Академический Документы
Профессиональный Документы
Культура Документы
Suggested Solutions
Operational Risk Management
RSK4801
Year module
The purpose of this assignment was to cover the fundamentals of the module and to prepare
students to answer essay questions based on case studies. Assessment plays an important role in
the learning process and there are different types of performance standards that one can use
when assessing performance. This module is based on the mastery of specified learning
outcomes, which, together with the assessment criteria, are included in your study guide and
Tutorial Letter 101. Standards for accrediting qualifications are set by the South African
Qualifications Authority (SAQA), which oversees the National Qualifications Framework (NQF).
The two assignments form part of the formative assessment in this module. They are used to
assess your progress during the year and provide feedback which you can use to improve your
future performance in this module. In addition to being assessed on the learning outcomes of the
module, you will also be assessed on the critical cross- field outcomes (CCFOs) associated with
the module and with postgraduate studies in general. These CCFOs are generic outcomes that
inform all teaching and learning and have been integrated with the formative and summative
assessment in this module. The following table indicates the appropriate CCFOs and the
For more information in the CCFOs, please visit the South African Qualifications
Authority (SAQA) website at http://www.saqa.org.za.
At this early stage of your learning experience we have to sound a warning. Simply memorising
and presenting the content of your prescribed books will definitely lead to poor results. It is our duty
and privilege to give you the guidance and assistance necessary to make your learning experience
2
RSK4801/201
at UNISA worthwhile. However, as a postgraduate student you are responsible to ensure that
you pass this module. This means that you have to work on a regular basis throughout the
year. We will give you all the support that we possibly can but, ultimately, it is up to you to decide
how you are going to master the required skills. We strongly encourage you to either form
study groups with fellow students in your area or to join an online study group via myUnisa.
3
SUGGESTED SOLUTIONS FOR ASSIGNMENT 01
An announcement with general feedback on Assignment 01 will be made during August. The
purpose is to highlight general mistakes and guidelines and areas for improvement.
The assessment has been done by considering the questions as a whole. A mark has been be
allocated on a rubric for every question. Please note that each question was rated in its totality and
not by counting the different ticks. (One tick does not represent one mark).
4
RSK4801
Question 1 30 Marks
The purpose of this question was to introduce students to learning with case study. You were therefore required to read the Benchmark case
critically with the objective to have an understanding of the facts presented in the case study, and then to compare the facts of the case with a
theoretical framework – in this instance, the requirements of the King III report with regard to risk management and internal audit. Although the
focus of this course is not on the King III report, it provides the context for the operational risk framework, which is important f or the module.
Suggested solution
Governance of risk The key elements within governance structure A bank with such a complex structure and
The board’s responsibility for risk relevant to this matter are: products should have a Board Risk
governance Board and board committees: Committee (which was established at a later
∙ The board should be responsible for Main Board (the Board). stage).
6
RSK4801/201
Membership and resources of the audit dealing with adverse reporting by the regulators
as it did not table the report at the main board.
committee
The report included comments on:
∙ Audit committee members should be
suitably skilled and experienced lax approach to limit management;
independent non-executive directors culture of poor adherence to risk
∙ The audit committee should be management policies;
7
itself of the expertise, resources and would report on risk strategy, appetite and
experience of the company’s finance control frameworks. These divisions will then
function report the outcomes of control frameworks to
∙ The audit committee should be BAC. The BRC would address all elements of
responsible for overseeing of internal risk including market risk, although it was
audit acknowledged that credit risk would be a
significant component of the Committee’s
∙ The audit committee should be an
deliberations.
integral component of the risk
management process
In particular, the BRC’s charter explicitly notes
The audit committee is responsible for
that it is to “ Ensure that the Group has a
recommending the appointment of the
comprehensive independent market risk control
external auditor and overseeing the
framework in operation” and it is to “ Review and
external audit process
The audit committee should report to the set Value at Risk (VaR) limits” .
board and shareholders on how it has
At the BRC meeting in November 2011, the
discharged its duties
BRC received an overview of the market risk
profile of CIB and the risk measurement
Compliance with laws, rules, codes andframework from the Head of MR&PC. It was
standards
noted that the average usage for 2010/2011 was
The board should ensure that the
approximately R22.4 million, which was well
company complies with applicable laws
within the maximum VaR limit for the group of
and considers adherence to nonbinding
R80 million. Although the analyses of VaR by
rules, codes and standards
region and product were reviewed, there is no
The board and each individual director
record of discussion or escalation of VaR sub-
8
RSK4801/201
should have a working understanding of limit breaches at the BRC even though these
the effect of the applicable laws, rules, were well known by MR&PC at the time.
