1. Operational Risk ACSDA Leadership Forum ACSDA Leadership Forum New York City, USA - October 8-10, 2007 Diana Downward, DTCC

2. 2 Agenda Background DTCC’s Operational Risk Management Program DTCC Risk Scenarios DTCC Risk Metrics

3. 3 Why Focus on Operational Risk Management? Largest financial and reputational losses in the financial services industry are attributed to Operational Risk Good business sense Regulatory Expectations  Sound Risk Management Practices  Robust Business Resiliency

4. 4 Examples of Op Risk Events Enron Arthur Andersen Timeliness of Rating Agency Downgrades CMO Pricing Issues Barings REFCO August 2003 Blackout Tyco NYSE Hurricane Katrina!

5. 5 DTCC’s Operational Risk Definition “The risk of loss, including reputational harm, resulting from inadequate or failed internal processes, people and systems or from external events.”

6. 6 What Operational Risk is Not Operational Risk is not Credit Risk, Market Risk, Liquidity Risk or Strategic Risk. However, Operational Risk is NOT LIMITED to the processing type of risks generally associated with a back-office operation.

7. 7 Operational Risks at a CSD Customer Confidentiality Failure Incomplete Due Diligence Computer Hacking Corporate Actions Losses External Threats Missing Certificates Fraud Settlement Fails Data Entry Errors Governance Issues System Failures AML

8. 8

9. 9 DTCC Operational Risk Management Objectives Establish a common risk language across the organization Foster a climate where risks are identified and openly discussed by all departments and employees Inform senior management and Board about Operational Risk across the enterprise Reinforce transparency and comply with regulatory expectations

10. 10

11. 11 Program Components Enterprise-wide reporting Risk and Control Self-Assessment Risk Metrics Leveraging off existing risk event information

12. 12 Status of Effort to Date Governance Structure in place Corporate Policy and other documents issued Risk & Control Self-Assessment (RCSA) process formalized-initial and periodic updates System internally built High level reporting developed Risk Metrics in progress Scenario analysis process recently established Risk incident collection in initial stages

13. 13 Governance Structure Board of Directors Audit Committee Compliance and Operational Risk Management Committee DTCC Management Committee DTCC Internal Risk Management Committee DTCC Internal Operational Risk Steering Committee

14. 14 2007 Objectives Develop a plan to collect Risk incidents Implement a scenario analysis process Continue to enhance Management reporting Continue to work with business units to identify risk metrics

15. 15 High Level Reporting Enterprise Major Risk Report  39 risk scenarios major to DTCC  Mitigants addressing risks  Additional plans to further mitigate risk Enterprise Risk Metrics Report  Metrics that address the major risks of DTCC

16. 16 Enterprise Risk Scenario Categories Liquidity Risk Market Risk Concentration Risk Operational Risk Reputational Risk People & Culture Risk External Risk Process Risk Business Continuity Risk Technology Risk

17. 17 Enterprise Risk Scenario Examples Liquidity RiskCredit Risk Insufficient liquidity to fund settlement Exposure from related entities Not informed timely about major credit event/ insolvency involving a member Inability to access liquidity to fund settlement

18. 18 Enterprise Risk Scenario Examples – cont’d Market Risk Concentration Risk Insufficient clearing fund/ insufficient collateral Model risk Multiple forms of exposure to one member

19. 19 Enterprise Risk Scenario Examples – cont’d Operational Risk Theft of funds or securities Corporate Action processing errors Inability to complete settlement Disaster eliminates primary operating region capability Unauthorized access to company systems Cyber attack disables key production systems Insufficient system capacity

20. 20 Enterprise Risk Metrics Examples Adequacy of clearing fund coverage Adequacy of liquidity Settlement timeliness System availability Timely implementation of Internal Audit recommendations Operations losses >$10,000