Operational risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems (for example failed IT systems, or fraud perpetrated by a UBS employee), or from external causes, whether deliberate, accidental or natural. It is inherent in all of UBS's activities. Operational risks are monitored and, to the extent possible, controlled and mitigated. UBS's approach to operational risk is not designed to eliminate risk altogether but, rather, to contain risks within levels deemed acceptable by senior management. The Group Chief Risk Officer (Group CRO), supported by the Group Head of Operational Risk, is responsible for the effective design of the operational risk framework.

Operational risk framework

All UBS functions, whether business, control or logistics functions, must manage the operational risks that arise from their activities. Operational risks are pervasive, as a failure in one area may have a potential impact on several other areas. Each business division has therefore established a cross-functional body to actively manage operational risk as part of its governance structure.

To ensure the integrity of risk management decisions, each business division also has an Operational Risk Control unit, the head of which reports functionally to the Group Head of Operational Risk. The primary remit of these units is to confirm the effective implementation of the operational risk framework and to perform independent oversight of the design and conclusions regarding operating effectiveness reached by management.

The foundation of the operational risk framework is that all functions have adequately defined their roles and responsibilities. The functions can then collectively ensure that there is adequate segregation of duties, complete coverage of risks and clear accountability. From this analysis, they develop control objectives and standards to manage UBS's tangible and intangible assets, based on the types of operational risk events that might arise, ranging from daily reconciliation problems to potentially severe events such as fraud. UBS recognizes that it cannot eliminate all risks, because errors and accidents will always happen, and that even where it is possible to eliminate certain risks it is not always cost effective to do so.

The functions use their controls to monitor compliance and assess their operating effectiveness in several ways, including self-certification by staff, tracking of a wide range of metrics (for example, the number and characteristics of client complaints, deal cancellations and corrections, unreconciled items on cash and customer accounts, and systems failures), and the analysis of internal and external audit findings.

As major financial and non-financial operational risk events occur, UBS assesses their causes and the implications for its control framework. This includes events affecting third parties that are relevant to the firm's business, provided that sufficient information is publicly available.

The totality of this information is reviewed by functional managers to assess their operational risk exposure and the actions needed to address specific issues. These issues are formally captured in a risk inventory, which forms the basis of operational risk reporting to senior management. Regular reports are provided both within the business divisions and to the Group CRO to allow senior management to assess the overall operational risk profile of the firm.

Operational risk measurement

UBS has developed a model for the quantification of operational risk which meets the regulatory capital standard specified by the Basel II Advanced Measurement Approach (AMA). The model has two main components:

- The historical component is based on UBS's own internal losses and is used primarily to determine the expected loss portion of the capital requirement. UBS has been collecting operational risk event data (both profits and losses) since 2002.

- The scenario component is used primarily to determine the unexpected loss portion of the capital requirement. It is based on a set of generic scenarios that represent categories of operational risks which UBS is exposed to. The scenarios themselves are generated from an analysis of internal and external event information, the current business environment and UBS's own internal control environment. The scenarios are reviewed at least annually by experts to ensure their validity and may be updated based on material new information or events. During 2008, scenarios were adjusted for a number of industry-wide events including unauthorized trading losses and disputes over client practices.

UBS calculates its operational risk regulatory capital requirement using the AMA model for the consolidated Group and the parent bank in accordance with the requirements of FINMA. For regulated subsidiaries the standardized approaches are adopted as agreed with local regulators. Currently, UBS does not reflect mitigation through insurance in its AMA model.