Contents

Acknowledgments xiii

Introduction to Operational Risk

Book 1 Operational Risk at a Crossroads 1

Chapter 1 The History and Importance of Operational Risk 3
    The Definition of Operational Risk 3
    The Impact of the Barings PLC Unauthorized Trading Event 5
    The Introduction of Basel II and Operational Risk Capital Adequacy 5
    The Language of Operational Risk 8
    Basel III Endgame 9
    Significant Unauthorized Trading Events 11

Chapter 2 Managing Operational Risk in the New World Order 19
    Managing Through the Great Challenges of Our Time 19
    Managing Operational Risks Associated with Geopolitical Events 21
    Communicating Operational Risks 27
    Interview with Industry Veteran on Managing Operational Risk and Compliance: Mike Silva 28

Chapter 3 Building the Team for Today and Tomorrow Across the Lines of Defense 33
    Managing Operational Risk Across the Lines of Defense 33
    General vs. Specialist Roles 36
    The Composition of Operational Risk Teams 37
    Interview with Industry Veteran on First-Line Risk Management: Aarona Chou 38

Chapter 4 Making It Real: Developing a Framework for the Real World 43
    The Operational Risk Framework Is Only as Effective as Its Implementation 44
    Elements of the Framework 46
    Governance 46
    Policies and Procedures 47
    Risk Appetite 48
    Key Risk Indicators 49
    Loss Data 50
    Risk and Control Assessment 51
    Scenario Analysis 52
    Issue Management 53
    Monitoring and Reporting 54
    Culture and Awareness 55

Chapter 5 Managing Operational Risk Appetite and Key Risk Indicators 59
    Definitions 60
    Considerations When Managing Risk Appetite 60
    Risk Appetite Framework 62
    Integration with Operational Risk Program Components 66
    Key Risk Indicators 67

Chapter 6 Developing and Deploying Risk Assessments 73
    Risk and Control Self-Assessment Overview 73
    Governance: Defined Roles and Responsibilities 75
    Communication Plan 78
    Leveling Up: Determining Risk Assessment Units 79
    The Perspective: Top Down and Bottom Up 81
    Technology Enablement 84
    Methodology: Rating Risks and Controls 86
    Process Mapping 93
    The Trigger-based Approach 94
    Remediation 96
    Reporting on the Results 98

Chapter 7 Internal and External Loss Data 103
    Types of Loss Data 105
    Roles and Responsibilities 106
    Framework and Methodology 107
    Internal Loss Data 108
    Stage 1: Identify 109
    Stage 2: Assess 113
    Stage 3: Mitigate 116
    Stage 4: Monitor 116
    Stage 5: Report 117
    External Data 118
    Citibank Revlon Bond Case Study 120

Chapter 8 Setting Up the Guardrails: Operational Risk Governance 123
    Risk Culture 124
    Training 127
    Conduct Risk 127
    Policies and Frameworks 131
    Governance 134
    Risk Committees 135
    Interview with Industry Veteran: Maureen Day 138
    Wells Fargo Pays USD $7.57 Billion in Penalties and Redress Over Retail Customer Violations 141

Chapter 9 The Fourth Line: Managing Regulatory Risks 151
    The Regulatory Climate 151
    Managing Regulatory Relationships 155
    Tracking Regulatory Changes 158
    Regulatory Expectations 159
    The Four Lines of Defense Model 160
    Seeking Help 161
    Confidential Supervisory Information 162
    Interview with Industry Veteran on Managing Regulatory Risk: Tom Balogh 164

Chapter 10 It Could Happen Here: On Developing Scenarios 169
    The Scenario Program 172
    The Scenario Framework 172
    Governance and Framework 172
    Preparation 175
    Facilitation 176
    Scenario Workshop 178
    Reporting and Alignment 179
    Scenario Examples 182
    Interview with Industry Veteran on the Use of Scenarios: Evan Sekeris 184

Chapter 11 Know Your Process: Managing Execution Risks 191
    Managing Through the Operational Risk Framework 194
    Governance 195
    Policies and Procedures 195
    Risk Appetite and Key Risk Indicators 196
    Loss Data, Incidents, Escalations, and Issue Management 198
    Risk and Control Assessment 199
    Scenario Analysis 202
    Monitoring and Reporting 204
    Culture and Awareness 204
    Payments 205
    Boeing Case Study 206
    Citigroup Fat Finger Case Study Courtesy of IBM 209

Chapter 12 Managing Change, and Product and Service Risk 215
    Change Management 215
    Lifecycle 218
    Change Initiative Risk Assessment 221
    Roles and Responsibilities 223
    Waterfall vs. Agile 223
    Success Criteria 224
    Products and Services Change Initiatives 225
    U.S. Regulatory Guidance 227

Chapter 13 Managing Data Risk, AI, and Machine Learning 235
    Data Risk Management Framework 237
    Governance and Policies and Procedures 240
    Risk Appetite and Key Risk Indicators 241
    Loss Data 242
    Risk and Control Assessments and Maturity Assessment 243
    Scenario Analysis 244
    Monitoring and Reporting 246
    Cultural Awareness 246
    AI and Machine Learning 246
    Data Is Foundational to AI and Machine Learning 248
    AI-Specific Operational Risks 249
    Using AI to Manage Risk 250
    Interview with Industry Veteran on Data and Machine Learning: Jae Kang 252

Chapter 14 Managing Cyber Risk 257
    A Tale of Two Attacks 258
    Cyber Frameworks 259
    Aligning NIST to an Operational Risk Framework 267
    Strong Cyber Practices 270
    Interview with Industry Veteran: Alicja Cade 271
    United Healthcare Case Study Courtesy of IBM 276

Chapter 15 Managing Third-Party Risk 281
    Third-Party Risk Management Framework 282
    Planning (Including Governance) 283
    Due Diligence and Third-Party Selection 286
    Contract Negotiation 288
    Ongoing Monitoring 289
    Termination 290
    Interview with Industry Veteran: Jeannie Pumphrey 293

Chapter 16 Managing Fraud 297
    Managing Internal and External Fraud 298
    Fraud Risk Management Frameworks 301
    JPMorgan London Whale Case from O.R.X: An Example of Internal Fraud 308
    Garda World Robbery Case Study from ORX: An Example of an External Fraud 312

Chapter 17 Managing Business Resilience 317
    Resilience Framework 319
    Managing Climate Risk 326

Index 331