Topic 41 Observations on Developments in Risk Appetite Frameworks and IT Infrastructure
1.Implementing a risk appetite framework(RAF):
⑴introduction of RAF:
①background:
It is the board's responsibility to "approve and oversee the implementation of the bank's overall risk strategy,including its risk tolerance or appetite".
②definition:
A.It is a strategic decision-making tool and represents the firm's core risk strategy.
B.It sets in place a clear,future-oriented perspective of the firm's target risk profile in a number of different scenarios and maps out a strategy for achieving that risk profile.
③characteristic:
It should start with a risk appetite statement that is essentially a mission statement from a risk perspective.
④benefits:
Its benefits include:
A.assisting firms in preparing for the unexpected
B.greatly improving a firm's strategic planning and tactical decision-making
⑵developing and implementing an effective RAF:
①board of directors(playing a central role):
A.highly engaged boards of directors working closely with CEO,CFO and CRO
B.be willing to challenge management to operate the firm consistent with the RAF
C.actively work with senior management to continually receive the RAF
D.have sufficient technical and business understanding of the risks facing the firm
E.be proactive in stating the nature and frequency of the information they need
F.set up a reputational risk committee to approve transactions on the basis of geography or product line
G.with input from senior management,setting overarching expectations for the risk profile
②the "c-suite"(CEO,CRO(chief risk officer),CFO)(playing a central role):
A.Strong support at the CEO level is crucial for the RAF's successful implementation.
B.Translating those expectations into incentives and constraints for business lines,and the board holds the business accountable for performance related to the expectations.
C.The CEOs encourage board members to contact the CRO directly.
·Special note!
·CRO should be easily available to the board of directors and there should be a strong alliance between the CRO and CFO.
·CRO has the final word on significant risk decisions at the firm.
③business lines:
A.A critical element in the process of building an RAF is the link with the business strategy and budgeting process.
B.The RAF is a useful tool to ensure that each business line's strategies align with the firm's desired risk profile.
C.Manage within the boundaries of these incentives and constraints,and their performance depends in part on the RAF's performance:
a/ Individual business lines may collectively cause the firm's RAF to drift when market conditions change.
b/ Each business line's risk appetite allotment according to the RAF may be amerced if another business line encounters an opportunity that requires more capital.
c/ The business line managers submit a medium-term business plan to senior management and/or the board.
⑶effective RAF metrics:
①examples of risk metrics:
capital target,liquidity ratio terms,survival horizons,net interest income volatility or earnings-at-risk calculations,VaR limits,risk sensitivity limits,risk constraints,expected loss ratios,the firm's own credit spreads,asset growth ceilings,performance of internal audit ratings,EVA,post-stress-test target
②The risk metrics that are used at different levels:
A.high level→director:
Directors should receive high-level metrics(less detail) that reflect the firm´s key risks.
B.more detailed→c-suite:
CEO,CFO,CRO should receive more detailed metrics than directors.
C.appropriately pointed→business line leaders:
Business line leaders should receive very detailed metrics,especially in relation to their respective business lines.
③The risk metrics should be divided into classes,depending on who is receiving the information within the firm.
⑷promoting a firmwide RAF approach:
①promotions based on adherence to the RAF
②career advancement through posting to higher level control functions
③compensation explicitly linked to the RAF
④dismissals for those who disregard the framework
⑸monitoring the firm's risk profile within the RAF
2.Implementing a comprehensive risk data infrastructure:
⑴background and approach
⑵the importance of IT governance in strategic planning and decision-making:
①key elements of an effective IT risk management policy:
A.clearly defined standards and internal risk reporting requirements
B.sufficient funding is provided to develop IT systems or comparable funding for IT projects and revenue-generating projects
C.assessing IT infrastructure and capacity prior to approving new products
D.timely post-implementation reviews of IT systems performed at least 6-18 months after implementation
E.the level of governance for outsourced IT activities is the same as if they were done in-house
F.the existence of effective project management offices(PMOs)
G.having a single person in charge of the project management office
H.the data owner must ensure a sufficiently high level of data accuracy,integrity,and availability
I.the board is able to implement relevant internal audit programs
J.integrating legacy IT systems into the new IT systems immediately
K.catch errors early in the process
②poor or fragmented IT infrastructure:
A.a lack of agreement(no common understanding of long-term business strategy) between business lines and IT management
B.decisions that favor short-term financial considerations
C.turnover in key IT management areas
D.weak data governance processes can contribute to inconsistent approaches to the upgrading of systems and insufficient data management plans
E.mergers and acquisitions
③The lack of integrated IT systems is the major challenge related to data aggregation; many best practices regarding data aggregation exist,including:
A.minimizing the amount of manual data processes
B.using single platform centralized databases
C.creating data warehouses
D.automated and periodic data reconciliations
E.timely integration of legacy IT systems
⑶automating risk data aggregation capabilities
⑷prioritizing the integration of IT systems and platforms
⑸maintaining appropriate systems capacity
3.Data quality management:
⑴business impacts of poor data quality:
①financial impacts
②confidence-based impacts:
A.Managers may make incorrect business decisions based on faulty data.
