For many operational losses, especially in the oil-trading case, the root cause wasn’t missing controls but human workarounds. If people can always bypass a control when under pressure, should the risk manager view that as a Control failure or a Governance/Culture exposure? Where does an intentionally circumvented control sit? Governance?
Controls are what is on paper. Governance ensures they are effective. For example, part of the Controls is that their adequacy is regularly tested. Governance ensures it happens, and if it doesn't happen, what corrective actions are put in place. But the labels matter less than the actions. The labels make it neatly packaged.
This case shows how identifying intrinsic exposures is only the first step, the real value comes from mapping controls, testing their adequacy, and calculating residual risk against appetite. The process reinforces that governance, cross-team collaboration, and disciplined corrective actions are essential for preventing major oil-trading blowups before they occur.
For me, the biggest takeaway from Case 4.1 is how often organizations stop after listing exposures and controls, thinking the job is done.
But Part 2 makes it clear that unless we assess adequacy, calculate residual risk, and compare it to appetite, we don’t actually know if the risk is managed.
The step of designing CAPs for risks outside appetite felt especially important — that’s where Op Risk becomes real, not just theoretical.
This case clearly shows what disciplined operational-risk management looks like in a high-stakes business like oil trading. The CRO’s approach moves beyond simply identifying exposures—she pushes the team to map controls, evaluate their adequacy, and quantify residual risk using a structured scorecard. What matters is the linkage: exposures → controls → residual risk → risk appetite. This ensures decisions are grounded, comparable, and defensible. The requirement to design Corrective Action Plans for out-of-appetite items reinforces that risk management is not paperwork but active intervention. It’s a strong example of governance done right.
I find it interesting that identifying the exposures is actually the easy part. The harder part is proving whether the controls truly keep those exposures within appetite. In oil trading, controls can look complete on a matrix, but the real test is whether security, segregation, and monitoring still work when the business moves fast and the pressure is high.
in many cases, identifying the complete list of exposures, including what drives them and their assessment, is not done right. Citi Revlon, SVP CS and TD are such cases
For many operational losses, especially in the oil-trading case, the root cause wasn’t missing controls but human workarounds. If people can always bypass a control when under pressure, should the risk manager view that as a Control failure or a Governance/Culture exposure? Where does an intentionally circumvented control sit? Governance?
This case shows how identifying intrinsic exposures is only the first step, the real value comes from mapping controls, testing their adequacy, and calculating residual risk against appetite. The process reinforces that governance, cross-team collaboration, and disciplined corrective actions are essential for preventing major oil-trading blowups before they occur.
For me, the biggest takeaway from Case 4.1 is how often organizations stop after listing exposures and controls, thinking the job is done.
But Part 2 makes it clear that unless we assess adequacy, calculate residual risk, and compare it to appetite, we don’t actually know if the risk is managed.
The step of designing CAPs for risks outside appetite felt especially important — that’s where Op Risk becomes real, not just theoretical.
This case clearly shows what disciplined operational-risk management looks like in a high-stakes business like oil trading. The CRO’s approach moves beyond simply identifying exposures—she pushes the team to map controls, evaluate their adequacy, and quantify residual risk using a structured scorecard. What matters is the linkage: exposures → controls → residual risk → risk appetite. This ensures decisions are grounded, comparable, and defensible. The requirement to design Corrective Action Plans for out-of-appetite items reinforces that risk management is not paperwork but active intervention. It’s a strong example of governance done right.
I find it interesting that identifying the exposures is actually the easy part. The harder part is proving whether the controls truly keep those exposures within appetite. In oil trading, controls can look complete on a matrix, but the real test is whether security, segregation, and monitoring still work when the business moves fast and the pressure is high.