Monitor compliance. Manage risk. Execute strategy. Managing Your Risk Taxonomy within StratexPoint October 2016

Purpose

The purpose of this presentation is to provide an understanding of how to manage a risk taxonomy via StratexPoint.

Topics covered: managing a regulatory risk taxonomy; managing a business risk taxonomy.

The StratexPoint solution is designed to support two risk taxonomies within its ‘Framework’

Regulatory Risk Taxonomy

A three-level taxonomy based on the standard Basel classification of operational risk (see Appendix A).

Designed to support regulatory reporting and compliance.

Business Risk Taxonomy

A multi-level taxonomy based on leading management methodologies, including the Risk-Based Performance Management methodology.

Designed to support strategic and operational decision-making & execution.

Regulatory Risk Taxonomy (Supported by the Stratex framework)

Taxonomy: Example

Level 1 Classification (Master within StratexPoint): 1.7 Execution, delivery and process management

Level 2 Classification (Major within StratexPoint): 1.7.1 Transaction capture, execution and maintenance

Level 3 Classification (Minor within StratexPoint): 1.7.1.3 Non-conformance with Policy or procedure

Risk Group: Key

Risk Type: Operational

Business Risk Taxonomy (Inherent within the Stratex framework)

Strategic Risk: Business Model Risk, Business Execution Risk, Business Alignment Risk

Operational Risk: Process Risk, Project (Change) Risk, Technology Risk, People Risk, Vendor (3rd Party) Risk, Information Assets, Physical Assets, Financial Assets

Compliance Risk: Legal Risk, Product Risk, Regulatory Risk, Quality Risk, Business Assurance Risk

Conduct Risk: Business Model Risk, Business Execution Risk, Process Risk, Project Risk, Technology Risk, Product Risk, People Risk

Reputational Risk: Strategic Risk, Operational Risk, Compliance Risk, Conduct Risk, People Risk, Business Assurance Risk, Culture & Accountabilities

Appendix A: Basel Operational Risk Classification

Level 1 (Master Category within StratexPoint)

0. Unassigned
1.1 Internal Fraud
1.2 External Fraud
1.3 Employment practices & workplace safety
1.4 Clients, products & business practices
1.5 Damage to physical assets
1.6 Business disruption and systems failure
1.7 Execution, delivery and process management

Level 2 (Major Category within StratexPoint)

0. Unassigned
1.1.1 Unauthorised Activity
1.1.2 Theft & Fraud
1.2.1 Theft
1.2.2 Systems Security
1.3.1 Employee relations
1.3.2 Safe Environment
1.3.3 Diversity & Discrimination
1.4.1 Suitability, disclosure and fiduciary
1.4.2 Improper business or market practices
1.4.3 Product flaws
1.4.4 Selection, sponsorship and exposure
1.4.5 Advisory activities
1.5.1 Disaster & other events
1.5.2 Maintenance of Physical Assets
1.6.1 Systems
1.7.1 Transaction capture, execution and maintenance
1.7.2 Monitoring & Reporting
1.7.3 Customer intake & documentation
1.7.4 Customer / client account management
1.7.5 Trade counterparties
1.7.6 Vendor & suppliers

Level 3 (Minor Category within StratexPoint)

