Tonderai Milford Chawira 21739196
RSK4801 OPERATIONAL RISK MANAGEMENT
JAN/FEB 2025 FINAL EXAMINATION
BY
TONDERAI MILFORD CHAWIRA 21739196
Date & Time of submission:
2025-23-01
8.00-12.00
QUESTION 1
Benefits of a sound operational risk report.
It helps directors and managers make informed decisions, as a good operational
risk report gives them information about risk exposure, facilitating prompt and
well-informed decision-making.
It enables regulatory compliance by lowering the possibility of fines or penalties,
therefore ensuring the Bank complies with regulatory rules.
It increases transparency and accountability, hence improving the governance
of the bank.
Reporting helps show a strong approach to risk management and builds
confidence with various stakeholders.
It helps identify areas of high risk and proposes mitigation strategies to prevent
losses and improve resilience.
It also helps track risk trends over time, enabling continuous improvement in
operations.
It helps support strategic goals by aligning operational risk
management with the Bank’s strategic objectives.
It helps in creating risk awareness across the organisation.
It helps the organisation to prioritize resources for high-risk areas, ensuring
efficient use of funds.
QUESTION 2
Definition of Operational Risk:
Operational risk refers to the risk of loss resulting from inadequate or failed internal
processes, people, systems, or external events.
Design for Operational Risk Report:
A report should be defined before considering its draft design or prototype. A
definition of a report typically contains the following:
name of the report
objective(s) of the report
distribution list of the recipients
names of fields to be used
calculations required in each field
manual actions to be performed in each field
uses of the report and actions resulting from the final report
QUESTION 4:
Operational risk factors and allocation of risks from the case study.
Operational Risk Factors:
People Risks:
Employee-related risks such as misconduct or skills shortages; fraud; breaches of
employment law; unauthorised activity; loss or lack of key personnel;
inadequate training; inadequate supervision. In the case study we note people
risk associated with the psychological effects of COVID-19 and resourcing skilled
staff for risk management.
Process Risks:
This is the risk resulting from failures in internal procedures and controls. It
includes: payment or settlement failures; documentation which is not fit for
purpose; errors in valuation/pricing models and processes; project
management failures; internal/external reporting. In the context of the case
study we learn that the bank was faced with the challenges of inadequate fraud
detection processes and regulatory constraints.
Systems Risks: This is the risk arising from system failures. In the context of
the case study such risks were technology instability, ransomware attacks and
fraud via digital channels.
External Risks: Events outside the organisation's control, such as natural
disasters or market volatility; regulatory risk; political risk; utilities’ failures;
competition. In the context of the case study such risks can be identified as
back-to-back extreme weather events and threats from emerging technology companies.
QUESTION 4:
RCSA approaches and potential benefits.
The goal of an RCSA is to identify, quantify, and monitor risks and controls. An RCSA
can be analysed qualitatively, quantitatively, or both. Qualitative assessments rely on
value judgements like low/medium/high frequency and low/medium/high effect. A
quantitative evaluation uses numbers, percentages, or volumes to quantify hazards.
An RCSA can be undertaken at the strategy, process, or activity levels. At the strategic
level, risks and controls will stem from corporate objectives, whereas risks for
processes may impede the company from reaching its goals. At the activity level
nearest to the risk exposures, risks and controls linked to various activities within the
company will be determined.
Benefits of RCSA include:
A thorough awareness of the business's operational risk profile.
Provide accurate information on company risk levels.
Identify possible hazards and control bottlenecks.
Defined risk and control structures ensure uniform and effective risk
management across the company.
Effective risk management and mitigation.
Foster a risk-acceptance culture in the organisation by supporting risk
managers on a regular basis.
Integrating risk management into core business operations.
Explaining the organization's perspective on risks and controls.
Improving cross-functional risk management capabilities.
Improved reaction to business concerns through increased risk awareness.
Provide confidence to the board for accurate and consistent reporting.
Improved business continuity planning.
Document risk and controls for external stakeholders.
