Chapter 12 Quiz

Operational Risk and Technology Risk Management

16 questions. Answers follow.


1. The Basel Committee on Banking Supervision defines operational risk as the risk of loss resulting from:

A) Changes in market prices, interest rates, and exchange rates
B) The default of borrowers and counterparties
C) Inadequate or failed internal processes, people, and systems, or from external events
D) Strategic errors by senior management and reputational damage


2. Which of the following is explicitly EXCLUDED from the Basel definition of operational risk?

A) Technology system failures
B) External fraud
C) Strategic risk and reputational risk
D) Employment practices and workplace safety


3. The Basel IV / Standardized Measurement Approach (SMA) for operational risk capital differs from the Advanced Measurement Approach (AMA) primarily in that:

A) The SMA uses the institution's own historical loss data in combination with a standardized Business Indicator formula, reducing the scope for model-driven regulatory arbitrage
B) The SMA requires institutions to build complex internal models while AMA uses a simplified formula
C) The SMA applies only to large globally systemic banks while AMA applies to all institutions
D) The SMA does not require any capital for operational risk; it is purely a disclosure regime


4. DORA (the EU Digital Operational Resilience Act) requires financial institutions to report major ICT incidents within what initial timeframe?

A) 24 hours of the incident
B) 4 hours of classifying the incident as major
C) 10 business days
D) One month of the incident


5. The RCSA (Risk and Control Self-Assessment) process involves:

A) External auditors assessing the institution's risk controls without input from business units
B) Business units systematically identifying the operational risks in their processes, assessing inherent and residual risk, and documenting the controls that mitigate each risk
C) Central risk management calculating the operational risk capital charge for each business line
D) The board approving all risk decisions made by operational risk managers


6. The ORX (Operational Riskdata eXchange) serves what purpose in operational risk management?

A) It is the EU regulatory database for operational risk incidents filed by banks
B) It is an industry utility that provides external loss data, enabling institutions to assess low-frequency, high-severity risks that may not appear in their own historical data
C) It is the Basel Committee's official operational risk model validation service
D) It is a software platform for operational risk capital calculation


7. A Key Risk Indicator (KRI) is RED. This means:

A) The KRI is approaching its threshold but has not yet exceeded it
B) The KRI has exceeded its defined threshold, requiring immediate management action
C) The KRI cannot be calculated because data is unavailable
D) The KRI is at a normal level; red simply indicates the highest-priority business line


8. Under the US 2023 Interagency Guidance on Third-Party Relationships, a "critical" third-party arrangement is one where:

A) The third party charges more than $1 million annually for its services
B) The third party is based in a foreign jurisdiction with different legal requirements
C) Failure of the third party would materially impair the institution's ability to deliver important business services, meet regulatory obligations, or protect customer data
D) The third party has access to personally identifiable information of more than 10,000 customers


9. DORA's third-party pillar requires EU-regulated financial institutions to:

A) Use only EU-based cloud providers for all regulatory compliance functions
B) Maintain a register of ICT arrangements, ensure critical providers meet contractual requirements, and develop exit strategies for all critical providers
C) Eliminate all cloud-based services and repatriate data to on-premises infrastructure by 2025
D) Seek regulatory approval before entering any new third-party technology arrangement


10. SR 11-7 (Federal Reserve / OCC model risk guidance) requires that model validation be:

A) Conducted by the same team that built the model, to ensure accuracy
B) Conducted by an external auditor who is independent of the bank
C) Conducted by a party independent of the model development team: internal model risk teams, internal audit, or external validators
D) Conducted by the regulator during scheduled examinations


11. The Knight Capital collapse in 2012 is a canonical example of:

A) Market risk: losses from unfavorable price movements
B) Credit risk: counterparty defaults in derivatives contracts
C) Technology operational risk: a software deployment error activating a legacy trading algorithm that executed $440 million in unintended trades
D) Legal risk: a regulatory enforcement action resulting in financial penalties


12. Which of the following would be considered "Business Disruption and System Failures" under the Basel operational risk taxonomy?

A) An employee defrauding customers by creating unauthorized accounts
B) A trading system outage lasting four hours during peak market hours
C) A natural disaster destroying a branch location
D) A regulatory penalty for misselling of insurance products


13. The UK's CBEST framework is relevant to operational/technology risk because:

A) It provides capital relief for banks with strong cybersecurity programs
B) It is the Bank of England's threat intelligence-led ethical red team testing program, subjecting major UK financial institutions to rigorous adversarial cybersecurity testing
C) It is the UK equivalent of DORA's ICT risk management requirements
D) It is the FCA's supervisory approach to reviewing operational resilience documentation


14. A financial institution's ML-based transaction monitoring model was deployed in 2022 and has not been formally validated since deployment. Under SR 11-7 equivalent principles, this represents:

A) Acceptable practice: ML models are validated at deployment and do not require ongoing validation
B) A model risk governance gap: all material models require periodic validation by an independent party
C) A legal violation: US law requires quarterly validation of all risk models
D) An acceptable approach if the model was built by a reputable external vendor


15. Priya's technology risk assessment found that four of eight critical vendors had not been subject to security assessments. Under DORA's third-party requirements, what specific control was the institution missing?

A) The institution was required to cease relationships with unassessed vendors immediately
B) Ongoing monitoring of critical ICT third-party providers, including security assessments and review of SOC reports, is a mandatory component of DORA's third-party risk pillar
C) DORA only requires security assessments for cloud service providers, not other technology vendors
D) Security assessments are a UK/US requirement but not required under EU DORA


16. Cloud concentration risk, highlighted in UK FCA/PRA operational resilience guidance, refers to:

A) The risk that a single cloud region experiences data storage concentration exceeding regulatory limits
B) The risk that multiple financial institutions rely on the same cloud provider, meaning a failure at that provider would simultaneously impair many institutions
C) The risk that confidential customer data is concentrated in a foreign cloud jurisdiction without adequate data residency controls
D) The risk that the institution has concentrated too many applications on a single cloud platform, increasing vendor lock-in


Answer Key

Q A Explanation
1 C Basel definition: failed/inadequate processes, people, systems, or external events. Market movements = market risk; default = credit risk; strategic decisions = excluded.
2 C Strategic risk and reputational risk are explicitly excluded from the Basel operational risk definition.
3 A SMA: a standardized Business Indicator Component scaled by an Internal Loss Multiplier derived from the bank's own historical losses. Far less scope for model-driven capital optimization than AMA, whose internal models were criticized for excessive variability and poor comparability across banks.
4 B DORA: initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it); intermediate report within 72 hours of the initial notification; final report within one month of the intermediate report.
5 B RCSA: business units self-assess risks, inherent and residual risk levels, and control effectiveness. Not an external audit; not capital calculation.
6 B ORX: industry loss data exchange utility providing external loss data for low-frequency, high-severity event assessment. Not a regulatory database; not a capital model.
7 B RED KRI: threshold exceeded, management action required. AMBER: approaching threshold. RED = action signal, not priority classification.
8 C Critical third-party: failure would materially impair important business service delivery, regulatory compliance, or customer data protection. Not fee-based or location-based.
9 B DORA TPP requirements: register of ICT arrangements, contractual provisions for critical providers, exit strategies. No EU-only provider requirement.
10 C SR 11-7: validation must be independent of development — internal model risk, internal audit, or external validators are all acceptable. Not the development team; not always external.
11 C Knight Capital: software deployment error (reactivating legacy code) caused 45 minutes of unintended trading — $440M loss. Technology operational risk, not market/credit/legal.
12 B Trading system outage = Business Disruption and System Failures (Basel event type 6). An employee defrauding customers = internal fraud (type 1). Natural disaster = damage to physical assets (type 5). Misselling penalty = clients, products and business practices (type 4).
13 B CBEST: threat intelligence-based ethical red team (penetration testing) for major UK financial institutions — adversarial cybersecurity testing program.
14 B SR 11-7 principle: all material models require periodic independent validation. A 2022 deployment without any subsequent validation is a model governance gap.
15 B DORA's ongoing monitoring requirement covers security assessments of critical ICT third parties — all vendors, not just cloud.
16 B Cloud concentration risk: if AWS/Azure/GCP fails, many institutions simultaneously lose critical systems. A systemic risk from shared infrastructure dependency.
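Added worked example (not part of the chapter) tying Q9 to Q16: DORA's register of ICT arrangements is the raw material from which both a firm and its supervisor can see concentration. The code below runs a concentration and exit-strategy check over a constructed, simplified register. The field names (institution, business_service, provider, critical, substitutable), the provider names and the institution names are all assumptions for illustration; DORA's real register template is considerably more detailed.

```python
"""Concentration and exit-strategy checks over a DORA-style ICT register.

Added example, not the chapter's code. The schema and the sample rows are
constructed for illustration and are not DORA's actual register template.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IctArrangement:
    institution: str       # regulated entity holding the arrangement (assumed name)
    business_service: str  # business service the ICT service supports
    provider: str          # ICT third-party provider (assumed name)
    critical: bool         # supports a critical or important function
    substitutable: bool    # a tested exit strategy / alternative provider exists


# Constructed sample register: three institutions, three providers.
REGISTER = [
    IctArrangement("BankA", "payments", "CloudOne", True, False),
    IctArrangement("BankA", "core-banking", "CloudOne", True, False),
    IctArrangement("BankA", "hr-payroll", "SaaSCo", False, True),
    IctArrangement("BankB", "payments", "CloudOne", True, True),
    IctArrangement("BankB", "trading", "CloudTwo", True, False),
    IctArrangement("BankC", "payments", "CloudOne", True, False),
    IctArrangement("BankC", "trading", "CloudTwo", True, True),
    IctArrangement("BankC", "kyc-screening", "SaaSCo", True, False),
]


def provider_concentration(register):
    """Sector view (Q16): per provider, which institutions and how many
    critical services would be hit simultaneously if that provider failed.

    Returns {provider: {"institutions": set[str], "critical_services": int}}.
    Non-critical arrangements are ignored; they do not drive resilience risk.
    """
    out = defaultdict(lambda: {"institutions": set(), "critical_services": 0})
    for a in register:
        if a.critical:
            out[a.provider]["institutions"].add(a.institution)
            out[a.provider]["critical_services"] += 1
    return dict(out)


def systemic_providers(register, min_institutions=2):
    """Providers whose outage would impair at least min_institutions at once,
    i.e. the shared-infrastructure dependency that makes cloud concentration
    a systemic rather than firm-level concern."""
    conc = provider_concentration(register)
    return sorted(p for p, v in conc.items()
                  if len(v["institutions"]) >= min_institutions)


def missing_exit_strategies(register):
    """Firm view (Q9): critical arrangements with no substitute provider.

    DORA expects an exit strategy for every critical provider, so each
    tuple here is a gap a third-party risk function would escalate.
    """
    return sorted((a.institution, a.business_service, a.provider)
                  for a in register if a.critical and not a.substitutable)


def top_provider_share(register, institution):
    """Firm-level concentration: the fraction of an institution's critical
    services that sit with its single most-used provider. Returns
    (provider, share); share == 1.0 means every critical service rides on
    one provider, which is the lock-in scenario in option D of Q16."""
    counts = Counter(a.provider for a in register
                     if a.institution == institution and a.critical)
    if not counts:
        return (None, 0.0)
    provider, n = max(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return (provider, n / sum(counts.values()))


if __name__ == "__main__":
    for provider, v in sorted(provider_concentration(REGISTER).items()):
        print(f"{provider}: {len(v['institutions'])} institutions, "
              f"{v['critical_services']} critical services")
    print("systemic providers:", systemic_providers(REGISTER))
    print("missing exit strategies:")
    for gap in missing_exit_strategies(REGISTER):
        print("  ", gap)
    for bank in ("BankA", "BankB", "BankC"):
        print(bank, "top-provider share:", top_provider_share(REGISTER, bank))
```

Run it as a script to print the sector and firm views side by side. The same register row feeds both questions: a row that is critical and not substitutable is a firm-level exit-strategy gap under Q9, and the count of distinct institutions behind one provider is the sector-level concentration of Q16. In practice the register would be exported from the institution's third-party inventory rather than typed in, and the threshold in systemic_providers would be set by the supervisor, not the firm.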