0. Unassigned
1.1.1.1 Transactions performed without delegated authority
1.1.1.2 Transactions performed beyond delegated authority
1.1.1.3 Deliberate misrepresentation, deceit, deception
1.1.1.4 Computer crime
1.1.2.1 Theft, robbery, misappropriation of assets
1.1.2.2 Fraud (other than forgery)
1.1.2.3 Destruction of assets
1.1.2.4 Forgery
1.1.2.5 Bribes / inducements
1.2.1.1 Theft, robbery
1.2.1.2 Forgery
1.2.2.1 Hacking
1.2.2.2 Theft of information
1.3.1.1 Compensation, benefit, termination issues
1.3.1.2 Organised labour activity
1.3.1.3 Lack of suitable employees, loss of key personnel, other personnel issues
1.3.2.1 Failure to comply with legislative requirements
1.3.2.2 Failure to comply with the organisation's rules
1.3.3.1 Discrimination of all types
1.4.1.1 Suitability / disclosure (e.g. KYC)
1.4.1.2 Breach of confidentiality (except data protection matters)
1.4.2.1 Market manipulation, improper trade / market practices
1.4.2.2 Insider trading, unlicensed activity
1.4.2.3 Money Laundering
1.4.3.1 Product defects
1.4.3.2 Model errors
1.4.4.1 Failure to investigate client
1.4.4.2 Exceeding client exposure limits
1.4.5.1 Disputes over provision of inappropriate advice
1.5.1.1 Natural disaster losses
1.5.1.2 War, changes in law, political risk
1.5.1.3 Terrorism, vandalism
1.5.1.4 Theft & Robbery of physical assets
1.5.2.1 Inadequate maintenance of physical assets
1.6.1.2 Major IT systems failure – other (Hardware, software, telecommunications utilities)
1.7.1.1 Miscommunication
1.7.1.2 Data entry, maintenance or loading error
1.7.1.3 Non-conformance with Policy or procedure
1.7.1.4 Non-compliance with statutory / legal obligation
1.7.1.5 Non-compliance with regulatory obligation
1.7.1.6 Model / system mis-operation, delivery failure
1.7.1.7 Accounting error
1.7.1.8 Other task mis-performance
1.7.1.9 Inappropriate behavior
1.7.1.10 Collateral management failure
1.7.1.11 Ineffective change management
1.7.1.12 Failure to realise project objectives
1.7.2.1 Failed regulatory reporting obligation
1.7.2.2 Failed statutory reporting obligation
1.7.3.1 Customer authorities missing
1.7.3.2 Legal documents missing / incomplete
1.7.4.1 Unauthorised access given to customer / client accounts
1.7.4.2 Incorrect client records
1.7.4.3 Negligent loss or damage of client assets
1.7.5.1 Non-client counterparty mis-performance
1.7.5.2 Non-client counterparty disputes
1.7.6.1 Failed / ineffective outsourcing arrangements
1.7.6.2 Vendor disputes

About Ascendore & StratexPoint

About Ascendore

We believe that risk management and compliance must enable strategy execution and value creation, not simply tick regulatory boxes.

Who we are

We are a technology firm that understands Governance, Risk and Compliance (GRC) and how to embed cultural change and accountabilities.

What we do

We provide the leading SharePoint-based Governance, Risk and Compliance (GRC) solution to financial services firms and their regulators.

How we do it

We manage the delivery of our solution as a business change project, not as a technical software implementation.

Our Values

Ambitious, Accountable, Aligned, Agile

We wrote the book on integrating strategy and risk management

Our conceptually sound framework and change roadmap is based on a proven methodology.

Typical problems we solve with our customers

Embedding the right risk and compliance culture

Establishing a single repository of risk and compliance data

Reducing the time and complexity associated with using spreadsheet-based risk and compliance registers

Ensuring each of the three lines of defence plays the correct role, and has the tools & data to do so

Automating risk and compliance activities and processes, including reporting and dashboards

Demonstrating to regulators (and the board) that risk and compliance are at the heart of the firm’s decision-making

About StratexPoint

We provide Integrated Governance, Risk & Compliance solution(s) built on familiar office platforms. We propose to provide StratexPoint, an Integrated GRC (Governance, Risk & Compliance) software solution.

Strategy and Risk Appetite are central

Built on the world’s leading collaboration platform

Incorporating a proven Governance model - ‘RACI’

Built around a conceptually sound data model

Delivering world-class risk reporting, plus enabling the ‘right risk culture’

An Integrated GRC solution

Our solutions

We provide Integrated Governance, Risk & Compliance solution(s) built on familiar office platforms.

Our solutions deliver

High ROI

High User Adoption

High Levels of assurance that your business is operating within appetite

StratexPoint

Built on the ubiquitous SharePoint platform

Supports each of the Three Lines of Defence

Comprehensive in nature but modular in deployment

StratexCloud – our Azure cloud platform.

Stratex365* – our Office 365 app

StratexStudio* – our mobile app

* Available end of 2016

StratexPoint was designed to support an integrated GRC approach

Performance Management

Risk Management

Strategy Management

Appetite

What are we trying to achieve?

Are we on track?

What is our Risk Appetite?

Are we operating within appetite?

Governance & Communications

Culture

The Stratex Framework

[Diagram: the Stratex Framework. Captions: "Build a strategy focused, risk aware culture" and "Operational & Compliance enablers are aligned to strategy". Labels shown: Business Entity, Business Drivers, Risk Appetite, Business Objectives, KPIs, Actions, Key Risks, KRIs, Issues, Assessment, Key Controls, KCIs, Events, Certification, Checklists, Tests, Governance, Commentary, Notifications, Workflows, Benchmarks, Dashboards, Reporting, Templates, Processes, Initiatives, Systems, Relationships, People, Assets, Products, Audits, Legal, Rulebook, Compliance, Roles, Regulation, Policy, Standards.]
