Transcript October 8-10, 2007 Diana Downward, DTCC
Slide 1: Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Slide 2: Agenda
- Background
- DTCC's Operational Risk Management Program
- DTCC Risk Scenarios
- DTCC Risk Metrics
Slide 3: Why Focus on Operational Risk Management?
- The largest financial and reputational losses in the financial services industry are attributed to Operational Risk
- Good business sense
- Regulatory expectations
- Sound risk management practices
- Robust business resiliency
Slide 4: Examples of Op Risk Events
- Timeliness of Rating Agency Downgrades
- Arthur Andersen
- Enron
- Tyco
- CMO Pricing Issues
- NYSE
- Barings
- August 2003 Blackout
- REFCO
- Hurricane Katrina!
Slide 5: DTCC's Operational Risk Definition
"The risk of loss, including reputational harm, resulting from inadequate or failed internal processes, people and systems or from external events."
Slide 6: What Operational Risk is Not
- Operational Risk is not Credit Risk, Market Risk, Liquidity Risk or Strategic Risk.
- However, Operational Risk is NOT LIMITED to the processing type of risks generally associated with a back-office operation.
Slide 7: Operational Risks at a CSD
- Computer Hacking
- Governance Issues
- AML
- Fraud
- System Failures
- Customer Confidentiality Failure
- Incomplete Due Diligence
- External Threats
- Corporate Actions Losses
- Data Entry Errors
- Settlement Fails
- Missing Certificates
Slide 9: DTCC Operational Risk Management Objectives
- Establish a common risk language across the organization
- Foster a climate where risks are identified and openly discussed by all departments and employees
- Inform senior management and the Board about Operational Risk across the enterprise
- Reinforce transparency and comply with regulatory expectations
Slide 11: Program Components
- Enterprise-wide reporting
- Risk and Control Self-Assessment
- Risk Metrics
- Leveraging off existing risk event information
Slide 12: Status of Effort to Date
- Governance structure in place
- Corporate Policy and other documents issued
- Risk & Control Self-Assessment (RCSA) process formalized (initial and periodic updates)
- System internally built
- High level reporting developed
- Risk Metrics in progress
- Scenario analysis process recently established
- Risk incident collection in initial stages
Slide 13: Governance Structure
- Audit Committee
- Board of Directors
- DTCC Management Committee
- Compliance and Operational Risk Management Committee
- DTCC Internal Risk Management Committee
- DTCC Internal Operational Risk Steering Committee
Slide 14: 2007 Objectives
- Develop a plan to collect risk incidents
- Implement a scenario analysis process
- Continue to enhance management reporting
- Continue to work with business units to identify risk metrics
Slide 15: High Level Reporting
Enterprise Major Risk Report
- 39 risk scenarios major to DTCC
- Mitigants addressing risks
- Additional plans to further mitigate risk
Enterprise Risk Metrics Report
- Metrics that address the major risks of DTCC
Slide 16: Enterprise Risk Scenario Categories
- Liquidity Risk
- Market Risk
- Concentration Risk
- People & Culture Risk
- External Risk
- Operational Risk
- Process Risk
- Business Continuity Risk
- Technology Risk
- Reputational Risk
Slide 17: Enterprise Risk Scenario Examples
Liquidity Risk
- Insufficient liquidity to fund settlement
- Inability to access liquidity to fund settlement
Credit Risk
- Not informed timely about a major credit event/insolvency involving a member
- Exposure from related entities
Slide 18: Enterprise Risk Scenario Examples (cont'd)
Market Risk
- Insufficient clearing fund/insufficient collateral
- Model risk
Concentration Risk
- Multiple forms of exposure to one member
Slide 19: Enterprise Risk Scenario Examples (cont'd)
Operational Risk
- Theft of funds or securities
- Corporate Action processing errors
- Insufficient system capacity
- Cyber attack disables key production systems
- Unauthorized access to company systems
- Inability to complete settlement
- Disaster eliminates primary operating region capability
Slide 20: Enterprise Risk Metrics Examples
- Adequacy of clearing fund coverage
- Adequacy of liquidity
- Settlement timeliness
- System availability
- Timely implementation of Internal Audit recommendations
- Operations losses >$10,000
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 10
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 11
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 12
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 13
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 14
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 15
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 16
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 17
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 18
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 19
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 20
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 2
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 3
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 4
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples – cont’d
Operational Risk
  Theft of funds or securities
  Corporate Action processing errors
  Insufficient system capacity
  Cyber attack disables key production systems
  Unauthorized access to company systems
  Inability to complete settlement
  Disaster eliminates primary operating region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit recommendations
Operations losses >$10,000
20
Slide 5
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 6
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 7
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 8
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 9
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 10
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 11
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the
organization
Foster a climate where risks are identified and
openly discussed by all departments and
employees
Inform senior management and Board about
Operational Risk across the enterprise
Reinforce transparency and comply with
regulatory expectations
9
10
Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event
information
11
Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA)
process formalized-initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages
12
Governance Structure
Audit Committee
Board of Directors
DTCC Management
Committee
Compliance and
Operational Risk
Management Committee
DTCC Internal Risk
Management
Committee
DTCC Internal
Operational Risk
Steering Committee
13
2007 Objectives
Develop a plan to collect Risk
incidents
Implement a scenario analysis
process
Continue to enhance
Management reporting
Continue to work with
business units to
identify risk metrics
14
High Level Reporting
Enterprise Major Risk Report
39 risk scenarios major to
DTCC
Mitigants addressing risks
Additional plans to further
mitigate risk
Enterprise Risk Metrics
Report
Metrics that address the major
risks of DTCC
15
Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk
16
Enterprise Risk Scenario Examples
Liquidity Risk
Insufficient
liquidity to
fund
settlement
Inability to
access
liquidity to
fund
settlement
Credit Risk
Not informed
timely about
major credit
event/
insolvency
involving a
member
Exposure
from
related
entities
17
Enterprise Risk Scenario Examples –
cont’d
Market Risk
Insufficient
clearing
fund/
insufficient
collateral
Model risk
Concentration
Risk
Multiple
forms of
exposure to
one
member
18
Enterprise Risk Scenario Examples –
cont’d
Theft of funds
or securities
Corporate Action
processing errors
Operational
Risk
Insufficient system
capacity
Cyber
attack disables
key production
systems
Unauthorized
Inability to
access to
complete settlement
company systems
Disaster eliminates
primary operating
region capability
19
Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit
recommendations
Operations losses >$10,000
20
Slide 12
Operational Risk
ACSDA Leadership Forum
New York City, USA - October 8-10, 2007
Diana Downward, DTCC
Agenda
Background
DTCC’s Operational Risk Management
Program
DTCC Risk Scenarios
DTCC Risk Metrics
2
Why Focus on
Operational Risk Management?
Largest financial and reputational losses
in the financial services industry are
attributed to Operational Risk
Good business sense
Regulatory Expectations
Sound Risk Management
Practices
Robust Business Resiliency
3
Examples of Op Risk Events
Timeliness of Rating
Agency Downgrades
Arthur
Andersen
Enron
Tyco
CMO Pricing Issues
NYSE
Barings
August 2003
Blackout
REFCO
Hurricane
Katrina!
4
DTCC’s Operational Risk Definition
“The risk of loss, including
reputational harm, resulting from
inadequate or failed internal processes,
people and systems or from external
events.”
5
What Operational Risk is Not
Operational Risk is not Credit Risk,
Market Risk, Liquidity Risk or
Strategic Risk.
However, Operational Risk is NOT
LIMITED to the processing type of
risks generally associated with a
back-office operation.
6
Operational Risks at a CSD
Computer
Hacking
Governance Issues
AML
Fraud
System Failures
Customer
Confidentiality Failure
Incomplete Due Diligence
External Threats
Corporate
Actions Losses
Data Entry Errors
Settlement Fails
Missing Certificates
7
8
DTCC
Operational Risk Management Objectives
Establish a common risk language across the organization
Foster a climate where risks are identified and openly discussed by all departments and employees
Inform senior management and Board about Operational Risk across the enterprise
Reinforce transparency and comply with regulatory expectations

