Course Programme

Course Agenda

Day one 


Registration and refreshments




Addressing emerging risks        

  • Tools and techniques for risk identification       

  • Categories of emerging risks         

  • Risk connectivity: network of risks

  • Horizon scanning and risk identification 

  • The role of AI in risk identification and interdependencies 

Class exercise: identify the network of your top risks and class feedback      


Morning break


Reliable risk assessment - root cause analysis 

  • Root cause analysis: tools and methods

  • Benefits of root cause analysis: tracking the common failures and systematic patterns

  • Treating causes over symptoms

  • Bow-tie: an effective tool to define KRIs

  • Risk assessment: evaluating probability and impact   

Class exercise: RCSA Workshop 




Implementing ORM: the invisible framework

  • Governance of operational risk

  • 1st line and 2nd line: the partnership model

  • Use and reuse: the invisible framework

  • Business value of ORM

Class exercise: build a business case for risk management


Afternoon break


Information security assessment and essentials of cyber protection

  • Cyber risk has been voted the top risk for the financial industry for three years in a row. This session explains how the same risk management framework can be applied to cyber risk and, more generally, to information security risk assessment. Based on real case studies, it presents a taxonomy for information security risk, the essentials of assessment and the key elements of mitigation of cyber and information risk.

  • Information security risk management framework

  • Typology of information security risk

  • Information assets inventory

  • Risk assessments

  • Control layering and key controls for information security risks

  • Scenarios and quantification


End of day one

Day two




Human error and control design

  • Slips and mistakes: typology and causes of human errors (J. Reason)

  • HRA: human reliability analysis and other methods

  • Understand and treat the causes of human error

  • Effective or illusory controls

  • Prevention by design

Class exercise: control testing and control assessment, sharing of experience  


Morning break


Risk reporting and conduct reporting

  • Modern issues on events and risk reporting: the regulator's view

  • Analysing operational risk data: get insight, tell a story

  • Management information: the "reporting cake"

  • Aggregate and escalate risk information: your options

  • Conduct reporting: themes and details

Class exercise: highlights of best practice, group discussion and sharing of experience 




Benchmarking your practices

  • Interactive maturity criteria for your ORM framework and use test, plus a priority list for starter firms

Resilience and reputation

  • Regulatory highlights on operational resilience, and the connections with an effective reputation risk management framework


Operational risk management for projects

  • It is only recently that project risk has been explicitly included in the operational risk management scope. Yet the coordination between the risk function and the project management teams is not always straightforward. Based on practical, successful experiences, this session will suggest a framework and policy rules to assess and address operational risk on corporate projects.

  • ORM policy for project management

  • Project rating criteria

  • Causes of project failure

  • Essentials of project risk management

  • Collaborations and benefits


Afternoon break


Implementing the desired risk culture: a method

  • Defining risk culture

  • Acting on behaviours: the influencer

  • Necessary conditions: willingness and ability

  • Risk culture: DESIRE steps: define - inspire - support - enable - reinforce - evaluate

  • Assessing the risk culture

Class exercise: plan your own culture change



  • What have you learnt?

  • What will you remember?

  • What will you apply?            


End of course