CDS Operational Risk Management - October 28, 2005

Existing Methodologies for Operational Risk Mitigation -

CDS’s ERM Program

Existing Methodologies for Operational Risk Mitigation -

CDS’s ERM Program

ACSDA Seminar - October 26 - 28, 2005 Punta del Este, Uruguay

2

2 CDS Operational Risk Management - October 28, 2005

AgendaAgenda

Enterprise Risk Management Framework Governance of Operational Risk Self-Assessments Key Risk Indicators Reporting Internal Controls Risk Financing Program Lessons Learned Conclusions

3

3 CDS Operational Risk Management - October 28, 2005

Enterprise Risk Management FrameworkEnterprise Risk Management Framework

A process for CDS to manage enterprise-wide risks (including operational risk) in an integrated fashion in order to optimize returns from risk-taking activities.

Mission of ERM: Identify and understand risks inherent in CDS’s

business activities and processes Enable management to make better decisions

through balanced focus on risk and returns of decisions and ongoing education of personnel.

4

4 CDS Operational Risk Management - October 28, 2005

Enterprise Risk Management FrameworkEnterprise Risk Management Framework

Objectives of ERM Framework: Promote shared vision of risk management to facilitate

integrated reviews of risks and provide managers with better understanding of risk/reward trade-offs

Apply leading practice methodologies to identify, assess, measure, manage, monitor and report risks

Assign appropriate attention/resources to key risks Find appropriate balance between costs and risk controls More accurately factor risk into decisions, products and

projects Satisfy regulatory requirements.

5

5 CDS Operational Risk Management - October 28, 2005

Enterprise Risk Management FrameworkEnterprise Risk Management Framework

Guiding principles: Clearly define responsibilities for management of risks:

Each business unit responsible for managing their risks Overall responsibility for ERM should be independent from

business units: Risk Management at CDS Risk management risk avoidance Risk management should be proactive not reactive Timely, accurate and consistent management, monitoring

and measurement of risk Reporting structure that includes senior management, board

of directors, auditors and regulators.

6

6 CDS Operational Risk Management - October 28, 2005

Governance of Operational RiskGovernance of Operational Risk

Business Line Management

Board of Directors

Audit Committee Executive Committee Finance Committee

Strategy Group

Risk Committee Operations CommitteeExecutive Steering

Committee

Board Committees

Risk Management Functions

Management Committees

LegalInformation Security

and ControlInternal Audit Risk Management Human ResourcesFinance

7

7 CDS Operational Risk Management - October 28, 2005

Self-AssessmentsSelf-Assessments

Risk identification and definition using common categories: Strategic risks Operational risks (essentially same as Basle II)

People Processes Business Projects Technology Legal and regulatory External

Financial risks.

8

8 CDS Operational Risk Management - October 28, 2005

Self-AssessmentsSelf-Assessments

Risk assessment and measurement to rank risks and prioritize action.

Risk exposure determined by the probability and impact of a given event.

Probability ranked on scale of 1 (<25% probability) - 4 (>75%) for a five-year period.

Impact ranked by potential loss of staff, service capability, capital, assets, customer base, reputation or some combination.

9

9 CDS Operational Risk Management - October 28, 2005

Self-AssessmentsSelf-Assessments

Multiples of probability x impact yield rankings for prioritizing risks: Green (1 - 4)Green (1 - 4) Yellow (4 - 8)Yellow (4 - 8) Red (9 - 16)Red (9 - 16)..

Risks are grouped by categories to profile areas of higher risks and to produce an average overall risk profile for the company.

Risk profile allows tracking of changes of risk by category and at enterprise level.

10

10 CDS Operational Risk Management - October 28, 2005

Self-AssessmentsSelf-Assessments

Risk monitoring reports include: description of risk probability x impact ranking, with explanation risk mitigants action plans for reducing risk target dates for implementation.

11

11 CDS Operational Risk Management - October 28, 2005

Key Risk IndicatorsKey Risk Indicators

Early warning indicators of risks requiring attention. Suitable for activities that are trackable on a regular

basis for trend analysis, such as: Staff turnover Financial performance against plan System interruptions Participant claims.

Business unit proposes suitable threshold for Risk Committee approval. If threshold is breached, action may be required.

