Operational Risk

What is Operational Risk?

According to the Basel III framework, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

The Basel III framework presents three methods for calculating operational risk capital requirements in a continuum of increasing sophistication and risk sensitivity:

(1) the Basic Indicator Approach;

(2) the Standardised Approach; and

(3) Advanced Measurement Approaches (AMAs).

Banks are encouraged to move along the spectrum of available approaches as they develop more sophisticated operational risk measurement systems and practices.

Internationally active banks and banks with significant operational risk exposures (for example, specialised processing banks) are expected to use an approach that is more sophisticated than the Basic Indicator Approach and that is appropriate for the risk profile of the institution.

A bank will be permitted to use the Basic Indicator or Standardised Approach for some parts of its operations and an AMA for others provided certain minimum criteria are met.

A bank will not be allowed to choose to revert to a simpler approach once it has been approved for a more advanced approach without supervisory approval. However, if a supervisor determines that a bank using a more advanced approach no longer meets the qualifying criteria for this approach, it may require the bank to revert to a simpler approach for some or all of its operations, until it meets the conditions specified by the supervisor for returning to a more advanced approach.

A bank will be permitted to use an AMA for some parts of its operations and the Basic Indicator Approach or Standardised Approach for the balance (partial use), provided that the following conditions are met:

(1) All operational risks of the bank’s global, consolidated operations are captured;

(2) All of the bank’s operations that are covered by the AMA meet the qualitative criteria for using an AMA, while those parts of its operations that are using one of the simpler approaches meet the qualifying criteria for that approach;

(3) On the date of implementation of an AMA, a significant part of the bank’s operational risks are captured by the AMA; and

(4) The bank provides its supervisor with a plan specifying the timetable to which it intends to roll out the AMA across all but an immaterial part of its operations. The plan should be driven by the practicality and feasibility of moving to the AMA over time, and not for other reasons.

Subject to the approval of its supervisor, a bank opting for partial use may determine which parts of its operations will use an AMA on the basis of business line, legal structure, geography, or other internally determined basis.

Advanced Measurement Approaches (AMA)

Under the Advanced Measurement Approaches (AMA), the regulatory capital requirement will equal the risk measure generated by the bank’s internal operational risk measurement system using the quantitative and qualitative criteria for the AMA discussed below. Use of the AMA is subject to supervisory approval.

A bank adopting the AMA may, with the approval of its host supervisors and the support of its home supervisor, use an allocation mechanism for the purpose of determining the regulatory capital requirement for internationally active banking subsidiaries that are not deemed to be significant relative to the overall banking group but are themselves subject to this Framework.

Supervisory approval would be conditional on the bank demonstrating to the satisfaction of the relevant supervisors that the allocation mechanism for these subsidiaries is appropriate and can be supported empirically. The board of directors and senior management of each subsidiary are responsible for conducting their own assessment of the subsidiary’s operational risks and controls and ensuring the subsidiary is adequately capitalised in respect of those risks.

Subject to supervisory approval, the incorporation of a well-reasoned estimate of diversification benefits may be factored in at the group-wide level or at the banking subsidiary level. However, any banking subsidiaries whose host supervisors determine that they must calculate stand-alone capital requirements may not incorporate group-wide diversification benefits in their AMA calculations (eg where an internationally active banking subsidiary is deemed to be significant, the banking subsidiary may incorporate the diversification benefits of its own operations — those arising at the sub-consolidated level — but may not incorporate the diversification benefits of the parent).

The appropriateness of the allocation methodology will be reviewed with consideration given to the stage of development of risk-sensitive allocation techniques and the extent to which it reflects the level of operational risk in the legal entities and across the banking group. Supervisors expect that AMA banking groups will continue efforts to develop increasingly risk-sensitive operational risk allocation techniques, notwithstanding initial approval of techniques based on gross income or other proxies for operational risk.

Banks adopting the AMA will be required to calculate their capital requirement using this approach as well as the 1988 Accord.

