Risk management

An Etsy example has been added to guide you on what is expected. Please note that the Etsy example is a simplified outline highlighting the main points; students are expected to provide additional explanation of the objectives, risks and controls and of their assumptions (e.g. how they selected the Basel categories). You can use bullet points, attach flow charts, grids, or text (as seen in the example below).

Select a firm currently in business. Explain 1 to 3 primary business objectives (e.g. something the firm does well in order to be competitive). For each objective, using the Basel categories, identify and briefly explain the applicable risks to that objective (1 to 3 risks). For each risk, describe the controls (1 to 3 examples) that you would put in place to address it.

Sample example:
Etsy provides a “global marketplace for unique and creative goods” (see reference below). The primary business objectives include (Obj1) matching buyers and sellers along with (Obj2) creating a superior search tool. Operational risks to the processes for matching buyers and sellers (Obj1) are (R1) compromised user data (External Fraud) and (R2) incomplete transactions when goods and funds are not exchanged as expected (EDPM). For the search tool (Obj2), the risks are (R3) developers skewing the results due to undisclosed incentives (Internal Fraud) and (R4) system outages (BDSF). To address the risk of user data being inadvertently disclosed (R1), the main controls would be to use end-to-end encryption in managing the customer data (C1) and surveillance of any attempts to access sensitive user information (C2). For instances when customers have issues with buying or selling on the Etsy platform (R2), the complaints would be assigned a severity and handled by senior sales managers (C3), while monthly metrics that breach tolerance levels would be presented to the Board by the sales managers (C4). To ensure developers are following requirements (R3), independent test teams can check the search results against modeled results and sign off on any major deviations before code is released to production systems (C5). System outages (R4) must be logged, and those with severity or duration above the thresholds set by senior tech managers would be added to an established Stability program for real-time monitoring (C6).

Key to the labels used above:
- Obj1, Obj2, … = Objective
- R1, R2, R3, … = Risk
- C1, C2, C3, … = Control

General Reference: Etsy Investor Relations site. https://investors.etsy.com/home/default.aspx

Meaning of the Basel II category abbreviations used above (BDSF: Business Disruption and System Failures; EDPM: Execution, Delivery and Process Management):
LO 41.1: Describe the seven Basel II event risk categories and identify examples of each.
https://kenpyfin.com/blog/2018/11/03/lo-41-1-describe-the-seven-basel-ii-event-risk-categories-and-identify-examples-of/