12

12 CDS Operational Risk Management - October 28, 2005

Key Risk IndicatorsKey Risk Indicators

Transaction Vol. As a % of Plan

0%

25%

50%

75%

100%

125%

150%

175%

200%

Sep-04 Oct-04 Nov-04 Dec-04 Jan-05 Feb-05 Mar-05 Apr-05 May-05 Jun-05 Jul-05 Aug-05 Sep-05

Monthly

Perc

enta

ge O

ver P

lan

Exch Trades Non-Exch Trades ACCESS Threshold

Key Risk Indicators (KRIs) Definition and Explanation Threshold

Trade Volume Fluctuations The indicator shows the fluctuations in monthly trade volume against the plan, which has a direct impact on revenues.

Actual should not fall below plan

13

13 CDS Operational Risk Management - October 28, 2005

ReportingReporting

Each meeting, Risk Committee receives a summary risk monitoring report showing: New and materially-updated self-assessments Updated risk profile Updated key risk indicators.

Internal Audit uses risk assessments at year-end to help develop areas of focus for coming year’s audit plan.

14

14 CDS Operational Risk Management - October 28, 2005

Risk Profile ReportRisk Profile ReportEnterprise Risk Profile ReportFor the period ending: < Insert Date>

Risk Categories No. of Items

No. of Risk with Red Ranking

Total Prob. Score

Avg. Prob Score (1-4)

Total Impact Score

Avg. Impact Score (1-4)

Risk Exposure Previous

Period

Risk Exposure

This PeriodRanking This

Period

Strategic RiskDevelopment/Implementation 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Reputation 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Operational Risk

People 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Processes 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Projects 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Technology 0 0 0.0 0.0 0.0 0.0 0.0 0.0

External 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Legal and Regulatory 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Business 0 0 0.0 0.0 0.0 0.0 0.0 0.00

Financial RiskCredit 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Market 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Liquidity 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Over-all 0 0 0.0 0.0 0.0 0.0 0.0 0.0

Highlights:

Risk Exposure Ranking Equivalent(P rob X Impact) 1 – 3 = Green (Low) 4 – 8 = Yellow (Medium) 9 + = Red (High)

15

15 CDS Operational Risk Management - October 28, 2005

ReportingReporting

Audit Committee receives a summary key risks report showing: Current risk profile Red risks and other material changes in higher risks Key risk indicators that have breached their thresholds

with actions for mitigation. Exception is annual risk report presented to Audit

Committee after fiscal year-end, which reviews risk profile of last year and risks requiring attention in coming year.

16

16 CDS Operational Risk Management - October 28, 2005

Internal ControlsInternal Controls

Intended to provide reasonable assurance regarding: effectiveness and efficiency of operations reliability of financial reporting compliance with applicable laws and regulations.

Adequacy audited under Canadian Auditing Standard 5900 for service organizations and reported in Report on Internal Controls and Safeguards (RICS).

New audit standard 5970, comparable to SAS 70, to be applied in 2006.

17

17 CDS Operational Risk Management - October 28, 2005

Internal ControlsInternal Controls

Moving from checklist approach to more thorough COSO-based framework.

Framework based on key processes required to conduct business: Objectives and risks identified and assessed Process flowcharted to identify areas requiring control Existing controls identified, with support documentation and

management assurance process Gaps in controls require remediation within an acceptable time

period. Signed by supervisor upon completion and basis for future testing by

audit.

18

18 CDS Operational Risk Management - October 28, 2005

Internal ControlsInternal Controls

Internal controls for key processes supporting financial reporting to be completed by 10/31/06.

Will allow CEO/CFO certification of financial reporting by fiscal year-end 2007.

Key reliance will be on internal control structure and attestation by division heads of compliance.

Tone at the top reinforces importance of internal controls.

Structure acceptable to regulators and external auditor.

19

19 CDS Operational Risk Management - October 28, 2005

Risk Financing ProgramRisk Financing Program

Insurance (e.g. FIB, D&O, E&O, general liability) to cover catastrophic losses.

Retain significant levels of risk backed by reserves. Ongoing education of underwriters of unique

nature and coverage needs of CDS. Differentiation from financial institutions to obtain

suitable wording. Ongoing disclosure and rigour of risk management

essential.

20

20 CDS Operational Risk Management - October 28, 2005

Lessons LearnedLessons Learned

Start with simple concepts to get buy in, then phase in enhancements.

Use common definitions/criteria. Initial education and reiteration of objectives and

benefits of ERM. Business units take responsibility for their risks. Regular review of risk tolerances. Ensure follow up on improved risk mitigants. Support from the top is essential.

21

21 CDS Operational Risk Management - October 28, 2005

ConclusionsConclusions

ERM has enhanced risk management culture. Improves decision-making in evaluating

potential returns Comparable approach used for assessing project

risks. Effective internal controls structure serves

multiple purposes. Ongoing education and monitoring process that

must be supported from the top.