Certified Operational Risk Executive II

Certified Operational Risk Executive II

This course follows on from CORE I. Delegates must either have successfully completed CORE I or be able to demonstrate at least two years' experience in Operational Risk Management before being able to register to attend. The course is spread over four days and, like CORE I, is a mix of presentations and case study work, with a formal examination at the end; in this case the examination takes up the whole of the final day.

Delegates will be provided with a detailed case study for an international bank, this will form the basis for the practical exercises on the course.

Delegates will learn about the need to decide how their organization is to be divided so as to ensure full risk coverage; what Entities do we need, functional, product or process – perhaps a mixture of all three!

Delegates, in groups, will interview members of the Board to obtain more detail about the bank and the directors' view of the risks that confront it.

Next we will discuss the concept of Corporate Risks; are they simply risks that are common across all areas of the organization or are they something different. Corporate Risks often need to be linked to individual Entities within the organization; this aspect will be fully covered here, as will the concept of Strategic Risk.

Delegates will discuss the concept of probability and how to decide on the frequency to apply; how many levels should there be? Also the various Risk Parameters that need to be considered at the Corporate Level will be discussed.

Finally, the subject of Risk Appetite will be discussed; should this be established at the corporate level or by entity, if it is to be by entity what if the entity is not a function? The "ownership" of the appetite will be discussed

Using the data gathered from their interviews, plus data in the case study, the delegate groups will have to determine:

  • The Asset Types to be used in their Risk Profiling;
  • The probability criteria to be used;
  • The Strategic Risks;
  • The corporate risks.

As part of the overall discussion the concepts of Emerging Risks and Composite Risks are covered; delegates will get a chance to define one of the latter.

Overnight, the presenters will debrief the delegate group's work and at the start of the day will provide feedback in general terms. A model answer will be provided.

Since delegates will be expected to understand the necessary liaison between Risk Management and Internal Audit, there will be a discussion about the Environment Ratings to be used by Internal Auditors, such as Complexity, Throughput etc., if they are using Risk Based Audit Planning techniques. What are these and how are they determined and updated?

Impact sizes will be discussed as will the need to decide whether to fix these by entity or for the organization as a whole.

Next delegates will discuss Key Risk Indicators. What they are and what they are not. What do we do with them? The linkage to risks will be discussed, as will the merits of internal and external indicators.

Using the case study material and their interview notes from Day 1, delegates will:

  • Decide upon the risk parameters to apply across the organization;
  • Decide upon the Impact sizes to apply to the entities in the case study model answer from Day 1;
  • Decide upon the Appetite for Risk and the Control Gap % to be applied to each entity;
  • Determine the control environment for the Corporate Risks.

The presenters will debrief the delegate group's work and will provide feedback in general terms. A model answer will be provided

The delegates will participate in a discussion about event capture and modelling of incident data. This will be an interactive session dealing with the practical issues raised by the need for capital adequacy modelling under BASLE II and so participants will be expected to have an understanding of these requirements. Delegates will be expected to summarize the AMA; discussions will be held around:

  • Analysing previous loss data;
  • "Tail" events;
  • Changes in the control environment both retrospective and prospective;
  • Modelling all losses or just "Basle" losses.

We will discuss the importance of event capture in modelling; do we model Gross or Net? We will look at the need to reconcile between Finance and Risk Management – how do Finance capture these events?

This will lead naturally into a discussion of how actual incident data should be used to refine previously developed Risk Models. Delegates will be given some actual incident data along with the Risk Profile to which it relates and will need to determine what changes, if any, to make to the model.

Next delegates will discuss the necessary components of a Risk Management Policy; this will include decisions on the parameters to be used by the organization, the type and frequency of reporting to be used and the Risk Committee and its link to the Audit Committee.

Using the Case Study materials and the notes taken so far, delegates will write the Risk Management Policy for the Group.

The model answer for this assignment will constitute a template for an Operational Risk Policy document.

Prior to the examination there will be a half-hour recap session, run on a question and answer basis, with delegates being able to put questions to the presenters.


This will take up most of the day and will be in three parts:

  1. Delegates will answer a 20 question test paper, the questions being multiple choice;
  2. Delegates will prepare a report to the Board on the current control environment across the Group;
  3. Using all of the materials accumulated so far, delegates are required to produce an Operational Risk Management Policy document for the HK & C Group. The document is not to exceed eight pages, with a two-page appendix if desired. Marks will be deducted for any document exceeding these ten pages.