Exam FRM Level 2 Ultimate Guide (Book 3)




We now turn our attention towards book 3 in our extensive Level 2 FRM course summary.


You may download this entire content on our shop page, free of charge.


FRM Level 2 Book 3 – Operational Risk and Resiliency


Management of Operational Risk

Loss data collection exercises, quantitative impact studies, and range of practice reviews covering governance, data and modelling issues have contributed to industry and supervisory knowledge and the emergence of sound industry practice

Supervisors should conduct regular independent evaluations of a bank’s policies, processes and systems related to operational risk

Supervisors should ensure that there are appropriate mechanisms in place which allow them to remain apprised of developments at a bank

Some supervisors may choose to use external auditors in assessment processes


Management Principles

Principle 1: The board of directors should take the lead in establishing a strong risk management culture

Principle 2: Banks should develop, implement and maintain a Framework that is fully integrated into the bank’s overall risk management processes

Principle 3: The board of directors should establish, approve and periodically review the Framework

Principle 4: The board of directors should approve and review a risk appetite and tolerance statement for operational risk

Principle 5: Senior management should develop a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility

Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems

Principle 7: Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk

Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses

Principle 9: Banks should have a strong control environment that utilizes policies, processes and systems and appropriate risk mitigation and/or transfer strategies

Principle 10: Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption

Principle 11: A bank’s public disclosures should allow stakeholders to assess its approach to operational risk management


Enterprise Risk Management

The past two decades have seen a dramatic change in the role of risk management in corporations

Twenty years ago, the job of the corporate risk manager would typically be a low-level position in the corporate treasury, involved mainly in the purchase of insurance

Over the last ten years, however, corporate risk management has expanded well beyond insurance and the hedging of financial exposures to include a variety of other kinds of risk—notably:

  • Operational risk
  • Reputational risk
  • Strategic risk

A corporation can manage risks in one of two fundamentally different ways:

  • One risk at a time, on a largely compartmentalized and decentralized basis; or
  • All risks viewed together within a coordinated and strategic framework

The latter approach is often called “enterprise risk management,” or “ERM” for short

It is believed that companies that succeed in creating an effective ERM have a long-run competitive advantage over those that manage and monitor risks individually

Companies tend to find that some of their most troubling risks are the most difficult to quantify

  • Notably, reputational and strategic risks


What Is ERM?

Risks are by their very nature dynamic, fluid, and highly inter-dependent

  • As such, they cannot be broken into separate components and managed independently

Since the practice of ERM is still relatively new, there have yet to be any widely accepted industry standards with regard to the definition of ERM

A definition provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004:

“ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

ERM is all about integration, in three ways:

  • First, ERM requires an integrated risk organization
  • Second, ERM requires the integration of risk transfer strategies
  • Third, ERM requires the integration of risk management into the business processes of a company


Implementing Robust Risk Appetite Frameworks

Key lessons learned from the 2007 financial crisis:

  • Some firms took more risk in aggregate than they were able to bear given their capital, liquidity, and risk management capabilities
  • Some firms took risks that their management and Boards did not properly understand or control

Overall Lessons:

  • There needs to be a demonstrable commitment to explaining the importance the institution attaches to risk appetite
  • It is important to develop measurable indicators of compliance with risk management norms
  • Clear communication of risk appetite parameters and preferences is a prerequisite for developing the appropriate culture
  • There must be consistency of messages and consistency of senior behaviors with these messages
  • Communication and education on the benefits of a risk appetite framework are essential
  • Limit setting is a key part of risk management
  • Business unit heads must own local business plans
  • Continuous and open dialogue about risks is seen as fundamentally important
  • The risk appetite framework needs to incorporate all material forms of risk
  • Firms should make a maximum effort to quantify such risks, making use of innovative approaches
  • Maximum use should be made of proxies and other metrics
  • Leadership from the top is crucial


Banking Conduct and Culture

Lesson 1: Managing culture is not a one-off event, but a continuous and ongoing effort

Lesson 2: Leadership always matters. Conduct and culture must be embedded from the top down

Lesson 3: The scope of conduct management is shifting from misconduct to conduct risk management

Lesson 4: Managing culture requires a multipronged approach

Lesson 5: A more diverse set of views and voices in senior management is needed for success

Lesson 6: The behaviors and outcomes that culture drives can and should be measured

Lesson 7: Regulation has a limited role to play given that culture cannot be mandated/defined by rules

Lesson 8: Restoring trust will benefit the industry as a whole


Risk Culture

Risk culture can be seen as a subculture with a central role in financial institutions

Culture is more complex than other organizational variables:

  • It can be extremely persistent, resisting change even when the environment demands it

Culture has always been considered a key tool affecting corporate behavior, but authors do not agree on how this occurs

Some consider culture as a fixed effect on firm performance, while others argue that it is a variable that can be managed over time

Risk culture is essential for prudent and sound bank management, and needs to be central in any evaluation


OpRisk Data and Governance

One of the most important phases in any analytical process is to cast the data into a form amenable to analysis

This is the very first challenge that an analyst or quant faces when determined to model, measure, and even manage OpRisk

There is a need to establish how the information available can be modeled to act as an input in the analytical process that would allow for proper risk assessment

The OpRisk framework starts by having solid risk taxonomy so risks are properly classified

Firms also need to perform a comprehensive risk mapping across their processes to make sure that no risk is left out of the measurement process

Banks rely heavily on quantitative analysis and models in most aspects of financial decision making

They routinely use models for a broad range of activities, including underwriting credits; valuing exposures, instruments, and positions; measuring risk; managing and safeguarding client assets

In recent years, banks have applied models to more complex products and with more ambitious scope, such as enterprise-wide risk measurement

But models also come with costs. There is the direct cost of devoting resources to develop and implement models properly

There are also the potential indirect costs of relying on models


Model risk should be managed like other types of risk

Model risk increases with greater model complexity and higher uncertainty about inputs and assumptions

Banks should consider risk from individual models and in the aggregate

Aggregate model risk is affected by interaction and dependencies among models

Reliance on common assumptions, data, or methodologies could adversely affect models and their outputs at the same time

Banks should also ensure that they maintain strong governance and controls to help manage model risk


Information Risk and Data Quality Management

The consideration of information as a fluid asset makes it difficult to envision ways to assess the risks related to data failures

Scorecards are effective management tools when they can summarize important organizational knowledge

Scorecards are effective in alerting the appropriate staff members when diagnostic or remedial actions need to be taken

Part of an information risk management program would incorporate a data quality scorecard that supports an organizational data governance program

The impact taxonomy can be used to narrow the scope of describing the business impacts, while the dimensions of data quality guide the analyst in defining quantifiable measures that can be correlated to business impacts


Validating Rating Models

A rating system ‘comprises all of the methods, processes, controls, and data collection and IT systems that support the assessment of credit risk, the assignment of internal risk ratings, and the quantification of default and loss estimates’ (Basel Committee, 2004)

It is clear that the validation scope is quite wide

Validation includes, too, the critical verification that the rating system is actually used (and how) in the various areas of bank operations

  • This is known as the ‘use test’, also required by Basel II and better specified in Basel Committee (2006)

The results of the validation process need to be adequately documented and periodically submitted to the internal control functions and the governing bodies

  • The reports shall specifically address any problem areas


Quantitative validation

Quantitative validation covers four main areas:

  • Sample representativeness of the reference population at the time of the estimates and in subsequent periods
  • Discriminatory power: the accuracy of ratings assignments in terms of the models’ ability to rank obligors by risk levels
  • Dynamic properties: the stability of rating systems and properties of migration matrices
  • Calibration: the predictive power concerning probabilities of default
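Two of these four areas lend themselves to a worked check. The Python script below is an added example, not taken from the FRM readings or from any bank's validation code: it measures discriminatory power as the area under the ROC curve and the accuracy ratio (Gini) from grade-level default counts, and checks calibration grade by grade with an exact binomial test of observed defaults against the assigned PD. The grade labels, PDs, obligor counts, default counts and the 5% significance level are constructed assumptions for illustration only.

```python
"""Quantitative validation of a rating model: discriminatory power and
calibration, run on a constructed grade-level sample (added example)."""
from bisect import bisect_left, bisect_right
from math import comb
from typing import Dict, List, Tuple

# Constructed validation sample, not real bank data:
# (grade, assigned one-year PD, obligors in grade, observed defaults).
GRADES: List[Tuple[str, float, int, int]] = [
    ("A", 0.01, 100, 1),
    ("B", 0.05, 80, 10),   # ten defaults where the PD implies about four
    ("C", 0.20, 40, 9),
]


def expand(grades) -> List[Tuple[float, bool]]:
    """One (score, defaulted) row per obligor; the assigned PD is the score."""
    rows: List[Tuple[float, bool]] = []
    for _, pd, n, k in grades:
        rows += [(pd, True)] * k + [(pd, False)] * (n - k)
    return rows


def auc(rows: List[Tuple[float, bool]]) -> float:
    """Area under the ROC curve via the Mann-Whitney statistic: the probability
    that a randomly chosen defaulter scores higher than a randomly chosen
    survivor, with ties (same grade) counted as one half."""
    defaulters = [s for s, d in rows if d]
    survivors = sorted(s for s, d in rows if not d)
    if not defaulters or not survivors:
        raise ValueError("need both defaulters and survivors to measure ranking")
    concordant = 0.0
    for s in defaulters:
        below = bisect_left(survivors, s)          # survivors scored strictly lower
        tied = bisect_right(survivors, s) - below  # survivors in the same grade
        concordant += below + 0.5 * tied
    return concordant / (len(defaulters) * len(survivors))


def accuracy_ratio(rows: List[Tuple[float, bool]]) -> float:
    """Accuracy ratio (Gini): 0 = no ranking power, 1 = perfect ranking."""
    return 2.0 * auc(rows) - 1.0


def binomial_upper_tail(n: int, k: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def calibration_report(grades, alpha: float = 0.05) -> Dict[str, Dict[str, float]]:
    """One-sided test per grade: are the observed defaults implausibly many if
    the assigned PD were right?  Flags PDs that look under-estimated, which is
    the direction that leaves the bank short of capital."""
    report: Dict[str, Dict[str, float]] = {}
    for grade, pd, n, k in grades:
        p_value = binomial_upper_tail(n, k, pd)
        report[grade] = {
            "assigned_pd": pd,
            "obligors": n,
            "observed_defaults": k,
            "expected_defaults": n * pd,
            "observed_rate": k / n,
            "p_value": p_value,
            "underestimated": p_value < alpha,
        }
    return report


def main() -> None:
    rows = expand(GRADES)
    print(f"AUC = {auc(rows):.4f}, accuracy ratio = {accuracy_ratio(rows):.4f}")
    for grade, r in calibration_report(GRADES).items():
        verdict = "PD UNDER-ESTIMATED" if r["underestimated"] else "ok"
        print(f"grade {grade}: PD {r['assigned_pd']:.2%}, "
              f"{r['observed_defaults']}/{r['obligors']} defaulted "
              f"(expected {r['expected_defaults']:.1f}), p = {r['p_value']:.4f} -> {verdict}")


if __name__ == "__main__":
    main()
```

With these constructed counts the ranking is decent (AUC 0.7625, accuracy ratio 0.525) but grade B fails calibration: ten defaults against an expected four has a one-sided p-value below 1%, so its PD would be sent back for re-estimation even though the model ranks obligors adequately. Sample representativeness and migration stability, the other two areas, need time series of ratings rather than a single snapshot and are not covered here.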


Assessing the Quality of Risk Measures

VaR has been subjected to much criticism

  • The sharpest critique: that the standard normal return model underpinning most VaR estimation procedures is simply wrong

But there are other lines of attack on VaR that are relevant even if VaR estimates are not based on the standard model

Three of these viewpoints:

  • The devil is in the details: Subtle and not-so-subtle differences in how VaR is computed can lead to large differences in the estimates
  • VaR cannot provide powerful tests of its own accuracy
  • VaR is “philosophically” incoherent: It cannot do what it purports to be able to do, namely, rank portfolios in order of riskiness

A pervasive basic problem with all models, including risk models: the fact that they can err or be used inappropriately

The basic modeling problem facing VaR is that the actual distribution of returns doesn’t conform to the model assumption of normality under which VaR is often computed

Using a VaR implementation that relies on normality without appreciating the deviations of the model from reality is an example of model risk

  • The term “model risk” describes the possibility of making incorrect trading or risk management decisions because of errors in models and how they are applied

Model risk can manifest itself and cause losses in a number of ways

  • The consequences of model error can be trading losses, as well as adverse legal, reputational, accounting, and regulatory results

Model errors can occur in the valuation of securities or in hedging

  • Errors in valuation can result in losses that are hidden within the firm or from external stakeholders
  • Valuation errors due to inaccurate models are examples of market risk as well as of operational risk
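The two criticisms above, that the normality assumption is wrong and that VaR cannot test its own accuracy, can both be shown numerically. The Python script below is an added example, not code from the FRM readings: it simulates fat-tailed (Student-t) daily returns, compares a normal parametric 99% VaR with a historical-simulation VaR on the same sample, counts the exceedances of each, and runs the Kupiec proportion-of-failures backtest. The return series (20,000 days, 5 degrees of freedom, 1% daily volatility, fixed seed), the 250-day backtest window and the 5% test level are constructed assumptions.

```python
"""Model risk in VaR on constructed data (added example): (1) a normal-
distribution VaR understates the 99% loss quantile when returns are fat-tailed,
and (2) the Kupiec proportion-of-failures backtest has too little power over one
year of daily data to catch an exceedance rate more than twice the nominal 1%."""
import math
import random
from typing import Dict, List

Z_99 = 2.3263478740408408  # standard-normal 99% quantile


def simulate_fat_tailed_returns(n: int, dof: int, daily_vol: float, seed: int) -> List[float]:
    """Constructed daily returns: Student-t draws with `dof` degrees of freedom,
    rescaled to standard deviation `daily_vol`.  t = Z / sqrt(chi2_dof / dof),
    with chi2_dof the sum of dof squared standard normals; Var(t) = dof/(dof-2)."""
    rng = random.Random(seed)
    scale = daily_vol / math.sqrt(dof / (dof - 2))
    returns: List[float] = []
    for _ in range(n):
        z = rng.gauss(0.0, 1.0)
        chi2 = sum(rng.gauss(0.0, 1.0) ** 2 for _ in range(dof))
        returns.append(scale * z / math.sqrt(chi2 / dof))
    return returns


def sample_std(xs: List[float]) -> float:
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / (len(xs) - 1))


def normal_var_99(returns: List[float]) -> float:
    """Parametric 99% VaR under the normal assumption (zero mean), as a positive loss."""
    return Z_99 * sample_std(returns)


def historical_var_99(returns: List[float]) -> float:
    """Historical-simulation 99% VaR: the empirical 1% return quantile, as a positive loss."""
    ordered = sorted(returns)
    idx = max(math.ceil(0.01 * len(ordered)) - 1, 0)
    return -ordered[idx]


def count_exceedances(returns: List[float], var: float) -> int:
    """Days on which the realised loss was larger than the VaR figure."""
    return sum(1 for r in returns if -r > var)


def kupiec_pof_pvalue(n_obs: int, n_exceed: int, p: float = 0.01) -> float:
    """Kupiec (1995) proportion-of-failures test.  Under H0 (true exceedance
    probability equals p) the likelihood ratio is chi-square with one degree of
    freedom, whose upper tail is exactly erfc(sqrt(LR / 2))."""
    x, n = n_exceed, n_obs

    def log_likelihood(q: float) -> float:
        # 0 * log(0) is taken as 0 at the boundaries x == 0 and x == n
        lo = (n - x) * math.log(1.0 - q) if x < n else 0.0
        hi = x * math.log(q) if x > 0 else 0.0
        return lo + hi

    lr = -2.0 * (log_likelihood(p) - log_likelihood(x / n))
    return math.erfc(math.sqrt(max(lr, 0.0) / 2.0))


def kupiec_nonrejection_region(n_obs: int, p: float = 0.01, alpha: float = 0.05) -> List[int]:
    """Exceedance counts that the POF test fails to reject at level alpha."""
    return [x for x in range(n_obs + 1) if kupiec_pof_pvalue(n_obs, x, p) >= alpha]


def compare_var_models(returns: List[float]) -> Dict[str, float]:
    """Both VaR estimates on the same sample, each with its exceedance count and
    Kupiec p-value against the nominal 1% rate."""
    n = len(returns)
    out: Dict[str, float] = {}
    for name, var in (("normal", normal_var_99(returns)), ("historical", historical_var_99(returns))):
        x = count_exceedances(returns, var)
        out[f"{name}_var"] = var
        out[f"{name}_exceedances"] = x
        out[f"{name}_kupiec_p"] = kupiec_pof_pvalue(n, x)
    return out


def main() -> None:
    returns = simulate_fat_tailed_returns(n=20_000, dof=5, daily_vol=0.01, seed=7)
    for key, value in compare_var_models(returns).items():
        print(f"{key:>24}: {value:.6g}")
    # One trading year of daily observations: which exceedance counts pass?
    print("250-day POF non-rejection region at 5%:", kupiec_nonrejection_region(250))


if __name__ == "__main__":
    main()
```

On the long simulated sample the normal VaR sits below the historical one and is exceeded on roughly 1.5% of days, which the Kupiec test rejects decisively. Over a single year of 250 observations, however, the same test fails to reject any count from 1 to 6 exceedances, so a model exceeded at 2.4% instead of 1% passes; that is the weak self-check Malz describes, and it is why supervisory backtesting adds traffic-light zones rather than relying on one significance test.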


Risk-Adjusted Performance Measurement

This segment takes a look at the roles of risk capital and at how risk capital can be attributed to business lines as part of a risk-adjusted performance measurement (RAPM) system

RAPM represents a key challenge for financial institutions and nonfinancial firms around the world today

Only by forging a connection between risk measurement, risk capital, risk-based pricing, and performance measurement can firms ensure that the decisions they take reflect the interests of stakeholders

Risk capital is the cushion that provides protection against the various risks inherent in the business of a corporation

Risk capital gives confidence to the corporation’s stakeholders

Risk capital is often called economic capital

  • The generally accepted convention is that risk capital and economic capital are identical


Risk Adjusted Return on Capital (RAROC)

RAROC systems, developed first by large financial institutions, are being implemented in smaller banks and other trading firms, such as energy trading companies

Wherever risk capital is an important concern, RAROC balances the divergent desires of the various external stakeholders, while also aligning them with the incentives of internal decision makers

RAROC information allows senior managers to better understand where shareholder value is being created and where it is being destroyed

RAROC promotes:

  • Strategic planning
  • Risk-adjusted profitability reporting
  • Better incentive compensation schemes
  • Proactive allocation of resources
  • Better management of concentration risk
  • Better product pricing


Range of Practices and Issues in Economic Capital Frameworks

Economic capital can be defined as the methods or practices that allow banks to consistently assess risk and attribute capital to cover the economic effects of risk-taking activities

Economic capital was originally developed by banks as a tool for capital allocation and performance assessment

  • For these purposes, economic capital measures mostly need to reliably and accurately measure risks in a relative sense, with less importance attached to the measurement of the overall level of risk or capital

Over time, the use of economic capital has been extended to applications that require accuracy in estimation of the level of capital (or risk)

  • Such as the quantification of the absolute level of internal capital needed by a bank

This evolution in the use of economic capital has been driven by both internal capital management needs of banks and regulatory initiatives

Economic capital can be analyzed and used at various levels—ranging from firm-wide aggregation, to risk-type or business-line level

Many building blocks of economic capital are complex and raise challenges for banks and supervisors


Capital Planning at Large Bank Holding Companies

The Federal Reserve has previously noted the importance of capital planning at large, complex bank holding companies (BHCs)

Capital is central to a BHC’s ability to absorb unexpected losses and continue to lend to creditworthy businesses and consumers

Capital serves as the first line of defense against losses, protecting the deposit insurance fund and taxpayers

Even if current assessments of capital adequacy suggest that a BHC’s capital level is sufficient to withstand potential economic stress, it is robust capital planning that helps ensure that this outcome will continue to hold in the future


Stress Testing Banks

How much capital and liquidity does a bank need to support its risk taking activities?

Bank balance sheets are notoriously opaque and susceptible to asset substitution (the quiet replacement of low-risk assets with higher-risk ones)

There are three kinds of capital and liquidity:

  • The capital/liquidity you have
  • The capital/liquidity you need (to support your business activities)
  • The capital/liquidity the regulators think that you need

Stress testing, regulatory capital/liquidity and bank-internal (so-called “economic capital/liquidity”) models all seek to do the same thing:

  • To assess the amount of capital and liquidity which is needed to support the business activities of the financial institution

Capital adequacy addresses the right side of the balance sheet (net worth), and liquidity the left side (share of assets that are “liquid”, however defined)

If all goes well, the capital/liquidity the bank actually has exceeds both what it needs (the economic figure) and what regulators require, and the difference between the economic and regulatory figures is small

Special Note:

Prior to their failure or near-failure, financial institutions such as Bear Stearns, Washington Mutual, Fannie Mae, Freddie Mac, Lehman and Wachovia were ALL adequately or even well capitalized

  • (…at least according to the regulatory capital rules disclosed in their public filings)


Guidance on Managing Outsourcing Risk

In addition to traditional core bank processing and information technology services, financial institutions outsource operational activities such as:

  • Accounting
  • Appraisal management
  • Internal audit
  • Human resources
  • Sales and marketing
  • Loan review
  • Asset and wealth management
  • Loan servicing

Financial institutions should consider the following risks before entering into and while managing outsourcing arrangements:

  • Compliance risks – arise when a service provider fails to comply with applicable U.S. laws and regulations
  • Concentration risks – arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations
  • Reputational risks – arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution
  • Country risks – arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions
  • Operational risks – arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems
  • Legal risks – arise when a service provider exposes a financial institution to legal expenses and possible lawsuits


Risks Associated with Money Laundering and Financing Terrorism

Many nations and international bodies have developed laws, regulations or guidelines focused on limiting the use of banking services to support criminal activities, particularly money laundering (ML) or financing of terrorism (FT)

Criminals and terrorists use payment services to finance their activities, or to convert funds linked to criminal activity (including tax evasion) to an untainted or laundered form

Because banks are at the heart of the global payment system, they are uniquely vulnerable to being ensnared in such activities

ML/FT risk management includes some specific activities that supervisors and other authorities expect at every bank:

  • Risk assessment
  • Customer due diligence and acceptance (CDD) [aka Know Your Customer (KYC)]
  • Transaction and other monitoring
  • Reporting of suspicious activity and freezing assets
  • Addressing risks associated with global operations
  • Attention to third-party risk and correspondent banking risks
  • Awareness of an array of official sector pronouncements


Regulation of the OTC Derivatives Market

The exchange-traded market is a market where products developed by an exchange are bought and sold on a trading platform developed by the exchange

A market participant’s trade must be cleared by a member of the exchange clearing house

The exchange clearing house requires margin (i.e., collateral) from its members

  • And the members require margin from the brokers whose trades they are clearing
  • The brokers in turn require margin from their clients

The OTC market is a market where financial institutions, fund managers, and corporate treasurers deal directly with each other

  • Here, an exchange is not involved

Before the 2007–2008 credit crisis, the OTC market was largely unregulated

  • Two market participants could enter into any trade they liked
  • They could agree to post collateral or not post collateral
  • They could agree to clear the trade directly with each other or use a third party
  • They were under no obligation to disclose details of the trade to anyone else

Since the crisis, the OTC market has been subject to a great deal of regulation


Capital Regulation before the Global Financial Crisis

Financial regulation has developed incrementally over the centuries, often in response to stressful periods which exposed the limitations of previous regulations

In the days before government regulation, banks or insurance companies could be created without official approval

  • Success (or failure) was based primarily on whether they could persuade clients to use their services

Financial institution failures were frequent, and sometimes occurred not because of insolvency but because of a loss of client confidence

Later, governments required new financial institutions to obtain a license before being allowed to operate

The first “regulations” were the result of financial firms banding together to share resources in the event of runs

  • Clearinghouse members shared financial statements with each other and had rights of inspection, and so monitoring and enforcement of solvency was a part of the arrangements
  • However, this was done privately

Basel II introduced additional approaches to capital for credit risk that were much more risk-sensitive and more aligned with modern credit risk management analysis

Basel II also introduced two new pillars in addition to the quantitative capital requirements of Pillar 1: supervisory review (Pillar 2) and market discipline through disclosure (Pillar 3)


Solvency, Liquidity and Regulation after the Global Crisis

The financial crisis that began in the summer of 2007 revealed limitations and gaps in the existing solvency and liquidity regulations

The financial crisis revealed market practices and product designs that proved ill-suited to stressed environments

Global regulators reacted with more restrictive regulations and supervision and with more coordination across nations

The Financial Stability Forum, a body that undertook occasional studies, was reconstituted as the Financial Stability Board (FSB) in the wake of the financial crisis

The FSB is composed of representatives from finance ministries, central banks, prudential regulators, securities regulators, and others from dozens of nations

Although organizations like the Basel Committee and IOSCO appeared to retain their independence and authority, as a practical matter, the FSB became the body in which many changes in international standards were approved


High-Level Summary of Basel III Reforms

The Basel III framework is a central element of the Basel Committee’s response to the global financial crisis

  • It addresses a number of shortcomings in the pre-crisis regulatory framework
  • It also provides a foundation for a resilient banking system to help avoid systemic vulnerabilities

The initial phase of Basel III reforms focused on strengthening the following components of the regulatory framework:

  • Improving the quality of bank regulatory capital by placing a greater focus on going-concern loss-absorbing capital in the form of Common Equity Tier 1 (CET1) capital
  • Increasing the level of capital requirements to ensure that banks are sufficiently resilient to withstand losses in times of stress
  • Enhancing risk capture by revising areas of the risk-weighted capital framework that proved to be acutely mis-calibrated
  • Adding macro-prudential elements to the regulatory framework


Basel III: Finalizing Post-Crisis Reforms

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events

  • This definition includes legal risk, but excludes strategic and reputational risk

The standardized approach for measuring minimum operational risk capital requirements replaces all existing approaches in the Basel II framework

Consistent with Part I (Scope of Application) of the Basel II Framework, the standardized approach applies to internationally active banks on a consolidated basis

  • Supervisors retain the discretion to apply the standardized approach framework to non-internationally active banks


Basel III: The Cyber-Resilient Organization

Cyber security in an organization typically places emphasis on maintaining a secure perimeter, with an emphasis on technology tools for monitoring internal traffic and external communications

Cyber security tools include antivirus software, firewalls, network traffic deep-packet inspection, data management systems, email security systems, server gateways, web application firewalls, and many others

The cyber risk management framework proposed by the National Institute of Standards and Technology (NIST), the Cybersecurity Framework, consists of five core functions (the 2024 revision, CSF 2.0, adds a sixth, Govern):

  1. Identify: Develop an organizational understanding to manage cyber security risk
  2. Protect: Develop / implement safeguards to ensure delivery of critical services
  3. Detect: Develop / implement activities to identify the occurrence of a cyber security event
  4. Respond: Develop / implement activities to take action regarding a detected cyber security incident
  5. Recover: Develop / implement activities to maintain resilience and restore any impaired capabilities


Basel III: Cyber-Resilience: Range of Practices

Regulated institutions’ use of technology includes greater levels of automation and integration with third-party service providers and customers

Increased use of third-party providers means that the perimeter of interest to financial sector regulators has gotten bigger, and greater use of cloud services means that the perimeter is also shared

Shared service models require regulated institutions to think differently about how they build and maintain their cyber-resilience in partnership with third parties

Given the increase in the frequency, severity and sophistication of cyber-incidents in recent years, a number of legislative, regulatory and supervisory initiatives have been taken to increase cyber-resilience

Operational resilience refers to the ability of firms, financial market infrastructures (FMIs) and the sector as a whole to prevent, respond to, recover and learn from operational disruptions

Improving operational resilience might also be good for competition

  • A shared understanding of minimum standards may help new entrants establish themselves in a market


Basel III: Striving for Operational Resilience

Operational resilience has become a key agenda item for boards and senior management

Increasing complexity in processes and IT, dependence on third parties, interconnectedness and data sharing, and sophistication of malicious actors have made disruptions more likely and their impact more severe

Resilience is fundamentally different from traditional business continuity (BC) and disaster recovery (DR)

  • These disciplines have historically been heavily focused on physical events, were designed and tested in organizational silos, and are primarily viewed as a compliance exercise

Operational resilience, instead, focuses on the adaptability to emerging threats, the dependencies and requirements for providing critical end-to-end business services

Operational resilience requires a mindset shift in the organization away from resilience as a compliance exercise to resilience as a key organizational capability that is everyone’s responsibility

Boards and senior management need to provide effective challenge of their organization’s resilience ambitions, program, and critical risks

Achieving operational resilience is inherently challenging given the increasing complexity of processes, technology infrastructure, and organizational silos


In closing



Success is near,

The QuestionBank Family