Description

Practitioner manual to operational risk blending contemporary challenges with case studies

Managing Operational Risk in a Changing World is both a practitioner's manual and a classroom text that blends nearly 40 years of frontline experience with emerging themes that define today's risk landscape, from climate change and ESG to AI, DE&I, cyber threats, and pandemics. Unlike existing titles that focus on defining operational risk or recounting its history, this book is organized around contemporary challenges, showing how frameworks and methodologies can be applied in practice.

The book contains interviews with industry veterans, from Barings to Silicon Valley Bank, who share their perspective and strategy for managing operational risk. In Managing Operational Risk in a Changing World, readers will find insights on:

  • Recent regulations focused on managing emerging risks, such as the Digital Operational Resilience Act (DORA)
  • Firewalls, intrusion detection systems, and encryption as critical elements in a robust approach to cyber risk management
  • Data governance and data controls: checking and cleaning up erroneous data, and performing independent reviews
  • Operational risks associated with geopolitical events, including people, processes, technology, and external factors

The operational risk discipline is in flux, with regulators raising expectations and new risks constantly surfacing. Managing Operational Risk in a Changing World is required reading for all OpRisk professionals, academics, and students seeking to stay ahead of the curve.

About the Author

PENNY CAGAN is a Senior Risk Advisor, where she leads client-facing risk and control engagements with financial institutions. Previously, she served as Managing Director and Head of Operational Risk for UBS Americas and Head of Operational Risk and Governance at MUFG Americas. She founded one of the first operational risk databases, which became an industry standard. Her contributions have earned her Outstanding Contribution to Operational Risk and Ten Years of Excellence awards from Operational Risk & Regulation Magazine. She teaches as a part-time adjunct faculty member in Columbia University's Enterprise Risk Management Master's program and at NYU's Management and Analytics Master's Program.

