Chapter 12 Exercises
Operational Risk and Technology Risk Management
Exercise 12.1: Risk Category Classification
Difficulty: Introductory
For each of the following operational risk events, identify the appropriate Basel operational risk category and briefly explain your classification.
a) A bank employee submits false expense claims totalling £45,000 over 18 months
b) A ransomware attack encrypts the bank's loan origination system, forcing manual processing for 3 days
c) A wire transfer processing error sends funds to the wrong beneficiary; £280,000 cannot be recovered
d) A customer complaint investigation reveals that the bank's relationship managers systematically recommended unsuitable investment products to elderly customers
e) An earthquake destroys a regional branch location, including customer records and equipment
f) A third-party contractor working on the bank's premises commits fraud against a customer
g) The bank is fined by the FCA for late submission of regulatory returns, a failure attributable to a data system error
Exercise 12.2: RCSA Design
Difficulty: Intermediate
You are designing an RCSA for the AML transaction monitoring function at a mid-size bank. The function involves: receiving transaction data daily, running scenarios against the data, generating alerts, assigning alerts to analysts, and documenting alert dispositions.
a) Identify at least six distinct operational risks in this process.
b) For each risk, specify:
- Inherent risk level (Low/Medium/High) and the basis for that assessment
- At least two controls that should mitigate the risk
- Residual risk level (after controls)
c) Select what you consider the three highest residual risks and design a KRI for each — specifying the metric, measurement frequency, amber threshold, and red threshold.
Exercise 12.3: KRI Threshold Design
Difficulty: Intermediate
The following KRIs are in use at a UK bank's compliance function. For each, evaluate whether the current threshold is appropriately calibrated, and suggest improvements where needed.
| KRI | Current Amber | Current Red | Observed Average | Context |
|---|---|---|---|---|
| SAR filing deadline breaches (%) | 5% | 10% | 0.8% | Regulatory risk |
| Transaction monitoring alert backlog (days) | 30 days | 60 days | 18 days | AML effectiveness |
| Analyst error rate (QA flagged) | 8% | 15% | 3.2% | Quality control |
| IT incidents affecting compliance systems | 5 per month | 10 per month | 2.1 per month | System stability |
| Third-party SLA breaches | 3 per quarter | 7 per quarter | 1.1 per quarter | Vendor risk |
a) Are the current amber/red thresholds appropriate given the monthly averages? Specifically: are there indicators where thresholds may be set too high (allowing significant deterioration before amber is triggered)?
b) For SAR filing deadline breaches specifically: the regulatory risk of a late SAR filing is severe, and the observed average is 0.8%. Is an amber threshold of 5% appropriate, or should it be set lower so that deterioration is flagged earlier? Justify your answer.
c) Design two new KRIs for the compliance function that are not currently captured in the table above.
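The calibration question in Exercise 12.3 can be made mechanical. The following Python is an added worked example, not part of the original exercise set: it encodes the five indicators from the table, classifies an observation as green/amber/red, measures how far above the observed average each amber threshold sits, and simulates steady deterioration to count how many reporting periods pass before amber is triggered. The 3x headroom cut-off and the 25% per-period growth rate are assumed review parameters chosen for illustration, not regulatory figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    """One key risk indicator with its RAG thresholds.

    All five indicators in the table deteriorate upward, so a higher
    observed value is always worse.
    """
    name: str
    amber: float
    red: float
    observed_average: float


def rag_status(kri: KRI, observed: float) -> str:
    """Classify a single observation against the amber/red thresholds."""
    if observed >= kri.red:
        return "red"
    if observed >= kri.amber:
        return "amber"
    return "green"


def amber_headroom(kri: KRI) -> float:
    """Multiple of the observed average the indicator must reach before it turns amber."""
    return kri.amber / kri.observed_average


def calibration_review(kris: list[KRI], max_headroom: float = 3.0) -> list[tuple[str, float]]:
    """Return (name, headroom) for indicators whose amber threshold sits more than
    max_headroom times above the observed average, i.e. indicators that would let
    the process deteriorate several-fold before anyone is alerted.

    The default 3x cut-off is an assumed review rule, not a regulatory figure.
    """
    return [(k.name, round(amber_headroom(k), 2)) for k in kris if amber_headroom(k) > max_headroom]


def periods_until_amber(kri: KRI, growth_per_period: float, max_periods: int = 120) -> int:
    """Simulate steady deterioration from the observed average and count how many
    reporting periods pass before the amber threshold is first breached.

    max_periods caps the loop so a zero growth rate cannot spin forever.
    """
    value, periods = kri.observed_average, 0
    while value < kri.amber and periods < max_periods:
        value *= 1.0 + growth_per_period
        periods += 1
    return periods


# The five indicators from the Exercise 12.3 table (values copied from the table).
COMPLIANCE_KRIS = [
    KRI("SAR filing deadline breaches (%)", 5.0, 10.0, 0.8),
    KRI("Transaction monitoring alert backlog (days)", 30.0, 60.0, 18.0),
    KRI("Analyst error rate (QA flagged) (%)", 8.0, 15.0, 3.2),
    KRI("IT incidents affecting compliance systems (per month)", 5.0, 10.0, 2.1),
    KRI("Third-party SLA breaches (per quarter)", 3.0, 7.0, 1.1),
]


if __name__ == "__main__":
    for name, headroom in calibration_review(COMPLIANCE_KRIS):
        print(f"{name}: amber sits at {headroom}x the observed average")
    for kri in COMPLIANCE_KRIS:
        n = periods_until_amber(kri, 0.25)
        print(f"{kri.name}: {n} periods of 25% growth before amber")
```

Run as a script, the review flags only the SAR indicator (amber at 6.25x the observed average), and the simulation shows it absorbing nine consecutive periods of 25% deterioration before turning amber, against three for the alert backlog. That gap between "typical" and "amber" is the quantity to argue about in part (b).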
Coding Exercise 12.4: Build an Operational Risk Event Database
Difficulty: Coding — Intermediate
Write a Python system for tracking operational risk events.
- Define an `OperationalRiskEvent` dataclass with the following fields:
  - `event_id: str`
  - `discovery_date: date`
  - `event_date: date`
  - `business_line: str`
  - `risk_category: str` (one of the 7 Basel categories)
  - `description: str`
  - `gross_loss: float`
  - `recovery: float`
  - `net_loss: float` (a computed property, `gross_loss - recovery`, not a stored field)
  - `status: str` (one of `'open'`, `'closed'`, `'remediated'`)
  - `root_cause: str`
- Write an `OperationalRiskDatabase` class that:
  - Stores a list of events
  - Provides `add_event(event) -> None`
  - Provides `summary_by_category() -> pd.DataFrame`: total and average net loss by risk category
  - Provides `summary_by_business_line() -> pd.DataFrame`: total and average net loss by business line
  - Provides `top_events(n: int = 10) -> pd.DataFrame`: the top N events by net loss
  - Provides `near_miss_events() -> list[OperationalRiskEvent]`: events with `gross_loss == 0` (near misses)
- Create synthetic test data with at least 25 events across at least 5 risk categories and 4 business lines.
- Generate a summary report using your class and interpret the results.
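As a reference point for checking your own design against, here is an added Python implementation of the event and database classes from Exercise 12.4. It is not the book's solution; it returns plain lists of dicts (each directly ingestible by `pd.DataFrame(rows)`) rather than pandas objects so that it runs without that dependency, and it validates records on construction so that a mistyped Basel category or a recovery larger than the gross loss cannot silently distort the summaries. The six events in `build_sample_database()` are constructed for illustration only, loosely modelled on the scenarios in Exercise 12.1; generating the 25-event dataset and interpreting the report remain the exercise.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# The seven Basel II level-1 operational risk event-type categories.
BASEL_CATEGORIES = frozenset({
    "Internal Fraud",
    "External Fraud",
    "Employment Practices and Workplace Safety",
    "Clients, Products and Business Practices",
    "Damage to Physical Assets",
    "Business Disruption and System Failures",
    "Execution, Delivery and Process Management",
})
STATUSES = frozenset({"open", "closed", "remediated"})


@dataclass
class OperationalRiskEvent:
    event_id: str
    discovery_date: date
    event_date: date
    business_line: str
    risk_category: str
    description: str
    gross_loss: float
    recovery: float
    status: str
    root_cause: str

    def __post_init__(self) -> None:
        # Reject records that would silently corrupt the loss summaries.
        if self.risk_category not in BASEL_CATEGORIES:
            raise ValueError(f"{self.event_id}: unknown Basel category {self.risk_category!r}")
        if self.status not in STATUSES:
            raise ValueError(f"{self.event_id}: unknown status {self.status!r}")
        if self.gross_loss < 0 or self.recovery < 0 or self.recovery > self.gross_loss:
            raise ValueError(f"{self.event_id}: recovery must lie between 0 and gross_loss")
        if self.discovery_date < self.event_date:
            raise ValueError(f"{self.event_id}: discovered before it occurred")

    @property
    def net_loss(self) -> float:
        return self.gross_loss - self.recovery

    @property
    def is_near_miss(self) -> bool:
        # No realised loss, but the control failure still carries information.
        return self.gross_loss == 0


class OperationalRiskDatabase:
    def __init__(self) -> None:
        self._events: dict[str, OperationalRiskEvent] = {}

    def add_event(self, event: OperationalRiskEvent) -> None:
        if event.event_id in self._events:
            raise ValueError(f"duplicate event_id {event.event_id}")
        self._events[event.event_id] = event

    def _summary(self, key) -> list[dict]:
        # One row per group, sorted by total net loss; pd.DataFrame(rows) gives the exercise's frame.
        buckets: dict[str, list[float]] = defaultdict(list)
        for e in self._events.values():
            buckets[key(e)].append(e.net_loss)
        rows = [{"group": g, "events": len(v), "total_net_loss": sum(v),
                 "average_net_loss": sum(v) / len(v)} for g, v in buckets.items()]
        return sorted(rows, key=lambda r: r["total_net_loss"], reverse=True)

    def summary_by_category(self) -> list[dict]:
        return self._summary(lambda e: e.risk_category)

    def summary_by_business_line(self) -> list[dict]:
        return self._summary(lambda e: e.business_line)

    def top_events(self, n: int = 10) -> list[OperationalRiskEvent]:
        return sorted(self._events.values(), key=lambda e: e.net_loss, reverse=True)[:n]

    def near_miss_events(self) -> list[OperationalRiskEvent]:
        return [e for e in self._events.values() if e.is_near_miss]


def build_sample_database() -> OperationalRiskDatabase:
    """Six constructed events (not real loss data) loosely modelled on Exercise 12.1."""
    db = OperationalRiskDatabase()
    rows = [
        ("OR-001", date(2024, 3, 4), date(2022, 9, 1), "Retail Banking", "Internal Fraud",
         "False expense claims over 18 months", 45_000.0, 12_000.0, "closed", "Weak expense approval"),
        ("OR-002", date(2024, 4, 2), date(2024, 4, 2), "Payments", "Execution, Delivery and Process Management",
         "Duplicate payment batch caught before release", 0.0, 0.0, "closed", "Manual rerun without batch lock"),
        ("OR-003", date(2024, 5, 9), date(2024, 5, 8), "Payments", "Execution, Delivery and Process Management",
         "Wire sent to wrong beneficiary, unrecoverable", 280_000.0, 0.0, "open", "No four-eyes check on beneficiary"),
        ("OR-004", date(2024, 6, 1), date(2023, 1, 15), "Wealth Management", "Clients, Products and Business Practices",
         "Unsuitable products sold to elderly customers", 150_000.0, 0.0, "remediated", "Sales incentive design"),
        ("OR-005", date(2024, 7, 20), date(2024, 7, 18), "Retail Banking", "External Fraud",
         "Card-not-present fraud cluster", 20_000.0, 5_000.0, "closed", "Weak 3DS enrolment"),
        ("OR-006", date(2024, 8, 11), date(2024, 8, 10), "Lending", "Business Disruption and System Failures",
         "Ransomware on loan origination; manual processing for 3 days", 60_000.0, 0.0, "open", "Unpatched file server"),
    ]
    for row in rows:
        db.add_event(OperationalRiskEvent(*row))
    return db
```

Calling `build_sample_database().summary_by_category()` returns Execution, Delivery and Process Management first (two events, £280,000 total, £140,000 average), and `near_miss_events()` returns only OR-002. Note the design choice of making `net_loss` a property rather than a stored field: a stored copy can drift from `gross_loss` and `recovery` when a recovery is booked later, and the summaries would then disagree with the event record.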
Exercise 12.5: Third-Party Risk Assessment
Difficulty: Applied
A bank is onboarding a new RegTech vendor, "ClearPath Analytics", that will provide an ML-based transaction monitoring system. ClearPath will process all of the bank's transaction data, generate alerts, and provide an analyst interface delivered as SaaS from the cloud (hosted on AWS).
a) Classify this vendor relationship: is it a "critical" third-party relationship under the 2023 US Interagency Guidance on Third-Party Relationships (a third party supporting a critical activity) and/or under DORA (an ICT provider supporting a critical or important function)? Justify your classification.
b) Design a pre-contract due diligence questionnaire for ClearPath Analytics. Your questionnaire should cover at least 5 distinct risk dimensions, with 2-3 specific questions per dimension.
c) Identify five mandatory contractual provisions that should be included in the contract with ClearPath. For each, explain why it is mandatory from a regulatory and risk perspective.
d) The bank's existing transaction monitoring system is provided by a different vendor. Design an exit strategy for the ClearPath relationship: what would the bank need to do if ClearPath became insolvent or was unable to continue service?
e) ClearPath uses AWS (Amazon Web Services) as its cloud infrastructure provider. How does this create cloud concentration risk for the bank? What mitigation measures could the bank require?
Research Exercise 12.6: DORA Implementation Reality
Difficulty: Research-required
DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025. Research the current state of DORA implementation.
a) Which ICT third-party providers have been designated as "critical ICT third-party providers" (CTPPs) under DORA's oversight framework? What does this designation mean for those providers, and for the financial entities that rely on them?
b) What has been the regulatory response to DORA in non-EU jurisdictions (UK, US, Singapore)? Are these jurisdictions developing equivalent frameworks?
c) What compliance challenges have financial institutions reported in implementing DORA's third-party risk requirements? (Look for industry association feedback, law firm publications, or regulatory speeches.)
d) Write a 350-word analysis of whether DORA represents a sufficient response to cloud concentration risk in the EU financial sector, or whether additional regulatory tools are needed.