To become a proficient operational risk manager, you need to build fundamental capabilities (BFC) by deliberately practicing "What You Should Be Able to Do" after each lesson. This involves practicing, testing the results of your practice against some benchmark, receiving feedback, then re-practice after incorporating the feedback and repeating as necessary, until the desired level of proficiency is achieved.
Avoiding the Ilusion of Proficiency
Research shows that the more people merely watch others perform (without actually practicing it themselves i.e. listening to a lecture, or reading ), the more they believe they can perform what they watched others do. However, test after test shows that people's actual ability to perform what they observed others do does not improve. All that improves is their ability to describe the task accurately but not their ability to perform the task proficiently. For example, you may know all the rules of chess by studying the rules or observing others play chess but you will never be an expert chess player unless you deliberately practice playing chess. The same is true for doing risk management.
To avoid the illusion of proficiency, you must practice, identify gaps in your practice against the desired level of proficiency by either self or coached feedback, practice correcting the gaps, and repeat until there are no remaining gaps within your desired level of proficiency. This is what is meant by deliberate practice.
Becoming Proficient
In this course, there will be ample opportunity for you to deliberately practice both in class and offline. It will be up to you to seize the opportunity.
In class, case studies and working through risk issues will give you time to practice. Offline, the opportunity to practice is provided through practice exercises after each class, as described below.
These exercises are more than just key takeaways. Key takeaways are summaries of what you should know while BFC are practice sessions designed to improve your proficiency in doing rather than just knowing. It is about improving know -how not know about.
BFC provides a self-assessment after each class to identify areas (the gaps) where you need further practice and feedback to improve your proficiency. To get the full benefit of completing BFC, you should actually practice doing the exercise with a colleague and get their feedback or ask questions in the comment section below. If you just read them and convince yourself that you can do it, you will fall into the illusion of proficiency and the illusion will be shattered once you are asked to perform the task either on an exam or more importantly at work.
To paraphrase Feynman, one of the greatest 20th-century theoretical physicists, the best way to know if you really understand something is by showing to someone else how it is done. This technique has become popular beyond physics and is now known as the Feynman technique.
By practicing BFC with a colleague or in groups, you will identify
what you really can do vs. what you think you can do and
guide you to seek feedback on those you can't yet do
you can seek feedback by asking in-class questions or by positing as "comments" in the related post.
BFC: What You Should be Able To Do (organized by Class)
Create a MECE structure
gather lots of information about something you find interesting and organize the information into a MECE structure
Use Agile Problem Solving when appropriate
take any interesting problem you would like to solve
where you don't know where to start and solve it using the Agile Problem Solving methodology
Create an Elevator Pitch
Find a question you may be asked, like "What is the operational risk course about" or "What are you working on?" or any other question
Create an answer
Organize the answer into a MECE structure, this may involve adding parts or deleting parts of the answer
Create an EP from the MECE, using the EP methodology ( example of an EP: "I am creating y, for x, by using z." or some variation of this structure, and where x, y, and z are the first level of your MECE structured answer.)
Create and Communicate the RMF
Create the RMF as a MECE and Communicate through an Elevator Pitch.
Create a gap analysis
identify gaps
create corrective action plans to close the gap
Use the Basel Operational Risk Type
create rules for removing ambiguity arising from Basel op rik types not being MECE
Create and OPR
analyze and draw insights
create a MECE structure for the analysis and insights
write an EP to summarize the analysis and insights
Create a current ORP with
Internal Data
External Data
Changes in Business Internal and External Environment
Scenario Analysis
Identify both benefits, issues, and ways to deal with including Internal Data, External Data, Changes in Business Internal and External Environment, and
Scenario Analysis in Building the current ORP
Analyze the ORP
use the RLOB ORP to develop a first cut for Identifying op risks associated with any new initiative
summarize the analysis through an EP
Create and RCSA, including
identify the inherent risks and rate them
identify the associated appropriate controls and rate them
rate the residual risk
develop corrective action plans where the residual risk is outside the RA
Summarize the results of the RCSA in an EP
Create and assess the Governance structure for managing (op) risk, including
Major risk policies' effectiveness
clarity of roles and responsibilities for First Line, Second Line, and Third Line
committee mandates
assess the strength of risk culture
meeting regulatory expectations.
build a MECE structure as an intermediate step
Summarize the results of the assessment in an EP
Create and assess the Operational Resilience capability for managing (op) risk, including
critical activities
recovery Time and Point (Level) Objectives
establish roles and responsibilities for First Line, Second Line, and Third Line
committee mandates
Business Continuity Plan
meeting regulatory expectations.
build a MECE structure as an intermediate step
Summarize the results of the assessment in an EP
Create and assess the Financial Resilience capability for managing (op) risk, including
Evaluate strengths and weaknesses of alternative methods
Summarize the what and how Financial Resilience achieves in an EP
Apply ECRG to Cybersecurity
Summarize the what and how of Cybersecurity Risk Management in an EP
Apply ECRG to Model Risk Management
Summarize the what and how of Model Risk Management in an EP
In the case study of week 9, the disagreement between Zev and Avi raises an important question about risk management philosophy: should new risks be incorporated into an existing framework, or does it require building a dedicated TPRM framework? This debate highlights the challenges that institutions face in balancing legacy risk frameworks with the need to address complex third-party risks effectively. I wonder how can bank evaluate the effectiveness of its current risk framework to determine if a new one is necessary? What are the strengths and limitations of Global Bank’s existing RMF in managing third-party risks?
For the Global Bank case, I feel while Avi’s integrative approach could offer simplification, Octavio’s dedicated MRM framework is more appropriate given the complexity of model risk and the strict regulatory requirements. However, they need to pay attention to resource allocation and organizational culture challenges during implementation. Therefore, I will recommend create an independent MRM framework, implement a risk rating system, adopt a phased approach, and promote collaborative communication. This would allow Global Bank to meet regulatory demands effectively while balancing resource distribution, maintaining team support, and engagement throughout the transformation process.
Scenario analysis plays a vital role in Model Risk Management (MRM) by preparing models for adverse or unexpected conditions. How should scenario analysis be incorporated into MRM to prepare models for unexpected market or operational conditions? Which scenarios would offer the most insight for model resilience?
What methods can risk managers use to gain buy-in for enhanced model risk management practices, especially from teams accustomed to existing frameworks? How can the tangible benefits of these new practices be communicated effectively?
How can we best identify and address specific gaps in our risk management practice to ensure we achieve the desired proficiency? Are there recommended techniques or feedback methods that have proven effective for refining practical skills in operational risk management?