KPMG/RMA Operational Risk Management Excellence 2015 Global Heightened Practices Survey

Executive Report (kpmg.com)


KPMG/RMA Operational Risk Management Excellence Initiative

KPMG LLP (KPMG) and the Risk Management Association (RMA) teamed to initiate the first Operational Risk Management Excellence Get to Strong Survey in 2013. The objective was to give North American financial institutions insights into leading industry operational risk management (ORM) practices in support of enhanced business value, strategy, and performance; heightened regulatory expectations for strong risk management; and Basel Advanced Measurement Approach (AMA) use-test compliance, in order to help them gauge their positioning against evolving industry practices, optimize their ORM frameworks, and enhance risk management. Since 2013, KPMG and RMA have continued to work with ORM leaders and regulators to expand the North American survey to additional firms in Europe, the Middle East, and Africa and in Asia-Pacific. Today, over eighty top financial institutions, including twenty global systemically important financial institutions (G-SIFIs), have completed the Operational Risk Management Excellence 2015 Global Heightened Practices Survey (the Survey). KPMG and RMA have held ORM Excellence Executive Round Tables in New York, London, and Sydney as part of ongoing efforts to advance the ORM discipline and establish benchmark data on critical ORM themes and practices. KPMG and RMA appreciate those who have participated in the Survey and the Round Tables. The following pages highlight key Survey results and next steps in the global evolution of the ORM discipline.*

Table of Contents
- Executive Summary
- Survey Methodology and Background
- Operational Risk Management Processes and Functions
- Strategy and Value
- Stature, Risk Appetite, and Governance
- Assessment, Measurement, and Management
- Data, Analysis, and Reporting
- The Road Ahead

*The full set of questions, quantitative responses, and qualitative inputs are only available to Survey participants.

Executive Summary

The results of the Survey reveal that financial institutions continue to make important strides in the following areas:
- Improved contribution of ORM to business/risk decision-making and strategic planning;
- Increased recognition of ORM's contribution to business strategy and performance by the Board of Directors (Board) and other leaders;
- Improved standing of ORM alongside market, credit, and other risks;
- Broadened deployment of operational risk appetite at the enterprise, line of business, and other levels;
- Expanded use of standard risk taxonomies, assessment processes, and linkage to risk appetite;
- Improved processes to challenge, escalate, and communicate risks and issues; and
- Enhanced data quality for improved risk intelligence, decision-making, and reporting.

There is, however, still work to be done by financial institutions as they strive towards operational risk excellence and strong risk management, including:
- Further positioning the ORM framework so that it is fully aligned with firm strategy and so that operational risk is considered when launching and implementing significant strategic change;
- Expanding efforts to deploy qualitative and quantitative measures of operational risk appetite across business lines, legal entities, processes, and other key areas;
- Broadening efforts to identify, assess, measure, and manage operational risk against defined risk appetite levels and thresholds;
- Strengthening ORM's value at the business line level and continuing to enhance business line ORM maturity and ORM's impact on business performance;
- Reinforcing efforts to augment data governance, integrity, and aggregation for greater risk intelligence and actionable reporting and decision-making; and
- Broadening effective challenge of first line of defense risk data (e.g., risk and control self-assessments (RCSAs), key risk indicators (KRIs), loss events, and mitigation plans) and calibrating that data for increased accuracy, value, and use.

Compliance with enhanced regulatory standards will likely pose considerable challenges to financial institutions operating in all jurisdictions. The three lines of defense (i.e., the business lines, the risk management and compliance functions, and internal audit) will require extensive effort and increased coordination to ensure compliance and drive optimal value as they address regulatory imperatives such as the Volcker Rule and the Liikanen and Vickers structural measures, multijurisdictional enhanced supervision and prudential standards, cyber security, third-party risk oversight, consumer compliance requirements, contemplated AMA methodology reforms, and the Basel Committee on Banking Supervision's Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS 239), among others.

Survey Methodology and Background

The fifty-four question web-based Survey, which was developed in collaboration with leading institutions, focused on the following key areas of operational risk excellence and heightened regulatory expectations:
- Strategy and value, including queries about ORM's alignment with strategy and the benefits and objectives derived from the institutions' enterprise ORM framework.
- Stature, risk appetite, and governance, including queries about the level of operational risk appetite deployment across the firms, the alignment of risk appetite with incentives, and ORM's standing relative to other risk types, such as market and credit risk.
- Assessment, measurement, and management, including queries about the institutions' efforts to identify, assess, measure, and manage risk, as well as to define and deploy forward-looking indicators.
- Data, analysis, and reporting, including queries about the institutions' efforts to accurately and completely aggregate, analyze, and report ORM exposures.

The Survey consisted of multiple-choice questions that gauged the evolution of ORM practices and deployment. For certain questions, participants could elaborate on their responses by providing qualitative inputs.

Survey participants comprised financial institutions from North America (44 percent) and from the two other regions (33 percent and 23 percent), including G-SIFIs and Basel AMA banks, non-AMA large banks, and mid-size banks. Survey results provided insights into evolving industry practices and into areas where AMA and non-AMA institutions diverge and where regional differences exist.

