Lesson 1: Framework and Taxonomy for Operational Risk

The Lesson reviews the different risk management frameworks currently used in the industry, highlighting the benefits of new contributions such as the revised ERM COSO framework. Next, the Lesson discusses the importance of a risk taxonomy that extends to causes, controls and impacts, as well as highlighting the links between various risks, for a representation of their interdependence and connectivity, rather than a single list.

Lesson 1.1: Risk Management Frameworks

  • Definition of risk and structure of risk management
  • Review of different type of frameworks
  • COSO revised ERM framework, 2017
  • Risk Management as a performance enhancer
  • Measuring the value of effective risk management

Lesson 1.2: Taxonomy

  • Structure of a risk taxonomy
  • Examples of cause, risk, impact and control categories
  • Risk connectivity and interdependence
  • Risk network representations, to prioritize risk management and mitigation

Lesson 2: Risk Appetite Statements and Tolerance Limits

Risk appetite is the foundation of any consistent framework. This Lesson reviews the best practices for structuring, cascading and communicating risk appetite statements. Based on years of practical experience, this Lesson presents cases, examples and suggestions to define sound risk appetite statements in firms.

Lesson 2.1: Risk Appetite Structure

  • Definition of risk appetite
  • Benefits of risk-taking
  • The risk appetite funnel: risk appetite beyond tolerance for losses
  • Communicating risk appetite
  • Risk appetite and tolerance statements

Lesson 2.2: Risk Appetite & Framework consistency

  • Structure of actionable risk appetite statements
  • Risks to choose, to balance and to avoid
  • Consistency with other Lessons of the framework
  • Risk appetite and P/I matrix and scales
Lesson 2.3: Risk Appetite and reality checks
  • In practice: bottom-up vs. top-down risk appetite definitions
  • Risk appetite and reality checks
  • Reputation risk appetite
  • Decision-making and risk
  • Excessive risk-taking

Lesson 3: A Modern Representation of Risk & Control Self Assessments (RCSA)

Risk registers and RCSA have been around in the industry since the beginning of operational risk. Simple in appearance, the tool requires strict methodology and guidance to be applied consistently and to deliver useful information; this Lesson explains how. Additionally, the Lesson reviews essentials of control design and control testing.

Lesson 3.1: Modern RCSA

  • Principles of risk and control assessment
  • Probability / Impact Matrix
  • Types of impacts and scales 
  • Findings of RCSAs
  • Modern representation of RCSAs
  • Typical likelihood scales 
  • Risk assessment hints

Lesson 3.2: Control Design and Testing

  • Type of risk responses
  • Control typology
  • Control testing program
  • Beware of poor control design
  • Prevention by design (James Reason)

Lesson 4: Scenario Analysis: Simple Method for Quantifying Rare Events

Scenario analysis is critically important in risk, both for management and measurement. Quantification of rare events does not have to be guess-work and does not necessarily require heavy quantitative background. The Lesson explains how, in a few simple steps, scenario assessment can be decomposed into a useful discussion about exposure, control layers and points of failures, for better mitigation and more robust quantification.

Lesson 4.1: Scenario identification

  • Definition of Scenario Analysis
  • Challenges and Uses of Scenarios
  • Regulatory Requirements
  • Six Steps of Scenario Analysis
  • Running a Scenario Generation Workshop

Lesson 4.2: Scenario assessment

  • Elements of Assessment
  • Delphi Technique
  • Fault Tree Analysis (FTA) and Structured Scenarios
  • Examples

Lesson 4.3: Scenario validation

  • Scenario Documentation Sheet
  • Role and Process of Scenario Validation
  • Use of Scenario Data in Capital
  • Use of Scenario Data in Management

Lesson 5: Six Steps to Define and Design Preventive KRIs

Preventive KRIs are metrics of risk drivers. Once we know the causes of a risk, identifying KRIs is easy. This Lesson presents tools and technique to identify and select KRIs, before detailing how to design KRI dashboards and the different alternative to select relevant threshold. KRI governance and reporting will also be discussed.

Lesson 5.1: KRIs: Identifying causal factors

  • Features of Leading KRIs
  • KRIs of Likelihood and of Impact
  • A Framework for Selecting and Designing Preventive KRIs

Lesson 5.2: Four types of preventive KRIs

  • KPI and KCI reusable as leading KRIs
  • Selection Phase and Monitoring Phase
  • Categories of KRIs
  • Examples of KRIs for Information Security

Lesson 5.3: Designing and reporting on KRIs

  • How Many KRIs?
  • KRI Design: Reporting Thresholds and Format
  • KRI Governance
  • Aggregating Colors
  • KRI Validation

Lesson 6: Operational Risk Management for Projects

Project and changes are common place in the financial industry. It is only recently that project risk is explicitly included in the operational risk management scope. Yet, the coordination between the risk function and the project management teams are not always straight-forward. Based on practical successful experiences, this Lesson suggests framework and policy rules to assess and address operational risk on corporate projects. 

Lesson 6.1: ORM for Projects

  • Framework
  • Policy for Project Risk Management
  • Project Rating Criteria
  • Stages of Involvement of ORM
  • Risk Assessment Matrix for Projects

Lesson 6.2: Essentials of project management

  • The Project Case
  • Key Success Factors
  • Typology of Stakeholders 
  • Common Causes of Project Failure 
  • Risk Wheel for Project Management
  • Project Monitoring and Control

Lesson 7: Information Security Assessment and Essentials of Cyber Protection

Cyber risk is voted top risk for the financial industry for three years in row. This Lesson explains how the same risk management framework can be applied to cyber risk and, more generally, to information security risk assessment. Based on real case studies, it presents a taxonomy for information security risk, essentials of assessment and the key elements of mitigation of cyber and information risk.

Lesson 7.1: Information security risk Assessment

  • Framework
  • Typology of InfoSec Risks
  • Assessment Steps
  • Exposure
  • RCSA Matrix for InfoSec Risk
  • Modern Representation of a Risk Matrix

Lesson 7.2: Information security risk mitigation

  • Key Cyber Protection Measures
  • Control Layering
  • Mitigation Assessment
  • The Importance of Exposure
  • KRI for InfoSec Risk
  • Highlights

Lesson 8: Conduct and Culture: Measurement and Management 

Culture – or risk culture – is measurable as long as one defines an target objective. Inspired by the Influencer methodology and based on practical conduct and culture assignments, this Lessons presents practical ways to approach and influence risk culture in an organization, as well as most of the common metrics to monitor good conduct in financial companies.

Lesson 8.1: Conduct & Culture

  • Context and Metrics
  • Regulatory Context 
  • Conduct Dashboards
    • Examples of Indicators
    • Format
  • Case Studies

Lesson 8.2: Conduct & Culture Behaviours

  • Behavioral trend
  • Embedding a risk culture
  • The role of the CEO
  • Influencing: research and results
  • Key Behaviors

Lesson 8.3: Conduct & Culture: Case Studies

  • Risk Management Values at BNP Paribas
  • TEA values at a local bank
  • Embedding Behaviors - The Influencer Matrix
  • Key Behaviors – Previous audiences