General standards for using the AMA

In order to qualify for use of the AMA a bank must satisfy its supervisor that, at a minimum:

(1) Its board of directors and senior management, as appropriate, are actively involved in the oversight of the operational risk management framework;

(2) It has an operational risk management system that is conceptually sound and is implemented with integrity; and

(3) It has sufficient resources in the use of the approach in the major business lines as well as the control and audit areas.

A bank’s AMA will be subject to a period of initial monitoring by its supervisor before it can be used for regulatory purposes. This period will allow the supervisor to determine whether the approach is credible and appropriate. As discussed below, a bank’s internal measurement system must reasonably estimate unexpected losses based on the combined use of internal and relevant external loss data, scenario analysis and bank-specific business environment and internal control factors.

The bank’s measurement system must also be capable of supporting an allocation of economic capital for operational risk across business lines in a manner that creates incentives to improve business line operational risk management.

Qualitative standards for using the AMA

A bank must meet the following qualitative standards before it is permitted to use an AMA for operational risk capital:

(1) The bank must have an independent operational risk management function that is responsible for the design and implementation of the bank’s operational risk management framework. The operational risk management function is responsible for codifying firm-level policies and procedures concerning operational risk management and controls; for the design and implementation of the firm’s operational risk measurement methodology; for the design and implementation of a risk-reporting system for operational risk; and for developing strategies to identify, measure, monitor and control/mitigate operational risk.

(2) The bank’s internal operational risk measurement system must be closely integrated into the day-to-day risk management processes of the bank. Its output must be an integral part of the process of monitoring and controlling the bank’s operational risk profile. For instance, this information must play a prominent role in risk reporting, management reporting, internal capital allocation, and risk analysis. The bank must have techniques for allocating operational risk capital to major business lines and for creating incentives to improve the management of operational risk throughout the firm.

(3) There must be regular reporting of operational risk exposures and loss experience to business unit management, senior management, and to the board of directors. The bank must have procedures for taking appropriate action according to the information within the management reports.

(4) The bank’s operational risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of non-compliance issues.

(5) Internal and/or external auditors must perform regular reviews of the operational risk management processes and measurement systems. This review must include both the activities of the business units and of the independent operational risk management function.

(6) The validation of the operational risk measurement system by external auditors and/or supervisory authorities must include the following:

(a) Verifying that the internal validation processes are operating in a satisfactory manner; and

(b) Making sure that data flows and processes associated with the risk measurement system are transparent and accessible. In particular, it is necessary that auditors and supervisory authorities are in a position to have easy access, whenever they judge it necessary and under appropriate procedures, to the system’s specifications and parameters.

Quantitative standards for using the AMA

Given the continuing evolution of analytical approaches for operational risk, the Committee is not specifying the approach or distributional assumptions used to generate the operational risk measure for regulatory capital purposes. However, a bank must be able to demonstrate that its approach captures potentially severe “tail” loss events. Whatever approach is used, a bank must demonstrate that its operational risk measure meets a soundness standard comparable to that of the internal ratings-based approach for credit risk (ie comparable to a one year holding period and a 99.9th percentile confidence interval).

In the development of operational risk measurement and management systems, banks must have and maintain rigorous procedures for operational risk model development and independent model validation.

The following quantitative standards apply to internally generated operational risk measures for purposes of calculating the regulatory minimum capital requirements.

(1) Any internal operational risk measurement system must be consistent with the scope of operational risk and the loss event types defined below.

(2) Supervisors will require the bank to calculate its regulatory capital requirement as the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is adequately capturing EL in its internal business practices. That is, to base the minimum regulatory capital requirement on UL alone, the bank must be able to demonstrate to the satisfaction of its national supervisor that it has measured and accounted for its EL exposure.

(3) A bank’s risk measurement system must be sufficiently ‘granular’ to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.

(4) Risk measures for different operational risk estimates must be added for purposes of calculating the regulatory minimum capital requirement. However, the bank may be permitted to use internally determined correlations in operational risk losses across individual operational risk estimates, provided it can demonstrate to the satisfaction of the national supervisor that its systems for determining correlations are sound, implemented with integrity, and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress). The bank must validate its correlation assumptions using appropriate quantitative and qualitative techniques.

