
Febraban

How Convergence can lead to better Enterprise Risk Management


13 May 2010

Agenda

- Current environment
- What does the term convergence mean?
- Business drivers and convergence objectives
- Practical case studies

The current crisis has exposed failings of risk management

Internal factors

Business and strategy:
- Lack of understanding of risk / return dynamics
- Unchallenged and weak assumptions
- Flawed incentive structures
- Duplicative infrastructures and efficiency quests

Risk management practices:
- Siloed risk management and reporting
- Backward-looking, data-driven models
- Reporting not fit for purpose
- Correlations and dependencies not fully understood

External factors

Market discipline:
- Lack of transparency
- Over-reliance on rating agencies
- Inadequate infrastructure
- Complex products

Regulatory frameworks:
- Lack of systemic oversight
- Unregulated markets
- Weak capital and liquidity standards

Together, these internal and external factors fed the financial crisis at the centre of the diagram.

The current environment of risk

Leading risk practices are emerging in the wake of the current economic crisis:
- Greater alignment / integration
- Re-assess indicators
- Proactive
- Common data sources
- Transparency
- Linking front-office and back-office
- Skills
- Risk as an art, and a science
- Specialty

The current financial crisis calls for fundamental changes in the way banks identify, assess, manage and communicate financial performance and risk. With a risk-and-return oriented view, banks will be able to select customers more effectively, make better product and pricing decisions, operate more efficiently and report to stakeholders with greater confidence. (1)

(1) Ernst & Young (2005), Investors on Risk: The need for transparency.

Current environment in risk management

- Risk management spend has increased significantly in the last decade due to the expansion of regulatory compliance requirements.
- The number of risk functions has increased to keep up with these compliance requirements: 73% of companies have seven or more separate risk functions.
- The coverage and focus of risk functions has become increasingly difficult to manage: 67% of companies reported overlapping risk coverage between two or more risk functions, and 50% of companies reported gaps in coverage between risk functions.
- 96% of companies agree there are opportunities to improve their risk management efforts.
- Companies believe efficiencies can be gained in their risk management activities.
- Companies want improved risk coverage while balancing cost and value.

Integrated risk monitoring is still a work in progress

% of respondents who can track and report an enterprise-wide view of risk:
- 67%: complete holistic view
- 24% and 9%: tracking, not consolidated; limited tracking

% of respondents who have developed enterprise-wide risk reporting:
- 77%: nearly complete
- 14% and 9%: midway; in the early stages

"Every few years I think the reports should be thrown out and started again. One day, I'd like to stop sending a risk report out and see if anyone notices: save some trees."

Source: Ernst & Young survey, Navigating the Crisis: A Survey of the World's Largest Banks (December 2008)

What does the term convergence mean?

The industry sometimes uses the terms enterprise risk management (ERM) and risk convergence interchangeably. Ernst & Young believes the two terms are distinct.

ERM exists to help the board set the objectives for risk management and enable decisions to be made strategically and operationally across the enterprise within defined parameters of risk tolerance. Risk convergence considers the functions and framework built for ERM and seeks to address inefficiencies and opportunities, to maximize the cost benefit to risk management of performing certain processes. In other words, risk convergence seeks to refine the target operating model and find practical ways to coordinate, align and ultimately implement process improvement.

The aim is to help the risk organization reach the next level: one that can manage and control costs, mitigate risk and support strategic decision-making.

Three lines of defense governance model

Convergence focuses on the 2nd and 3rd lines of defense.

- Executive management / executive boards: perform oversight.
- Third line of defense: Internal Audit: test and verify.
- Second line of defense: Compliance: interpret and develop; monitor and report. Risk Management: design and facilitate; monitor and report.
- First line of defense: BU process and risk owners.