Among the AMA respondents, 63 percent of the North American participants were commercial banks, while 67 percent of participants and 60 percent of participants in the other two regions were universal banks. Among the non-AMA respondents, 47 percent of the North American participants and 36 percent of the participants in one other region were commercial banks, while 67 percent of participants and 36 percent of participants were universal banks. The remaining respondents included investment banks, brokerages, investment management firms, and insurance companies. Among the AMA institutions surveyed, the three regions accounted for 46 percent, 37 percent, and 17 percent of headquarters; among the non-AMA institutions, the split was 42 percent, 30 percent, and 28 percent.

Among all AMA respondents, 83 percent of the Enterprise ORM Heads report to the Chief Risk Officer, with little variation among the regions, while the remaining ORM Heads report to the Bank-Wide Risk Management Officer/Enterprise Risk Management (ERM) Officer, the Chief Compliance Officer, or the Chief Executive Officer. Among non-AMA respondents, 86 percent of the Enterprise ORM Heads report to the Chief Risk Officer, while the remaining ORM Heads report to the Bank-Wide Risk Management Officer/ERM Officer, the Chief Compliance Officer, or the Chief Financial Officer.

Among all AMA respondents, 80 percent have been deploying their firms' enterprise ORM framework for at least seven years, with little variation among the regions. Among the non-AMA respondents, 75 percent of participants and 50 percent of participants in the two other regions, but only 24 percent of North American participants, have been deploying their firms' enterprise ORM framework for at least seven years (please see Chart 1).

Chart 1: How long has your firm's enterprise ORM framework been deployed?
(Columns: 10 or more years / 7-9 years / 4-6 years / 1-3 years. Rows are the three regions in the order the source reports them, followed by all respondents; some rows carry fewer values than columns in the source. Rows may not total 100 percent due to rounding.)

AMA
  19% / 56% / 13% / 13%
  33% / 56% / 11%
  40% / 40% / 20%
  27% / 53% / 13% / 7% (all AMA respondents)

Non-AMA
  6% / 18% / 29% / 47%
  42% / 33% / 17% / 8%
  29% / 21% / 14% / 36%
  23% / 23% / 21% / 33% (all non-AMA respondents)

Operational Risk Management Processes and Functions

As noted in Chart 2 below, AMA and non-AMA respondents reported that the following processes and functions were directly under ORM management:

Chart 2: What processes and functions are directly under ORM?
(Multiple responses allowed. Each line gives the three regional values in the order the source reports them, followed by the figure for all respondents in the group; some lines carry fewer values than columns in the source.)

AMA
  ORM policies: 89%, 97%
  Internal loss events: 94%, 89%, 93%
  Risk Analysis: 88%, 89%, 80%, 87%
  Risk monitoring: 94%, 78%, 80%, 87%
  RCSAs: 94%, 56%, 83%
  External loss events: 89%, 97%
  Scenario analysis/stress testing: 88%, 89%, 90%
  KRIs: 88%, 78%, 60%, 80%
  ORM framework validation: 81%, 67%, 80%
  Risk aggregation/risk profile: 63%, 67%, 80%, 67%
  ORM capital model: 63%, 89%, 77%
  Risk/control testing: 63%, 44%, 63%
  Risk appetite: 56%, 56%, 60%, 57%
  New product review: 50%, 56%, 40%, 50%
  Vendor risk management: 38%, 11%, 40%, 30%
  IT risk management: 13%, 67%, 0%, 27%
  BCP/DR: 25%, 0%, 20%, 17%
  Fraud/investigations: 19%, 11%, 20%, 17%
  Information security/cyber security: 13%, 11%, 40%, 17%
  Model governance: 6%, 33%, 20%, 17%
  Other: 31%, 0%, 0%, 17%
  Reputational risk management: 0%, 33%, 20%, 13%
  Financial controls/SOX: 13%, 11%, 20%, 13%
  Compliance: 6%, 0%, 40%, 10%
  Physical security: 6%, 0%, 20%, 7%

Chart 2 (continued)

Non-AMA
  ORM policies: (no values in the source)
  Internal loss events: 94%, 79%, 91%
  RCSAs: 92%, 79%, 91%
  Risk Analysis: 92%, 71%, 88%
  Risk monitoring: 88%, 92%, 79%, 86%
  Scenario analysis/stress testing: 88%, 75%, 71%, 79%
  KRIs: 82%, 92%, 64%, 79%
  External loss events: 88%, 92%, 43%, 74%
  Risk aggregation/risk profile: 76%, 75%, 64%, 72%
  ORM framework validation: 71%, 75%, 64%, 70%
  Risk appetite: 47%, 67%, 71%, 60%
  Risk/control testing: 47%, 50%, 50%, 49%
  New product review: 41%, 42%, 43%, 42%
  ORM capital model: 41%, 33%, 29%, 35%
  Vendor risk management: 24%, 17%, 36%, 26%
  BCP/DR: 41%, 25%, 36%, 35%
  Fraud/investigations: 18%, 17%, 43%, 26%
  IT risk management: 24%, 17%, 29%, 23%
  Information security/cyber security: 6%, 25%, 36%, 21%
  Model governance: 6%, 8%, 36%, 16%
  Other: 24%, 17%, 21%, 21%
  Reputational risk management: 0%, 25%, 29%, 16%
  Physical security: 6%, 8%, 36%, 16%
  Compliance: 0%, 0%, 43%, 14%
  Financial controls/SOX: 24%, 0%, 0%, 9%

For the Other category, respondents noted insurance, fiduciary risk, business process transition risk, concentration risk, operational risk economic capital allocation, risk-based incentive compensation, SSAE 16 report reviews, BSA/AML, embedded second line operational risk officers, policy and corporate governance, privacy and international operational risk, and financial crime policies and standards.