(5) Any operational risk measurement system must have certain key features to meet the supervisory soundness standard set out in this section. These elements must include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control systems.

(6) A bank needs to have a credible, transparent, well-documented and verifiable approach for weighting these fundamental elements in its overall operational risk measurement system. For example, there may be cases where estimates of the 99.9th percentile confidence interval based primarily on internal and external loss event data would be unreliable for business lines with a heavy-tailed loss distribution and a small number of observed losses. In such cases, scenario analysis, and business environment and control factors, may play a more dominant role in the risk measurement system. Conversely, operational loss event data may play a more dominant role in the risk measurement system for business lines where estimates of the 99.9th percentile confidence interval based primarily on such data are deemed reliable. In all cases, the bank’s approach for weighting the four fundamental elements should be internally consistent and avoid the double counting of qualitative assessments or risk mitigants already recognised in other elements of the framework.

Detailed loss event type classification

Internal fraud - Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party.

External fraud - Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.

Employment practices and workplace safety - Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events.

Clients, products and business practices - Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Damage to physical assets - Losses arising from loss or damage to physical assets from natural disaster or other events.

Business disruption and system failures - Losses arising from disruption of business or system failures.

Execution, delivery and process management - Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

---

Learning from the Annual Reports

Operational risk, important parts from the 2021 Annual Report, Wells Fargo & Company

Operational risk, which in addition to those discussed in this section, includes compliance risk and model risk, is the risk resulting from inadequate or failed internal processes, people and systems, or from external events.

The Board’s Risk Committee has primary oversight responsibility for all aspects of operational risk, including significant supporting programs and/or policies regarding the Company’s business resiliency and disaster recovery, data management, information security, technology, and third-party risk management. As part of its oversight responsibilities, the Board’s Risk Committee reviews and approves significant operational risk policies and oversees the Company’s operational risk management program.

At the management level, Operational Risk Management, which is part of IRM, has oversight responsibility for operational risk. Operational Risk Management reports to the CRO and provides periodic reports related to operational risk to the Board’s Risk Committee. Operational Risk Management’s oversight responsibilities include change management risk, human capital risk, technology risk, third-party risk, information management risk, information security risk, data management risk, and fraud risk.

Information security is a significant operational risk for financial institutions such as Wells Fargo and includes the risk arising from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. The Board is actively engaged in the oversight of the Company’s information security risk management and cyber defense programs.

The Board’s Risk Committee has primary oversight responsibility for information security risk and approves the Company’s information security program, which includes the information security policy and the cyber defense program. A Technology Subcommittee of the Risk Committee assists the Risk Committee in providing oversight of technology, information security, and cybersecurity risks as well as data management risk. The Technology Subcommittee reviews and recommends to the Risk Committee for approval any significant programs and/or policies supporting information security risk (including cybersecurity risk), technology risk, and data management risk.

Wells Fargo and other financial institutions, as well as their third- party service providers, continue to be the target of various evolving and adaptive cyber attacks, including malware, ransomware, other malicious software intended to exploit hardware or software vulnerabilities, phishing, credential validation, and distributed denial-of-service, in an effort to disrupt the operations of financial institutions, test their cybersecurity capabilities, commit fraud, or obtain confidential, proprietary or other information.

Cyber attacks have also focused on targeting online applications and services, such as online banking, as well as cloud-based and other products and services provided by third parties, and have targeted the infrastructure of the internet causing the widespread unavailability of websites and degrading website performance. As a result, information security and the continued development and enhancement of our controls, processes and systems designed to protect our networks, computers, software and data from attack, damage or unauthorized access remain a priority for Wells Fargo.

Wells Fargo is also proactively involved in industry cybersecurity efforts and working with other parties, including our third-party service providers and governmental agencies, to continue to enhance defenses and improve resiliency to cybersecurity and other information security threats. See the “Risk Factors” section in this Report for additional information regarding the risks associated with a failure or breach of our operational or security systems or infrastructure, including as a result of cyber attacks.

