Fatskills
Practice. Master. Repeat.
Study Guide: FRM Part II - Operational Risk and Resilience
Source: https://www.fatskills.com/frm-foundation-of-risk-management/chapter/frm-part-ii-operational-risk-and-resilience

FRM Part II - Operational Risk and Resilience

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What Is It?

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The Basel Committee's definition, which the FRM curriculum follows, includes legal risk but excludes strategic and reputational risk. Operational resilience is the related ability of a firm to keep delivering its critical operations through a disruption, whatever its cause. The exam tests whether a candidate can identify, classify, assess, mitigate and monitor operational risks, and can reason about how a firm keeps critical services running when a control fails.

Why Does the Exam Ask This?

This topic tests whether the candidate can recognise an operational risk event, classify it correctly, judge its likelihood and impact, and choose and justify a response. Questions reward professional judgement and awareness of the regulatory framework rather than memorised definitions.

What Do I Need to Know First?

  1. The three lines of defense model
  2. The COSO ERM framework
  3. Operational risk event types
  4. Risk assessment and mitigation techniques

Topic Snapshot

Operational risk is one of the three Pillar 1 risk categories under Basel, alongside credit and market risk, and unlike those two it is not taken on deliberately in pursuit of return: it is inherent in running any business. Managing it means identifying risk events, assessing their likelihood and impact, responding with controls, transfer or acceptance, and then monitoring and reporting the outcome. Resilience extends this from preventing losses to making sure critical operations continue when prevention fails.

Exam / Job / Audit Weighting

Frequency: about 20% of the FRM Part II exam (GARP's published topic weighting)
Difficulty Rating: Intermediate
Question Type or Real-World Task Type: Multiple-choice questions, case studies, and scenario-based questions

Difficulty Level

intermediate

Must-Know Rules, Formulas, Standards, or Principles

  1. The three lines of defense model: the first line is the business units and operational management that own and manage risk day to day; the second line is the risk management and compliance functions that set policy and oversee the first line; the third line is internal audit, which reports to the board or audit committee and gives independent assurance on how well the first two lines work.
  2. The COSO ERM framework (2017 edition): five components, namely governance and culture; strategy and objective-setting; performance (which covers identifying, assessing, prioritising and responding to risk); review and revision; and information, communication and reporting. The 2004 edition used eight components (internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring), and its vocabulary is a common distractor.
  3. Operational risk event types: the Basel Committee's seven loss event categories are internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery and process management. Changes in market conditions are market risk, not an operational risk event type.

Misconceptions

  1. Operational risk is only related to internal events.
  2. Operational risk is only related to financial losses.
  3. Operational risk is not a significant risk for financial institutions.
  4. Operational risk management is only related to risk assessment and mitigation.
  5. Operational risk is not related to compliance and regulatory requirements.

Common Mistakes

  1. Failing to identify potential operational risk events.
  2. Underestimating the impact of operational risk events.
  3. Failing to develop effective risk mitigation strategies.
  4. Failing to monitor and report on operational risk events.
  5. Failing to comply with regulatory requirements related to operational risk.

The Common Trap

The common trap is to focus only on risk assessment and mitigation, and to overlook the importance of risk monitoring and reporting.

Terms to Remember

  1. Operational risk: The potential for losses due to inadequate or failed internal processes, people, and systems, as well as external events.
  2. Risk assessment: The process of identifying and evaluating potential risks.
  3. Risk mitigation: The process of reducing or eliminating potential risks.
  4. Risk monitoring: The process of tracking and reporting on potential risks.
  5. Compliance: Adherence to the laws, regulations and internal policies that apply to the firm; a compliance failure is itself an operational risk event.
  6. Operational resilience: The ability to deliver critical operations through disruption, which assumes some controls will fail and plans for continuity and recovery rather than prevention alone.

Step-by-Step Process

  1. Identify potential operational risk events.
  2. Assess the likelihood and impact of each risk event.
  3. Develop risk mitigation strategies.
  4. Implement risk mitigation strategies.
  5. Monitor and report on operational risk events.