RESULTS COMPARISON
The results of AMA and non-AMA participants were generally in line. The major differences were:
- RCSAs in the region: 56 percent of AMA respondents reported that they were under ORM management, versus 92 percent of non-AMA respondents.
- External loss events in the region: 100 percent of AMA respondents reported that they were under ORM management, versus 43 percent of non-AMA respondents.
- Scenario analysis/stress testing in the region: 100 percent of AMA respondents reported that it was under ORM management, versus 71 percent of non-AMA respondents.
- ORM framework validation in the region: 100 percent of AMA respondents reported that it was under ORM management, versus 64 percent of non-AMA respondents.
- ORM capital modeling across all regions: 77 percent of AMA respondents reported that it was under ORM management, versus 35 percent of non-AMA respondents.

Strategy and Value

ORM alignment with strategy is critical to achieving sustainable value add and to ensuring effective risk identification, assessment, and mitigation. However, reflecting the need for further positioning of the ORM framework, the Survey revealed that no more than 20 percent of AMA respondents in the regions stated that their ORM framework fully aligns with their firms' strategy, or that risk is an integrated component of their strategic planning. While a significant portion of AMA respondents (from 50 percent in one region to 89 percent in another) noted partial ORM alignment with strategy, these results bring into question whether operational risk is fully considered in launching and implementing significant strategic change (please see Chart 3).

Chart 3: Does your ORM framework enable integrated risk and performance management in your firm?
(Columns: Fully / Partially / Beginning to / Does not. Rows are the three regions in the order the source reports them, followed by all respondents; some rows carry fewer values than columns in the source. Rows may not total 100 percent due to rounding.)

AMA
  19% / 50% / 31%
  11% / 89%
  20% / 60% / 20%
  17% / 63% / 20% (all AMA respondents)

Non-AMA
  18% / 24% / 47% / 12%
  25% / 42% / 25% / 8%
  21% / 43% / 29% / 7%
  21% / 35% / 35% / 9% (all non-AMA respondents)

RESPONDENT COMMENTS
When asked if their ORM framework aligns process, people, policy, and infrastructure against strategy in their firms, respondents stated:

First region: This could be more transparent, but work has started. We are not there yet with linking processes to our RCSA or ORM framework. With the recent rollout of risk profiling, RCSAs, policy governance, and new product and initiative policies throughout the company, we are enhancing the alignment of these elements with strategic decisions. Each of these elements is considered in assessing strategic plans, launching new businesses and products, or implementing significant change. Our strategic planning policy and new business and product policy are relatively new, and processes around them are not yet embedded and practiced to their full strength.

Second region: Our ORM processes support management's decisions, but they are not fully integrated into our strategy. We are in the midst of rolling out our framework across our critical processes (i.e., those rated high and very high) across all of our locations. Although our alignment of process, people, and policy is underway, our alignment of infrastructure and strategy still needs to be developed further.

Third region: Our business strategy and ORM review have taken place for the past two years; however, they are not formally linked to our ORM assessment. Rather, they act as a guide in assessing the impact. Our ORM framework is a key lens for our strategy development, but it does not always align all aspects of process, people, policy, and infrastructure, as there may be alternative drivers/lenses. Our risk appetite and strategy planning discussions will be linked with the Board this year.

Resetting ORM for Enhanced Value: When asked if their firm had reset its ORM framework to drive greater strategic value for the business and to meet heightened regulatory expectations, AMA responses across the three regions varied: from 33 percent of participants in one region to 50 percent in another reported that their efforts were well underway, while 11 percent of participants in one region and 50 percent in another reported that they had completed efforts to strengthen their ORM frameworks. For both AMA and non-AMA respondents in one region, the ability to meet heightened regulatory expectations through strong risk management was a driving factor in the ORM framework reset, while AMA and non-AMA respondents in the other two regions cited stress testing/scenario analysis as a key driver (please see Chart 4).

Chart 4: Has your firm restructured / reset its ORM framework to drive greater strategic value for the business and meet heightened regulatory standards?
(Columns: Restructure/reset complete / Well underway: 2+ years / Initiated: 1-2 years / Just started: 0-1 year / In planning / Not pursuing. Rows are the three regions in the order the source reports them, followed by all respondents; some rows carry fewer values than columns in the source. Rows may not total 100 percent due to rounding.)

AMA
  13% / 44% / 31% / 13%
  11% / 33% / 22% / 11% / 11% / 11%
  50% / 50%
  17% / 41% / 24% / 3% / 3% / 10% (all AMA respondents)

Non-AMA
  18% / 29% / 24% / 24% / 6%
  8% / 17% / 33% / 8% / 25% / 8%
  14% / 29% / 29% / 14% / 7% / 7%
  7% / 21% / 30% / 16% / 19% / 7% (all non-AMA respondents)

RESPONDENT COMMENTS
When asked if their reset supported regulatory requirements such as supervisory examinations, the AMA use test, and Dodd-Frank compliance, respondents stated:

First region: It supports the AMA use test and is being embedded in the business for management decision-making; embedding the ORM framework is the foundation for strong enterprise risk management and heightened OCC expectations. It is not actually a reset, because the ORM framework continually evolves with the environment and our learning. Our parent is applying for and expected to receive AMA accreditation. The Basel AMA is a future consideration. While we have several Dodd-Frank activities underway across the organization and we are utilizing appropriate program management and assessment techniques, we have not linked Dodd-Frank compliance specifically to the ORM framework.

