Welcome to Operational Risk (ERMTP-Foundational)

Citi’s Enterprise Risk Management Training Program

The Enterprise Risk Management Training Program covers: Risk and Controls Policy Knowledge; Common Risk and Controls Skills; Specialized Risk and Control Skills.

Why This?

This course is part of Citi's Enterprise Risk Management Training Program (ERMTP), a series of courses which will build your understanding of your risk and control responsibilities.

Why Now?

The Enterprise Risk Management Framework (ERMF) is Citi’s standard for managing risk. As part of the ERMF’s supporting capabilities, we are committed to equipping all Citi staff with knowledge and training to carry out day-to-day risk and control responsibilities.

Why Us?

Managing risk is everyone’s job at Citi. We are all risk managers. Risk is inherent to Citi’s business and cannot be avoided. Everyone must be vigilant and manage risk with consistency and accountability, including compliance with applicable laws and regulations.

What’s the Win?

Awareness and consistent understanding of risk and controls policy knowledge, roles, and responsibilities across all lines of defense.

Introduction to the ERMF


The ERMF establishes an overarching, integrated, and consistent approach to risk management firm-wide.

This training will specifically focus on Operational Risk within Pillar 3 (Risk Management) of the ERMF.

The four pillars of Citi’s ERM Framework:

  • Pillar 1: Culture includes Values, Behaviors and Leadership Principles, and Performance Management.
  • Pillar 2: Governance includes Board and Management, Board Oversight, Delegation, Executive Management, Committees and Escalation, Lines of Defense, and Policies, Standards and Procedures.
  • Pillar 3: Risk Management covers the Risk Management Lifecycle (Identify, Measure, Monitor, Control, Report), Financial Risks (Credit, Market (Trading), Market (Non-Trading), Liquidity), and Non-Financial Risks (Operational, Compliance, Strategic, Reputation).
  • Pillar 4: Enterprise Programs covers Enterprise Risk Identification, Risk Appetite and Limits, Stress Testing, Strategic Planning, and New Activities Approval.
  • Supporting Capabilities are: Talent, Performance Management and Compensation; Communication and Training; Technology and Data; and Models and Analytics.

Course Learning Objectives

After completing this course, you will be able to:

  • Define Operational Risk
  • Recognize what Operational Risk means to all Citi staff and their responsibility for mitigating it

Completion Criteria

This course contains a final assessment. You must score 80% or higher on the assessment to receive credit for this training.

This course also includes an optional test-out. If you pass, you can bypass the course content and final assessment and receive credit for completion.

If you prefer, you can skip the test-out and go straight to the content.

Understanding Operational Risk

What is Operational Risk?

In this first scenario, two bank colleagues are standing in line at the cafeteria having an impromptu conversation about Operational Risk. Mary is a non-Risk employee while John is an Operational Risk Manager.

 

Getting to Know Operational Risk

Mary: “Hi, I’m Mary. What department are you in?”
John: “Hi, Mary, I’m John and I'm in Operational Risk Management.”
Mary: “What is Operational Risk? In my mind isn’t it the same as risk?”
John: “I’d be happy to explain it to you.”

 

What is Operational Risk?

John: “To summarize, risk is the possibility of losing something of value and Operational Risk specifically is the risk of loss due to inadequate or failed internal processes, people, systems or from external events.”

 

Examples of Operational Risk

John: “Examples of Operational Risk are system breakdown, theft, data loss, human errors, etc.”

 

Examples of Impact

John: “Examples of Impact are monetary, reputation, availability of data and systems, etc.”

 
 

Operational Risk at Citi

The following is the definition of Operational Risk found in the Operational Risk Management Policy:

The risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition of operational risk includes legal risk - which is the risk of loss (including litigation costs, settlements, and regulatory fines) resulting from the failure of Citi to comply with laws, regulations, prudent ethical standards, and contractual obligations in any aspect of Citi's business - but excludes strategic and reputation risks.

We also recognize the impact of Operational Risk on the reputation risk associated with Citi’s business activities.

The Operational Risk Management Framework and Operational Risk Management Policy include more details to help you better understand how we ensure effective management at Citi.

Operational Risk Categories

There are eleven sub-types of operational risk: fraud, processing, data, cyber, technology, third party, business disruption & safety, human capital, regulatory & management reporting, financial statement reporting and model risk.

Each of these is defined in full in Citi’s Risk Taxonomy.

Some examples of these risks:

Cyber Risk

Cyber Risk relates to the potential for unauthorized access, use, disclosure, modification, or destruction of information and/or disruption of information systems.

Data Risk

Data Risk relates to the inappropriate retention, disposal, use or quality of data, or breaches of data privacy.

Fraud Risk

Fraud Risk relates to dishonest use or intentional misappropriation of assets, resources, services or benefits for personal gain or to cause loss.

Business Disruption and Safety Risk

Business Disruption and Safety Risk relates to physical harm to, or unavailability of, Citi premises, supporting utilities, physical assets, and/or people.

