On that last example, they say the job is not done even if residual risk is inside appetite, and I agree. Being within limits does not mean you walk away. You still watch how often that residual loss hits and how tight the controls actually are. Now the question for me is how to split time, money, and resources between the stuff above appetite and the stuff below it. Do we clear all the above-appetite issues first and then come back to the lower ones, or do we keep a smaller stream of effort on the below-benchmark items while the main resources hit the high-priority ones?
You have highlighted an interesting finer resolution of the RA. The RA should have two components: individual losses and cumulative losses. In the example discussed in class, the RA was stated as: the total losses under a mild stress scenario over a one-year time frame should be less than EBT. This captures both individual and cumulative losses. If you are uncomfortable with losses within those bounds, then what you are really saying is that the RA is too high. You may have, in theory, thought you were comfortable with that RA level, but experiencing the losses has shown otherwise. The action is to lower your RA, and then other actions follow, since now your residual risk will be above your new…
What I found most interesting is how controls only matter to the extent that they actually change our residual risk, not just how good they look on paper. Once we separate “what we hope the controls do” from “what they really deliver,” it becomes clearer why some risks stay above appetite even after many controls are listed.
It also makes me think about how easily we can overestimate control impact when several controls overlap or depend on the same people or systems. A small weakness can cancel out multiple layers. So a big question for me is: how do we test controls in a way that reflects real conditions, not just design intent? Without that, it’s hard to judge whether to…
When I go back to review these notes, the clear takeaway is that controls tighten the loss distribution, so the max loss at our chosen confidence level becomes the residual risk. Then Risk Appetite becomes a decision test. If residual risk sits outside it, we either strengthen controls or scale back the activity, and the hardest part is scoring control strength.
It is interesting to note how for some exposures, we are still left with high residual risk remaining despite applying controls. And it requires agile problem solving until our residual risk fits the acceptable limits for our firm.
Reviewing these notes made me clearer about what's inside controls and how we can apply controls to mitigate the risks.