Current flow of risk and control information

- External regulators, analysts, investors
- Board / senior management oversight: Audit Committee, Risk Committee, other committees
- Risk functions, each reporting separately: Risk Management, Internal Audit, Legal/Compliance, Finance/SOX, Information Technology, Other
- Business units, each dealing with every function separately

Key issues:
- Risk management process fatigue
- Poorly defined roles and responsibilities
- Concern over effectiveness of risk and control
- Conflicting and inconsistent risk reporting

A possible converged flow

- External regulators, analysts, investors
- Board / senior management oversight: Audit Committee, Risk Committee, other committees
- Risk functions: Risk Management, Internal Audit, Legal/Compliance, Finance/SOX, Information Technology, Other
- Shared layer between the functions and the business: common data structure, common technology architecture, common risk and control processes
- Business units

Key advantages:
- Well defined roles and responsibilities
- Distributed risk management responsibility
- Coordination and leverage across functions
- Efficiency and effectiveness in dealing with BUs
- Clear and comprehensive risk reporting

Organizational model to support convergence (illustrative example)

- Board level: Audit Committee / Risk Committee; Operational Risk Committee.
- Senior management level: Risk Working Group, a cross-disciplined group drawn from Risk Management, Internal Audit, IT Risk, Finance (e.g. SOX) and Compliance; Corporate Operational Risk.
- Lines of business: risk teams aligned to LOB; operational risk managers aligned to LOB.
- Business control / support: shared support functions (Finance, Operations, Technology) with their own operational risk managers.

Convergence: a portfolio approach

Convergence does not have a single defined roadmap; the improvement path is component based and depends on the starting point and priorities.

Current state: board / senior management oversight (Risk Committee, Audit Committee, other committees) over separate Operational Risk, Internal Audit, Legal/Compliance, Finance, Information Technology and Other functions, each engaging the business units on its own.

Future state: the same committees and functions, with a common data structure, common technology architecture and common risk and control processes sitting between the functions and the business units, supported by a PMO for initiation and ongoing operation.

Improvement components from which the path is assembled:
- Firmwide risk assessment framework (RCSA)
- Entity level control design and implementation
- Governance model
- Control testing strategies
- Common technology / integration of existing technology
- Risk based control rationalization
- Issue tracking
- Integrated training
- Pre-convergence analysis
- Define the vision
- Redesign / rationalize risk reporting
- Key indicators for risk monitoring
- Refine and stabilize
- Common taxonomy / data structure
- Foundation structure
- Organizational view

Risk convergence maturity model: where are you?

Five levels of increasing maturity: Level 1 Current State; Level 2 Coordination Phase; Level 3 Alignment Phase; Level 4 Integration Phase; Level 5 Converged (leading practice). Each level is characterized across six dimensions.

Policy & Governance Structure
- Level 1: Certain level of autonomy within BUs or segments to set policy. No clearly defined risk appetite or strategy by Board or committees. No segregation of duties.
- Level 2: Policies inventoried and policy-setting owners identified. Risk appetite and strategy defined by Board and committees. Segregation of duties identified.
- Level 3: Corporate and BU policies formally aligned. Risk appetite and strategy aligned across BUs. Segregation of duties aligned across BUs.
- Level 4: Policies aligned, but not consistently applied across the organization. Escalation of limit breaches and key decisions to appropriate committees and the Board.
- Level 5: Policy set at corporate level and approved by the Board. Assessment and decision making around risk appetite ingrained in business-as-usual activities. Coordinated risk management and compliance efforts.

Organization & People
- Level 1: Multiple, inconsistent views on the organizational structure. No clearly defined roles and responsibilities. Scope set by each function varies.
- Level 2: Organizational charts inventoried and in the process of being rationalized. Roles and responsibilities for corporate personnel in the process of being defined and documented.
- Level 3: Corporate and BU organizational charts aligned. Roles and responsibilities of each function and BU defined and documented.
- Level 4: Corporate and BU organizational charts communicated but not fully operational. Roles and responsibilities operating in practice as defined.
- Level 5: Single view of the organization. Clearly identified risk and control owners, including hand-offs. Scope is comprehensive and not overlapping.

