OPERATIONAL RISK MANAGEMENT (2 or 3 day programme)


Basic knowledge of risk management and a high-level understanding of the financial industry.


In recent years, several notable events, combined with additional scrutiny from regulators and financial intermediaries, have forced financial institutions to recognise the importance of operational risk.

As a consequence, the banking industry first, followed closely by the insurance undertakings, has been undergoing a surge of innovation and development in several areas to develop sound operational risk management practices and systems.

The management of operational risks concentrates on the proactive prevention of fraud or business disruption at financial institutions and covers four areas: employees, process, systems, and external attacks. Therefore, the needed skill set is rather broad and mixes traditional internal control/audit methods with very sophisticated quantitative risk management techniques.

Financial institutions also continue to face conceptual challenges, such as: what is operational risk and what is its scope? Should financial institutions be concerned with operational risks? If so, how should they be assessed and intelligently integrated with other risks? What are the best practices for the measurement and management of operational risks? In this course, we will provide the first discussion and an up-to-date treatment of all these issues.

At the end of the course, the student should be able to:

• Have a view on the main principles of risk management
• Understand the nature of operational risk
• Grasp the main concepts related to Operational Risk and specifically the notions of causes, events and impacts
• Explain the Operational Risk management process and its main components
• Understand the importance of support and control functions in mitigating Operational Risks
• Have a view on Enterprise Risk Management


Part 1: Operational Risk Scope and Framework


• Scope of Operational Risk

• Losses, near misses, impacts

• Benchmark of operational losses to gross income

• The four actions of Risk Management

• Frameworks: ISO, PRA

• Attributes of effective risk management


Case studies: Examples of Framework


• Maturity level and ORM development: the ORM Pyramid

• Examples of Operational Risk Frameworks in Banking and Insurance

• The ORM pyramid: which level are you at?


Group discussion and sharing of experience around a maturity model of ORM


Part 2: Regulation and Governance of the Risk Function


• Basel II and II for operational risk

• PRA expectations around the IMMMR framework

• FCA and Conduct risk: what to expect

• Three lines of defence

• Tone at the top: the role of the CEO

• 1st line and 2nd line of defence: the relationship


Case study and class discussion


Part 3: Risk Identification


• Tools and techniques for risk identification

• Exposures and Vulnerabilities

• The Risk Wheel

• Value Drivers

Part 4: Scenario Analysis and Planning


• Regulation on data testing and scenario analysis: EBA guidance

• Sound Process to make Scenario Analysis repeatable

• Assessing probabilities of rare events: fault trees and Bayesian approach

• Acting on Scenarios

• Management: cold book for hot times


Group work: identify your top risks and class feedback, share practice on loss and risk reporting


Part 5: Designing and Selecting Preventive Key Risk Indicators


• Essential features of preventive KRIs

• KPI, KRI, KCI: concepts and examples per activity

• KRI must address risks, not events: know your risk drivers

• Classifying KRIs: Environmental, Stress, Causal and Failure

• KRI Design: Frequency - Trigger levels - Escalation criteria - Ownership - Data accuracy


Part 6: Root Cause Analysis, Human Error and Control Design


• Root Cause Analysis: the bow tie: benefits and application

• Why do we make mistakes?

• Typology and causes of human errors

• Understand and treat the cause of human error

• Prevention by design


Case study: 4 financial services companies

Group work: perform a root cause analysis, feedback to the class


Part 7: Effective Risk and Control Self Assessments


• Definition and rules for RCSAs

• Tool: Impact / probability matrix: shapes and forms, definitions

• Usage and choice when defining RCSAs: extreme cases or median cases, distribution or single points, inherent or residual risk, likelihood or frequencies

• Risk rating: when and how


Group work: highlight top risks and controls in your process: comments and class sharing


Part 8: Implementing the Desired Risk Culture: a method


• Defining Risk Culture

• Acting on behaviours: the Influencer

• Necessary conditions: willingness and ability

• Risk Culture: DESIRE steps: Define – Inspire – Support – Enable – Reinforce – Evaluate

• Assessing risk culture


Group work: Plan your own culture change