OPERATIONAL, STRATEGIC AND LEGAL RISKS

A failure in or breach of our operational or security systems, controls or infrastructure, or those of our third-party vendors and other service providers, could disrupt our businesses, damage our reputation, increase our costs and cause losses.

As a large financial institution that serves customers through numerous physical locations, ATMs, the internet, mobile banking and other distribution channels across the U.S. and internationally, we depend on our ability to process, record and monitor a large number of customer transactions on a continuous basis. As our customer base and locations have expanded throughout the U.S. and internationally, as we have increasingly used the internet and mobile banking to provide products and services to our customers, as customer, public, legislative and regulatory expectations regarding operational and information security have increased, and as cyber and other information security attacks have become more prevalent and complex, our operational systems, controls and infrastructure must continue to be safeguarded and monitored for potential failures, disruptions and breakdowns.

Our business, financial, accounting, data processing systems or other operating systems and facilities may stop operating properly, become insufficient based on our evolving business needs, or become disabled or damaged as a result of a number of factors including events that are wholly or partially beyond our control.

For example, there have been and could in the future be sudden increases in customer transaction volume; electrical or telecommunications outages; degradation or loss of internet, website or mobile banking availability; natural disasters such as earthquakes, tornados, and hurricanes; disease pandemics; events arising from local or larger scale political or social matters, including terrorist acts; and, as described below, cyber attacks or other information security breaches. Furthermore, enhancements and upgrades to our infrastructure or operating systems may be time-consuming, entail significant costs, and create risks associated with implementing new systems and integrating them with existing ones.

Due to the complexity and interconnectedness of our systems, the process of enhancing our infrastructure and operating systems, including their security measures and controls, can itself create a risk of system disruptions and security issues. Similarly, we may not be able to timely recover critical business processes or operations that have been disrupted, which may further increase any associated costs and consequences of such disruptions. Although we have business continuity plans and other safeguards in place to help provide operational resiliency, our business operations may be adversely affected by significant and widespread disruption to our physical infrastructure or operating systems that support our businesses and customers.

For example, on February 7, 2019, we experienced system issues caused by an automatic power shutdown at one of our main data center facilities. Although applications and related workloads were systematically re-routed to back-up data centers throughout the day, certain of our services, including our online and mobile banking systems, certain mortgage origination systems, and certain ATM functions, experienced disruptions that delayed service to our customers.

As a result of financial institutions and technology systems becoming more interconnected and complex, any operational incident at a third party may increase the risk of loss or material impact to us or the financial industry as a whole. Furthermore, third parties on which we rely, including those that facilitate our business activities or to which we outsource operations, such as exchanges, clearing houses, financial intermediaries or vendors that provide services or security solutions for our operations, could continue to be sources of operational risk to us, including from information breaches or loss, breakdowns, disruptions or failures of their own systems or infrastructure, or any deficiencies in the performance of their responsibilities.

We are also exposed to the risk that a disruption or other operational incident at a common service provider to those third parties could impede their ability to provide services or perform their responsibilities for us. In addition, we must meet regulatory requirements and expectations regarding our use of third-party service providers, and any failure by our third-party service providers to meet their obligations to us or to comply with applicable laws, rules, regulations, or Wells Fargo policies could result in fines, penalties, restrictions on our business, or other negative consequences.

Disruptions or failures in the physical infrastructure, controls or operating systems that support our businesses and customers, failures of the third parties on which we rely to adequately or appropriately provide their services or perform their responsibilities, or our failure to effectively manage or oversee our third-party relationships, could result in business disruptions, loss of revenue or customers, legal or regulatory proceedings, compliance and other costs, violations of applicable privacy and other laws, reputational damage, or other adverse consequences, any of which could materially adversely affect our results of operations or financial condition.

A cyber attack or other information security breach could have a material adverse effect on our results of operations or financial condition. Information security risks for large financial institutions such as Wells Fargo have generally increased in recent years in part because of the proliferation of new technologies, the use of the internet, mobile devices, and cloud technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists, activists, and other external parties, including foreign state-sponsored parties.