codes and standards on the company
and its business
Internal Audit completed a number of reports on
Compliance risk should form an integral
the operation of the currency options desk,
part of the company’s risk management
including an assessment of internal controls and
process
the currency options trading system. For
The board should delegate to management example, in 2009, internal audit rated and raised
the implementation of an effective issues defined as “Serious matters for the
compliance framework and processes attention of the Managing Director and
reportable to BAC”. However, under a revised
Internal Audit rating system for the elevation and escalation of
The board should ensure that there is an audit issues to the BAC, these serious issues
effective risk based internal audit were not raised for consideration and discussion
Internal audit should follow a risk based at the BAC.
approach to its plan
Among the lessons identified from the other
Internal audit should provide a written
banks’ failings, the report noted that alarm bells
assessment of the effectiveness of the
should ring when the following occur:
company’s system of internal controls
“Weaknesses identified by Audit or
and risk management
Regulators are not quickly and permanently
The audit committee should be
resolved;
responsible for overseeing internal audit
breaches of limits are not quickly and
Internal audit should be strategically
independently investigated; and
9
positioned to achieve its objectives there is a culture that allows undue influence
or bullying to prevail over due process.”
The underlying principle is that the board and even its committees were starved of reliable business intelligence i.e. proper feedback on the
findings of the regulators, external auditors, internal auditors and the risk management function. CIB management was also able to suppress
information and ridicule the assurance providers. Furthermore, no one was prepared to ask the tough questions and proper explanations. The
culture of the bank did not encourage open and frank communication.
The workload of the audit committee was also unacceptable and reports highlighting control weaknesses did not receive sufficient attention.
Another problem is whether all the people on the audit committee had sufficient understanding of the implications of some of the control
weaknesses and regulatory concerns would have been understood even if it did make it to the agenda of the meeting.
Hindsight remains perfect and it is possible to draw parallels to the conduct of Benchmark’s board to events that are currently unfolding in both
the public and private sector in South Africa.
11
RSK4801
Question 2 20 Marks
The purpose of the question was to give students the opportunity to classify risks in terms of the risk
definitions and to demonstrate how difficult it sometimes is to classify risks, as the consequence of
the event can caused by a number of different factors. In practice, this is known as the boundary
effect.
Although it may appear to be trivial, the impact on the profitability of a department or division can be
impacted significantly due to loss events. Banks and insurers also have to calculate regulatory
capital, and for operational risk and loss experience is one of the factors considered to calculate the
capital. The incorrect classification of risk can therefore have a significant impact on a department or
division, both from a profitability and regulatory capital aspect.
The identification and classification of risk are also important for exam purposes as you will be
required to identify and classify risk. You will not receive marks where the risks are incorrectly
classified.
Below is the suggested solution for the classification of the events. We added an explanation
where there is a boundary effect. Work through the examples and ensure that you
understand the reasoning for the classification. You needed to convert the foreign exchange in
the loss register to South African Rand. To convert American Dollar (USD) to rand, multiply the
dollar amount with the exchange rate e.g. $1000 x 7.11789 = R7 117.89. You can use the same
principle for the other currencies.
RSK4801
14
RSK4801/201
15
DESCRIPTION CREDIT MARKET OPERATIONAL RISK
to customers
16
RSK4801/201
The purpose of the histograms were to give you the opportunity to graphically illustrate the final classification, frequency and
amounts of the events in the risk register. Few students indicated either the frequency or the amounts. The histograms were also
not discussed and the presentation to EXCO would have been unacceptable.
17
RSK4801
Question 3 30 Marks
can be measured it can be managed effectively. It includes legal risk as legal risk can be
measured in terms of losses suffered in terms of penalties and fines as a result of breaches of
contracts and regulations for example. It usually excludes reputational and strategic risks as
these risks are difficult to measure and thus to manage as a specific risk type.
The operational framework can take many forms and the frame most often used is:
Checklists
Losses history
The purpose of the process should also be clear in order to ensure to raise awareness, track the
risks and assess the financial impact of the risks.
RSK4801/201
Operational risk can be measured in quantitative and qualitative terms. The quantitative
approach aims to quantify risk in numerical terms. The qualitative approach aims to evaluate the
risk exposures that cannot be calculated. The risk exposure are analysed in terms of rating
scales to determine the possible impact and likelihood of the risk events.
Finance
The aim of risk financing is to ensure that the cost of risk and the cost of the risk management
process do not exceed the potential benefits provided to the organisation. The risk management
Monitoring
The monitoring of risk includes regular management and supervisory activities and the other
actions employees undertake in their daily activities. It is important that senior management is
involved in the monitoring of risk. Reporting forms an integral part of the monitoring process.
Reports can be produced for different users e.g. the external stakeholders such as regulators
and the shareholders, internal stakeholders at strategic level such as the board and EXCO,
senior management and line management.
