So how does ORM help Citi manage Operational Risk? ORM’s core activities are aligned to the Risk Management Lifecycle governed by Enterprise Risk Management (ERM): Identify, Measure, Monitor, Control, Report. Some of these core activities will be covered later in this training.
Risk Taxonomy and Reference Data
A tiered classification system for the risks associated with Citi’s businesses.
Risk Identification
Process by which operational risks are identified and assessed for materiality.
Risk & Control Assessment (RCA)
Process to assess operational risks as well as the controls used to manage them.
Scenario Analysis
Involves constructing hypothetical scenarios or situations that analyze the impact to Citi in the event they would materialize.
Risk Appetite
The aggregate level and types of risk Citi is willing to take in order to achieve our strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.
New Activity
Framework for assessing whether the risks of a proposed new or modified activity have been identified and sufficiently addressed.
Independent Assurance
Governance and principles for ORM’s testing and monitoring of First Line of Defense (1LOD) risk processes, activities, and/or controls.
Control Framework
ORM sets requirements for the design and management of controls and owns the Control Taxonomy.
Issue Management & Lessons Learned
Issue Management: The process of identifying and addressing issues, from identification to closure.
Lessons Learned: The process of identifying and reporting the root cause and contributing factors of events, in order to strengthen controls and limit the recurrence of similar events.
Loss Events
Maintaining a centralized repository of operational risk events enables Citi to identify areas of monetary loss, as well as potential control inadequacies.
Management Reporting
Timely and accurate data helps risk managers make informed decisions.
Capital Measurement
Capital measurement (e.g. for Comprehensive Capital Analysis and Review (CCAR)), a critical responsibility for the bank, uses Operational Risk data to help us assess whether we have sufficient capital to withstand a severe economic shock.
Citi’s Group-wide Risk Taxonomy is a classification system for the risks associated with Citi’s businesses. The Risk Taxonomy creates a common risk language that can be used by all Lines of Defense to identify, assess, and monitor risk. It provides the foundation for risk management practices such as Risk Identification and Risk Appetite, both of which we’ll cover in this training.
The hierarchy of the Risk Taxonomy is structured logically, moving from high-level categories to more granular risks (L0 through L4). Level 0s are the primary risk categories, such as Operational Risk. These categories are further defined in the Enterprise Risk Management Framework (ERMF).
A tree with roots formed by the Risk Management Lifecycle: Identify, Measure, Monitor, Control, Report. The tree’s branches are the Level 0 Primary Risk Categories: Market Risk, Strategic Risk, Operational Risk, Credit Risk, Liquidity Risk, Reputation Risk, Compliance Risk.
We turn our focus now to the L1 Risks, which represent broad risk categories where risk quantity and quality can be assessed using Key Risk Indicators (KRIs), limits, and Internal Audit assessments.
Levels 2 through 4 break these categories into more granular risk segments; the full Risk Taxonomy, including descriptions of each level, is published on the Operational Risk Management website.
The same tree, with additional branches under Operational Risk representing its L1 Risks: Data Risk, Business Disruption and Safety Risk, Financial Statement Reporting Risk, Regulatory and Management Reporting Risk, Model Risk, Fraud and Theft Risk (excluding Technology), Human Capital Risk, Processing Risk, Third Party Risk, Cyber Risk (including Information Security), Technology Risk.
At Citi, we are all risk managers. Everyone has a role to play in identifying, measuring, controlling, and monitoring risks to protect our clients and the bank, and that is certainly true for Operational Risk.
To do that, all three lines of defense must work together in a constant feedback loop.
Why? Because we are better when we manage risk together.
The first line of defense (1LOD) consists of the businesses and functions responsible for implementing and maintaining effective controls to reduce the Operational Risks they are exposed to.
The second line of defense (2LOD) is responsible for overseeing the risk-taking activities of the first line, and challenging the first line in execution of their risk management responsibilities. The second line consists of Independent Risk Management (IRM) and Independent Compliance Risk Management (ICRM). ORM is part of IRM.
The third line of defense (3LOD), Internal Audit, provides senior management with independent opinions on the effectiveness of the ORM framework as a whole.
Risk identification is a crucial initial step in Operational Risk management, particularly for those risks that have the most material impact. Awareness and preparedness are essential elements in risk identification.