Those parties also may continue to attempt to misrepresent personal or financial information to commit fraud, obtain loans or other financial products from us, or attempt to fraudulently induce employees, customers, or other users of our systems to disclose confidential information in order to gain access to our data or that of our customers. As noted above, our operations rely on the secure processing, transmission and storage of confidential information in our computer systems and networks.

Our banking, brokerage, investment advisory, and capital markets businesses rely on our digital technologies, computer and email systems, software, hardware, and networks to conduct their operations. In addition, to access our products and services, our customers may use personal smartphones, tablets, and other mobile devices that are beyond our control systems.

Our technologies, systems, software, networks, and our customers’ devices are likely to continue to be the target of cyber attacks or other information security breaches, which could materially adversely affect us, including as a result of fraudulent activity, the unauthorized release, gathering, monitoring, misuse, loss or destruction of Wells Fargo’s or our customers’ confidential, proprietary and other information, or the disruption of Wells Fargo’s or our customers’ or other third parties’ business operations.

For example, various retailers have reported they were victims of cyber attacks in which large amounts of their customers’ data, including debit and credit card information, was obtained. In these situations, we generally incur costs to replace compromised cards and address fraudulent transaction activity affecting our customers. We are also exposed to the risk that an employee or other person acting on behalf of the Company fails to comply with applicable policies and procedures and inappropriately circumvents controls for personal gain or other improper purposes.

Due to the increasing interconnectedness and complexity of financial institutions and technology systems, an information security incident at a third party may increase the risk of loss or material impact to us or the financial industry as a whole. In addition, third parties on which we rely, including those that facilitate our business activities or to which we outsource operations, such as internet, mobile technology, hardware, software, and cloud service providers, could continue to be sources of information security risk to us. If those third parties fail to adequately or appropriately safeguard their technologies, systems, networks, hardware, and software, we may suffer material harm, including business disruptions, losses or remediation costs, reputational damage, legal or regulatory proceedings, or other adverse consequences.

Our risk and exposure to cyber attacks or other information security breaches remains heightened because of, among other things, the persistent and evolving nature of these threats, the prominent size and scale of Wells Fargo and its role in the financial services industry, our plans to continue to implement our digital and mobile banking channel strategies and develop additional remote connectivity solutions to serve our customers when and how they want to be served, our geographic footprint and international presence, the outsourcing of some of our business operations, and the current global economic and political environment.

For example, Wells Fargo and other financial institutions, as well as their third-party service providers, continue to be the target of various evolving and adaptive cyber attacks, including malware, ransomware, other malicious software intended to exploit hardware or software vulnerabilities, phishing, credential validation, and distributed denial-of-service, in an effort to disrupt the operations of financial institutions, test their cybersecurity capabilities, commit fraud, or obtain confidential, proprietary or other information.

Cyber attacks have also focused on targeting online applications and services, such as online banking, as well as cloud-based and other products and services provided by third parties, and have targeted the infrastructure of the internet, causing the widespread unavailability of websites and degrading website performance. As a result, information security and the continued development and enhancement of our controls, processes and systems designed to protect our networks, computers, software and data from attack, damage or unauthorized access remain a priority for Wells Fargo. We are also proactively involved in industry cybersecurity efforts and working with other parties, including our third-party service providers and governmental agencies, to continue to enhance defenses and improve resiliency to cybersecurity and other information security threats.

As these threats continue to evolve, we expect to continue to be required to expend significant resources to develop and enhance our protective measures or to investigate and remediate any information security vulnerabilities or incidents. Because the investigation of any information security breach is inherently unpredictable and would require time to complete, we may not be able to immediately address the consequences of a breach, which may further increase any associated costs and consequences. Moreover, to the extent our insurance covers aspects of information security risk, such insurance may not be sufficient to cover all losses associated with an information security breach.

Cyber attacks or other information security breaches affecting us or third parties on which we rely, including those that facilitate our business activities or to which we outsource operations, or security breaches of the networks, systems or devices that our customers use to access our products and services, could result in business disruptions, loss of revenue or customers, legal or regulatory proceedings, compliance, remediation and other costs, violations of applicable privacy and other laws, reputational damage, or other adverse consequences, any of which could materially adversely affect our results of operations or financial condition.