Exam Answer Builder

1-mark Question

What is operational risk? A) The potential for losses due to external events. B) The potential for losses due to inadequate or failed internal processes, people, and systems, as well as external events. C) The potential for losses due to market events. D) The potential for losses due to human error.

Answer: B

Key Tip: Operational risk includes both internal and external events.

2-mark Question

What is the three lines of defense model? A) A model in which the risk management function owns the risk, the business units oversee it, and internal audit provides independent assurance. B) A model that separates the business units that own and manage risk (first line) from the risk management and compliance functions that oversee them (second line) and from internal audit, which provides independent assurance (third line). C) A model in which risk management, compliance and internal audit form a single independent line reporting to the board. D) A model with four lines of defense: business units, risk management, internal audit and external regulators.

Answer: B

Key Tip: The lines are distinguished by who owns the risk, who oversees it and who independently assures it. The first line is the business, not the risk function.

5-mark Question

Describe the COSO ERM framework and its five components. A) The COSO ERM framework (2017) provides a structured approach to enterprise risk management built on five components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting. B) The COSO ERM framework provides a structured approach to enterprise risk management and includes five components: event identification, risk assessment, risk response, risk monitoring, and risk reporting. C) The COSO ERM framework provides a structured approach to enterprise risk management and includes three components: internal environment, objective setting, and control activities. D) The COSO ERM framework provides a structured approach to enterprise risk management and includes two components: risk assessment and risk response.

Answer: A

Key Tip: Know both editions. The 2017 framework has five components and twenty supporting principles; the 2004 framework had eight components, and lists built from its vocabulary (event identification, risk assessment, risk response) are the usual distractor.

This vs That

Operational risk and credit risk are distinguished by cause, not by the form the loss takes. Credit risk is the risk that a borrower or counterparty fails to pay; operational risk is the risk of loss from failed processes, people, systems or external events. The boundary case is a credit loss caused by an operational failure, for example a loan that cannot be enforced because its documentation was mishandled: Basel treats such losses as credit risk for regulatory capital purposes but requires them to be flagged in the operational loss database so the underlying control failure is not lost.

Time-Saver Hack

To quickly identify potential operational risk events, walk the four causes in the definition in order: people (fraud, error, misconduct), processes (failed execution, documentation, settlement), systems (outages, software defects, cyber attacks) and external events (natural disasters, third-party failures). An event that fits none of the four is not operational risk: a change in market prices belongs to market risk and a counterparty default to credit risk.

Mini Scenarios

Basic Scenario

A bank's IT system fails, causing a disruption to customer services. What is the potential impact of this event? A) Financial loss due to customer dissatisfaction. B) Financial loss due to system failure. C) Reputation loss due to customer dissatisfaction. D) Regulatory non-compliance due to system failure.

Answer: B

Key Tip: An IT outage falls under the Basel category "business disruption and system failures". The direct cost of the failure is the primary impact; reputational damage and regulatory breaches are second-order consequences that are assessed separately.

Applied Scenario

A bank's risk management team identifies a potential operational risk event related to the bank's trading activities. What is the next step in the risk management process? A) Develop a risk mitigation strategy. B) Assess the likelihood and impact of the risk event. C) Monitor and report on the risk event. D) Implement a risk mitigation strategy.

Answer: B

Key Tip: Identification is followed by assessment of likelihood and impact; a mitigation strategy is chosen in proportion to that assessment, never before it.

Tricky Scenario

A bank's risk management team identifies a potential operational risk event related to the bank's outsourcing activities. However, the team is unsure whether the event is an operational risk or a credit risk. What is the next step in the risk management process? A) Assess the likelihood and impact of the risk event. B) Develop a risk mitigation strategy. C) Monitor and report on the risk event. D) Classify the risk event as either an operational risk or a credit risk.

Answer: D

Key Tip: Classify by root cause. A failure by an outsourced service provider is operational risk (third-party risk) even if its consequence looks like a credit loss; the classification determines which loss database, control owner and capital treatment apply.

Diagnostic MCQ Bank

Question 1

What is operational risk?

Options

A) The potential for losses due to external events. B) The potential for losses due to inadequate or failed internal processes, people, and systems, as well as external events. C) The potential for losses due to market events. D) The potential for losses due to human error.

