Operational Risk Management: Overview of Frameworks, Governance and Evolution

Jonathan Dix · 5/18/2015

for internal use only


Where are you from?

• 16% Asia Pacific: Bangladesh, Taiwan, Indonesia, Thailand, Philippines, Republic of Korea, Singapore, Sri Lanka
• 15% Americas: Canada, Curacao, El Salvador, Mexico, Nicaragua, Suriname
• 34% Africa/Middle East: Angola, Pakistan, UAE, Egypt, Palestine, Zambia, Ghana, Saudi Arabia, Israel, Sierra Leone, Jordan, Tanzania, Kuwait, Uganda
• 35% Europe: Cyprus, Norway, Switzerland, Czech Repub., Poland, Denmark, Russian Fed., Germany, Slovakia, Italy, Spain, Montenegro, Sweden


Your Role in the Institution (chart): responses split among Business Continuity, Business Area Risk Management, Corporate Risk Management, Other, and Auditor, with shares of 4.92%, 6.56%, 14.75%, 31.15%, and 42.62% (the pairing of each share to its role is not preserved in the extracted slide).


Operational Risk


Business Continuity


Investment Review


Project Management


Agenda

• Risk Management Culture
• Framework and Governance
• Evolution and Elements of Risk Reporting
• Continuous Improvement
• Summary: Key Success Factors


Building our Risk Management Culture

• 2005 to 2008: Strengthen the Bank’s operational risk management by adopting private sector best practice
  – Formed Operational Risk Committee.
  – Bank established risk event reporting, escalation process, and a risk assessment template.
  – Supported by an independent operational risk management function.

• 2009 to 2010: Focus on financial risk
  – Engaged external consulting firm with expertise in risk management.
  – Established Chief Risk Officer role and built out financial risk analysis and reporting.
  – Formed Risk Oversight Committee to consider difficult financial risk issues.
  – Advised to merge risk areas at a future time.

• 2011 to 2012: Emphasis on end-to-end process improvement
  – Established business process excellence program.
  – Provided new control policies to apply lessons learned in one area to all areas.
  – Focus included end-user developed tools (e.g., spreadsheets) and contingent workers.

• 2013 to 2014: Focus on integration
  – Established Risk Group under Chief Risk Officer with responsibility for operational and financial risk.
  – Developed risk grid to show residual risk exposure across risk management disciplines and Bank core functions.
  – Developed business process risk and control mapping framework to evaluate and establish controls at the activity level.
  – Transformed the Risk Oversight Committee (predominantly focused on financial risks) to be the Bank’s Risk Committee, inclusive of all risks.


Cultural Influences

• Internal Audit provided strong motivation
  – Management focused on new ways to strengthen the overall control environment, based on audit observations.
  – Insisted on business ownership of risk and controls.
  – Highlighted stronger risk management of end-to-end processes.
  – Inspired wider use of business process excellence and business risk and control mapping.
  – Introduced targets for past due audit findings and “effective” audit ratings.

• Board of Directors Audit and Risk Committee (ARC)
  – ARC Chairs during the financial crisis pushed for an integrated risk management structure under the Chief Risk Officer and an integrated view of risk.
  – The current ARC Chair guided us toward providing an integrated view of risk through a residual risk grid.

We don’t do this alone!


Framework & Governance


Framework – why it works…

• Quick and transparent escalation of risk events
  – Bank Risk Event Disclosure, Escalation and Reporting Policy
  – Local area risk event reporting policies
  – Analysis of risk events by risk advisors

• Standard classification of risk categories
  – ERM Risk Framework / Key Operational Risk Categories (Business Continuity, Business Process, External Environment, Human Resources, and Technology & Info. Mgmt.)

• Thoughtful, consistent evaluation and discussion within/across Groups
  – Risk Committee and other risk-focused assemblies: share risk events, discuss impact, plan for mitigation
  – Regular meetings between business areas and Internal Audit & Operational Risk

• Timely enterprise risk profile
  – Reporting expectations for business areas (data, metrics, information)
  – Central risk area reporting captures aggregate information


Governance

Governance structure (from the slide’s chart of the Formal Risk Governance Committees, the risk functions, the risk advisors and the business, each paired with its role):

• Board of Directors – Audit and Risk Committee (ARC) approves risk management approach
• Management Committee – Provides sponsorship, approvals, and oversight of risk management activities
• Risk Sub-committee – Supports the MC through the development of the enterprise risk framework.
• Internal Audit – Provides independent assessment of control environment
• Risk Forum – Collaborative session hosted by the CRO where key operational risk themes within the Bank are discussed.
• Risk Advisory Council – Working group focused on specific risk objectives.
• Risk Advisors – Support business areas in assessing controls, vulnerabilities, and implementing mitigation strategies.
• Business – Identify and take ownership of risks, assess controls, and make ultimate decision on mitigation based on cost/impact.
• Risk Functions (Operational, Financial, Compliance) – Perform risk management assessments of processes, aggregate and analyze Bank-view of risk, and present analysis to senior management and ARC.