Think about it…

What are the types of operational risks you recognize in your job and what is the potential impact they could have?

Types of Operational Risk:

  • system breakdown, theft, data loss, processing errors, technology failures, and so much more

Types of Impact:

  • monetary, reputational damage, client impact, and so much more

For any questions you may have regarding Operational Risk, reach out to either your In-Business Senior Operational Risk Manager (In-Business SORM) or your L1 Risk Category Lead (L1 RCL).

The Register of In-Business SORMs and Independent SORMs and the Register of L1 RCLs and L1 RCSMEs list the appointed individuals for both roles.

Coming Next

Now that you've learned about the different types of Operational Risk, next we'll look at lessons learned from past experiences and then lessons learned from the industry. We'll start with what's been learned from past experience.

Learn from Past Experience

Lessons Learned from the Past

The following scenario is an example of Cyber Risk and Fraud & Theft Risk. Here, Abdullah and Lee are in a conference room discussing an upcoming control enhancement project.

Abdullah is Lee’s manager and has worked in cybersecurity for 10 years. Lee recently joined the group.

 

Abdullah and Lee Meet

Abdullah: “We have a project coming up to strengthen our controls against potential cyberattacks. This will reduce risk exposure from cyberattacks and protect Citi from financial losses. Can you think of a time a cyberattack caused a big financial loss?”
Lee: “Not off the top of my head.”

 

Abdullah Shares an Experience from the Past

Abdullah: “Let me tell you about a cyber-attack that happened to us. This will help you further understand the importance of our upcoming project.”
Lee: “Sounds good.”

 

Abdullah Warns of Cyberattack

Abdullah: “A few years ago, cyber criminals targeted our online acquisition portal which millions of new clients use to apply for various credit card products we offer.

There was an error in validating customers’ identities in one of our systems which allowed the opening of fraudulent accounts. Our fraud prevention and detection tools were not robust enough to prevent or detect this.”

 

Abdullah Explains What Happened

Abdullah: “Cyber criminals saw this as an opportunity which resulted in a spike of fraudulent applications. This resulted in millions of dollars of losses.”

 

Abdullah Tells of a Second Attempt

Lee: “I bet they wanted to target us again.”
Abdullah: “You’re right and they did. They then used automated “bots” to target us again. However, we had further strengthened our fraud prevention and detection controls, so they were unsuccessful.”

 

Lee Discovers the Lesson Learned from the Past

Lee: “That’s great! So, our project is to proactively implement additional automated controls?”
Abdullah: “Yes. Let’s begin.”

 
 

Think about it…

Think back to a time something went wrong that impacted how you operate in your daily role.

What did you learn from the event and what adjustments did you make to minimize the chance of it happening again?

Coming Next

Now that we’ve examined lessons learned from past experiences, let’s next look at lessons learned from the industry.

Learn from the Industry

In this section, we’ll examine how we learn from the industry in recognizing Operational Risk, and about our own obligation to report it.

Recognizing the Cues

In this scenario, Molly, who works in the Operations Department at a bank, turns on the news and hears about a data breach caused by a third-party vendor who did not have strong enough controls.

The next day, Molly evaluates the processes at her organization and believes there may be a problem with their third-party vendor.

What Should Molly Do?

Since Molly believes there may be a problem with their third-party vendor, what should she do next?

Obligation to Report Risk

After reading Citi’s Escalation Policy, she realized she has an obligation to report it even though she doesn’t have all of the information she thinks might be needed.

During a team meeting that week, Molly shares her concerns, and her manager advises she will look into it. Her manager reviews further and determines that Molly might be right. The matter is escalated to the third-party risk management team for further review. A month later, recommended improvements are presented to the Third-Party Committee.

As a result, controls were proactively put in place to minimize future control breakdowns.

Think about it…

Take a moment to reflect on your responsibility for managing risk at the firm:

When you notice something in the news and you think it could also happen at Citi, it is your responsibility to be a risk manager – identify and escalate.

Coming Next

Next, we’ll look at an example of Fraud & Theft Risk and implementation of effective controls.

Implement Effective Controls

In this section, we’ll review an example of Fraud & Theft Risk and the importance of effective controls.

The Importance of Effective Controls

In this scenario, two colleagues, Imogen and Girish, decide to grab lunch together. Imogen is a branch employee, and Girish works in Marketing. Over lunch, Girish asks Imogen if she heard about the ATM story that’s been spreading across social media.

 

Girish: “Did you hear about an ATM software update that resulted in exposing an entire ATM network?”
Imogen: “No, what happened?”

 

Girish: “The ATMs stopped checking for PIN errors or available funds. This allowed customers to withdraw more money than they had in their account. Also, criminals were able to withdraw money from customers’ accounts without needing to know their PINs.”
Imogen: “How did that happen?”

 

Girish: “The bank was upgrading software on ATMs, and an error passed through testing. The news of the glitch quickly spread across social media.”