Second region: No comments received.

Third region: It enhances the robustness of our risk management. Our original framework supported these elements. Australian Securities and Investments Commission (ASIC) requirements. The framework elements can be used as a basis for most assessments, such as stress testing, scenario analysis, or incident analysis. So far, only our incident analysis and part of our business strategy planning have utilized this framework.

Key Objectives & Benefits: In terms of objectives to be derived from resetting their ORM frameworks, enhanced internal control, risk mitigation, regulatory compliance, and information security were the most important ones cited by respondents in the three regions. The majority of AMA respondents across the regions also mentioned the importance of enhancing their reputation, while a significant percentage of both AMA and non-AMA respondents cited vendor risk management and product/system implementations as additional top objectives.

When asked to describe the benefits derived from their ORM frameworks, respondents in all regions named a reduction in the frequency and severity of losses and improved regulatory standing as two of the top benefits. Respondents also noted increased role clarity across the three lines of defense and greater knowledge of top risks and control issues. It is interesting to note that achieving strategic objectives/return targets and improved customer satisfaction were not yet widely cited as derived benefits. These benefits will likely become more common across the industry as additional firms focus on strategy, value, and use-test results (please see Chart 5).

Chart 5: What benefits have you derived from your ORM framework?
(Multiple responses allowed. Each line gives the three regional values in the order the source reports them, followed by the figure for all respondents in the group; some lines carry fewer values than columns in the source.)

AMA
  Regulatory standing: 88%, 93%
  Loss avoidance/reduction (frequency and severity): 81%, 89%, 80%, 83%
  Basel AMA qualification: 63%, 89%, 77%
  Enhanced reputation: 63%, 44%, 60%, 57%
  Efficiency: 38%, 56%, 40%, 43%
  Strategic objectives/return: 38%, 22%, 60%, 37%
  Customer satisfaction: 31%, 22%, 20%, 27%
  Other: 19%, 22%, 0%, 17%

Non-AMA
  Regulatory standing: 88%, 67%, 64%, 74%
  Loss avoidance/reduction (frequency and severity): 88%, 75%, 93%, 86%
  Basel AMA qualification: 6%, 0%, 14%, 7%
  Enhanced reputation: 53%, 42%, 43%, 47%
  Efficiency: 29%, 50%, 50%, 42%
  Strategic objectives/return: 29%, 25%, 21%, 26%
  Customer satisfaction: 29%, 33%, 29%, 30%
  Other: 6%, 0%, 21%, 9%

Stature, Risk Appetite, and Governance

ORM Maturity & Stature: Banks operating with strong ORM frameworks evidence that operational risk has consistent stature with other risk types and demonstrate ORM maturity across all lines of business. Survey results indicate that there is still work to be done in all regions. For instance, among AMA institutions, only 60 percent of institutions in one region and 56 percent of North American institutions state that the Board and Executive Management have fully elevated the stature of ORM within their enterprise risk management framework (please see Chart 6), while 67 percent of institutions in the third region acknowledged that ORM's stature has been only partially elevated. For non-AMA institutions, participants in one region (50 percent) lead North American participants (35 percent) and those in the third region (21 percent) in responding that ORM's stature has been fully elevated.

Chart 6: Has the Board and Executive Management elevated the institutional stature of ORM to align with business strategy and heightened regulatory standards?
(Columns: Fully / Partially / Beginning to / Not yet. Rows are the three regions in the order the source reports them, followed by all respondents; some rows carry fewer values than columns in the source. Rows may not total 100 percent due to rounding.)

AMA
  56% / 25% / 19%
  67% / 22% / 11%
  60% / 40%
  40% / 40% / 17% / 3% (all AMA respondents)

Non-AMA
  35% / 35% / 18% / 12%
  50% / 25% / 8% / 17%
  21% / 21% / 36% / 21%
  35% / 28% / 21% / 16% (all non-AMA respondents)

The responses show the same trend for the question of whether ORM receives equal time and attention from the Board and Executive Management as credit risk and market risk. The maturity of ORM business ownership continues to evolve, as AMA and non-AMA institutions across regions recognize there is important work ahead to strengthen business ownership and operational risk maturity consistently across all lines of business. For example, only about 20 percent of AMA respondents in the three regions stated that business ownership and operational risk maturity are fully consistent across business lines. Full consistency was reported by even fewer non-AMA institutions.

Clear Roles & Responsibilities: Similarly, less than half of AMA respondents in each region stated that ORM roles, responsibilities, policies, and procedures are clearly defined and understood by the first and second lines of defense. The majority of AMA respondents stated, however, that they have made partial progress towards this goal. The responses of non-AMA respondents showed the same trend: less than half stated they have made full progress, but about half (41 percent in one region and 50 percent in the other two) stated that they have made partial progress. On a positive note, AMA respondents in the three regions almost universally reported that Risk Management and the Board firmly recognize ORM's value to the organization and its alignment with business strategy and performance. That recognition was also noted by Executive Management. However, recognition of ORM by the lines of business trailed recognition by other areas, reinforcing that the ORM use test and ORM's value have yet to be fully embedded at the business line level.