Role of Central Operational Risk (COR)

• Facilitate and manage operational risk program
  – Develop comprehensive framework
  – Define standard language
  – Support and coordinate with business areas
  – Monitor and oversee risk and control issues
  – Lead Risk Forum and Risk Advisory Council

• Perform aggregate risk analysis
  – Business areas’ self assessments
  – Risk events
  – Audit and Risk Committee residual risk ratings (i.e. ARC grids)
  – Other assessment processes (e.g. business risk and control mapping)

• Develop integrated risk profile and action items for the Bank
  – Identify key risk themes and raise them for decision points
  – Present and monitor key risks and mitigating actions
  – Present profile through the various risk governance committees.


Role of Risk Advisors & Business

Risk Advisors
• Partner with COR and business
  – Assist in assessing residual risk
  – Assess shared risk and centralized controls
• Communication
  – Co-author operational risk profile
  – Provide status of ongoing risk mitigation initiatives
• Risk Event reviews
  – Analyze Bank-wide risk events
  – Opine on certain event attributes

Business
• Own and manage risk
  – Monitor risk issues, develop mitigating action plans
• Perform self assessments
  – Assess level of inherent risk within the business
  – Assess effectiveness of controls and determine residual risk level
• Report Risk Events
  – Perform root cause analysis, resolve issues, and communicate lessons learned.

Both Risk Advisors and Business: Participate on Risk Forum and Risk Advisory Council


Evolution & Elements of Risk Reporting


Evolution of Risk Reporting

• Original risk assessment information was very limited and prescriptive
  – Business area approached it like a checklist
  – Detailed list of risks with little commentary
  – Did not facilitate risk management discussions

• Current risk assessment information is more meaningful
  – Provides the opportunity for detailed commentary
  – Facilitates discussion with Functions and Groups

• Residual Risk Rating Grid
  – Introduces historic and future views of residual risk, in addition to the current rating
  – Facilitates discussions across all levels of the organization and risk governance

• Operational Risk Profile Report
  – Identifies key risk themes, trends, and mitigating action plans
  – Primary source is business area self-risk assessments & risk event information
  – Facilitates discussions with the risk governance committees


Elements of Risk Reporting (ARC)

• Challenged to show a comprehensive residual risk view across the Bank

• Depicts risks related to the Bank’s core responsibilities (rather than business silos)
  – E.g. for FOMC, Lender of Last Resort, as Fiscal Agent, etc.

• Names executives accountable for risk and risk mitigation

• Requires assessment of risk more frequently

• General feedback (after some pain points)
  – Business areas find value in seeing themselves within the “enterprise” view of risk
  – Drives a more consistent understanding of risks across the Bank’s businesses.

Refer to Appendix A for summarized Risk Grid.


Elements of Risk Reporting (RCSA)

Field Name: Overview of Field

Risk Title: Concise summary of the risk being assessed

Risk Description: Discussion of the risk being assessed

Likelihood: The probability that an event will occur over a given time horizon. Assessed as Low, Moderate, or High. Typical time frame is one year.

Impact: A measure of the effect that an incident, problem, or change is having or might have on the Bank. Assessed as Low, Moderate, or High.

Inherent Risk Rating: The risk to the entity in the absence of actions that management may take to alter the likelihood or impact of the risk. Assessed from the responses to the Likelihood and Impact ratings as Low, Moderate, or High.

Mitigation: Description of actions taken to reduce the likelihood and/or impact of the identified risks occurring. The description should convey which aspects of the risks are mitigated by the specific controls, as well as which aspects of risk are not mitigated.

Residual Risk Rating: The portion of inherent risk that remains after controls or other mitigating actions have been applied. Assessed as Low, Moderate, or High.

Risk Acceptance or Steps to Further Mitigate Risk: A statement indicating the plans for future steps that will further reduce the level of residual risk OR an indication that the business accepts the level of residual risk. Required if the residual risk is assessed as Moderate or High.

Emerging Risks: A newly developing or changing risk that may have an impact on the Bank.


Elements of Risk Reporting (Risk Events)

• Developed a policy that defines:
  – a risk event and severity levels
  – risk event notification and escalation process
  – risk analysis and reporting process
  – initial and final information requirements

• Every employee, regardless of rank or tenure, is responsible for ensuring that risk events are reported

• Enhances risk/control culture at all levels by engaging multiple levels of staff and management

• Serves as an input to a variety of analyses within the Bank

• No penalty for reporting a risk event


Elements of Risk Reporting (BRCM)

• Three-step process:
  – Map business process, including handoffs
  – Identify and assess process risk
  – Define mitigation strategies and controls.

• Provides cross-business end-to-end view of risks and controls.

• Supports a process for accepting residual risk and provides insight into where to direct investment.

Refer to Appendix B & C for supporting artifacts.


Continuous Improvement


Continuous Improvement

• Development of Taxonomy for Processes, Risks and Controls
  – To facilitate a more robust “common language” for risk
  – To provide a means to collect meaningful, quantitative data (improve reporting)
  – To identify shared risks (and common controls) across the Bank.

• Enhancing & Streamlining the RCSA process
  – To better facilitate control function integration (e.g. Compliance, SOX)
  – Will leverage PRC taxonomy.

• Continue to invest in tools to identify and measure potential and realized risk

• Continue to improve our risk framework and governance


Appendix


Appendix A


Appendix B


Appendix C