Operational risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external
causes, whether deliberate, accidental or natural. It is inherent in all our activities, not only in the business we conduct
but also from the fact that we are a business – because we are an employer, we own and occupy property, and we hold assets,
including information, belonging to ourselves and to our clients. Our approach to operational risk is not designed to eliminate
risk per se but, rather, to contain it within acceptable levels, as determined by senior management, and to ensure that we
have sufficient information to make informed decisions about additional controls, adjustments to controls, or other risk responses.
The Group CRO, and the Group Head of Operational Risk who reports to him, are responsible for the independence, objectivity
and effectiveness of our operational risk framework.
Operational risk framework
Every function, whether a front-end business or a control or logistics unit, must manage the operational risks that arise
from its own activities. Because these risks are all-pervasive, with a failure in one area potentially impacting many others,
our framework is based on mutual oversight across all functions. Each Business Group has therefore established cross-functional
bodies as an integral part of its governance structure, to actively manage operational risk.
To ensure the integrity of risk management decisions, each Business Group also has an Operational Risk Control unit, the head
of which reports functionally to the Group Head of Operational Risk. The primary remit of these units is to confirm the effective
implementation of the operational risk framework in the Business Group, to ensure transparent assessment and reporting of
risks to senior management, and to coordinate with their counterparts in other Business Groups and with the Group Head of
Operational Risk on cross-Business Group matters.
The foundation of the operational risk framework is the definition by all functions of their roles and responsibilities so
that, collectively, they can ensure that there is adequate segregation of duties, complete coverage of risks and clear accountability.
From this analysis, they develop control objectives and standards to protect our tangible and intangible assets and interests,
based on the types of operational risk event that might arise, ranging from everyday reconciliation problems to potentially
severe events such as fraud. We recognize that we cannot eliminate all risks, because errors and accidents will always happen,
and that even where elimination is possible it is not always cost-effective. Our internal control framework differentiates
potential events depending on their likely frequency and impact. Our mitigation and avoidance efforts are focused on areas
where we believe we are most exposed to severe events – including both those that are reasonably foreseeable and those that,
while not predictable, are thought to be reasonably possible. For lower impact risks we concentrate on management and monitoring.
The functions monitor compliance with their controls and assess their operating effectiveness in several ways, including self-certification
by staff, and evaluation of responses by management. Additionally, they track a wide range of metrics to provide potential
early warning of increased risk associated with non-attainment of control objectives. These include numbers and characteristics
(severity, size, age, etc.) of, for example, client complaints and claims, deal cancellations and corrections, unreconciled
items on cash and customer accounts, and systems failures. We also assess the implications of internal and external audit
findings and other relevant sources of information.
As major operational risk events occur, we assess their causes and the implications for our control framework, whether or
not they lead to direct financial loss. This includes events affecting third parties that are relevant to our business if
sufficient information is made public. It is important that we use all available information to test our control framework
because, even if an internal event does not lead to a direct or indirect financial loss, it may indicate that our standards
are not being complied with.
The totality of this information is reviewed by functional managers to assess their operational risk exposure and the actions
needed to address specific issues. Regular reports are made both within the Business Groups and to the Group CRO to allow
senior management to assess the overall operational risk profile.
Operational risk measurement
The specific risks that are identified by operational risk management and reported to senior management are evaluated in terms
of their potential frequency of occurrence and the likely severity of the resulting impact. These assessments are validated
by the Operational Risk Control units within the Business Groups.
We maintain a database of financial events (both profits and direct losses) that result from operational failures, and use
this loss data, and scenarios that represent potential future losses, as inputs to a model that quantifies our operational
risk exposure. The output from this model will ultimately form the basis of our operational risk regulatory capital requirement
under Basel II, for which we intend to use an advanced measurement approach.
This quantification, while useful, does not necessarily tell the whole story. A single event can impact us financially in
ways other than direct costs or losses such as fines, compensation to clients or asset writedowns – we may also suffer lost
revenues from business disruption, and incur costs associated with remediation. The impact of an event may also be larger
than its immediate monetary cost might suggest – a publicly disclosed regulatory fine can, for example, result in withdrawal
of clients or loss of business. In summary, the level of risk at any time is not directly correlated to actual financial losses
or their frequency of occurrence, which are, at best, only indicative.
As far as accounting for operational risks is concerned, many potential loss situations are identified before the probability,
timing or amount of future expenditure are known with certainty. IFRS requires us to make a provision, based on the best estimate
of a liability, when it is probable that a payment will be required, even if the amount to be paid has not yet been exactly
determined. This requires the exercise of judgment. Once we are able to quantify any potential operational risk more accurately,
the corresponding provision is revised up or down. The outstanding provision balances, which are included in Note 21 to our
Financial Statements, are used as the best estimate of current loss for the purposes of operational risk quantification.
Operational risk developments
We use the operational risk framework as the basis for specialist internal control assessments in areas such as legal, compliance,
tax and human resources and to assist in meeting internal control-related regulatory requirements including Basel II and Sarbanes-Oxley
Section 404 (SOX 404).
UBS was required to comply with SOX 404 for the first time at the end of 2006. The Group SOX Office (GSO), formed last year
and reporting to the Group Chief Financial Officer, has coordinated a specialist assessment of the effectiveness of internal
controls over financial reporting, starting with the Business Groups' own assessments. GSO analyzed these results and made
recommendations to the SOX 404 Assessment Committee and the Group Executive Board which in turn made a group-level assessment.
Following the precedent of the approach to SOX 404, we have continued to work during the past year to leverage the operational
risk framework to assist with assessments of policy implementation, regulatory reporting, and legal entity governance. A key
focus over the coming year will be alignment of the framework with a group-wide approach for business continuity and crisis
management.
Finally, continued business expansion during 2006 has also led to efforts to extend the framework to new areas including the
"India Service Center", a dedicated internal shared service center for offshoring, Dillon Read Capital Management, the new
alternative investment management business in Global Asset Management, and Pactual, one of Brazil's top wealth managers, investment
banks, and asset managers, which we acquired during 2006. We continue to ensure that our framework is sufficiently scalable
and flexible to extend its scope to new activities and businesses as they are created or acquired.
Operational risk in practice
The total of operational risk financial losses in 2006 was broadly comparable with those in 2004 and 2005, but a significant
portion of the total in 2006 was accounted for by one single event – the settlement of a longstanding litigation with Sumitomo
Corporation. The litigation, pending since 1999, related to copper-linked transactions undertaken with the Japanese trading
company by the former Union Bank of Switzerland from 1995 to 1996. UBS settled the case without admission of wrongdoing but
this case clearly illustrates the "long-tail" that exists for certain operational risk events where the financial loss crystallizes
many years after the activities that led to it.