ORM Integration with Business Activities: It is encouraging to see that all AMA respondents in two regions, and almost 90 percent of North American respondents, stated they have fully or partially integrated and embedded their ORM processes and systems into business activities across the enterprise. It was also notable that 50 percent or more of non-AMA respondents in the three regions stated they have embedded their processes and systems, or are working to do so.

Risk Appetite & Governance: Effectively defining a firm's risk appetite (i.e., the aggregate level and type of risk the Board and Executive Management are willing to assume to achieve the bank's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements), and then monitoring and managing against that appetite, is a key element of strong risk management. Survey results indicate that firms are working to define and manage their risk appetite, but additional work is needed to fully deploy both qualitative and quantitative measures of operational risk appetite across the enterprise (please see Chart 7).

Chart 7: Has the Board and Executive Management defined and cascaded operational risk appetite at the following levels?
(Multiple responses allowed. Each line gives the three regional values in the order the source reports them, followed by the figure for all respondents in the group; some lines carry fewer values than columns in the source.)

AMA
  Enterprise level: 94%, 78%, 90%
  Business lines: 56%, 33%, 80%, 53%
  Entity: 31%, 22%, 40%, 30%
  Location: 13%, 22%, 0%, 13%
  Process: 13%, 0%, 0%, 7%
  Product: 38%, 44%, 40%, 40%
  Other: 13%, 33%, 0%, 17%
  None: 0%, 11%, 0%, 3%

Non-AMA
  Enterprise level: 88%, 83%, 86%, 86%
  Business lines: 35%, 50%, 57%, 47%
  Entity: 12%, 17%, 7%, 12%
  Location: 6%, 8%, 0%, 5%
  Process: 0%, 8%, 0%, 2%
  Product: 18%, 25%, 29%, 23%
  Other: 0%, 17%, 14%, 9%
  None: 12%, 8%, 7%, 9%

For example, almost all AMA and non-AMA institutions in the three regions reported that they define operational risk appetite at the enterprise level. However, results vary significantly as to defining operational risk appetite at lower levels. For instance, from 33 percent to 80 percent of AMA respondents, depending on the region, stated that they have defined and cascaded their operational risk appetite to the business line level. As Chart 7 indicates, operational risk appetite below the business line has largely yet to be defined. However, several North American AMA respondents commented that, while operational risk appetite was not defined below the business line level, operational risk key risk indicator (KRI) thresholds and tolerances were in place across processes.

Operational Risk Appetite Monitoring & Management: With respect to operational risk appetite monitoring and management, a significant portion of AMA respondents in North America and in one other region indicated that ORM is fully escalating issues that exceed their firm's operational risk appetite; only 22 percent of AMA respondents in the remaining region did so (please see Chart 8). However, 67 percent of non-AMA respondents in that region reported full escalation of issues outside of risk appetite/thresholds. Some respondents commented that consistency of escalation improves as their firms' operational risk appetite matures and is defined in more quantitative terms. However, quantifiable measures of risk appetite that span and link operational risk taking, business performance, and compensation have yet to be deployed.

Chart 8: Does ORM consistently escalate issues that are outside the firm's risk appetite/thresholds?
(Columns: Fully / Partially / Beginning to / Not yet. Rows are the three regions in the order the source reports them, followed by all respondents; some rows carry fewer values than columns in the source. Rows may not total 100 percent due to rounding.)

AMA
  56% / 25% / 19%
  22% / 44% / 22% / 11%
  60% / 20% / 20%
  47% / 30% / 17% / 7% (all AMA respondents)

Non-AMA
  47% / 24% / 18% / 12%
  67% / 17% / 8% / 8%
  43% / 21% / 21% / 14%
  51% / 21% / 16% / 12% (all non-AMA respondents)

Assessment, Measurement, and Management

Integrated Risk & Performance

Integrated risk and performance management is an increasing priority for many institutions. In a positive industry trend, the Survey noted that at least 80 percent of AMA respondents across the three regions stated their ORM framework fully or partially enables integrated risk and performance management, including regular metric reporting via dashboards. While non-AMA response rates are relatively close to those of AMA respondents, non-AMA institutions in two of the regions are in the beginning stages of the effort. It was also noted that the majority of AMA and non-AMA respondents across the three regions stated that ORM was fully integrated into their firm's ERM framework.

Risk Assessment

The ability to effectively identify, assess, measure, and manage risk is vital for operational risk excellence and strong risk management. Survey results show that operational risk assessment efforts continue to evolve and strengthen, including efforts to define and deploy forward-looking indicators. At least 69 percent of AMA respondents in the three regions fully or partially tie risk assessment identification, escalation, and management to their operational risk appetite (please see Chart 9). While the response rates for non-AMA institutions in the three regions varied widely, 92 percent of non-AMA respondents in one region stated that they fully or partially tie risk assessment identification, escalation, and management to their operational risk appetite.

Chart 9: Do your operational risk assessment processes (i.e., RCSA, KRIs, loss data, and scenario analysis) tie to defined risk appetite thresholds for effective identification, escalation, and management of risk? (AMA and non-AMA respondents by region; responses: Fully / Partially / Beginning to / Not yet; percentages may not total 100 due to rounding.)

With respect to forward-looking indicators, 60 percent () and 78 percent () of AMA respondents felt their ORM assessment processes fully or partially serve as forward-looking indicators of current and emerging risk. As one would expect, results were less favorable for non-AMA respondents. Efforts to develop forward-looking indicators and enhance their predictive value are vital as firms work to strengthen their capabilities to identify and manage operational risk.