---

Operational risk, important parts from the 2021 Annual Report, Royal Bank of Canada

Operational risk is the risk of loss or harm resulting from people, inadequate or failed internal processes, controls and systems or from external events. Operational risk is inherent in all of our activities and third-party activities and failure to manage operational risk can result in direct or indirect financial loss, reputational impact or regulatory scrutiny and proceedings in the various jurisdictions where we operate.

Our management of operational risk follows the three lines of defence governance model, encompassing the organizational roles and responsibilities for a coordinated enterprise-wide approach. For further details, refer to the Risk management – Enterprise risk management section.

Operational risk framework

We have an Enterprise Operational Risk Framework which sets out the processes to identify, assess, monitor, measure, report and communicate on operational risk. The processes are established through the following:

• Risk identification and assessment tools, including the collection and analysis of risk event data, help risk owners understand and proactively manage operational risk exposures. Risk assessments are intended to ensure alignment between risk exposures and efforts to manage them. Management uses outputs of these tools to make informed risk decisions.

• Risk monitoring tools alert management to changes in the operational risk profile. When paired with escalation and monitoring triggers, risk monitoring tools can identify risk trends, warn management of risk levels that approach or exceed defined limits, as well as prompt actions and mitigation plans to be undertaken.

• Risk capital measurement provides credible estimation of potential risk exposure, including surfaces risk vulnerabilities, and informs strategic and capital planning decisions, which are ultimately intended to ensure that the bank is sufficiently resilient to withstand operational risk losses both in normal times and under stress situations.

• Risk reporting and communication processes ensure that relevant operational risk information is made available to management in a timely manner to support risk-informed business decisions.

Conclusions from our operational risk programs enable learning based on what has happened to us, whether it could happen elsewhere in the organization, and what controls we need to amend or implement. These conclusions support the articulation of our operational risk appetite and are used to inform the overall level of operational risk exposure which thereby defines our operational risk profile. This profile includes significant operational risk exposures, potential new and emerging exposures and trends, and overall conclusions on the control environment and risk outlook. We proactively identify and investigate corporate insurance opportunities to mitigate and reduce potential future impacts of operational risk.

We consider the potential risks and rewards of our decisions to strike a balance between accepting potential losses versus incurring costs of mitigation, the expression of which is in the form of our operational risk appetite. Our operational risk appetite is established at the Board level and cascaded throughout each of our business segments.

Management reports have been implemented at various levels to support proactive management of operational risk and transparency of risk exposures. These reports are provided to senior management on a regular basis and provide detail on the main drivers of the risk status and trend for each of our business segments and the bank overall. In addition, changes to the operational risk profile that are not aligned to our business strategy or operational risk appetite are identified and discussed at GRC and the Risk Committee of the Board.

Operational risks

Cybersecurity risk

Cybersecurity risk is the risk to the business associated with cyber-attacks initiated to disrupt or disable our operations or to expose or damage data. We have a dedicated team of technology and cybersecurity professionals that manage a comprehensive program to help protect the organization against breaches and other incidents by ensuring appropriate security and operational controls are in place.

We continue to strengthen our cyber-control framework and to improve our resilience and cybersecurity capabilities including 24 hour monitoring, cyber intelligence analysis of internal and external threats and alerting of potentially suspicious security events and incidents. Throughout the year, we continued to invest in our cybersecurity program, and multiple scenarios, assessments and simulations were conducted to test our resiliency strategy.

Data management and privacy risk

Data management risk is the risk of failing to manage information appropriately throughout its lifecycle due to inadequate processes and controls, resulting in legal or regulatory consequences, reputational damage or financial loss.

Privacy risk is the risk of improper creation or collection, use, disclosure, retention or destruction of information. The collection, use and sharing of data, as well as the management and governance of data, are increasingly important as we continue to invest in digital solutions and innovation, as well as, expanding our business activities. This is also reflected through regulatory developments relating to data privacy.

