breaches of
contracts and regulations, for example. It usually excludes reputational and strategic risks, as
these risks are difficult to measure and thus to manage as a specific risk type.

Benefits of operational risk


The benefits of operational risk management are discussed in Chapter 2 of the prescribed book.
Operational risk framework
Risk management should start with the analysis of the overall business strategy and objectives
of the organisation; subsequent changes to the strategy should also be considered and
changes made where necessary. An operational risk management framework also enables the
practical implementation of governance. Governance provides an over-arching organisational
structure within the organisation’s culture and also establishes the three lines of defence, i.e. line
management, risk management and the independent assurance providers.
The operational framework can take many forms; the framework most often used is:
Identify the risks
The first step in the process is to understand the business in order to identify the risks. Methods
that can be used to gain an understanding of the business and to identify risks include, inter alia:
• Workshops and interviews
• Questionnaires
• Risk process flow analyses
• Checklists
• Loss history
The purpose of the process should also be clear, in order to raise awareness, track the
risks and assess the financial impact of the risks.

Evaluate the risks

Risk evaluation is the assessment and measurement of the identified risk exposures with the
aim of managing and controlling the risks. To do this, the risks must be measured so that
management is able to manage them.
Operational risk can be measured in quantitative and qualitative terms. The quantitative
approach aims to quantify risk in numerical terms. The qualitative approach aims to evaluate the
risk exposures that cannot be calculated; the risk exposures are analysed on rating
scales to determine the possible impact and likelihood of the risk events.
Control the risks
Once the risks have been evaluated, strategies can be developed to control the risks. Risk controls can
be preventative, detective or contingent. The objectives of a risk control programme are to
reduce the potential effect of a loss and to reduce the likelihood of the risk occurring.
The control strategies are to avoid the risk, transfer the potential effect of the loss event,
accept the consequences or improve the internal control measures to manage the risk.

Finance
The aim of risk financing is to ensure that the cost of risk and the cost of the risk management
process do not exceed the potential benefits provided to the organisation. The risk management
process can therefore require a pre-financing or post-financing policy. The pre-financing of
operational risk can include methods such as insurance or self-insurance, while post-financing
can include the use of cash resources or debt.
Monitoring
The monitoring of risk includes regular management and supervisory activities and the other
actions employees undertake in their daily activities. It is important that senior management is
involved in the monitoring of risk. Reporting forms an integral part of the monitoring process.
Reports can be produced for different users e.g. the external stakeholders such as regulators
and the shareholders, internal stakeholders at strategic level such as the board and EXCO,
senior management and line management.
It is important that the risk is managed as close to the source as possible. The different levels of
users will have different objectives e.g. the board and EXCO will need less frequent reports to
enable them to manage trends and evaluate the strategies in contrast to line management that
need more frequent reports to rectify transactions. Line management requires daily/intra-day
reports, senior management monthly, the board quarterly and shareholders annually.

The risk strategy should consider the various risk functions, as it determines aspects such as risk
tolerance limits and capital allocation processes. A strategic planning process for operational
risk management consists of the following five steps:
Collate data
Collate the data with respect to the business strategy and objectives to determine the
operational risk management requirements in terms of resources and risk mitigation tools. The
information will also assist with the operational risk management planning process.
Evaluate data
This assists in determining the current operational risk profile. Quantitative and qualitative data are
used to determine the likelihood and impact of potential events on the business. Control self-
assessments, key risk indicators and the loss history (internal and external) can be used to
develop the operational risk profile.
Formulate risk management objectives
It is important to determine the short-, medium- and long-term objectives of managing operational
risk. Short-term action plans must be formulated for the short-term objectives, including the
tools that will be used to execute the plans. The operational risk policy is also important to
support the organisation in achieving its business objectives. It is therefore important that the
policy is approved by the board. Components of the operational risk policy are:
• The operational risk definition
It is important that the organisation uses the same terminology with regard to the definition
and classification of risks and the reporting of direct and indirect losses/costs and near misses, and that it is
used consistently throughout the organisation.
• Statement on the operational risk appetite
It is important to determine the tolerance of the organisation for a potential loss. This will form
the basis for the formulation of operational risk objectives and should be included in the
operational risk policy.
Monitoring and reporting
The purpose is to monitor the execution of risk management action plans. The use of the operational
risk management tools will enable the risk manager to continuously identify and evaluate
operational risk exposures, determine the adequacy and effectiveness of the
controls and ultimately ensure the success of the business strategy.
This question was the most theoretical question of the assignment. Most of the
information is available in the prescribed book. What was important is the structure of the answer to
ensure completeness of the framework, but also to argue or explain why you
recommended a specific framework as there are different frameworks in the prescribed
book.

Characteristics of risk indicators

Many organisations err in identifying too many indicators and also classifying them all as key risk
indicators.

The following can be regarded as characteristics of good risk indicators:

Relevance
The risk indicator must be linked to the organisation’s operational risk exposures and provide
management with a quantum regarding the levels of exposure and the degree to which such
exposures are changing over time. It is also important to review indicators periodically for
relevance, as relevance can also change over time from the perspective of the users of the indicator.
Three criteria can be used to determine relevance:
• Specific focus indicators: focused on a single exposure area.
• General focus indicators: cover a specific area of activity and provide a general
impression of current exposure levels or activity.
• Common or generic indicators: can be used anywhere in the business, usually by
adding specific context.

Measurable
Risk indicators must be capable of being measured repeatedly and with certainty. To be
measurable, an indicator should meet the following criteria:
• Must be quantifiable as an amount, percentage, ratio, number or count.
• Must have values which are reasonably precise and a definite quantity.
• Must be comparable over time.
• Must be reported with primary values and be meaningful without interpretation or
some subjective measure.
Predictive
Indicators can provide a leading, lagging or current perspective of the operational risk exposures
of the organisation.
Although there is a need for leading indicators, these are the most difficult to develop, as a simple
projection of the future based on historical events will most probably sacrifice accuracy and
therefore reliability. For an indicator to be fully predictive requires significantly more context,
which implies that single indicators by themselves are of little use. To overcome this challenge,
practitioners are moving towards the development of composite or index indicators. An
important requirement for developing a composite or index indicator is to understand both the
causal and the underlying relationship with specific datasets, to ensure appropriate groupings of
related indicators.
Lagging indicators provide useful information regarding the historical causes of loss or
exposure. They can also be useful where losses are initially hidden or where changes in historical
trends may reflect changes in circumstances that have some predictive qualities.
Current indicators provide a current view of operational risk exposures and may identify a
situation that requires attention to reduce an exposure or minimise a loss.
Easy to monitor
Organisations often find it difficult to source the data that can be used for risk indicators,
especially where the data architecture of the organisation is complex. The requirements for ease of
monitoring are:
• The data should be simple and relatively cost-effective to collect, quality-assure and
distribute.
• The data should be relatively easy to interpret, understand and monitor.
Auditable
Management will place significant reliance on risk indicators, and it is therefore important that they are
accurate (sourced and calculated), complete and timely. The operational risk management
department must be satisfied with the quality and, as a governance measure, the internal audit
function should include the indicators as part of its audit coverage.

Comparability
The indicator identification and selection process of an organisation should assess the level of
comparability with benchmarks in and across the industry to ensure that the users for the
indicators have a better understanding of the exposure levels that the indicator relates to.
Establishing KRIs and KCIs
Identifying KRIs and KCIs can be difficult as each organisation is unique and although industry
benchmarks are available, it still needs to be adapted to suit the individual organisation. The
prescribed book discusses a number of ways that can be used to identify indicators.
To make the use of indicators more effective, organisations establish targets or thresholds to
link indicators with the risk appetite of the organisation and to prioritise indicators for
management purposes. This enables management to focus their efforts where necessary.
It is also important to determine the frequency of recording and reporting the indicator. There is
a direct link between the frequency of the event and the recording and reporting thereof.
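Thresholds that link an indicator to the risk appetite, the trend of an indicator over its reporting periods, and the composite or index indicator discussed under "Predictive" above, as one added worked example that is not from the exam pack, the prescribed book or the GARP article: the three indicators, their amber and red thresholds, the weights and the six periods of observations are constructed, and the red/amber/green banding and the 5% trend tolerance are assumptions of the example.

```python
"""Key risk indicators: appetite-linked thresholds, trend and a composite index.

Added worked example, not from the exam pack. Indicator names, thresholds,
weights and the observations below are constructed; the colour banding and
the trend tolerance are assumptions.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Indicator:
    name: str
    unit: str
    amber: float  # assumed threshold: exposure needs management attention
    red: float    # assumed threshold: exposure outside the stated risk appetite


def status(indicator, value):
    """Rate one observation against its thresholds (higher = more exposure)."""
    if value >= indicator.red:
        return "red"
    if value >= indicator.amber:
        return "amber"
    return "green"


def trend(history, window=3, tolerance=0.05):
    """Compare the mean of the last `window` periods with the mean of the
    `window` before it; a relative move within `tolerance` counts as stable."""
    if len(history) < 2 * window:
        raise ValueError("not enough history for a trend")
    recent = mean(history[-window:])
    prior = mean(history[-2 * window:-window])
    if prior == 0:
        return "rising" if recent > 0 else "stable"
    change = (recent - prior) / prior
    if change > tolerance:
        return "rising"
    if change < -tolerance:
        return "falling"
    return "stable"


def composite_index(indicators, histories, weights):
    """Composite/index indicator: each latest value is scaled against its red
    threshold (1.0 = at the appetite limit) and the parts are combined by weight."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(weights[i.name] * histories[i.name][-1] / i.red for i in indicators)


def kri_report(indicators, histories):
    """Per-indicator view for the risk report: latest value, status and trend."""
    report = {}
    for i in indicators:
        latest = histories[i.name][-1]
        report[i.name] = (latest, status(i, latest), trend(histories[i.name]))
    return report


# Constructed indicators with six periods of observations (assumed values).
INDICATORS = [
    Indicator("Staff turnover", "% per quarter", amber=8, red=12),
    Indicator("Unreconciled items older than 30 days", "count", amber=50, red=100),
    Indicator("Core system downtime", "hours per month", amber=4, red=8),
]
HISTORY = {
    "Staff turnover": [5, 6, 7, 9, 11, 13],
    "Unreconciled items older than 30 days": [30, 28, 32, 29, 27, 31],
    "Core system downtime": [1, 2, 1, 6, 5, 9],
}
WEIGHTS = {"Staff turnover": 0.4,
           "Unreconciled items older than 30 days": 0.3,
           "Core system downtime": 0.3}

if __name__ == "__main__":
    for name, (latest, colour, direction) in kri_report(INDICATORS, HISTORY).items():
        print(f"{name:40} latest={latest:<5} {colour:6} {direction}")
    idx = composite_index(INDICATORS, HISTORY, WEIGHTS)
    print(f"Composite index: {idx:.2f} (1.0 = at the appetite limit)")
```

The report shows why the single metric is dangerous: the unreconciled-items count looks healthy on its own, while the composite index, which groups it with related people and system indicators, is already in the amber zone because the other two components have breached their red thresholds.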
Few students referred to the GARP article. The article illustrates the danger of using only
one metric, especially if the metric is not properly defined. Furthermore, too much
emphasis on one component can lead to the wrong behaviour, as experienced by
Walmart/SAMS CLUB and even Benchmark Bank.

Question 17
a. Argue the three lines of defence model and make a recommendation of whether SPEND Ltd
should adopt the model. (10)

Solution

Three lines of defence (Refer to Figure 3.1 in Blunden and Thirlwell, 2013:45 for more details)
First line of defence: Business line management
Management is responsible for the day-to-day operations of the company. Risk management should
be embedded in the processes and daily activities.
Second line of defence: Oversight (Risk management, HR, Finance, IT, Compliance)
Risk management should be independent of the day-to-day operations and should assist management
with the identification, evaluation, control, financing, monitoring and reporting of risk. It is responsible for
the development of centralised policies and standards, risk management processes and controls, and
for monitoring and reporting on risk.

Third line of defence: Independent assurance
The assurance providers should be independent from the business and management functions. The
assurance providers consist of internal audit and external audit (you also need to explain briefly the
role played by internal and external audit in order to score more marks). One of the benefits of
adopting the three lines of defence model is that it is aligned with leading international risk
management practice and complies with codes on corporate governance.

Question 18

Argue an appropriate risk management process for implementation by SPEND Ltd. (15)

Solution

Risk management should start with the analysis of the overall business strategy and objectives of the
organisation; subsequent changes to the strategy should also be considered and changes made where
necessary.

An operational risk management framework also enables the practical implementation of
governance. Corporate governance provides an over-arching organisational structure within the
organisation’s culture and also establishes the three lines of defence, i.e. line management, risk
management and the independent assurance providers.

The operational process can take many forms; the framework most often used is:

1. Identify the risks
The purpose of the identification process should be clearly communicated in order to raise
awareness across the business operations, and to track and assess the financial impact of the risks. Risk
identification is a continuous process, as new risks arise all the time.
2. Evaluate the risks
Risk evaluation is the assessment and measurement of the identified risk exposures with the aim to
manage and control the risks. In order to do this, the risks should be measured to enable
management to manage it.
Operational risk can be measured in quantitative and qualitative terms. The quantitative approach
aims to quantify risk in numerical terms. The qualitative approach aims to evaluate the risk exposures
that cannot be calculated. The risk exposures are analysed in terms of rating scales to determine the
possible impact and likelihood of the risk events.
3. Control the risks
Once the risks have been evaluated, strategies can be developed to control the risks. Risk controls can be
preventative, detective or contingent. The objectives of a risk control programme are to reduce the
potential effect of a loss and to reduce the likelihood of the risk occurring.
The control strategies which can be implemented are either to avoid the risk, transfer the potential
effect of the loss event, accept the consequences or improve the internal control measures to
manage the risk.
4. Finance
The aim of risk financing is to ensure that the cost of risk and the cost of the risk management
process do not exceed the potential benefits provided to the organisation. The risk management
process can therefore require a pre-financing or post-financing policy. The pre-financing of
operational risk can include methods such as insurance or self-insurance, while post-financing can
include the use of cash resources or debt.

5. Monitoring and reporting

The monitoring of risk includes regular management and supervisory activities and the other actions
employees undertake in their daily activities. It is important that senior management is involved in the
monitoring of risk. Reporting forms an integral part of the monitoring process.
Reports can be produced for different users e.g. the external stakeholders such as regulators and the
shareholders, internal stakeholders at strategic level such as the board and EXCO, senior
management and line management.
It is important that the risk is managed as close to the source as possible. The different levels of
users will have different objectives e.g. the board and EXCO will need less frequent reports to enable
them to manage trends and evaluate the strategies in contrast to line management that need more
frequent reports to rectify transactions. Line management requires daily/intra-day reports, senior
management monthly, the board quarterly and shareholders annually.
Question 19

Explain the concepts of risk appetite and risk tolerance with examples.
Solution

Risk appetite is the risk of loss that a firm is willing to accept for a given risk-reward ratio (over a
specified time horizon, at a given level of confidence). A risk appetite statement could consist of the
following financing mechanisms:
• Internal funding to develop and implement control measures.
• Insurance that will cover any losses that the organisation is prepared to pay for in order to relieve
the burden of carrying the total loss by itself.
• Capital allocation to a reserve, which can absorb a loss due to a catastrophic event, such as fire or
flood.
Risk tolerance can be explained by reference to theft of a firm’s assets. There may be no appetite for
theft in a firm, but a certain level of theft is expected by senior management. This level is tolerated
even though there is no appetite for allowing theft itself.
Different industries will have different levels of appetite and tolerance (e.g. the banking industry has
different risk appetite and tolerance levels compared to the construction industry). (Students can earn
additional marks if they illustrated with examples from the SPEND case study).
Question 20

You have considered all the available information and decided to present the information in
the following sub-headings per event. (20)
Solution

• Event: A description of the event with the consequence or possible consequence.
• Cause: The cause(s) of the event.
• Impact and likelihood: Argue the values allocated for the impact and likelihood of the event.
The purpose of this assignment was to give students the opportunity to classify risks in terms of the
risk definitions and to demonstrate how difficult it sometimes is to classify risks, as the consequence
of the event can be caused by a number of different factors.
Question 21

Identify and evaluate the operational risks for SPEND Ltd and plot the risks on an
Operational Risk Profile. Use the Risk Evaluation Matrix as provided. (10)
Solution
Question 22

The CRO had a meeting with Hotshot Consultants Ltd. The consultant modelled the losses
for presentation to the Risk Committee. [20]

You were requested to explain the graph to the Risk Committee, by covering the following aspects:
• Interpretation of the graph
• Control strategy
• Risk financing strategy

Solution

Interpretation of the graph (Refer to Young, 2014:99-101)

The loss distribution curve can be divided into three parts.
• The first part of the graph indicates a large number of small losses, i.e. expected losses,
characterised by low frequency and low severity, such as pilferage and theft.
• The second part is where the number of losses reduces and the value of the losses
increases, but they are still what can be expected as part of the business.
• The last part illustrates limited available data, i.e. unlikely but plausible events with significant
losses, thus unexpected losses, e.g. the PE warehouse fire.

The control strategy for each part is:

• First part: if the losses in this category are within the risk tolerance of the business, management can
accept the losses, or improve the preventative controls to reduce the likelihood, or the detective
controls, should management decide the losses are breaching the risk tolerance levels. The firm
can finance the risk by improving the controls and raising provisions to absorb the losses. Standard
insurance is not necessarily the optimal option, as the premiums may be prohibitive.
• The second part of the diagram also warrants an improvement of the control environment. The
firm can also consider transferring the risk by insuring against the events.
• The last part of the diagram requires contingency controls, such as a business continuity plan,
should an event with a low probability and a significant loss/impact occur. Although
insurance against such events can be purchased, the cost can be prohibitive, and companies
can consider more advanced risk financing techniques such as captive insurance, finite
insurance, and contingency finance such as capital reserves and contingency loans.
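The scenario analysis notes earlier on this page (take the exposure to a series of scenarios, calculate a VaR-type figure, place it in front of management) and the three-part reading of the loss distribution curve in this answer, as one added worked example that is not from the exam pack or its prescribed books. It goes slightly beyond the text by enumerating the full loss distribution implied by a scenario library, so that Expected Loss, the VaR-type figure and Unexpected Loss can be read off it. The scenario library, the assumption that scenarios are independent, the confidence level, and the tolerance and probability thresholds used to place a scenario on the curve are all assumptions; the amounts are constructed and are not the case-study figures.

```python
"""Scenario-based operational risk measures and the three-part loss curve.

Added worked example, not from the exam pack or its prescribed books. A small
constructed scenario library is turned into the loss distribution it implies
(scenarios assumed independent), from which Expected Loss, a VaR-type figure
and Unexpected Loss are read off. Names, probabilities, amounts and the
thresholds used for the three-part reading are assumed values.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # likelihood that the event occurs in one year
    loss: float                # severity in rand if it does occur


# Constructed scenario library (illustrative values, not the case-study figures).
SCENARIO_LIBRARY = [
    Scenario("Till shortages and pilferage", 0.95, 200_000.0),
    Scenario("Duplicate supplier payment", 0.40, 1_500_000.0),
    Scenario("Distribution centre power outage", 0.10, 8_000_000.0),
    Scenario("Distribution centre fire", 0.01, 300_000_000.0),
]


def expected_loss(library):
    """Mean of the annual loss distribution: sum of probability x severity."""
    return sum(s.annual_probability * s.loss for s in library)


def loss_distribution(library):
    """Enumerate every combination of scenarios occurring or not and return
    [(total_loss, probability)] sorted by loss, i.e. the support of the curve."""
    totals = {}
    for outcome in product((False, True), repeat=len(library)):
        prob, total = 1.0, 0.0
        for occurs, s in zip(outcome, library):
            prob *= s.annual_probability if occurs else 1.0 - s.annual_probability
            total += s.loss if occurs else 0.0
        totals[total] = totals.get(total, 0.0) + prob
    return sorted(totals.items())


def value_at_risk(library, confidence):
    """VaR-type figure: the smallest loss L with P(total loss <= L) >= confidence,
    a point on the right-hand side of the cumulative loss distribution."""
    cumulative = 0.0
    for total, prob in loss_distribution(library):
        cumulative += prob
        if cumulative >= confidence:
            return total
    raise ValueError("confidence must not exceed 1.0")


def unexpected_loss(library, confidence):
    """Capital perspective: the gap between the VaR-type figure and Expected Loss."""
    return value_at_risk(library, confidence) - expected_loss(library)


def recommend_strategy(scenario, tolerance, rare_probability):
    """Place a scenario in one of the three parts of the loss curve and return the
    control and financing response that part calls for. Thresholds are assumed."""
    if scenario.loss <= tolerance:
        return ("expected", "accept within tolerance or improve preventative and "
                "detective controls; finance through provisions")
    if scenario.annual_probability >= rare_probability:
        return ("body", "improve the control environment; transfer through insurance")
    return ("tail", "contingency controls such as a business continuity plan; "
            "captive or finite insurance, capital reserves, contingency loans")


if __name__ == "__main__":
    el = expected_loss(SCENARIO_LIBRARY)
    var = value_at_risk(SCENARIO_LIBRARY, 0.995)
    print(f"Expected loss:   R{el:,.0f}")
    print(f"VaR (99.5%):     R{var:,.0f}")
    print(f"Unexpected loss: R{var - el:,.0f}")
    for s in SCENARIO_LIBRARY:
        part, action = recommend_strategy(s, tolerance=1_000_000, rare_probability=0.05)
        print(f"{s.name:34} {part:8} {action}")
```

With these constructed inputs the fire scenario alone carries most of the Unexpected Loss: the management-perspective region between Expected Loss and the VaR figure is dominated by a single rare event, which is exactly the part of the curve that contingency controls and the more advanced financing techniques above are meant for. The confidence level is an input to the measure, not a value the page prescribes.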
Question 23

Illustrate the business continuity concept by means of a diagram. (10)

Solution
Question 24

Evaluate SPEND’s actions with regard to the fire at the Port Elizabeth distribution centre and
what you would implement to mitigate the impact. (10)
Solution

The contingency plan for PE relied on a 10-minute response by the PE Fire Brigade and on the sprinkler
system of the distribution centre to contain the fire until the Fire Brigade arrived. The contingency
plan did not provide for any action if the distribution centre was destroyed.
Staff were slow to react when they noticed the fire, as they underestimated its severity.
Management was only alerted to the fire after staff were unable to extinguish it with a garden
hose and fire buckets. By that time the fire had started to spread into the building, and management
was only able to alert the Fire Brigade after the distribution centre was burning out of control. Total
damage to the buildings and stock amounted to R300m. An additional loss in trade of R50m was
incurred, as it took three months to rebuild the centre, and an additional cost of R5m was incurred to
supply stores from other distribution centres.
The contingency measures need to contain the damage and allow normal business to continue as early as
possible. The following should be considered as part of the contingency plan:
• Identification of an event, i.e. the fire
• Escalation of the event, i.e. staff should have reported the fire immediately
• Notify the fire brigade immediately
• Pre-arranged temporary distribution facilities or, if not available, consider dual distribution facilities in
the Eastern Cape
• Business interruption insurance
