UBS AG
Shareholders & analysts: Annual Reports 2005
Operational risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external causes, whether deliberate, accidental or natural. It is inherent in all our activities, not only in the business we conduct but also from the fact that we are a business – because we are an employer, we own and occupy property, and we hold assets, including information, belonging to ourselves and to our clients. Our approach to operational risk is not designed to eliminate risk per se but, rather, to contain it within acceptable levels, as determined by senior management, and to ensure that we have sufficient information to make informed decisions about additional controls, adjustments to controls, or other risk responses. The Group CRO and the Head of Operational Risk, who reports to him, are responsible for the independence, objectivity and effectiveness of our operational risk framework.

Operational risk framework

Every function, whether a front-end business or a control or logistics unit, must manage the operational risks that arise from its own activities. Because operational risk is all-pervasive, with a failure in one area potentially impacting many others, our framework is based on mutual oversight across all functions. Each Business Group has therefore established cross-functional bodies as an integral part of its governance structure, to actively manage operational risk.

To ensure the integrity of risk management decisions, each Business Group also has an Operational Risk Control unit, the head of which reports functionally to the Group Head of Operational Risk. The primary remit of these units is to confirm the effective implementation of the operational risk framework in the Business Group and to ensure transparent assessment and reporting of operational risks to senior management.

The foundation of the operational risk framework is the definition by all functions of their roles and responsibilities so that, collectively, they can ensure that there is adequate segregation of duties, complete coverage of risks and clear accountability. From this analysis, they develop control objectives and standards to protect our tangible and intangible assets and interests, based on the types of operational risk event that might arise, ranging from everyday reconciliation problems to potentially severe events such as fraud. We recognize that we cannot eliminate all risks, because errors and accidents will always happen, and that even where it is possible it is not always cost-effective to do so. We therefore adopt a risk-based approach to the design and implementation of our internal control framework.

The functions monitor compliance with their controls and assess their operating effectiveness in several ways, including self-certification by staff, and evaluation of responses by management. Additionally, they track a wide-ranging set of metrics to provide potential early warning of increased risk associated with non-attainment of control objectives. These include numbers and characteristics (severity, size, age etc.) of, for example, client complaints and claims, deal cancellations and corrections, unreconciled items on cash and customer accounts, and systems failures. We also assess the implications of internal and external audit findings and other relevant sources of information.

As major operational risk events occur, we assess their causes and the implications for our control framework, whether or not they lead to direct financial loss. This includes events affecting third parties that are relevant to our business if sufficient information is made public. It is important that we use all available information to test our control framework because, even if an internal event does not lead to a direct or indirect financial loss, it may indicate that our standards are not being complied with.

The totality of this information is reviewed by functional managers to assess their operational risk exposure and the actions needed to address specific issues. Regular reports are made both within the Business Groups and to the Group CRO to allow senior management to assess the overall operational risk profile.

Operational risk measurement

The specific risks that are identified by operational risk management and reported to senior management are evaluated in terms of their potential frequency of occurrence and severity of the resulting impact. These assessments are validated by the Operational Risk Control functions within the Business Groups.

We maintain a database of financial events (both profits and losses) and their underlying causes, and are developing a model to quantify our operational risk. This will ultimately form the basis of our operational risk regulatory capital requirement under Basel II, for which we intend to use an advanced measurement approach. This quantification, while useful, does not necessarily tell the whole story. A single event can impact us financially in ways other than direct costs or losses such as fines, compensation to clients or asset write-downs – we may also suffer lost revenues from business disruption, and incur costs associated with remediation. The impact of an event may also be larger than its immediate monetary cost might suggest – a publicly disclosed regulatory fine can, for example, result in withdrawal of clients or loss of business. In summary, the level of risk at any time is not directly correlated to actual financial losses or their frequency of occurrence, which are, at best, only indicative.

As far as accounting for operational risks is concerned, many potential loss situations are identified before the probability, timing or amount of future expenditure are known with certainty. IFRS requires us to make a provision, based on the best estimate of a liability, when it is probable that a payment will be required, even if the amount to be paid has not yet been exactly determined. This requires the exercise of judgment. Once we are able to quantify any potential operational risk more accurately, the corresponding provision is revised up or down.

Operational risk developments

Regulatory compliance is a prerequisite for effective operational risk management and control and comes primarily in the form of Basel II, Sarbanes-Oxley Section 404 (SOX 404) and other related requirements (e.g. the Federal Deposit Insurance Corporation Improvement Act in the US). The Operational Risk Framework serves broadly as the backbone of the Bank’s approach to internal control requirements, and thus forms a key component of the SOX 404 compliance requirement that will come into effect at the end of 2006. Because this evaluation is a specialized form of risk assessment, a specific SOX Office has been created under the Group CFO. This office liaises closely with the Group and Business Group Operational Risk Controllers to ensure an efficient flow of information.

The operational risk framework provides information that can be used in specialized risk evaluations. The operational risk assessments by the Business Groups can, for example, provide valuable information in support of legal and compliance risk assessments. This concept will be developed further for use in other specialist areas such as human resources and tax to ensure that the operational risk framework continues to help us achieve excellence in operational risk management and control.

Operational risk in practice

Following public disclosure of two major incidents (relating to bank notes trading and US withholding tax) in 2004, operational risk events in 2005 have been less high profile. Among the more notable was the outcome of the US investigation into market timing in the mutual funds business, which led to a financial settlement with several US regulatory authorities. A loss of client data relating to approximately 9,500 accounts in Japan, reported in May 2005, highlights the continuing challenges we face in managing a complex, integrated, fast-changing, global business, particularly against the backdrop of heightened regulatory and public sensitivity to shortcomings in corporate processes.

At the end of 2004, the GEB started developing a number of measures that addressed areas exposed to operational risk in terms of regulatory requirements and management oversight. Those measures made significant progress in 2005. As part of the overall project, a firm-wide communication and education framework has been rolled out to all employees to raise awareness of operational risk issues and to provide specific training where necessary.

© UBS 1998-2008. All rights reserved.