Correct Answer: B

Explanation: Operational risk includes both internal and external events.

Why the correct answer is right: Operational risk is a broad term that encompasses both internal and external events.

Why the trap option is tempting: The trap option (A) is tempting because it focuses on external events, which is a common misconception about operational risk.

Question 2

What is the three lines of defense model?

Options

A) A model in which the risk management function owns the risk, the business units oversee it, and internal audit provides independent assurance. B) A model that separates the business units that own and manage risk (first line) from the risk management and compliance functions that oversee them (second line) and from internal audit, which provides independent assurance (third line). C) A model in which risk management, compliance and internal audit form a single independent line reporting to the board. D) A model with four lines of defense: business units, risk management, internal audit and external regulators.

Correct Answer: B

Explanation: The model assigns ownership of risk to the business, oversight to the risk and compliance functions, and independent assurance to internal audit.

Why the correct answer is right: Each line has a distinct role and a distinct reporting line; in particular internal audit reports to the board or audit committee, so its assurance is independent of the functions it reviews.

Why the trap option is tempting: Option A keeps the three familiar names but swaps the roles of the business and the risk function; candidates who remember "risk management" as the first line fall for it.

Question 3

Describe the COSO ERM framework and its five components.

Options

A) The COSO ERM framework (2017) provides a structured approach to enterprise risk management built on five components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication and reporting. B) The COSO ERM framework provides a structured approach to enterprise risk management and includes five components: event identification, risk assessment, risk response, risk monitoring, and risk reporting. C) The COSO ERM framework provides a structured approach to enterprise risk management and includes three components: internal environment, objective setting, and control activities. D) The COSO ERM framework provides a structured approach to enterprise risk management and includes two components: risk assessment and risk response.

Correct Answer: A

Explanation: The 2017 COSO ERM framework, Enterprise Risk Management: Integrating with Strategy and Performance, is organised into those five components, each supported by principles (twenty in total).

Why the correct answer is right: The 2017 framework ties risk management to strategy and performance, so its components run from governance and objective-setting through performance to review and reporting rather than listing risk-process steps alone.

Why the trap option is tempting: Option B lists activities that genuinely appear inside the framework (identification, assessment and response sit under the performance component) but presents them as the components themselves, and it echoes the vocabulary of the eight-component 2004 edition.

Real-World Patterns

Operational risk and resilience show up in real work in the following ways:

  1. Banks must hold regulatory capital for operational risk (a Pillar 1 charge under Basel) and maintain a risk management framework that satisfies the Basel Committee's Principles for the Sound Management of Operational Risk.
  2. Supervisors increasingly ask firms to demonstrate operational resilience: mapped critical operations, stated tolerances for disruption, and tested recovery plans for events such as IT outages, cyber incidents and third-party failures.
  3. Operational risk events can have significant financial and reputational impacts on companies, and losses are recorded by Basel event type so that trends and control weaknesses can be tracked.

30-Second Cheat Sheet

Here are five must-remember facts about operational risk and resilience:

  1. Operational risk includes both internal and external events; it includes legal risk but excludes strategic and reputational risk.
  2. Three lines of defense: the business owns the risk, risk management and compliance oversee it, internal audit independently assures it.
  3. COSO ERM (2017) has five components; Basel defines seven operational loss event types.
  4. Operational risk events can have significant financial and reputational impacts on companies.
  5. Banks hold Pillar 1 capital for operational risk and must comply with regulatory requirements on operational risk management and resilience.

Related Concepts

Here are three nearby topics, next topics, or follow-on chapters:

  1. Credit risk management
  2. Market risk management
  3. Enterprise risk management

Verified Source List

Here are some trusted sources relevant to operational risk and resilience:

  1. COSO (Committee of Sponsoring Organizations of the Treadway Commission), Enterprise Risk Management: Integrating with Strategy and Performance (2017)
  2. GARP, FRM Part II curriculum, Operational Risk and Resilience
  3. Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (2011, revised 2021)
  4. Basel Committee on Banking Supervision, Principles for Operational Resilience (2021)
  5. ISO 31000, Risk Management: Guidelines (2018)