Inicial

OPERATIONAL RISK IN CSDs 1 Elizabeth Garbayo CENTRALCLEARING - www.centralclearing.com.br

ACSDA November 2002

Operational Risk

“The most common and persistent risk that central securities depositories must face.” “Uncertainty of losses due to inadequate systems, controls and human resources management.” “All sources of risk excluding market risk and credit risk.”

2

3 CENTRALCLEARING

is a Central Counterparty All concepts are applicable to CSDs

4 Main Goals in Controlling Operational Risk in CENTRALCLEARING 1 – Control of internal processes and procedures.

2 – Monitoring systems against frauds.

3 – IT control, system performance and reliability.

4 – STP (Straight Through Processing).

5 Controlling Operational Risk CENTRALCLEARING 1 - Control of internal processes and procedures:

• Risk Committee.

• Compliance Director.

• Independent internal / external auditing and periodical reports.

Controlling Operational Risk CENTRALCLEARING

Auditing techniques -

Internal, external and systems auditing are made by using sophisticated techniques

Key IT Controls

Internal Audit System Development Change Management Management of IT 5 4 3 2 1 0 Physical Security Security of Information 1st Quartile 2nd Quartile 3rd Quartile 4th Quartile Continuity of Systems Central

6

7 Controlling Operational Risk CENTRALCLEARING

Auditing techniques –

Physical security

Physical security

3 2 5 4 1 0

Physical Access Control

CENTRAL 1st Quartile 2nd Quartile 3rd Quartile 4th Quartile

Protection of Environment

8 Controlling Operational Risk CENTRALCLEARING

Auditing techniques –

Risk Matrix

Risk Matrix – Key IT Controls High Moderate Low Low Moderate

Probability

High

9 Controlling Operational Risk CENTRALCLEARING 2 - Monitoring systems against frauds:

• Physical access control.

• Surveillance system.

• Internal controls.

• System access control.

• Operational insurance.

10 Controlling Operational Risk CENTRALCLEARING 3 - IT control, system performance and reliability:

• Mirrored storage.

• Disaster-recovery plan.

• Physical security of hardware.

11 Controlling Operational Risk CENTRALCLEARING

System Contingency

Server redundancy: • Two identical servers.

• Contingency server.

12 Controlling Operational Risk CENTRALCLEARING

Office contingency:

Office redundancy: • Two contingency offices: 1.

2.

ALGORITHMICS (RJ).

CENTRALCLEARING (SP).

13 Controlling Operational Risk CENTRALCLEARING

System contingency:

• Redundant telecommunication links.

• Internal network is duplicated.

• Quarterly contingency tests.

Controlling Operational Risk CENTRALCLEARING

2 Independent links

System display for each service:

2 Independent links

Outside world Server 1 Contingency Server Server 2 Main site Contingency site 14

15 Controlling Operational Risk CENTRALCLEARING

Other features for system performance and reliability:

• High availability servers.

• Redundant power and cooling systems.

• High speed backup and restoration.

• High historical availability.

16 Controlling Operational Risk CENTRALCLEARING 4 – STP (Straight Through Processing):

CETIP

End to End

CENTRAL

Inicial

OPERATIONAL RISK IN CSDs 17 Elizabeth Garbayo CENTRALCLEARING - www.centralclearing.com.br

ACSDA November 2002