B.Poor forecasting may occur.
C.Inaccurate internal reporting may occur.
③satisfaction impacts
④productivity impacts
⑤risk impacts:
Underestimating credit risk & investment risk
⑥compliance impacts
⑵data errors:
They may lead to inconsistent reporting,incorrect product pricing,or failures in trade settlement:
①data entry errors
②missing records
③duplicate records
④inconsistent data
⑤nonstandard formats
⑥complex data transformations
⑦failed identity management process
⑧undocumented,incorrect,or misleading metadata
⑶operational data governance:
①definition:
It refers to the collective set of rules and processes regarding data that allow an organization to have sufficient confidence in the quality of its data.
②data quality inspection vs. data validation:
A.data quality inspection:
It is an on-going set of steps aimed to reduce the number of errors,spot data flaws,and solve the cause of errors and flaws.
B.data validation:
It is a one-time step that reviews and assesses whether data conforms to defined business specifications.
③data quality scorecard:
A.base-level:
Data quality scorecards serve as a strong management technique if they are able to summarize important organizational information as well as provide warning signs to management when corrective actions are required.
B.complex metric scorecard viewpoints:
a/ data quality issues view:
Considering the impact of a specific data quality problem over multiple business processes.
b/ business process view:
For each business process,metrics that quantify the impact of each data quality problem.
c/ business impact view(high-level understanding of the risks):
It considers various data quality problems that occur in various business processes.
⑷acceptable data:
The key dimensions of data quality are:
①accuracy
②completeness
③consistency:
A.record level:
the consistency between one set of data values and another set within the same record
B.cross-record level:
the consistency between one set of data values and another set in different records
C.temporal level:
the consistency between one set of data values and another set within the same record at different points in time
④reasonableness
⑤currency
⑥uniqueness
4.Managing outsourcing risk:
⑴risks from the use of service providers:
①compliance risks
②concentration risks:
Having very few service providers to choose from or that the service providers are clustered in only a few geographic areas.
③reputational risks
④country risks
⑤operational risks
⑥legal risks
⑵effective program to manage outsourcing risk:
①risk assessments
②due diligence and selection of service providers
③contract provisions and considerations
④incentive compensation review
⑤oversight and monitoring of service providers
⑥business continuity and contingency plans
⑶board of directors and senior management responsibilities:
①The use of service providers does not relieve a financial institution's board of directors and senior management of their responsibility.
②Policies should be approved by the board of directors.
③Senior management is responsible for ensuring that policies are appropriately executed.
⑷due diligence on the third-party service providers:
①In performing due diligence on a third-party service provider,a financial institution should involve any relevant technical specialists and/or important stakeholders:
The 3 key areas of review include:
A.business background,reputation,and strategy
B.financial performance and condition(insurance coverage)
C.operations and internal controls
②Considerations and provisions that should be addressed in a contract with a third-party service provider include the following:
A.scope
B.cost and compensation
C.incentive compensation
D.right to audit(optional)
E.establishment and monitoring of performance standards
F.oversight and monitoring
G.confidentiality and security of information
H.ownership and license
I.indemnification
J.default and termination(determining acceptance level of performance)
K.dispute resolution
L.limits on liability
M.insurance
N.customer complaints
O.business resumption and contingency plan of the service provider
P.foreign-based service providers
Q.subcontracting
·Special note!
·There should always be a description of any amounts payable for non-recurring items and special requests.