As with every solution, it needs to be tested to ensure it is fit for purpose.
So too with the ECRG. The ECRG will be used throughout the course, and some variation of it is used by risk managers in all organizations. Therefore we need practical assurance that it delivers what it was designed to do.
The ECRG was developed from Case Study 1 and was tested to ensure that it provides the guidance that the CRO in the case asked for. (If it didn't, it needed to be iterated until it did.)
Financial institutions are heavily regulated, and therefore, at a minimum, the ECRG must meet regulatory requirements. In fact, meeting minimum regulatory requirements is a key component of the Governance part of the ECRG.
We tested the ECRG in class against OSFI E-21, Operational Risk Management and Resilience Guideline.
As a result, we found that the ECRG:
contains nothing that contradicts a regulatory requirement and would therefore have to be removed;
needs nothing added at the ECRG level, although lots of detail can be added under the subsequent layers. We will add and explore these layers in future classes.
So we now have high confidence that the ECRG meets not only regulatory requirements but also the CRO's requirement for a framework that guides the organization to comprehensively manage all its risks.
I got the feedback back from Assignment 2 and it mentioned that we should reference the ECRG MECE structure. Do you have advice on how to adapt this to other situations and cases?
I wonder why the Basel Regulation has back-testing both for the controls part and for the resilience part of the financial part. What's the difference between these two kinds of back-testing? Are they mainly focused on testing the possible scenarios?