Table of Contents
Acknowledgments xiii
Introduction to Operational Risk Book 1
Operational Risk at a Crossroads 1
Chapter 1: The History and Importance of Operational Risk 3
The Definition of Operational Risk 3
The Impact of the Barings PLC Unauthorized Trading Event 5
The Introduction of Basel II and Operational Risk Capital Adequacy 5
The Language of Operational Risk 8
Basel III Endgame 9
Significant Unauthorized Trading Events 11
Chapter 2: Managing Operational Risk in the New World Order 19
Managing Through the Great Challenges of Our Time 19
Managing Operational Risks Associated with Geopolitical Events 21
Communicating Operational Risks 27
Interview with Industry Veteran on Managing Operational Risk and Compliance: Mike Silva 28
Chapter 3: Building the Team for Today and Tomorrow Across the Lines of Defense 33
Managing Operational Risk Across the Lines of Defense 33
General vs. Specialist Roles 36
The Composition of Operational Risk Teams 37
Interview with Industry Veteran on First-Line Risk Management: Aarona Chou 38
Chapter 4: Making It Real: Developing a Framework for the Real World 43
The Operational Risk Framework Is Only as Effective as Its Implementation 44
Elements of the Framework 46
Governance 46
Policies and Procedures 47
Risk Appetite 48
Key Risk Indicators 49
Loss Data 50
Risk and Control Assessment 51
Scenario Analysis 52
Issue Management 53
Monitoring and Reporting 54
Culture and Awareness 55
Chapter 5: Managing Operational Risk Appetite and Key Risk Indicators 59
Definitions 60
Considerations When Managing Risk Appetite 60
Risk Appetite Framework 62
Integration with Operational Risk Program Components 66
Key Risk Indicators 67
Chapter 6: Developing and Deploying Risk Assessments 73
Risk and Control Self-Assessment Overview 73
Governance: Defined Roles and Responsibilities 75
Communication Plan 78
Leveling Up: Determining Risk Assessment Units 79
The Perspective: Top Down and Bottom Up 81
Technology Enablement 84
Methodology: Rating Risks and Controls 86
Process Mapping 93
The Trigger-based Approach 94
Remediation 96
Reporting on the Results 98
Chapter 7: Internal and External Loss Data 103
Types of Loss Data 105
Roles and Responsibilities 106
Framework and Methodology 107
Internal Loss Data 108
Stage 1: Identify 109
Stage 2: Assess 113
Stage 3: Mitigate 116
Stage 4: Monitor 116
Stage 5: Report 117
External Data 118
Citibank Revlon Bond Case Study 120
Chapter 8: Setting Up the Guardrails: Operational Risk Governance 123
Risk Culture 124
Training 127
Conduct Risk 127
Policies and Frameworks 131
Governance 134
Risk Committees 135
Interview with Industry Veteran: Maureen Day 138
Wells Fargo Pays USD [...] Billion in Penalties and Redress Over Retail Customer Violations 141
Chapter 9: The Fourth Line: Managing Regulatory Risks 151
The Regulatory Climate 151
Managing Regulatory Relationships 155
Tracking Regulatory Changes 158
Regulatory Expectations 159
The Four Lines of Defense Model 160
Seeking Help 161
Confidential Supervisory Information 162
Interview with Industry Veteran on Managing Regulatory Risk: Tom Balogh 164
Chapter 10: It Could Happen Here: On Developing Scenarios 169
The Scenario Program 172
The Scenario Framework 172
Governance and Framework 172
Preparation 175
Facilitation 176
Scenario Workshop 178
Reporting and Alignment 179
Scenario Examples 182
Interview with Industry Veteran on the Use of Scenarios: Evan Sekeris 184
Chapter 11: Know Your Process: Managing Execution Risks 191
Managing Through the Operational Risk Framework 194
Governance 195
Policies and Procedures 195
Risk Appetite and Key Risk Indicators 196
Loss Data, Incidents, Escalations, and Issue Management 198
Risk and Control Assessment 199
Scenario Analysis 202
Monitoring and Reporting 204
Culture and Awareness 204
Payments 205
Boeing Case Study 206
Citigroup Fat Finger Case Study Courtesy of IBM 209
Chapter 12: Managing Change, and Product and Service Risk 215
Change Management 215
Lifecycle 218
Change Initiative Risk Assessment 221
Roles and Responsibilities 223
Waterfall vs. Agile 223
Success Criteria 224
Products and Services Change Initiatives 225
U.S. Regulatory Guidance 227
Chapter 13: Managing Data Risk, AI, and Machine Learning 235
Data Risk Management Framework 237
Governance and Policies and Procedures 240
Risk Appetite and Key Risk Indicators 241
Loss Data 242
Risk and Control Assessments and Maturity Assessment 243
Scenario Analysis 244
Monitoring and Reporting 246
Cultural Awareness 246
AI and Machine Learning 246
Data Is Foundational to AI and Machine Learning 248
AI-Specific Operational Risks 249
Using AI to Manage Risk 250
Interview with Industry Veteran on Data and Machine Learning: Jae Kang 252
Chapter 14: Managing Cyber Risk 257
A Tale of Two Attacks 258
Cyber Frameworks 259
Aligning NIST to an Operational Risk Framework 267
Strong Cyber Practices 270
Interview with Industry Veteran: Alicja Cade 271
United Healthcare Case Study Courtesy of IBM 276
Chapter 15: Managing Third-Party Risk 281
Third-Party Risk Management Framework 282
Planning (Including Governance) 283
Due Diligence and Third-Party Selection 286
Contract Negotiation 288
Ongoing Monitoring 289
Termination 290
Interview with Industry Veteran: Jeannie Pumphrey 293
Chapter 16: Managing Fraud 297
Managing Internal and External Fraud 298
Fraud Risk Management Frameworks 301
JPMorgan London Whale Case from O.R.X: An Example of Internal Fraud 308
Garda World Robbery Case Study from ORX. Example of an External Fraud 312
Chapter 17: Managing Business Resilience 317
Resilience Framework 319
Managing Climate Risk 326

Index 331
Details
Year of publication: 2026
Subject area: Communication studies
Genre: Imports, Media studies
Category: Sciences
Medium: Book
Contents: Hardcover binding
ISBN-13: 9781394421619
ISBN-10: 1394421613
Language: English
Binding: Hardbound
Author: Cagan, Penny
Manufacturer: John Wiley & Sons Inc
Responsible person for the EU: Libri GmbH, Europaallee 1, D-36244 Bad Hersfeld, gpsr@libri.de
Dimensions: 262 x 185 x 26 mm
By/With: Penny Cagan
Publication date: 21.04.2026
Weight: 0.798 kg
Item ID: 135189503