Risk identification brings awareness of potential risks. By systematically identifying and assessing risks, organizations become more knowledgeable about the threats they face. It helps us understand what could go wrong and how it may impact operations, employees, customers, finances, or our reputation.
Once risks are recognized, we can take appropriate measures to mitigate, avoid, accept, or transfer those risks. Identifying risks allows us to make informed decisions and helps us allocate our resources more wisely.
One key part of the risk measurement process is Scenario Analysis, which assesses the likelihood and loss impact of hypothetical Operational Risk events. The hypothetical scenarios are forward-looking, plausible, high-severity, and of low likelihood.
Some examples of scenarios analyzed include:
Citi’s large loss experience is sparse, and Scenario Analysis allows us to investigate what could happen without actually having to experience the loss event.
As an outcome of the program, we can identify previously unrecognized risks and exposures, and put plans in place to address these gaps and strengthen controls.
There are two key outputs gained from engaging in the Scenario Analysis process:
ORM oversees the Risk and Control Assessment (RCA), which is used to identify and evaluate Operational Risks and gauge the effectiveness of our organization’s controls in managing those risks. ORM establishes the minimum requirements to complete granular RCAs through risk and control identification and assessment, as well as risk management.
All relevant risks that, in the absence of controls, would prevent a business or function from meeting its objectives must be identified and assessed. Risk assessed on this basis, before any controls are considered, is categorized as Inherent Risk.
Inherent Risks must be assessed considering:
Once the Inherent Risk is identified and assessed, the key controls mitigating this risk must also be identified and assessed. The controls are evaluated to determine whether they are:
Residual Risk is the amount of risk remaining after the key controls have been applied to the Inherent Risk.
RCA doesn’t stop at assessing residual risk; the final step is to manage that residual risk so that it is reduced to an acceptable level.
Risk owners must determine the Corrective Action Plans (CAPs) to mitigate individual residual risks that are not in accordance with Citi’s Risk Appetite, or formalize a Risk Acceptance where the residual risk cannot feasibly be reduced any further.
Note: The RCA is an input into the Risk Appetite Assessment Process, but by itself it does not assess if a risk is within or outside of risk appetite – only the Risk Appetite Assessment can determine this.
Another key initiative for reporting risk and strengthening controls is the Lessons Learned program.
The Lessons Learned Policy establishes the framework and requirements for the timely identification, analysis, reporting and sharing of qualifying events. A qualifying event is an event that exceeds established criteria and thresholds as specified in the Lessons Learned Procedure.
Independent Risk Management and the Business can also identify other meaningful and/or significant events for Lessons Learned treatment that don’t meet minimum thresholds.
The goals of the program are:
Within the Lessons Learned process, Businesses must analyze significant internal and external adverse events when there is a reasonable potential for a similar event to (re-)occur in that Business. The Business must document, within a Lessons Learned Report, the analysis of the root cause, contributing and controlling factors, along with remediation plans to reduce the likelihood of a similar event from reoccurring.
Independent Risk Management’s role and responsibility is to:
Lastly, Lessons Learned Program Management shares the published Lessons Learned Reports with senior risk managers across the company to expand awareness of the events more broadly, and to have these reports reviewed by a larger audience for consideration of similar possible risk exposure within their respective business units.
Which of the following statements regarding Risk and Control Assessments (RCAs) are TRUE?
Which of the following statements are correct regarding the lines of defense?
Governance and principles for ORM’s testing and monitoring of the first line of defense (1LOD) processes, activities, and controls are provided through:
Governance and principles for ORM’s testing and monitoring of first line of defense (1LOD) risk processes, activities, and/or controls are provided through Independent Assurance.
The Operational Risk Appetite Statement defines acceptable levels of Operational Risk. Issue Management is the process of identifying and addressing issues through the entire Issue Management Lifecycle. The purpose of Management Reporting is to provide timely and accurate data to help risk managers make informed decisions.
What are the characteristics of hypothetical scenarios generated in the Scenario Analysis process?
Which of the following risk types are categorized at Level 0 (L0) in the risk taxonomy?
Inherent Risk is typically measured as a function of which two variables?
Which of the following are types of Operational Risk?