Operational Risk

Operational Risk ACSDA Leadership Forum New York City, USA - October 8-10, 2007 Diana Downward, DTCC

Agenda • Background • DTCC’s Operational Risk Management Program • DTCC Risk Scenarios • DTCC Risk Metrics

Why Focus onOperational Risk Management? • Largest financial and reputational losses in the financial services industry are attributed to Operational Risk • Good business sense • Regulatory Expectations • Sound Risk Management Practices • Robust Business Resiliency Risk

Examples of Op Risk Events Timeliness of Rating Agency Downgrades Arthur Andersen Enron Tyco CMO Pricing Issues NYSE Barings REFCO August 2003 Blackout Hurricane Katrina!

DTCC’s Operational Risk Definition “The risk of loss, including reputational harm, resulting from inadequate or failed internal processes, people and systems or from external events.”

What Operational Risk is Not • Operational Risk is not Credit Risk, Market Risk, Liquidity Risk or Strategic Risk. • However, Operational Risk is NOT LIMITED to the processing type of risks generally associated with a back-office operation.

Operational Risks at a CSD Governance Issues Computer Hacking AML Fraud System Failures Customer Confidentiality Failure Incomplete Due Diligence External Threats Settlement Fails Corporate Actions Losses Missing Certificates Data Entry Errors

DTCCOperational Risk Management Objectives • Establish a common risk language across the organization • Foster a climate where risks are identified and openly discussed by all departments and employees • Inform senior management and Board about Operational Risk across the enterprise • Reinforce transparency and comply with regulatory expectations

Program Components • Enterprise-wide reporting • Risk and Control Self-Assessment • Risk Metrics • Leveraging off existing risk event information

Status of Effort to Date • Governance Structure in place • Corporate Policy and other documents issued • Risk & Control Self-Assessment (RCSA) process formalized-initial and periodic updates • System internally built • High level reporting developed • Risk Metrics in progress • Scenario analysis process recently established • Risk incident collection in initial stages

GovernanceStructure Audit Committee Board of Directors Compliance and • Operational Risk • Management Committee DTCC Management Committee DTCC Internal Risk Management Committee DTCC Internal Operational Risk Steering Committee

2007 Objectives • Develop a plan to collect Risk incidents • Implement a scenario analysis process • Continue to enhance Management reporting • Continue to work with business units to identify risk metrics

High Level Reporting • Enterprise Major Risk Report • 39 risk scenarios major to DTCC • Mitigants addressing risks • Additional plans to further mitigate risk • Enterprise Risk Metrics Report • Metrics that address the major risks of DTCC

Enterprise Risk Scenario Categories Liquidity Risk Market Risk Concentration Risk People & Culture Risk External Risk Process Risk Operational Risk Business Continuity Risk Technology Risk Reputational Risk

Enterprise Risk Scenario Examples Liquidity Risk Credit Risk Insufficient liquidity to fund settlement Inability to access liquidity to fund settlement Not informed timely about major credit event/ insolvency involving a member Exposure from related entities

Enterprise Risk Scenario Examples –cont’d Market Risk Concentration Risk Insufficient clearing fund/ insufficient collateral Model risk Multiple forms of exposure to one member

Enterprise Risk Scenario Examples –cont’d Theft of funds or securities Operational Risk Insufficient system capacity Cyber attack disables key production systems Corporate Action processing errors Unauthorized access to company systems Inability to complete settlement Disaster eliminates primary operating region capability

Enterprise Risk Metrics Examples • Adequacy of clearing fund coverage • Adequacy of liquidity • Settlement timeliness • System availability • Timely implementation of Internal Audit recommendations • Operations losses >$10,000

Operational Risk