Operational Risk Management
Operational risk is the risk of loss resulting from
inadequate or failed internal processes, people and systems, including system
conversions and integration, and external events. Successful operational risk management is particularly important to a
diversified financial services company like ours because of the very nature,
volume and complexity of our various businesses.
In keeping with our management governance structure,
the lines of business are responsible for all the risks within the business
including operational risks. Such risks are managed through corporate-wide or
line of business-specific policies and procedures, controls, and monitoring
tools. Examples of these include personnel management practices, data
reconciliation processes, fraud management units, transaction processing
monitoring and analysis, business recovery planning, and new product
introduction processes.
We approach operational risk from two perspectives,
enterprise-wide and line of business-specific. The Compliance and Operational
Risk Committee (CORC), chartered in 2005 as a subcommittee of the Finance
Committee, provides consistent communication and oversight of significant
operational and compliance issues and oversees the adoption of best practices. Two
groups within Risk Management, Compliance Risk Management and Enterprise
Operational Risk, facilitate the consistency of effective policies, industry
best practices, controls and monitoring tools for managing and assessing
operational risks across the Corporation. These groups also work with the line of
business executives and their risk counterparts to implement appropriate
policies, processes and assessments at the line of business level and support
groups. Compliance and operational risk awareness is also driven across the
Corporation through training and strategic communication efforts. For selected
risks, we establish specialized support groups, for example, Information
Security and Supply Chain Management. These specialized groups develop
corporate-wide risk management practices, such as an information
security program and a supplier program to ensure suppliers adopt appropriate
policies and procedures when performing work on behalf of the Corporation.
These specialized groups also assist the lines of business in the development
and implementation of risk management practices specific to the needs of the
individual businesses.
At the line of business level, the Line of Business
Risk Executives are responsible for adherence to corporate practices and
oversight of all operational risks in the line of business they support.
Operational and compliance risk management, working in conjunction with senior
line of business executives, have developed key tools to help manage, monitor
and summarize operational risk. One tool the businesses and executive
management utilize is a corporate-wide self-assessment process, which helps to
identify and evaluate the status of risk issues, including mitigation plans, if
appropriate. Its goal is to continuously assess changing market and business
conditions and evaluate all operational risks impacting the line of business.
The self-assessment process assists in identifying emerging operational risk
issues and determining at the line of business or corporate level how they
should be managed. In addition to information gathered from the self-assessment
process, key operational risk indicators have been developed and are used to
help identify trends and issues on both a corporate and a line of business
level.
More generally, we mitigate operational risk through
a broad-based approach to process management and process improvement.
Improvement efforts are focused on reduction of variation in outputs. We have a
dedicated Quality and Productivity team to manage and certify the process
management and improvement efforts.