Over 50 percent of AMA and non-AMA respondents in the three regions stated that their ORM processes currently promote efficient risk taking and mitigation. Respondents stated that efforts towards more efficient and effective risk taking and mitigation are evolving as business lines mature, risk appetite is further deployed, scenario processes gain robustness, and risk acceptance and/or mitigation alternatives are evaluated.

Roles and Responsibilities: Consistent with the need to strengthen operational risk governance, over 50 percent of AMA respondents in the three regions confirmed the need to further clarify roles and responsibilities across the first and second lines of defense, including those affecting risk assessment in support functions such as Finance, Human Resources, and Technology. For non-AMA respondents, 8 percent () and 29 percent () stated they are just beginning efforts to clarify roles and responsibilities, efforts that are critical for effective risk identification, assessment, measurement, and management.

Communication

A large majority of both AMA and non-AMA respondents indicated that communication between their first and second lines of defense on emerging operational risks and on changes to the internal and external environment is an area that, although improving, needs strengthening. For instance, only 22 percent (), 25 percent (), and 40 percent () of AMA respondents felt communication was effective. Respondents noted that several governance structures were in place to support communication, including committees, working groups, risk assessment forums, and structured meetings. Still, other respondents indicated that evidence of effective communication is difficult to provide and that the tools and techniques to identify forward-looking and emerging risks are still in development (please see Chart 10).

Chart 10: How effective is communication between the 1st and 2nd lines on emerging operational risks and on changes to the internal and external environment? (AMA and non-AMA respondents by region; responses: Effective / Improving / Limited / Weak; percentages may not total 100 due to rounding.)

Risk Taxonomies: An overwhelming majority of AMA and non-AMA respondents in the three regions stated they have fully or partially established consistent ORM definitions and taxonomies across the first and second lines of defense. One respondent stated that consistent definitions and taxonomies were the "cornerstone" of their efforts to build effective ORM and ERM frameworks.

Risk Assessment Convergence: In a positive development, 38 percent of AMA respondents in two of the regions stated they have established a consistent RCSA approach for multiple risk assessment types (i.e., ORM, compliance, business continuity planning, vendor, and information technology security). That figure increased to over 70 percent for AMA respondents in the third region. As these efforts progress, firms can expect enhanced risk management effectiveness, integration, and efficiency.

Back Testing & Calibration

No AMA respondents in one region, and approximately 20 percent of AMA respondents in the other two, are fully conducting back testing to confirm the accuracy and consistency of first line of defense operational risk assessments. In addition, at least 19 percent of AMA institutions across the three regions have yet to begin back-testing efforts (please see Chart 11). This is an important area of focus, as the value derived from using ORM data for risk intelligence and decision-making requires confidence and accuracy in the data.

Chart 11: Do you conduct back testing to confirm the 1st line of defense is accurately and consistently assessing operational risk? (AMA and non-AMA respondents by region; responses: Fully / Partially / Beginning to / Not yet; percentages may not total 100 due to rounding.)

Stress Testing: Fifty-six percent () and 80 percent () of AMA respondents reported they stress test ORM capital against economic cycles, downturns, and tail events via their Comprehensive Capital Analysis and Review (CCAR) or other activities. However, about 70 percent of non-AMA respondents in two of the regions either do not maintain ORM capital or have yet to stress test it.

Challenge

Effective challenge of the first line of defense continues to advance in the industry among AMA and non-AMA institutions, particularly with respect to RCSA tools and new product initiatives. Nevertheless, survey results show there is still more to be done to strengthen challenge activities (please see Chart 12).

Chart 12: Does ORM provide effective challenge to 1st line (business lines) assessment, monitoring, mitigation, reporting, planning, and strategic/tactical decision-making? (AMA and non-AMA respondents by region; responses: Fully / Partially / Beginning to / Not yet; percentages may not total 100 due to rounding.)

Towards the goal of effective challenge, Survey results did show that 11 percent () and 40 percent () of AMA respondents fully leverage their ORM framework to challenge business model options and returns, including the assumptions, risks, and controls embedded in their new products, mergers, acquisitions, and divestitures. However, it was surprising to find that at least 20 percent of AMA respondents in the three regions have not yet started to apply effective challenge in these areas. With respect to non-AMA respondents, it was encouraging to see that over 50 percent of respondents in the three regions are at least partially leveraging their ORM frameworks to enhance challenge and to foster better risk management.

Risk Intelligence

Accurate risk information provides the intelligence firms need to make informed, risk-based decisions in day-to-day activities and strategic planning. As noted elsewhere, while many respondents are making important strides to enhance the quality of their operational risk intelligence, there is still much work ahead. For instance, only 11 percent of AMA respondents in one region and 13 percent in another state they have calibrated their ORM assessment processes to create reliable, actionable risk intelligence for decision-making. At the same time, 40 percent of AMA respondents in the third region have calibrated their ORM assessment processes (please see Chart 13).

Chart 13: Do your operational risk assessment processes calibrate against each other to create reliable, actionable risk intelligence for decision making? (AMA and non-AMA respondents by region; responses: Fully / Partially / Beginning to / Not yet; percentages may not total 100 due to rounding.)

