Operational Risk Management

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, including system conversions and integration, and external events. Successful operational risk management is particularly important to diversified financial services companies because of the nature, volume and complexity of the financial services business.

We approach operational risk from two perspectives: enterprise-wide and line of business-specific. The Compliance and Operational Risk Committee provides oversight of significant company-wide operational and compliance issues. Within Global Risk Management, Enterprise Compliance and Operational Risk Management develops policies, practices, controls and monitoring tools for assessing and managing operational risks across the Corporation. We also mitigate operational risk through a broad-based approach to process management and process improvement. Improvement efforts are focused on reduction of variation in outputs. We have a dedicated Quality and Productivity team to manage and certify the process management and improvement efforts. For selected risks, we use specialized support groups, such as Information Security and Supply Chain Management, to develop corporate-wide risk management practices, such as an information security program and a supplier program to ensure that suppliers adopt appropriate policies and procedures when performing work on behalf of the Corporation. These specialized groups also assist the lines of business in the development and implementation of risk management practices specific to the needs of the individual businesses. These groups also work with line of business executives and risk executives to develop appropriate policies, practices, controls and monitoring tools for each line of business. Through training and communication efforts, compliance and operational risk awareness is driven across the Corporation.

The lines of business are responsible for all the risks within the business line, including operational risks. Operational and Compliance Risk executives, working in conjunction with senior line of business executives, have developed key tools to help manage, monitor and report operational risk in each business line. Examples of these include personnel management practices, data reconciliation processes, fraud management units, transaction processing monitoring and analysis, business recovery planning, and new product introduction processes. In addition, the lines of business are responsible for monitoring adherence to corporate practices. Management uses a self-assessment process, which helps to identify and evaluate the status of risk issues, including mitigation plans, as appropriate. The goal of the self-assessment process is to periodically assess changing market and business conditions and to evaluate key operational risks impacting each line of business. In addition to information gathered from the self-assessment process, key operational risk indicators have been developed and are used to help identify trends and issues on both a corporate and a business line level.