It is important that the risk is managed as close to the source as possible. The different levels of
users will have different objectives e.g. the board and EXCO will need less frequent reports to
enable them to manage trends and evaluate the strategies in contrast to line management that
need more frequent reports to rectify transactions. Line management requires daily/intra-day
reports, senior management monthly, the board quarterly and shareholders annually.
19
The risk strategy should consider various risk functions as it determines aspects such as risk
tolerance limits and capital allocation processes. A strategic planning process for operational
risk management consists of the following five steps:
Collate data
Collate the data with respect to the business strategy and objectives to determine the
operational risk management requirements in terms of resources and risk mitigation tools. The
information will also assist with the operational risk management planning process.
Evaluate data
Assists to determine the current operational risk profile. Quantitative and qualitative data are
used to determine the likelihood and impact of potential events on the business. Control self
assessments, key risk indicators and the loss history (internal and external) can be used to
develop the operational risk profile.
policy is approved by the board. Components of the operational risk policy are:
This question was the most theoretical question of the assignment. Most of the
information is availably in the prescribed book. what was important is the structure of the
20
RSK4801/201
answer to ensure completeness of the framework, but also to argue or explain why you
recommended a specific framework as there are different frameworks in the prescribed
book.
Question 4 20 Marks
Many organisations err in identifying too many indicators and classifying it also as key risk
indicator.
Relevance
The risk indicator must be linked to the organisation’s operational risk exposures and provide
management with a quantum regarding the levels of exposure and degree to which such
exposures are changing over time. It is also important to review indicators periodically for
relevance as it can also change over time from the perspective of the users of the indicator.
General focus indicators: Cover a specific area of activity and provide a general
impression of current exposure levels or activity.
Measurable
Risk indicators must be capable of being measured repeatedly and with certainty. To be
measurable, it should meet the following criteria:
21
Must be reported with primary values and be meaningful without interpretation or
some subjective measure.
Predictive
Indicators can provide a leading, lagging or current perspective of the operational risk exposures
of the organisation.
Although there is a need for leading indicators, this is the most difficult to develop as a simple
projection of the future based on historical events will most probably sacrifice accuracy and
therefore reliability. For an indicator to be fully predictive requires significantly more context,
which implies that single indicators by themselves are of little use. To overcome this challenge,
practitioners are moving towards the development of composite or index indicators. An
important requirement to develop a composite or index indicators is to understand both the
causal and underlying relationship with specific datasets to ensure the appropriate groupings of
related indicators.
Lagging indicators provide useful information regarding the historical causes of loss or
exposure. It can also be useful where losses are initially hidden or where changes in historical
trends may reflect changes in circumstances that may have some predictive qualities.
Current indicators provide a current view of operational risk exposures and may identify a
situation that requires attention to reduce an exposure or minimise a loss.
Easy to monitor
Organisations often find it difficult to source the data that can be used for risk indicators,
especially where the data architecture of the organisation is complex. The requirements to ease
the monitoring are:
The data should be simple and relatively cost effective to collect, quality assured and
distribute.
Auditable
Management will place significant reliance on risk indicators and it is therefore important that it is
accurate (sourced and calculated), complete and timely. The operational risk management
department must be satisfied with the quality and as a governance measure, the internal audit
function should include it as part of their audit coverage.
22
RSK4801/201
Comparability
The indicator identification and selection process of an organisation should assess the level of
comparability with benchmarks in and across the industry to ensure that the users for the
indicators have a better understanding of the exposure levels that the indicator relates to.
Identifying KRIs and KCIs can be difficult as each organisation is unique and although industry
benchmarks are available, it still needs to be adapted to suit the individual organisation. The
prescribed book discusses a number of ways that can be used to identify indicators.
To make the use of indicators more effective, organisations establish targets or thresholds to
link indicators with the risk appetite of the organisation and to prioritise indicators for
management purposes. This enables management to focus their efforts where necessary.
It is also important to determine the frequency of recording and reporting the indicator. There is
a direct link between the frequency of the event and the recording and reporting thereof.
Few students referred to the GARP Article. The article illustrate the danger in using only
one metric, especially if the metric is not properly defined. Furthermore, too much
emphasis on one component can lead to the wrong behaviour as experienced by
Walmart/SAMS CLUB and even Benchmark Bank.
REFERENCE
Blunden, T. Thirlwell, J. 2010. Mastering Operational Risk. Harlow: Pearson Education Ltd.
Davies, J. Finlay, M. McLenaghen, T. Wilson, D. 2006. Key Risk Indicators – Their Role in
Operational Risk Management and Measurement. Risk Business International.
http://d.yimg.com/kq/groups/12093474/1290864495/name/McLenaghenTara3.pdf
(Accessed 2011/04/20).
23
King Report on Governance for South Africa 2009. Institute of Directors in Southern Africa
24