It was also interesting to note that, while robust risk intelligence is still being developed, at least half of AMA and non-AMA respondents in the three regions stated that their operational risk intelligence is partially influencing management behavior. Further, both AMA and non-AMA respondents stated that business lines are maturing both in their ownership of risk and in their use of "risk intelligence." As a result, the majority of AMA respondents in the three regions, and a slightly smaller portion of non-AMA respondents, stated they were at least partially applying "risk intelligence" in business line decision-making.

Metrics Reporting via ORM Dashboards: With respect to operational risk metrics and reporting (covered further in the next section), the data vary by region, with 22 percent of AMA respondents in one region (versus 75 percent of AMA respondents in another) stating their reporting includes ORM dashboards to alert Board and Executive Management of changing risk conditions and support decision-making. In addition, respondents also noted that enhancements to their KRIs and taxonomies for dashboard information are needed.

Early Identification & Escalation: The responses regarding early identification and escalation show variations between the three regions as well. Fifty-six percent of AMA respondents in one region stated their operational risk KRIs include triggers for early warning notification and management of risk, while only 20 percent of AMA respondents in another did. In contrast, 60 percent of AMA respondents in one region felt they already had effective processes to escalate operational risk events, versus lower responses elsewhere.
While the response rates differed by region, over half of all AMA and non-AMA respondents stated they had incorporated, or were well underway to incorporating, operational risk appetite and risk intelligence into their new business/product decisions to reflect process capacities and threats. Additionally, at least 30 percent of AMA firms across the three regions stated they have deployed scenario analysis to support capital planning, business decision-making, and process/system enhancement (versus less than 25 percent for non-AMA respondents). However, near miss analysis has yet to be broadly deployed by several AMA and non-AMA respondents, a potentially significant area of risk intelligence yet to be developed.

Data, Analysis, and Reporting

The ability to completely and accurately aggregate, analyze, and report ORM exposures is an essential capability of strong risk management and a requirement for global systemically important banks (G-SIBs), as noted in the BCBS 239 publication. Data-related issues are becoming increasingly important to AMA and non-AMA institutions as the regulatory community and business leaders continue to stress the importance of sound risk data governance, aggregation, integration, and reporting.

The Survey reveals that the industry is continuing to make advancements with respect to data quality. For example, 86 percent of AMA and 65 percent of non-AMA respondents stated that their ORM data is fully or partially supported by effective governance, standards, and data stewards. Only 13 percent of AMA and 35 percent of non-AMA respondents stated they are beginning to, or have yet to, deploy effective data governance and standards (please see Chart 14).

Chart 14: Is your operational risk data supported by clear governance, standards, and data stewards? (AMA and non-AMA respondents by region; responses: Fully / Partially / Beginning to / Not yet; percentages may not total 100 due to rounding.)

Furthermore, 87 percent of AMA and 51 percent of non-AMA respondents state they validate, or partially validate, the accuracy and completeness of their ORM data through formal quality assurance (QA) processes. One respondent stated that, while some elements of their institution's QA process are quite new and are being refined, there is a comprehensive program in place that includes data quality validation and monitoring.

Almost 70 percent of AMA respondents and 65 percent of non-AMA respondents stated that their ORM dashboards were at least partially supported by integrated data and metrics (please see Chart 15). However, several respondents indicated that fully robust data quality is still on the horizon, and management factors data accuracy and integrity into its decision-making and planning for this reason.

Chart 15: Is your operational risk dashboard supported by robust and integrated data and metrics? (AMA and non-AMA respondents by region; responses: Fully / Partially / Beginning to / Not yet; percentages may not total 100 due to rounding.)

RESPONDENT COMMENTS

When asked if their operational risk dashboard was supported by robust and integrated data and metrics, respondents stated:

"Not sure that it can be called robust yet. Several KRIs for the various business lines have been established within the last year. They are still developmental and being reassessed." "We need to improve the quality of many of our KRIs, but there is still a lot of good information being gathered, shared, and applied to management decisions." "The operational risk dashboard is supported by data and metrics, but it is currently more qualitative than ideal and not fully integrated with all elements of the framework. An effort is underway to enhance the dashboard with metrics and linkages with all elements of the framework."

"Our dashboard looks at process and controls as well as their operating effectiveness on a monthly basis. Control defects are identified and form the basis of determining residual risk."

"We apply a mixture of key indicators and qualitative judgment. A divisional operational risk dashboard has been completed that is also consolidated at the group level. Although robustness is subjective, there are indicators and/or controls identified for every risk type." "We have multiple dashboards across all elements of our ORM framework based on key metrics."

Operational Risk Reporting

With respect to reporting, both AMA and non-AMA respondents noted that, while they have comprehensive ORM reporting at the Board, Executive Management, and business line levels, they need to enhance their reporting across other areas, such as process, product, location, and legal entity (please see Chart 16). The importance of enhancing risk data aggregation and risk reporting across all material group entities was also echoed in the BCBS 239 publication.

Chart 16: Do you have comprehensive reporting of operational risk and its impact on business strategy, performance, risk appetite, and capital at the following levels? (Multiple responses allowed. Columns are the three survey regions, whose names were not recovered, followed by all respondents; cells marked "-" were not recovered.)