Processes & Activities
- Level 1: Multiple risk and control assessment processes, each with its own measurement of risk. Limited analysis of output; periodic reporting of mostly flat risk and control data.
- Level 2: Risk and control processes and rating methodologies inventoried. Risk and control reporting metrics rationalized and business requirements developed.
- Level 3: Risk and control processes and rating methodology rationalized and aligned. Risk and reporting metrics aligned across risk functions.
- Level 4: Risk and control processes integrated across BUs. Standardized core processes. Integrated risk and control reporting across BUs and functions.
- Level 5: Common measurement of risk and control at both BU and entity level. Effective periodic reporting of aggregated risks (inherent and residual), trends and supporting data (losses, KRIs) to drive risk appetite decisions.

Technology
- Level 1: Fragmented IT infrastructure with limited interfacing and significant manual vetting and reconciliation of data. Various reporting engines delivering disparate risk and control assessment output.
- Level 2: IT infrastructure inventoried. Reports and reporting engines inventoried.
- Level 3: Infrastructure in the process of being integrated. Reporting tools in the process of being integrated.
- Level 4: IT infrastructure integrated. Common reporting tools implemented for standardization of reports.
- Level 5: Data warehouse concept with shared risk and control attributes and information. Robust and flexible MI system to support the assessment process and drive reports.

Data Model
- Level 1: Each function has its own data structure. High level of autonomy to define risks and controls within the business units or segments; no efficient translation method.
- Level 2: Source systems identified. Risk and control definitions identified.
- Level 3: Alignment of data structure and source systems in process. Common risk taxonomy initiative underway.
- Level 4: Integrated data structure and source systems. Consolidation of risk and control language; risk library owned at corporate level.
- Level 5: Data structure allows for BU customization but supports organizational roll-up. Risks and controls owned by the BU. Existing BU risks mapped to the list of high-level risks defined by corporate.

Assurance & Validation
- Level 1: Multiple functions perform assurance and validation activities. Various structures and methodologies around process and controls documentation and testing.
- Level 2: Common methodology and structure for assurance and validation activities identified.
- Level 3: Integrated validation policy and procedures developed.
- Level 4: Validation policy finalized and procedures deployed. Methodology and structure implemented.
- Level 5: Assurance and validation activities performed on a coordinated / leveraged basis, perhaps by one single function / utility. One structure and methodology for assurance and validation activities.

Risk Responsibility Matrix: who is responsible for risk oversight?

The matrix plots risk management ownership against risk type.
- Rows (risk management ownership): Compliance, Operational Risk, Finance, Market, IT, Credit Risk, HR.
- Columns (risk type): BCP, Market, Credit, People, Transaction, IT, Reputational, Legal/Regulatory, Financial Reporting, Vendor, Strategic.
- Key: each cell is marked as primary responsibility or secondary responsibility.

What the matrix reveals:
- Some risk families may have little coverage.
- Multiple assessments for a risk family may present opportunities for enhanced coordination.

Targeted priorities surface as a result of completing a diagnostic

(Chart: candidate initiatives, numbered 1 to 11, plotted by benefit to risk management against time for implementation.) Initiatives plotted:
- Coordinate compliance testing
- Implement risk PM incentives
- Develop common risk taxonomy
- Optimize SOX 404 testing
- Increase use of risk self-assessment
- Rationalize risk reporting
- Accelerate embedding of BCP
- Adopt business risk model
- Deploy data analytics
- Implement common risk technology
- Consolidate issue tracking

Case study 1: assess the current state (diagnostic)

Cost figures are in $000 p.a. The FTE figures for each activity (current business FTEs, current risk FTEs; savings in business FTEs, risk FTEs) are given as they appear on the slide; where a row shows fewer than four FTE figures, the remaining cells are not legible in the source.

