
Risk Identification - User's blog

Instructor: Micky Midha

Learning Objectives

  • Compare different top-down and bottom-up approaches and tools for identifying operational risks.
  • Describe best practices in the process of scenario analysis for operational risk.
  • Describe and apply an operational risk taxonomy and give examples of different taxonomies of operational risks.
  • Describe and apply the Level 1, 2, and 3 categories in the Basel operational risk taxonomy.

Risk Identification

  • The most dangerous risks can turn out to be the ones that are often ignored. Such ignored or unintended risks can pose significant threats to a firm. Risk identification is crucial for determining an organization’s level of preparedness for adverse events. It is the first step in the risk management framework, which includes
    • identification,
    • assessment,
    • mitigation, and
    • monitoring.
  • Once risks are identified, they can either be accepted or mitigated, but the risk assessment must consider the cost of controls compared to the potential for loss.
  • The risk identification process begins with top-down direction from the board/executive level and extends to business units, departments, and individual business processes. It is complemented by a bottom-up approach where businesses and divisions evaluate their own operational risk. The combination of both approaches results in a comprehensive view of the firm’s operational risk profile, known as a consolidation of the two methods.

Top-Down Risk Identification

  • Top-down risk identification focuses on identifying major organizational risks that could hinder strategic goals. For example, in a FinTech bank, any operational risk that hinders growth and market share should be prioritized in risk management. Identifying enterprise-level risks is crucial for maintaining operational resilience and a sustainable business model.
  • Risk prioritization and ranking is an important aspect of top-down risk identification. This process involves senior risk owners, executive committee members, and business line heads in brainstorming workshops. Tools such as exposure and vulnerability review, risk wheels, and impact and revenue analysis can aid in this process.
  • Executive-level risk identification exercises occur 2-4 times a year, depending on business growth and development, as well as new risks generated by business activities. A rapidly growing or innovative business requires more frequent risk assessments compared to a stable, mature business. Technology-intensive businesses or startups with unproven models may need a more frequent risk assessment cycle.
  • Advanced enterprises evaluate scenarios to anticipate future risks. Top-down identification informs scenario identification and inputs into the risk and control self-assessment (RCSA) process. When performed effectively with senior manager input, it can effectively highlight key risks and enhance performance while avoiding surprises. A resilient control environment with proper risk ownership is crucial for success.

Bottom-Up Risk Identification

  • Bottom-up risk identification complements top-down risk identification. This approach is conducted at local business levels, in a department, or at the individual process level. It is often done in a risk and control self-assessment where participants anticipate and consider the various operational risks and controls faced by the given activity. For example, in a fast-growing FinTech bank, a top-down approach may identify cyberattack as a major risk, and the bottom-up approach at the product level may assess the vulnerability of the bank’s online application system to hacking.
  • The difference between top-down and bottom-up risk identification is the level at which the identification takes place. Top-down is with senior leadership and bottom-up is with staff in different departments.

Tools For Risk Identification

  • The tools for top-down risk identification that are described here are intended to organize the examination and analysis of data to support imaginative consideration of the risks and challenges to the organization –
    1. Business-Specific Risk Identification: Exposures and Vulnerabilities
    2. The Risk Wheel
    3. Emerging Risk Identification: Horizon Scanning
  • In order to be more anchored in the facts of an activity or a process, bottom-up risk identification tools diverge from broad brainstorming exercises. The primary instruments of local operational risk assessment are –
    1. Event and Loss Data Analysis: Internal Losses, External Losses, and Near Misses
    2. Risk and Control Self-Assessment (RCSA)
    3. Process Mapping

Exposures And Vulnerabilities


  • Financial firms face inherent business risk exposure related to key clients, distribution channels, central systems, revenue sources, and regulatory agencies. These risks include significant third-party exposure and large corporate initiatives. The focus of operational risk management is on managing project and outsourcing-related risks. Any failure in these operations increases exposure and risk.
  • The weakest points in company operations are vulnerabilities. They can lead to major losses or even the firm’s downfall. Weak points can be insufficient products or processes, outdated systems, resistance to risk management, or unmonitored non-core companies. Utilizing a list of exposures and vulnerabilities as a brainstorming tool for risk identification is effective because it is industry-specific and easy for all to understand, not just those familiar with risk management.
  • Examples of exposures –
    • Critical third parties
    • Key distribution channels
    • Important clients
    • Essential systems
    • Principal regulator
    • Main drivers of revenues
    • Sources of goodwill
    • Key persons
  • Examples of vulnerabilities –
    • Issues in control systems
    • Overdue resolutions of issues
    • Stand-alone systems
    • Revenue channels at risk
    • Unmonitored operations or people
    • Blind spots
    • Unmaintained systems
    • BCP overdue for testing
    • Systems overdue for updates

The Risk Wheel (Top-Down Wheel)

  • The risk wheel is a classic brainstorming tool to encourage creativity and ideas during risk identification workshops. This figure presents one example of the risk wheel.
  • The risk wheel is a helpful tool for identifying enterprise risks in non-financial industries. Also, financial risk managers have found it useful to have a more imaginative way to discuss risk themes. The circular representation of risks helps highlight connections between risk types and potential cause-and-effect chains. For example –
    • Conditions in the labor market (a disk of the wheel in the figure) can impact personal effectiveness, leading to delays or descoping of projects and change, causing IT risk materialization, impacting business continuity and potentially causing reputational damage (all of which are separate disks of the wheel).
    • Natural disasters or pandemics can disrupt supply chains, leading to business continuity issues. A power cut may cause a credit card company to suffer a few days of disruption, which can result in reputational damage.
  • It is crucial to recognize and discuss the connections between risks, as these causal linkages between risks should guide the priorities for risk management and risk reduction. When risk management prioritizes the reduction of risks that have a cascading effect on other risks, it’s more effective and prevents a “domino effect”. Treating the root causes rather than the symptoms is the key to effective risk management.
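The cause-and-effect chains above can be modelled as a directed graph so that risks are ranked by how many other risks they can trigger. This is an added example, not material from the original course page; the risk names and links are constructed from the two chains described in the text.

```python
"""Added example (not from the original page): models the risk wheel's
cause-and-effect chains as a directed graph and ranks risks by the size of
the cascade they can set off, so root causes come first in the mitigation
priority list. Risk names and links below are constructed from the two
chains described in the text and are illustrative only."""
from collections import deque

# Constructed causal links: cause -> set of effects, following the labor
# market chain and the disaster / power-cut chain given in the text.
RISK_LINKS = {
    "labor market conditions": {"personal effectiveness"},
    "personal effectiveness": {"project delay or descoping"},
    "project delay or descoping": {"IT risk materialisation"},
    "IT risk materialisation": {"business continuity"},
    "business continuity": {"reputational damage"},
    "natural disaster or pandemic": {"supply chain disruption"},
    "supply chain disruption": {"business continuity"},
    "power cut": {"business continuity"},
    "reputational damage": set(),
}


def downstream(graph, risk):
    """Return every risk reachable from `risk` by following causal links.
    Breadth-first traversal with a visited set, so cycles (which a real
    risk wheel can contain) terminate and the start node is not counted."""
    seen = set()
    queue = deque(graph.get(risk, ()))
    while queue:
        node = queue.popleft()
        if node in seen or node == risk:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def root_causes(graph):
    """Risks that no other risk feeds into: the candidates for treating
    causes rather than symptoms."""
    effects = set().union(*graph.values())
    return {risk for risk in graph if risk not in effects}


def cascade_ranking(graph):
    """Rank every risk by cascade size (number of downstream risks),
    largest first; ties broken by name so the ordering is repeatable."""
    return sorted(
        ((risk, len(downstream(graph, risk))) for risk in graph),
        key=lambda item: (-item[1], item[0]),
    )


def prioritised_root_causes(graph):
    """Root causes ordered by cascade size: reducing these first is what
    prevents the domino effect the text warns about."""
    roots = root_causes(graph)
    return [(risk, size) for risk, size in cascade_ranking(graph) if risk in roots]


if __name__ == "__main__":
    for risk, size in prioritised_root_causes(RISK_LINKS):
        chain = sorted(downstream(RISK_LINKS, risk))
        print(f"{size} downstream risk(s): {risk} -> {chain}")
```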

Horizon Scanning (Top-Down Tool)

  • Horizon scanning is the common method used to identify emerging risks. The importance of identifying emerging risks has increased in recent years due to a more volatile business environment, new technologies, and growing cyber threats. The COVID-19 pandemic and the war in Ukraine have emphasized the unpredictability of events, leading organizations to prioritize anticipating large risks. For unavoidable surprises, general preparedness and resilience are key. Some emerging risks, like cyber, compliance, employee well-being, mental health, and climate change, have been identified for decades and are becoming more prevalent. Other, newer emerging risks are just starting to emerge and require identification.
  • The key sources for identifying emerging risks are – “Global Risks Report” by World Economic Forum, “Top Operational Risks” survey by risk.net, “Operational Risk Horizon” report by ORX, and annual lists of top-10 risks by organizations such as the “big 4” audit firms.
  • PESTLE analysis is a useful method for identifying horizon risks. The acronym stands for the six key components of the operating environment – Political (P), Economic (E), Social (S), Technological (T), Legal (L), and Environmental (E).
  • It is not necessary to identify all the changes and evolutions in a firm’s operating environment. Rather, an organization should focus on changes that affect its mission and strategy, pose a threat to its long-term plans, impact business exposure or value drivers, and need to be considered in scenario analysis and contingency planning.
  • Monitoring academic research and emerging trends in relevant fields can be valuable for a firm. This includes keeping track of new technologies and innovations that could impact the business model. Machine learning and big data analysis can be especially useful for operational risk screening, but their potential has yet to be widely adopted in the market.
  • To use human expertise, some large firms, especially those with operations in multiple countries, set up “emerging risk committees” to track specific themes. These committees are made up of experts from each region where the firm operates and meet quarterly to discuss emerging trends and developments. This approach is most commonly used for monitoring compliance risks and is well-established in heavily regulated industries where large regulatory fines are common.

Event And Loss Data Analysis (Bottom-Up Tool)

  • Past incidents at a firm or similar organizations can provide valuable insights for identifying operational risks. Analyzing past incidents can be useful for risk identification, especially in stable market conditions where past events can predict future occurrences.
  • Internal losses can indicate the concentration of operational risk in a company. In banks, these losses usually occur in back-offices, financial market activities, retail, and IT. The number of transactions and amount of money flow also play a role. If repeated internal losses suggest a failure in internal controls, they should be taken into consideration when budgeting and pricing financial products or services. Unexpected internal losses can provide new information for risk identification.
  • External losses, such as those experienced by other firms, can assist with risk identification and assessment. Consortium data from sources like ORX or other loss incident data providers can be helpful. It is best practice to monitor major incidents reported by peers and ask – “Could this happen to us?” If the answer is yes, the organization should examine its risk mitigation processes and controls to reduce the risk of similar losses.
  • Near misses are incidents that almost resulted in loss but were avoided due to luck or an event that was beyond the organization’s control. Examples of near misses include mistyping a transaction amount with too many zeros but having the transaction rejected because there was also a mistake in the bank account number. Near misses are “lessons for free”. These can reveal vulnerabilities in a control system and show what could have happened. Firms with a healthy risk culture encourage reporting of near misses to improve controls, but this is only possible when employees feel comfortable admitting mistakes without consequences. In industries where safety is a concern, such as aviation and healthcare, near misses are often reported and used as opportunities for improvement.
  • Institutions regularly review past events, including losses and near misses, in committee meetings to assess changes in risk, control adequacy and adjust risk management.

RCSA (Bottom-Up Tool)

  • A risk and control self-assessment (RCSA) exercise is a process to evaluate operational risks in an organization or department through workshop-style discussions or questionnaires facilitated by the firm-wide risk management function. The goal is to gather information about risks in the business units. RCSAs assess the inherent risks of a business unit, the effectiveness of the key controls in place, and the residual risk after considering the current control environment.
  • RCSAs are risk assessment exercises, but they are also frequently utilized in practice as risk identification exercises. RCSAs merge the steps of risk identification and assessment as the business units discuss their risks in workshop meetings. The process highlights the integrated and iterative nature of risk management as it combines discussion of risks, their importance, and the controls in place.
  • In RCSA workshops, selecting the right participants is key. Two groups are ideal to interview – experienced employees with long tenure at the company, and recent hires from different firms/industries who can provide fresh perspectives. These contrasts in practices can highlight the strengths and weaknesses of an organization, as seen in a so-called “amazement report”.
  • RCSAs are typically conducted annually and updated after significant changes in the firm’s risk environment, such as incidents at peer firms, changes in the external environment, or significant events. In mature firms, they may also be updated quarterly, but too frequent updates can lead to a lack of thoroughness in evaluations.
  • RCSA scope must be chosen carefully for effective results. If the scope is too narrow, the output will be a collection of small, isolated risks that may not provide much value. This can result in missing the big picture and understanding of risk interactions in the organization.

Process Mapping (Bottom-Up Tool)

  • Process mapping is a bottom-up approach for identifying risks and controls. It is commonly used in IT, operations, and project management and can be applied to other areas as well. The approach involves laying out the steps of a process and asking what can go wrong in each step. This structured method helps identify risks attached to a set of activities. It is easier to start by observing controls and inferring the risks they address, which can highlight over- or under-control of some risks.
  • In process mapping, selecting the right level of detail is crucial for effective risk and control identification. The ideal level is where each step of the mapping relates to a significant action in the process, including key controls and verifications. To use process mapping as a risk identification tool, one identifies the risk mitigated by each control and considers what can go wrong at each step of the process.

Extreme Risk Identification – Scenarios

  • Scenario/stress-test identification follows logically from the risk identification exercise. This process starts with identifying scenarios that would cause significant harm to organizations. Such scenarios often involve rare events like natural disasters such as earthquakes, hurricanes, typhoons, or pandemics, or man-made incidents like large cyberattacks or business disruptions that require multiple controls to fail in order to occur. Despite their rarity, these scenarios are still more likely to occur than many organizations predict.

Regulatory Guidance On Scenario Analysis

  • The Basel Committee guidance on operational risk defines scenario analysis as “a method to identify, analyze and measure a range of scenarios, including low probability and high severity events, some of which could result in severe operational risk losses.”
  • The guidance states that banks should create forward-looking business continuity plans (BCP) with scenario analysis that considers the potential impact and recovery procedures. The banks must identify key operations and dependencies and define scenarios that could affect continuity. Each scenario should undergo a business impact analysis to consider financial, operational, legal, and reputational consequences. Continuity procedures should outline steps for resuming operations, set time and point objectives for recovery, and communicate guidelines to affected parties.
  • The Basel committee advises banks to include specific considerations for the potential unexpected events that could cause significant business disruptions in their list of operational risk scenarios.

Brainstorming For Scenarios And Top Risk Identification

  • The challenge in scenario analysis is to ensure consistency and reduce biases. It is a strong regulatory requirement that scenario analysis should lead to repeatable results, both quantitative and qualitative. Regulators require firms to minimize subjectivity and base assumptions on empirical evidence. The rationale, assumptions and processes for generating scenario analysis must also be documented to ensure repeatable results.
  • The preparation phase involves compiling a “preparation pack” of documents to help with scenario selection and assessment. This pack can be distributed before the first meeting or kept from participants to maintain creativity during brainstorming. Preparation documents for scenario identification include –
    • External loss data
    • Internal loss data, including large historical loss incidents and near misses
    • RCSA results
    • Key risk indicator scores
    • Audit issues and logbooks recording other issues, if any
    • Concentrated exposures, known vulnerabilities and issues
    • Any other relevant documents for risk and exposure assessment
  • Senior managers from various corporate and business functions who have knowledge of the risks in their field should participate in scenario analysis workshops and brainstorming sessions. The involvement of additional external experts is advisable but not overly common in practice. A perspective from an external expert on the scenario analysis process can help reduce some common assessment biases such as the following –
    • Myopia – The over-estimation of recent events.
    • An excessive focus on scenarios driven by external causes – Many financial institution scenarios are identified with respect to external events, but a significant portion of large loss events result from internal causes such as rogue trading, rigging of LIBOR, and IT breakdowns. These internal events often lead to regulatory fines and business restrictions, serving as reminders of the potential impact of internal weaknesses.
  • In a scenario workshop, the generation phase is the initial step, which involves creating an extensive list of scenarios. This list is then assessed to select a final list of scenarios.
  • Operational risk scenario analysis workshops are facilitated by ORM professionals who guide discussions and coordinate debates to reach a consensus. The facilitators can begin the meeting with simple warm-up questions to engage the participants and encourage reflection. For example –
    • What are your biggest concerns for the business in the next 1–3 years?
    • Why?
    • Are there incidents and losses that you avoided recently, that keep concerning you?
  • The questions help participants reflect on past and potential losses, generating numerous scenario ideas. The facilitator then guides discussion for each scenario, encouraging everyone to share their ideas and refine the narrative. They categorize the scenarios based on risk or consequence type and encourage further discussion for additional ideas and potential new scenarios.
  • Scenario selection is an intermediate phase where some scenarios are combined, added, or removed in order to produce a relevant list for accurate assessment. Examples of scenarios that can be viewed as a single scenario include those that have the same internal impact but different external causes, such as physical asset damage brought on by a variety of factors. Businesses can use these scenarios to validate or guide their business continuity planning process and to comply with recent resilience regulations.
  • During scenario selection, small-impact scenarios can be eliminated in order to concentrate on bigger, more important ones. Scenarios can also be ruled out if the risk owner can demonstrate that the average operating margin can absorb the maximum loss without negatively impacting operations. For instance, the “key person risk” scenario might be dropped if the HR head can show that key positions have backup and succession plans.
  • A mid-size firm should produce 20-30 scenarios during scenario identification, and around 15 scenarios after selection. The number of scenarios produced may vary for small and large firms, with international banks generating up to 50 operational risk scenarios.
  • Comparing the scenarios generated by a firm with an industry-specific list can help identify omitted scenarios and risk drivers. ORIC and ORX are industry-specific organizations that provide ready-made scenario lists. To avoid skewed results, it is best to compare a company’s scenario list with an independent industry source only after producing scenarios.
  • CASE STUDY – SCENARIO IDENTIFICATION THROUGH SILENT VOTING
  • Silent voting is a risk and scenario identification technique used in banks and insurance companies. It involves asking workshop participants to list two or three worries they have about the business, such as recent near misses or other past incidents. This guarantees that everyone takes part in the discussion and actively contributes their ideas.
  • By preventing a single opinionated or senior person from controlling the conversation, this approach avoids bias.
  • Following the writing down of everyone’s worries, each person shares their thoughts one at a time, and each worry is discussed and contrasted with others.
  • This method generates a wealth of data that can be used to create scenarios regarding losses, present and potential threats, and the general business environment.

Operational Risk Taxonomy

  • In the financial industry, operational risk has been defined by the Basel Committee as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”.
  • The International Organization for Standardization (ISO) in its risk management standard ISO 31000 and the Institute of Risk Management define each risk as a unique combination of a single cause, a single event, and a single impact, expressed as follows –
    • “Risk of … (impact) due to … (risk) caused by … (cause)”
    • Example: “Risk of regulatory fine (impact) due to a breach of regulations (risk) caused by delays in implementing the changes required by the new regulation (cause)”
  • The financial industry has not widely adopted this risk description approach because operational risks typically have several causes and impacts, making it less applicable.
  • It is important to be precise when describing risks. A precise description of the risk makes it easier to connect it to its causes and effects, assess, evaluate, and mitigate it.
  • Technology in itself is not a risk, but its failure can still lead to accidents. When manual processing is combined with poorly designed processes, the likelihood of other risks increases. These risks could include failure to send reports to clients, errors in accounting records, and errors in fund valuation. Risk assessments must take into account the underlying causes of operational risk, which could lead to higher losses for processes that rely on technology. Organizations recognize that their people and processes are prone to mistakes and inefficient operations.
  • Compliance with the regulatory environment is a top priority for every regulated entity. The risk comes from a compliance violation, not from compliance itself. Compliance is a constraint imposed by the operating environment, and new regulations on resilience, for example, may make compliance even more onerous. Regulation can result in unfavorable outcomes, such as non-compliance brought on by a lack of supervision or a failure to promptly adapt to new regulations, which can result in significant penalties and fines, as was the case during the “Great Financial Crisis” of 2007–2009.
  • To differentiate a risk from a theme, it is helpful to describe it as an adverse occurrence, uncertainty, incident, or accident. By posing the question “What could go wrong?”, risks can be expressed in specific and concrete terms. This makes it easier to evaluate risks and identify pertinent mitigating measures.
  • The practice of breaking down uncertainties into separate parts, such as causes, risks, impacts, and controls, is used in the financial services sector. During the assessment phase, these elements are listed separately and linked together. To organize causes, risks, impacts, and controls, taxonomies are used.
  • A structured way to express risks in increasing levels of detail is through taxonomies. It’s similar to the increasing level of specificity used in taxonomies to classify animals or plants.

The Basel Operational Risk Taxonomy

  • The official operational risk taxonomy for banks is provided by BCBS. It consists of three levels –
    • Level 1 is the highest-level category. There are seven “Level 1” categories based on loss events.
    • Each Level 1 category is divided into Level 2 sub-categories.
    • Each Level 2 sub-category is broken down into Level 3 activity examples.
  • Only the first two levels are recognized as regulatory categories. In management practice, it’s best to use a minimal number of categories for risk categorization and leave detailed examples for specific cases. This helps keep the number of risks manageable and prevents information overload. Too much detail can harm the quality of information and require excessive effort and resources for limited benefits.
  • This taxonomy, defined in the late 1990s during the drafting of the Basel regulation for operational risk, is still the official one in use more than two decades later. This classification is used by regulated financial services organizations to report operational risk to the regulator.
  • Event-type categories (Level 1) and their definitions –
    • Internal fraud – Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party
    • External fraud – Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party
    • Employment Practices and Workplace Safety – Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events
    • Clients, Products & Business Practices – Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product
    • Damage to Physical Assets – Losses arising from loss or damage to physical assets from natural disaster or other events
    • Business disruption and system failures – Losses arising from disruption of business or system failures
    • Execution, Delivery & Process Management – Losses from failed transaction processing or process management, from relations with trade counterparties and vendors

Internal Fraud

  • Internal fraud is the term for fraudulent actions committed by or attempted by a company’s own employees. This kind of OpRisk loss is relatively uncommon because of the sophisticated controls that most organizations have in place. Nevertheless, incidents like traders misreporting positions do happen, particularly when dealing with assets that lack a recognised market value. In recent years, there have been a few high-profile internal fraud cases that cost billions of dollars because traders at a particular bank hid their positions. Even though these occurrences are uncommon, they frequently cause sizable financial losses.
  • Internal Fraud (Level 1) – Level 2 categories and activity examples –
    • Unauthorized Activity – Transactions not reported (intentional); transaction type unauthorized (with monetary loss); mismarking of position (intentional)
    • Theft and Fraud – Fraud/credit fraud/worthless deposits; theft/extortion/embezzlement/robbery; misappropriation of assets; malicious destruction of assets; forgery; check kiting; smuggling; account takeover/impersonation/etc.; tax noncompliance/evasion (willful); bribes/kickbacks; insider trading (not on firm’s account)

External Fraud

  • External fraud is the term for fraudulent actions committed or attempted against a company by parties outside the company. System hacking, check fraud, and credit card fraud are examples of external fraud. This kind of fraud is common in retail establishments where financial institutions deal with a lot of different customers. Customers frequently attempt or commit fraud in industries like retail banking, retail brokerage, and credit card services.
  • External Fraud (Level 1) – Level 2 categories and activity examples –
    • Theft and Fraud – Theft/robbery; forgery; check kiting
    • Systems Security – Hacking damage; theft of information (with monetary loss)

Employment Practices And Workplace Safety

  • Due to either outdated labour laws or a higher prevalence of litigation against employers, the Employment Practices and Workplace Safety (EPWS) type of risk is more prevalent in the Americas than in Europe or Asia. Employment-related issues are also very significant in some business sectors, such as investment banking. Due to the high compensation of the key personnel in these business lines, which primarily offer advisory services to large corporations, litigation against some of these key employees and their departure could result in costs of millions of dollars.
  • Employment Practices and Workplace Safety (Level 1) – Level 2 categories and activity examples –
    • Employee relations – Compensation, benefit, termination issues; organized labor activity
    • Safe environment – General liability (e.g., slip and fall); employee health and safety rules events; workers compensation
    • Diversity and discrimination – All discrimination types

Clients, Products, And Business Practices (CPBP)

  • The largest loss events typically fall under the Clients, Products, and Business Practices (CPBP) risk type, especially in the US. These occurrences include financial losses resulting from client and counterparty disputes, regulatory fines resulting from unethical business practices, or improper advisory activities.
  • Clients, Products, and Business Practices (Level 1) – Level 2 categories and activity examples –
    • Suitability, Disclosure, and Fiduciary – Fiduciary breaches/guideline violation; suitability/disclosure issues (e.g., KYC); retail customer disclosure violations; breach of privacy; aggressive sales; account churning; misuse of confidential information; lender liability
    • Improper Business or Market Practices – Antitrust; improper trade/market practices; market manipulation; insider trading (on firm’s account); unlicensed activity; money laundering
    • Product Flaws – Product defects (e.g., unauthorized); model errors
    • Selection, Sponsorship, and Exposure – Failure to investigate client per guidelines; exceeding client exposure limits
    • Advisory Activities – Disputes over performance of advisory activities

Damage To Physical Assets

  • Damage to Physical Assets (DPA) is another type of OpRisk event. The most common method for assessing exposure to this risk is through scenario analysis using insurance in formation. Few firms actively collect losses on this risk type because they are typically either too small or extremely large.
  Level 1 category: Damage to Physical Assets. Level 2 category, with activity examples:
    • Disasters and other events: natural disaster losses; human losses from external sources (e.g., terrorism, vandalism)

Business Disruptions And System Failures (BDSF)

  • The BDSF event type is challenging to identify in a large organization, as business disruptions and system failures can be difficult to detect and to link to the losses they cause. Although a system crash could result in financial losses for a company, these losses may end up categorized as EDPM (covered below).
  • Example: If a major bank experiences a funding system crash at 9:00 am and the system is only restored at 4:00 pm, after money markets have closed, the bank may discover that it needs to secure an additional USD 20 billion that day. It would need to negotiate special conditions with its counterparties, and the interest rates it obtains for these funds may be higher than the daily average. This additional cost should be classified as a BDSF event.
  Level 1 category: Business Disruption and System Failures. Level 2 category, with activity examples:
    • Systems: hardware; software; telecommunications; utility outage/disruptions

Execution, Delivery And Process Management (EDPM)

  • The EDPM loss event type is one of the most significant in the OpRisk profile of enterprises or business units engaged in intensive transaction processing and execution. It includes losses resulting from faulty transaction processing as well as issues with counterparties and vendors.
  Level 1 category: Execution, Delivery & Process Management. Level 2 categories, with activity examples:
    • Transaction Capture, Execution and Maintenance: miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; model/system misoperation; accounting error/entity attribution error; other task misperformance; delivery failure; collateral management failure; reference data maintenance
    • Monitoring and Reporting: failed mandatory reporting obligation; inaccurate external report (loss incurred)
    • Customer Intake and Documentation: client permissions/disclaimers missing; legal documents missing/incomplete
    • Customer/Client Account Management: unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets
    • Trade Counterparties: nonclient counterparty misperformance; misc. nonclient counterparty disputes
    • Vendors and Suppliers: outsourcing; vendor disputes

Revision Of Operational Risk Taxonomy By ORX

Microsoft PowerPoint – OR 3 – Risk Identification (1)

  • The Operational Risk data eXchange (ORX) is the most extensive collaborative database of operational losses and events. The consortium is owned and led by its members, which consist of approximately 100 of the world’s largest banks and insurance companies. These members submit their data to the consortium on an anonymous basis and exchange best practices in Operational Risk Management (ORM).
  • ORX, with the support of Oliver Wyman, released a new reference taxonomy in 2019. The taxonomy reflects changes in the industry and risk types as observed by participating members from the banking and insurance sectors. While the taxonomy is similar to the Basel categories, it offers noticeable changes such as presenting 14 level 1 risk types, compared to Basel’s 7. Additionally, some level 2 risks, including third-party failure, statutory reporting and tax, business continuity, data management, information security (including cyber) risks, and model risk, have been elevated to level 1 due to their current significance.
  • ORX is not yet using this new ORX taxonomy to report its loss analysis, although this may change in the coming years.

Difference In Taxonomies

  • Consultants reviewed almost 60 risk taxonomies from ORX members during the ORX Taxonomy review. The review highlighted that there is a variety of practices across institutions in defining their risks. Many firms include level 2 risks that could be classified as control failures (“inadequate supervision”, “lack of training”) or as causes (“lack of resources”). Defining what constitutes a “risk”, a “cause”, or an “impact” is a matter of judgment, reflecting the fact that the chain of cause and impact in operational risks can extend into the external environment, sometimes leading to the ultimate impact on a customer.
  • Another difference in risk taxonomy practice is the treatment of risks that have grown in relevance over the previous decade. This is especially true of cyber risk, which is classified as external fraud in some organizations, as IT risk in others, and as a separate level 1 risk in still others. Conduct risk is also categorized differently, with some organizations treating it as compliance risk, business practices risk, culture risk, or as a separate risk category. Similarly, third-party risk is treated either as a stand-alone category or as an IT risk, since many firms outsource IT procurement. Less commonly, it is categorized as EDPM, as originally defined by the Basel committee, or as a level 2 risk across all categories.
  • These tables show risk taxonomy abstracts from two organizations. An international bank focuses on control failures, likely due to the importance of internal controls in managing a large and complex business. A payment company focuses on operations and IT risks, as they are the primary drivers of its operational risk exposure.
  Tier 1 bank – Level 1–2 risks:
    • Business Disruption
    • Conflict of Interest (Market Abuses)
    • Financial Crimes
    • Financial Data Integrity Risk
    • Improper Trading Practice (Market Manipulation)
    • Improper Use of Information (Client and Firm)
    • Inaccurate or Untimely Regulation or External Reporting
    • Inadequate Supervision
    • Inadequate Technology Resiliency
    • Inadequate Third-party Management
    • Ineffective Technology Change
    • Internal Attack (Client and Firm)
    • Transaction / Capture Validation Error
    • Workforce Misconduct
  Payment firm – Level 1–2 risks:
    • Operations Risk (A): Service Delivery Disruption; Inadequate Monitoring Tools; System Capacity Gap; Operational Delivery Errors; Damage to Physical Assets; Service Delivery Quality (Failure); Supplier Failures (Utilities or Others)
    • Information Security Risk (C, I): Accidental Data Loss or Corruption (Integrity); Accidental Confidentiality Breach; Malicious Data Corruption (Integrity) – Cybercrime; Malicious Confidential Data Breach; Malicious Act (Internal) & Internal Fraud; Technology Vulnerabilities (Internal) Identified by an External Party
    • Technology Risks: Technology Obsolescence; Maintenance Overdue (Hardware or Software); Technology Product Delivery Failure; Hardware Systems and Technology Failures; Software Systems and Technology Failures; Testing Failures; Compatibility / Integration Issues; Discontinuity in IT Third-Party Supplier

Cause, Risks, And Events

  • Judgment is needed to define cause, risk, and impact, especially in non-financial risk. Consider an example: A bank’s human resource director hires a branch manager without proper due diligence. The manager is not competent, causing two employees to resign and the rest to sell inappropriate products to customers. Complaints and regulatory investigation follow, and the bank’s reputation suffers.
    • What are the causes, the events, and the impacts in this scenario?
    • There are multiple answers to this question. Categorizing causes, risks, and events for operational risk requires judgment. “Root-cause” assessment is essential, and in this case, a compliance breach occurred due to failure to follow guidelines and inadequate supervision. Analyzing past losses and assessing future vulnerabilities involves identifying and evaluating causes.
  • The variation in risk taxonomies practiced by firms is attributable not just to fundamental disparities in business strategies, but also, potentially, to the lack of a universal reference. This is a void that ORX intends to fill with the release of its reference risk taxonomy in 2019. Aside from risk taxonomies, the market could benefit from general agreement on taxonomies of causes, impacts, and controls for operational risks.

Structure Of Taxonomies

  • Developing an inventory of operational risk and assessing it later can be aided by clarifying and categorizing the risks, causes, impacts, and controls of operational risk. Moreover, this approach emphasizes the importance of taking action, as shown in the diagram that outlines the taxonomies of causes, controls, risks, and impacts, with a focus on the actionable aspects of risk management, specifically addressing the causes and controls.
  • To make risk management actionable, start with impacts as the outcomes of uncertainties and risks that firms want to avoid. Eliminating every risk is neither feasible nor cost-effective, but it makes sense to limit the downside of a risk while preserving its upside. To do this, organizations and individuals can act on the causes of risks and apply controls to limit the likelihood and impact of risks.

Causes Taxonomy

  • The definition of operational risk provided by Basel is an excellent starting point for classifying the underlying causes of such risks. The natural level 1 causes of operational risk events are people, processes, systems, and external events (PPSE), which is indeed the most common approach adopted by the market. However, not all banks go beyond level 1 categorization to level 2, which can offer more valuable insights into the root causes of incidents.
  • ORX has adopted the same level 1 causes of operational risk events as the Basel definition, referred to as PPSE, which stands for people, processes, systems, and external events. Level 2 categories provide a more detailed breakdown of these four categories, including failures related to competence, performance and ethics, systems design, performance and testing, process design, and governance. Additionally, external events are divided into different elements of the business environment, such as political, regulatory, economic, and physical factors. The categories accurately reflect the sources and characteristics of operational risk.

Impact Taxonomy

  • The impact categories outline both the direct and indirect financial effects of operational risks, as well as the “non-financial impacts” that result from operational incidents affecting the firm’s stakeholders.
  • The taxonomy differentiates between different impact “channels”, such as reputation, regulatory enforcement, and disruption (which are often referred to as “impact types” within firms), and identifies the specific types of stakeholders affected, including customers, employees, shareholders, and third parties. This level of detail is more advanced than what is typically seen in the industry.

Control Categories

The classification of controls is the final component of a risk taxonomy. Internal controls are often easier to categorize, since the practice of internal controls is well developed and the internal audit discipline has provided a lot of structure in the field. There are four major types of controls –

  1. Preventative controls are designed to lower the probability of risks occurring by addressing their root causes.
  2. Detective controls are activated during or shortly after an incident with the aim of early detection to minimize the consequences. If detection also determines the cause, it can also have a preventative function.
  3. Corrective controls are used to minimize or remedy the negative effects caused by incidents.
  4. Directive controls consist of established guidelines, procedures, and training that structure operations to reduce risk.

Inventory Of Operational Risks

  • Various causes, control failures, and environmental changes can all result in a wide range of risks with varying consequences. These risks are organised into taxonomies based on industry sectors. Organizations can create their own risk inventory by using a subset of industry-wide taxonomies. The inventory consistently organizes and categorizes the firm’s risks, providing a list that can be sorted and queried to help the firm understand the risks it faces.
  • Common risk lists used by firms include –
    • Risk universe is a comprehensive list of all the potential risks that a company could face.
    • Emerging risks are threats that a company has identified as still small but growing, and may have significant impacts in the future.
    • Top-ten risks are the most critical risks faced by the company based on their likelihood and potential effects.
    • Stress or shock scenarios refer to unlikely events that, if they were to occur, would have a significant impact on the company.
    • Risk register is a primary database for operational risks in financial institutions, which includes all operational risks faced by the institution, along with the corresponding controls, as well as an assessment of the likelihood and potential impact of each risk.
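The register described in the last item, together with the four control types listed under "Control Categories", can be made concrete in code. The following is an added example written for this page; it is not code from the page's author, from ORX, or from any Basel publication. It stores a subset of the Basel Level 1/Level 2 event taxonomy reproduced above, refuses entries whose Level 2 does not belong to their Level 1, tags each risk with a PPSE cause and with controls of the four types, and derives a "top-ten"-style ranking and an exposure total per Level 1 category. The 1–5 likelihood and impact scale, the likelihood × impact score, the function names and every sample entry are assumptions constructed for illustration, not data from the page.

```python
from dataclasses import dataclass, field
from enum import Enum

# Subset of the Basel Level 1 -> Level 2 event-type taxonomy reproduced on this page.
BASEL_TAXONOMY = {
    "Employment Practices and Workplace Safety": {
        "Employee relations", "Safe environment", "Diversity and discrimination"},
    "Clients, Products, and Business Practices": {
        "Suitability, Disclosure, and Fiduciary", "Improper Business or Market Practices",
        "Product Flaws", "Selection, Sponsorship, and Exposure", "Advisory Activities"},
    "Damage to Physical Assets": {"Disasters and other events"},
    "Business Disruption and System Failures": {"Systems"},
    "Execution, Delivery and Process Management": {
        "Transaction Capture, Execution and Maintenance", "Monitoring and Reporting",
        "Customer Intake and Documentation", "Customer/Client Account Management",
        "Trade Counterparties", "Vendors and Suppliers"},
}
PPSE_CAUSES = {"people", "processes", "systems", "external events"}  # Basel Level 1 causes


class ControlType(Enum):  # the four control types from "Control Categories"
    PREVENTATIVE = "preventative"
    DETECTIVE = "detective"
    CORRECTIVE = "corrective"
    DIRECTIVE = "directive"


@dataclass(frozen=True)
class Control:
    name: str
    kind: ControlType


def is_valid_classification(level1: str, level2: str) -> bool:
    """True only if level2 is a child of level1 in the taxonomy."""
    return level2 in BASEL_TAXONOMY.get(level1, set())


@dataclass
class Risk:
    risk_id: str
    description: str
    level1: str
    level2: str
    cause: str          # PPSE Level 1 cause
    likelihood: int     # assumed 1 (rare) .. 5 (almost certain) scale
    impact: int         # assumed 1 (minor) .. 5 (severe) scale
    controls: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject entries that would make the register inconsistent with the taxonomy.
        if not is_valid_classification(self.level1, self.level2):
            raise ValueError(f"{self.level2!r} is not a Level 2 under {self.level1!r}")
        if self.cause not in PPSE_CAUSES:
            raise ValueError(f"unknown PPSE cause: {self.cause!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # assumed rating used for ranking


class RiskRegister:
    """Sortable, queryable inventory of operational risks."""

    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id!r}")
        self._risks[risk.risk_id] = risk

    def top(self, n: int = 10) -> list[Risk]:
        """The 'top-ten risks' list: highest score first, id as tie-breaker."""
        return sorted(self._risks.values(), key=lambda r: (-r.score, r.risk_id))[:n]

    def exposure_by_level1(self) -> dict[str, int]:
        """Sum of scores per Basel Level 1 category."""
        totals: dict[str, int] = {}
        for r in self._risks.values():
            totals[r.level1] = totals.get(r.level1, 0) + r.score
        return totals

    def missing_control_type(self, kind: ControlType) -> list[Risk]:
        """Risks with no control of the given type (e.g. nothing detective in place)."""
        return [r for r in self._risks.values() if not any(c.kind is kind for c in r.controls)]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries (not real data), loosely based on the page's examples."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Funding system outage during market hours",
                 "Business Disruption and System Failures", "Systems", "systems", 2, 5,
                 [Control("Redundant funding platform", ControlType.PREVENTATIVE),
                  Control("Real-time system health alerts", ControlType.DETECTIVE)]))
    reg.add(Risk("R2", "Branch staff sell unsuitable products",
                 "Clients, Products, and Business Practices",
                 "Suitability, Disclosure, and Fiduciary", "people", 3, 4,
                 [Control("Sales conduct policy and training", ControlType.DIRECTIVE)]))
    reg.add(Risk("R3", "Data entry error in trade capture",
                 "Execution, Delivery and Process Management",
                 "Transaction Capture, Execution and Maintenance", "processes", 4, 2,
                 [Control("Daily trade reconciliation", ControlType.DETECTIVE),
                  Control("Trade amendment procedure", ControlType.CORRECTIVE)]))
    reg.add(Risk("R4", "Natural disaster damages a data centre", "Damage to Physical Assets",
                 "Disasters and other events", "external events", 1, 5,
                 [Control("Property insurance", ControlType.CORRECTIVE)]))
    reg.add(Risk("R5", "Workplace injury claim", "Employment Practices and Workplace Safety",
                 "Safe environment", "people", 2, 2,
                 [Control("Health and safety rules", ControlType.DIRECTIVE)]))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print([(r.risk_id, r.score) for r in register.top(3)])
    print(register.exposure_by_level1())
    print([r.risk_id for r in register.missing_control_type(ControlType.DETECTIVE)])
```

Running the sample ranks R2 (score 12), R1 (10) and R3 (8) at the top, and the detective-control query flags R2, R4 and R5 as risks that would only be noticed after the fact. The validation in `Risk.__post_init__` is what keeps the inventory "consistently organized": an entry filed under a Level 2 that belongs to a different Level 1 is rejected at the point of entry rather than surfacing later as an unsortable record.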