QUESTION 5:
Draft a risk map indicating the risks
Risk                                          Severity  Frequency  Score
1. Regulatory constraints                     3         3          9
2. Emerging technology companies' threats     4         4          16
3. Psychological effects of COVID-19          2         2          4
4. Fraud via digital channels                 3         3          9
5. Internal fraud detection issues            3         2          6
6. ESG risk management resourcing             3         3          9
7. Technology instability                     4         3          12
8. Customer unawareness of digital fraud      3         4          12
9. Skilled staff resourcing for risk mgmt     4         5          20
10. Third-party operational dependence        4         2          8
11. Extreme weather events                    5         3          15
12. Ransomware attacks                        5         5          25
The following are the six key risks, shown as (severity, frequency) with the resulting score:
Ransomware attacks (5,5): Score = 25
Skilled staff resourcing (4,5): Score = 20
Emerging technology companies' threats (4,4): Score = 16
Extreme weather events (5,3): Score = 15
Customer unawareness of digital fraud (3,4): Score = 12
Technology instability (4,3): Score = 12
QUESTION 6:
Mitigation Measures Table
Operational Risks                       Mitigation/Control Measures
Regulatory constraints                  Monitoring regulatory requirements and training employees on compliance-related issues.
Emerging technology threats             Being proactive in embracing the latest technology.
Psychological effects of COVID-19       Staff wellbeing initiatives, employee support programmes.
Fraud via digital channels              Awareness programmes, fraud detection tools.
Internal fraud detection                Internal fraud detection tools, robust procedures.
ESG risk management resourcing          ESG-specific staffing and resource allocation.
Technology instability                  Regular disaster recovery testing, business resilience.
Customer unawareness (digital fraud)    Customer education campaigns.
Skilled staff for risk management       Intensive training and recruitment programmes.
Third-party dependence                  Continuous monitoring of service agreements.
Extreme weather events                  Natural disaster insurance, climate change policy updates.
Ransomware attacks                      Continuous system monitoring, disaster recovery.
QUESTION 7:
The following are the roles and responsibilities of the three lines of defence:
First Line of defence
Its primary responsibility is identifying and managing risks in daily activities. It is made
up of the business line management.
It is responsible for promoting a strong risk culture.
Setting risk appetite and creating risk definition
Ownership of risk management process
Implementing controls
Day to day risk management by risk takers.
Second Line of defence.
Its main responsibility is to provide oversight and policy. It is made up of
risk management, HR, finance, IT and compliance.
It develops centralised policies and standards.
Develops risk management processes and controls.
Monitors and reports on risk.
Third Line of defence:
Its main responsibility is to provide independent assurance of risk management
effectiveness. It is made up of the audit committee.
It provides independent and objective challenge of the levels of assurance
provided by business operations and oversight
Validates process in risk management frameworks.
QUESTION 8
Definition of risk appetite.
The overall level of risk that a company is prepared to take on in order to achieve its
goals. It might differ between corporate divisions or activities and represents strategic
priorities.
Difference between risk appetite and risk tolerance
Risk Appetite: The total amount of risk an organization is willing to accept in pursuit
of its objectives. It reflects strategic priorities and can vary across business units or
activities. For instance, the level of risk the bank is willing to accept to achieve its
objectives.
Risk Tolerance: The acceptable level of variation from the risk appetite. It is often
more specific and operational, focusing on limits within which the organization must
operate. In the case of the bank, an example would be that appetite may allow moderate
credit risk, but tolerance ensures losses don’t exceed a set limit. The bank has
zero tolerance for internal fraud and regulatory breaches.
QUESTION 9:
Operational risk culture
At its core, operational risk culture is about establishing the proper atmosphere and
culture. A company's culture is defined by the beliefs and actions that make it possible
to accomplish its goals and strategy. The board and top management must be
committed to upholding the agreed-upon values and behaviours as well as moral
behaviour in order to establish a risk culture. An organisation should have a trusting
atmosphere where individuals collaborate in a culture of accepted ethics and
behaviours and share values, including a shared approach to risk.
Principles of Sound Risk Culture:
Mitigating people risks: creating the right environment reduces people risks, and
effective controls will mitigate the remaining risks.
Selection: poor selection leads to cost and wasted management resources, whereas
rigorous selection adds opportunities and benefit to the firm.
Appraisals and performance management: this presents an opportunity to reinforce
the right behaviours that will increase the chances of sustained success and reduce
risks by confronting poor behaviours.
Training and development: objectives help to frame a firm’s learning and
development needs and those of individual employees.
Reward and remuneration: remuneration, closely linked to appraisal, should reinforce
performance and discourage unwanted behaviour.