Activity | Current cost | Savings | FTE figures (current; savings)
Risk identification & assessment | 1,200 | 630 | 4.8, 4.8; 1.7, 3.1
Risk reporting & monitoring | 1,700 | 560 | 5.9
Incident data management | 2,700 | 600 | 9.8, 24; 1.8
Issue tracking | 960 | 270 | 10.3; 2.6
Management assurance | 1,300 | 300 | 9.3, 3.5; (0.7), 3.5
Mitigation: process & control opportunities | 2,030 | 1,290 | 41.1; 29.4
Total | 9,890 | 3,650 | 30.1, 90.7; 7.8, 46.6

Qualitative benefits:
- Targets risk activity at the riskiest parts of the business
- Focuses risk assessment on areas where the business has direct control
- Consequential improvement in the control environment
- Focuses risk activity on output
- Provides greater information transparency
- Pushes responsibility back on the business for risk and controls
- Streamlined process is less bureaucratic
- Consistent and complete information allows better analysis and leverage
- More integrated action plans
- Reduced planning activity
- More flexible deployment of resources
- Lower overall testing activity driven by focus and consistency
- More efficient use of resources within the first line without increasing the net risk position

Outcome: a step change in capability, increased certainty over the final result, and reduced unnecessary costs.

Define and confirm future state: risk identification and assessment

Current state (cost = $1,200,000):
- Risks are identified and assessed within 18 areas of the business.
- Risk teams identify and assess risks. The estimated combined effort of risk identification and assessment is 2,496 man-days p.a. / 9.6 FTEs / $1,200,000 cost p.a.
- The liaison between the business and the 2nd line is via the risk coordinator. This role is performed by individuals of varying skills and grades across the business.
- The current risk register is reviewed to see if risks should be added or removed as part of the quarterly assessment process.

Future state recommendations:
- The proposed future state is based on a fundamental re-engineering of the risk identification and assessment process.
- Risk identification and assessment is focused on the riskiest areas of the business; low risk areas adopt a fix-on-failure approach.
- Reduce the number of risk registers from 18 to 9, with 2 areas requiring extensive control assessments and the remaining areas incorporating their key risks in scenario analysis.
- Risk registers are focused on risk events and categorized into financial and non-financial risks.
- Risk assessment is focused on financial impact, with a weighting to take account of regulatory or customer impact.
- Identification and assessment activity should be carried out by the advisory team with input from the RM Standards and Monitoring & Analysis teams.

Future state FTEs: business risk coordinators 1.7; risk management 3.1. Future state cost = $570,000. Saving of $630,000 (52%).

Potential savings and benefits: the potential savings for risk identification and assessment are 1,248 man-days p.a. / 4.8 FTEs / $630,000 p.a. In addition, the following benefits can be realized:
- Better value for money and stronger assurance for senior management by focusing on the risks that matter
- Reduced need for risk coordinator time
- Clarity on assessments should improve the quality of the information
- Greater consistency of the risk coordinator role, with the role based on a better understanding of the skills required to do the job (e.g., the people doing the job are equipped to do it)
- Improving risk identification and assessment should have a consequential reduction in incidents

Risk assessment: targeted approach

Three tiers, narrowing in scope and increasing in detail as they descend:

1. High level RCAs: top-level risk identification and assessment covering the 8 highest-level categories for operational risk (Theft and Fraud; People; Clients, Products and Business Practices; Physical Assets and Data Security; Information Technology; Transaction Processing; Financial Recording & Reporting; External Provider), producing a high level risk profile and identifying fat-tail events (e.g. a major fraudulent event) for investigation through scenario analysis.

2. Targeted assessments: detailed targeted risk/control assessment driven by regulatory requirements (e.g., SOX; data protection) or by high inherent risk levels (e.g., a business area subject to high dependency on third-party suppliers). Examples: compliance review, SOX, external vendor SAS 70.

3. Deep dive assessments: very detailed targeted RCA with an increasingly narrow scope, focused on high risk areas or weak control coverage. This could involve reviewing similar processing across different products.