AMA
Level             Region 1  Region 2  Region 3  All
Enterprise          94%        -       80%      93%
Board level         81%        -        -       90%
Business lines      81%       89%      80%      83%
Entity              38%       67%      40%      47%
Location            19%       33%      60%      30%
Process              6%       33%      20%      17%
Product             13%       22%      20%      17%
Other                6%       22%       0%      10%
None                 6%        0%       0%       3%

Non-AMA
Level             Region 1  Region 2  Region 3  All
Enterprise          76%       67%      79%      74%
Board level         71%       75%      71%      72%
Business lines      65%       75%      50%      63%
Entity              29%       33%      29%      30%
Location            18%       17%       7%      14%
Process             24%       25%       7%      19%
Product              6%       17%       0%       7%
Other                6%        8%       0%       5%
None                 6%        8%      14%       9%

The Road Ahead

Conclusion

ORM remains critically important to the strategic success of all financial institutions, and Survey results reveal that important strides continue to be made across all regions by both AMA and non-AMA institutions. ORM is improving its standing relative to other risk types and its contribution to business/risk decision-making and strategic planning. Going forward, financial institutions will need to expand efforts to deploy qualitative and quantitative measures of risk appetite across business lines, legal entities, processes, and other key areas. Firms need to broaden efforts to identify, assess, measure, and manage operational risk against defined risk appetite levels and thresholds. They will also be expected to provide effective challenge to first line risk information and to enhance data governance, integrity, and aggregation for greater risk intelligence and actionable reporting.

As financial institutions move forward, they are also likely to face considerable challenges in meeting competitive business pressures and in complying with the heightened regulatory environment. Current and emerging regulatory imperatives will all require expanded efforts by risk management and business lines to strengthen ORM even as AMA requirements change. The financial services industry also continues to contend with identifying, quantifying, and mitigating risks embedded within its products and services, as well as with establishing an effective, measurable, and sustainable risk culture. Achieving this is particularly challenging, as operational risk resides in every business line and functional area of an institution and often surfaces in other risk areas. Nevertheless, the industry is seeing a distinct maturing of the ORM discipline across many leading financial institutions and an evolving awareness of ORM within business lines.
Firms are no longer considering operational risk in isolation but, rather, are now seeking to link their ORM frameworks with their broader risk management initiatives. They are continuing to connect their strategic decision-making with their risk-taking activities in order to better communicate and cascade their risk appetites throughout their business lines. This involves enabling firms to understand the risks they are taking and providing those accountable with tools to actively monitor and assess these risks. While it is essential for financial institutions to proactively address increasingly stringent regulatory expectations, these requirements alone should not be used as a substitute for establishing an effective risk culture and strong ORM processes that will, in turn, provide invaluable strategic insights, better inform management of true product costs and emerging exposures, and guide capital planning efforts.

The KPMG/RMA Operational Risk Management Excellence 2015 Global Heightened Practices Survey results are encouraging, as they confirm the industry is continuing efforts to further evolve ORM to provide enhanced business value and meet heightened regulatory expectations. Nonetheless, it is clear that there is still room for ORM to grow in order to truly become the third leg of the enterprise risk management stool alongside credit and market risk.

KPMG and the RMA appreciate the respondents' support of this Survey and look forward to the further evolution of the ORM discipline.

For additional information, please contact:

Global Survey Leadership and Americas Region
Hugh C. Kelly, Principal and National Lead (retired), Bank Regulatory Advisory, KPMG LLP. T: 202-533-5200. E: hckelly@kpmg.com
Phil Bray, Principal, Operational Risk Management, KPMG LLP. T: 704-516-441. E: pbray@kpmg.com
Edward J. DeMarco, Jr., General Counsel and Director of Operational Risk & Regulatory Relations/Communications, The Risk Management Association. T: 215-446-4052. E: edemarco@rmahq.org
David L. Stone, Director, Financial Services Risk Management, KPMG LLP. T: 703-380-7247. E: dstone2@kpmg.com
Sylwia Czajkowska, Associate Director, Operational Risk, The Risk Management Association. T: 215-446-4071. E: sczajkowska@rmahq.org
Lisa M. Newport, Associate Director, Americas Financial Services Regulatory Center of Excellence, KPMG LLP. T: 202-533-3075. E: lisanewport@kpmg.com

Region
Steven Shaw, Senior Regional Consultant, Europe, The Risk Management Association. T: +44-0-1732-463875. E: sshaw@rmahq.org
Prof. Dr. Thomas Kaiser, Director, Financial Risk Management, KPMG AG. T: +49-69-9587-6283. E: thomaskaiser@kpmg.com
Andrea Antonio Colombo, Senior Manager, KPMG Advisory S.p.A. T: +3902676431. E: andreacolombo@kpmg.it

Region
Chris Yip, Senior Regional Consultant, Asia, The Risk Management Association. T: +65-9631-1866. E: cyip@rmahq.org
Mike Ritchie, Partner in Charge, Advisory, KPMG LLP. T: +61-2-9335-8251. E: mikeritchie@kpmg.com.au

Contributions by Seiji Kamiya, Partner, KPMG Japan; Gary Daniel Chia, Partner, KPMG Singapore; Simon Topping, Partner, KPMG Hong Kong; Gary Mellody, Partner, KPMG Hong Kong; Daniel Casey, Senior Associate, KPMG LLP; Dace Embrekte-Ives, Senior Associate, KPMG LLP; and Maja Parcinski, Senior Associate, KPMG LLP.

kpmg.com
rmahq.com

2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International. NDPPS 514802