 
Imogen: “Didn’t someone at the bank know it was happening from all of the social media attention?”
Girish: “At the time, no. The bank wasn’t checking social media for real time events.”
Imogen: “So… what did they do?”

 

Girish: “The bank did a complete review of what went wrong to determine how to prevent it from happening again.

They put additional controls in place during testing and started monitoring social media for real time events.

So you see Imogen, something that may seem like a simple upgrade can potentially have a significant impact.”

 
 

Think about it…

Can you think of a time when there was a breakdown in something you do in your role?

Was the breakdown caused by people, processes, technology, or all of the above?

Coming Next

In the next Processing Risk scenario, we’ll look at how we can learn from near-misses.

Learn from Near-Misses

Processing Risk Scenario

Jayden is in accounting. One of his job responsibilities is to wire money to clients.

Jayden receives a request from a client to transfer a large amount of funds.

Jayden goes through his normal process of preparing to wire the funds to the customer’s bank. He sends the funds and goes home for the night. The next day, Jayden comes into the office and is immediately brought into the office of his manager, Nancy.

 

Jayden Meets with His Manager

Nancy: “Hi, Jayden.”
Jayden: “Hi, Nancy.”
Nancy: “Are you available to go over a wire transfer that was performed last night?”

 

Nancy Explains the Issue

Nancy explains to Jayden that the wire transfer was sent in the wrong currency and was significantly higher than the amount that was supposed to be wired. Jayden is extremely shocked.

 

Nancy Explains the Near-Miss Event

Jayden: “What happened?”
Nancy: “It appears that there was a manual error in the currency field when setting up the account – something that was missed during the maker / checker process. The amount was recovered in full within hours, and the corrected amount was sent to the customer. This is called a Near-Miss event.”

 

Lesson Learned from a Near-Miss

Jayden: “It looks like we need to assess what is needed to enhance our controls.”

 
 

Think about it…

Take a moment to reflect on a near-miss event that has happened to you.

Was it due to a lack of controls or automated checks? How was it remediated?

Coming Next

Finally, we’ll review the importance of knowing your requirements.

Know Your Requirements

In this section, we’ll examine the importance of model validation and review the Model Lifecycle.

Model and Artificial Intelligence (AI) Object Review

Erik is new to the bank and is the head of a department. One of his duties is to review his team’s model and AI object inventory, together with any methods, systems and/or approaches (including key business processes, EUCs/ITeSSes, CSIs, RPAs, Vendors, MIS reports, decision criteria, targeting criteria, strategies, forecasts, projections, etc.) that meet the definition of a Model and AI Non-Model object, to ensure that all models and AI objects being used have been submitted to and validated by Model Risk Management (MRM).

In the following hypothetical scenario, Erik meets with Jane, the Model Officer who coordinates the Semi-annual Model and AI Non-Model Object Inventory Attestation for his business.

 

The Meeting

Erik: “Hi, I’m Erik.”
Jane: “Nice to meet you, Erik. I’m Jane.”
Erik: “Nice to meet you too Jane.”
Jane: “Let’s get started. The purpose of the meeting is to review the list of registered models and AI Objects your team uses.”
Erik: “Sounds good.”

 

Review of Registered Models and AI Objects

As Jane goes through the registered models and AI objects, one model in particular piques Erik’s interest. It sounds similar to another model his team is currently using that doesn’t appear to be on the list.

 

Erik’s Model is Not on The List

Erik: “I noticed one model my team uses doesn’t appear to be on the list. Can you please help guide me through the process so we can get it registered?”

 

The Model and AI Object Identification Process

Jane: “Of course. Using a model or an AI object that isn’t validated goes against our policy. Our team will first perform a full review to determine if it isn’t submitted to and validated by MRM as well as confirm that there aren’t any other instances. After the review, if found that these aren’t submitted to and validated by MRM, we will provide next steps to submit this to Model Risk Management.”
Erik: “Okay. Thank you.”

 
 

Think about it…

Take a moment to reflect. Do you use Models in your role? If so, do you know how to make sure your model is validated?

To learn more about Citi’s Model Risk Framework, refer to the Model Risk Management intranet site.

Coming Next

Up next, there’s a summary of key takeaways from this training.

Key Takeaways

Recap of What You Learned

We are all risk managers and are responsible for reducing Operational Risks.

To do this, we need to:

  • Take ownership to escalate when we see something that is a concern.
  • Continue to learn about the controls and tools in place to identify, measure, monitor, and mitigate risks and how we can enhance these to reduce losses.

The outcome? Citi will be better protected against Operational Risks.

Coming Next

Now it’s time to check your understanding of the content by completing a short assessment.

What is Operational Risk?

What is NOT an operational risk category?

What can YOU do to help manage Operational Risk?

Who has a role to play in managing Operational Risk at Citi?

What is a potential consequence of not effectively managing Operational Risks?