The Chief Privacy Office and the Chief Data Office partner with cross-functional teams to develop and implement enterprisewide standards and practices that describe how data is used, protected, managed and governed.

Money laundering and terrorist financing risk

Money laundering and Terrorist financing risk is the risk that our products and services are used to facilitate the laundering of proceeds of crime, including the financing of terrorist activity. We maintain an enterprise-wide program designed to deter, detect and report suspected money laundering and terrorist financing activities across our organization, while seeking to ensure compliance with the laws and regulations of the various jurisdictions in which we operate.

Our Global AML Compliance Group is dedicated to the continuous development and maintenance of robust policies, guidelines, training and risk-assessment tools and models to help our employees deal with ever-evolving money laundering and terrorist financing risks. The global anti-money laundering/anti-terrorist financing program is regularly evaluated in an effort to ensure it remains aligned with industry standards, best practices and all applicable laws, regulations and guidance. Risks of non-compliance include enforcement actions, criminal prosecutions and reputational damage.

Third-party risk

Third-party risk is the risk of failure to effectively manage third parties which may expose us to service disruptions, regulatory action, financial loss, litigation or reputational damage. We have a risk-based enterprise-wide program designed to provide oversight for third-party relationships that enables us to respond effectively to events that can cause service disruptions, financial loss or various other risks that could impact us.

Our approach to third-party risk mitigation is outlined in policies and standards that establish the minimum requirements for identifying and managing risks throughout the engagement with a third party, while ensuring compliance with global regulatory expectations. We monitor third-party providers that we consider critical to our operations for any impact on their ability to deliver services to us, including vendors of our third-party providers.

Business continuity risk

Business continuity risk is the risk of being unable to maintain, continue or restore essential business operations during and/or after an event that prevents us from conducting business in the normal course. Exposure to disruptive operational events interrupts the continuity of our business operations and could negatively impact our financial results, reputation, client outcomes and/or result in harm to our employees. These operational events could result from the impact of severe weather, pandemics, failed processes, technology failures or cyber threats.

Our risk-based enterprise-wide business continuity management program considers multiple scenarios to address the consequences of a disruption and its effects on the availability of our people, processes, facilities, technology, and third-party arrangements. Our approach to business continuity management is outlined in policies and standards embedded across the organization and the related risks are regularly measured, monitored, reported and integrated in our operational risk management and control framework.

Operational risk capital

Requirements for operational risk capital are determined in accordance with OSFI issued guidelines. Currently, our operational risk capital is assessed using the Standardized Approach (TSA) which is a formula-based calculation predicated on gross income. Upon implementation of final Basel III reforms, OSFI will require deposit-taking institutions to adopt a new Standardized Approach (SA) for measurement of operational risk capital. The SA methodology is based on the Business Indicator Component (BIC), which is a financial statement-based proxy for operational risk, and the Internal Loss Multiplier, a scaling factor that is based on the historical internal loss average relative to the BIC. Once implemented, SA will replace TSA. For further details on operational risk capital, refer to the Capital management section.

---

You may also visit:

The Role of the Risk Officer: https://www.risk-officer.com/Role_Of_Risk_Officer.html

Credit Risk: https://www.risk-officer.com/Credit_Risk.htm

Market Risk: https://www.risk-officer.com/Market_Risk.htm

Operational Risk: https://www.risk-officer.com/Operational_Risk.htm

Systemic Risk: https://www.risk-officer.com/Systemic_Risk.htm

Political Risk: https://www.risk-officer.com/Political_Risk.htm

Strategic Risk: https://www.risk-officer.com/Strategic_Risk.htm

Conduct Risk: https://www.risk-officer.com/Conduct_Risk.htm

Reputation Risk: https://www.risk-officer.com/Reputation_Risk.htm

Liquidity Risk: https://www.risk-officer.com/Liquidity_Risk.htm

Cyber Risk: https://www.risk-officer.com/Cyber_Risk.htm

Climate Risk: https://www.risk-officer.com/Climate_Risk.htm

Emerging Risk: https://www.risk-officer.com/Emerging_Risk.htm

---