Case study #2: converged issue reporting

The converged report is a single heat-map matrix combining external losses, internal losses and open issues.

- Rows: business divisions, each split into External, Internal and Issues lines showing a $MM amount and a count (#).
- Columns: operational risk event types (internal fraud, external fraud, unauthorized employee activity, workplace environment, damage to physical assets, business disruption / system failures, execution and processing, financial and regulatory reporting, laws, regulations and business practices, risk management practices, among others), plus a risk total per row.

Per-division totals (the breakdown by event type is omitted here):

Division | External $MM | External # | Internal $MM | Internal # | Issues #
Corporate/Firmwide | 5,695.9 | 35 | 0.0 | 0 | 0
Global Investment Research | 714.6 | 4 | 0.0 | 0 | 1
Investment Banking | 290.2 | 11 | 7.3 | 3 | 2
Investment Management | 0.0 | 0 | 0.0 | 0 | 0
Merchant Banking | 6,228.4 | 86 | 8.8 | 3 | 18
Securities Division - Macro | 0.0 | 0 | 1.4 | 1 | 6
Securities Division - Micro | 105.0 | 2 | 2.7 | 1 | 56
Securities Division Principal Investing | 6,256.8 | 3 | 0.0 | 0 | 7
Securities Division Special Situations / Other | 601.4 | 7 | 40.2 | 13 | 79
Total | 19,892.26 | 148 | 60.33 | 21 | 169

Colour key (cell thresholds):
- External ($): $100MM or more; greater than 0 but less than $100MM; $0MM
- External (#): 5 or more; greater than 0 but less than 5; 0
- Internal ($): $5MM or more; greater than 0 but less than $5MM; $0MM
- Internal (#): 5 or more; greater than 0 but less than 5; 0

Issue convergence reporting: data security and vendor risk

External losses in 2006 were the starting point. Event and issue timeline, 2003 to 2007:
- Internal Audit issue opened 3/31/03. Status xxxxx
- External loss, $20.3MM: 10/3/03 to 1/26/06
- Vendor event 1/3/06
- Internal Audit issue opened 3/31/06. Status ..
- Internal Audit issue opened 4/12/06. Downgraded to ..
- Internal Audit issue opened 6/1/06. Remains open
- Vendor event 6/8/06
- External loss, $18MM: 7/1/06 to 10/24/06
- Internal near miss 10/1/06
- Internal near miss 12/1/06
- Internal Audit issue opened 12/13/06. Remains open

Three issues remain open. The timeline overlays four sources: Internal Audit issues, vendor events, external losses and internal losses.

High/open issues in 2006 complete the classification requirements; internal near misses in 2006 add to the story.

Convergence lessons learned

- A convergence vision requires collaboration and co-ordination; compromise is critical.
- Shift from a siloed view of risk management.
- It is impossible to measure success if there is no standard against which you are measuring: well defined goals and objectives; measures of success; cost in or out of scope.
- A clear, well articulated business case grounded in fact; it must be demonstrable.
- Build momentum through quick wins, establishing the basic building blocks.

The number of stakeholders involved in this type of project requires robust project governance and management methodologies to be adopted. Communication to all stakeholders is critical to retain key executive sponsorship and momentum.

Convergence lessons learned (cont.)

Improved business performance results from integrated, coordinated and effective risk practices. The right approach can help achieve improved business performance through:
- Identification and validation of the gaps in risk coverage and scope across risk functions, processes and activities
- Evaluation of the appropriate levels of alignment of risk management practices to organizational, strategic and operational objectives
- Alignment and coordination of risk management capabilities across the enterprise
- Development of risk-based performance metrics that support governance, risk management and compliance objectives
- Establishment of business-level performance measures / drivers

Contacts

Dan McKinney, Partner, Operational Risk Management, (212) 773 4072
Thomas Campanile, Partner, Enterprise Risk Management, (212) 773 8461