Program Components
Enterprise-wide reporting
Risk and Control Self-Assessment
Risk Metrics
Leveraging off existing risk event information

Status of Effort to Date
Governance Structure in place
Corporate Policy and other documents issued
Risk & Control Self-Assessment (RCSA) process formalized: initial and periodic updates
System internally built
High level reporting developed
Risk Metrics in progress
Scenario analysis process recently established
Risk incident collection in initial stages

Governance Structure
Audit Committee
Board of Directors
DTCC Management Committee
Compliance and Operational Risk Management Committee
DTCC Internal Risk Management Committee
DTCC Internal Operational Risk Steering Committee

2007 Objectives
Develop a plan to collect Risk incidents
Implement a scenario analysis process
Continue to enhance Management reporting
Continue to work with business units to identify risk metrics

High Level Reporting
Enterprise Major Risk Report: 39 risk scenarios major to DTCC; Mitigants addressing risks; Additional plans to further mitigate risk
Enterprise Risk Metrics Report: Metrics that address the major risks of DTCC

Enterprise Risk Scenario Categories
Liquidity Risk
Market Risk
Concentration Risk
People & Culture Risk
External Risk
Operational Risk
Process Risk
Business Continuity Risk
Technology Risk
Reputational Risk

Enterprise Risk Scenario Examples
Liquidity Risk: Insufficient liquidity to fund settlement; Inability to access liquidity to fund settlement
Credit Risk: Not informed timely about major credit event/insolvency involving a member; Exposure from related entities

Enterprise Risk Scenario Examples – cont’d
Market Risk: Insufficient clearing fund/insufficient collateral; Model risk
Concentration Risk: Multiple forms of exposure to one member

Enterprise Risk Scenario Examples – cont’d
Operational Risk: Theft of funds or securities; Corporate Action processing errors; Insufficient system capacity; Cyber attack disables key production systems; Unauthorized access to company systems; Inability to complete settlement; Disaster eliminates primary operating region capability

Enterprise Risk Metrics Examples
Adequacy of clearing fund coverage
Adequacy of liquidity
Settlement timeliness
System availability
Timely implementation of Internal Audit recommendations
Operations losses >$10,000