
OPERATIONAL RISK MANAGEMENT

From the document: 2013 Financial Materials | J.P. Morgan (pages 149-152)

Operational risk is the risk of loss resulting from inadequate or failed processes or systems, human factors or external events.

Overview

Operational risk is inherent in each of the Firm’s businesses and support activities. Operational risk can manifest itself in various ways, including errors, fraudulent acts, business interruptions, inappropriate behavior of employees, or vendors that do not perform in accordance with their arrangements. These events could result in financial losses, including litigation and regulatory fines, as well as other damage to the Firm, including reputational harm. To monitor and control operational risk, the Firm maintains an overall framework that includes oversight and governance, policies and procedures, consistent practices across the lines of business, and enterprise risk management tools intended to provide a sound and well-controlled operational environment.

The framework clarifies:

• Roles and Responsibilities

  – Ownership of the risk by the businesses and functional areas

  – Monitoring and validation by business control officers

  – Oversight by independent risk management

• Governance through business risk and control committees

• Risk Categories

• Independent review by Internal Audit

• Tools to measure, monitor, and mitigate risk

The goal is to keep operational risk at appropriate levels, in light of the Firm’s financial strength, the characteristics of its businesses, the markets in which it operates, and the competitive and regulatory environment to which it is subject.

In order to strengthen the focus on the Firm’s control environment and drive consistent practices across businesses and functional areas, the Firm established a Firmwide Oversight and Control Group during 2012.

Oversight and Control is comprised of dedicated control officers within each of the lines of business and Corporate functional areas, as well as a central oversight team. The group is charged with enhancing the Firm’s controls by looking within and across the lines of business and Corporate functional areas to identify and control issues.

The group enables the Firm to detect control problems more quickly, escalate issues promptly and get the right people involved to understand common themes and interdependencies among the various parts of the Firm. The group works closely with the Firm’s other control-related functions, including Compliance, Legal, Internal Audit and Risk Management, to effectively remediate identified control issues across all affected areas of the Firm. As a result, the group facilitates the effective execution of the Firm’s control framework and helps support operational risk management across the Firm.

Risk Management is responsible for defining the Operational Risk Management Framework and providing independent oversight of the framework across the Firm.

Operational risk management framework

The Firm’s approach to operational risk management is intended to identify potential issues and mitigate losses by supplementing traditional control-based approaches to operational risk with risk measures, tools and disciplines that are risk-specific, consistently applied and utilized firmwide. Key themes are transparency of information, escalation of key issues and accountability for issue resolution.

In addition to the standard Basel risk event categories, the Firm has developed the operational risk categorization taxonomy below for purposes of identification, monitoring, reporting and analysis:

• Fraud risk

• Market practices

• Client management

• Processing error

• Financial reporting error

• Information risk

• Technology risk (including cybersecurity risk)

• Third-party risk

• Disruption and safety risk

• Employee risk

• Risk management error (including model risk)

• Oversight and governance errors

Key components of the Operational Risk Management Framework include:

Risk governance

The Firmwide Control Committee (“FCC”) provides a forum for senior management to review and discuss firmwide operational risks including existing and emerging issues as well as operational risk metrics, management and execution. The FCC serves as an escalation point for significant issues raised from LOB and Functional Control Committees, particularly those with potential enterprise-wide impact. The FCC (as well as the LOB and Functional Control Committees) oversees the risk and control environment, which includes reviewing the identification, management and monitoring of operational risk, control issues, remediation actions and enterprise-wide trends. The FCC escalates significant issues to the FRC.

Management’s discussion and analysis

156 JPMorgan Chase & Co./2013 Annual Report

Risk identification and assessment

In order to evaluate and monitor operational risk, businesses and functions utilize the Firm’s standard risk and control self-assessment (“RCSA”) process and supporting architecture. The RCSA process requires management to identify material inherent operational risks, assess the design and operating effectiveness of relevant controls designed to mitigate such risks, and evaluate residual risk.

Action plans are developed for control issues that are identified, and businesses are held accountable for tracking and resolving issues on a timely basis.

Risk monitoring

The Firm has a process for monitoring operational risk event data, which permits analysis of errors and losses as well as trends. Such analysis, performed both at a line of business level and by risk-event type, enables identification of the causes associated with risk events faced by the businesses. Where available, the internal data can be supplemented with external data for comparative analysis with industry patterns.

Risk reporting and analysis

Operational risk management reports provide information, including actual operational loss levels, self-assessment results and the status of issue resolution to the lines of business and senior management. The purpose of these reports is to enable management to maintain operational risk at appropriate levels within each line of business, to escalate issues and to provide consistent data aggregation across the Firm’s businesses and functions.

Risk measurement

Operational risk is measured using a statistical model based on the loss distribution approach. The operational risk capital model uses actual losses, a comprehensive inventory of forward-looking potential loss scenarios and adjustments to reflect changes in the quality of the control environment in determining firmwide operational risk capital. This methodology is designed to comply with the Advanced Measurement rules under the Basel framework. For additional information on operational risk capital, see Regulatory Capital on pages 161–165 of this Annual Report.

Operational risk management system

The Firm’s operational risk framework is supported by Phoenix, an internally designed operational risk system, which integrates the individual components of the operational risk management framework into a unified, web-based tool. Phoenix enhances the capture, reporting and analysis of operational risk data by enabling risk identification, measurement, monitoring, reporting and analysis to be done in an integrated manner across the Firm.

Audit alignment

Internal Audit utilizes a risk-based program of audit coverage to provide an independent assessment of the design and effectiveness of key controls over the Firm’s operations, regulatory compliance and reporting. This includes reviewing the operational risk framework, the effectiveness of the business self-assessment process, and the loss data-collection and reporting activities.

Insurance

One of the ways operational loss is mitigated is through insurance maintained by the Firm. The Firm purchases insurance to be in compliance with local laws and regulations (e.g., workers’ compensation), as well as to serve other needs (e.g., property loss and public liability).

Insurance may also be required by third parties with whom the Firm does business. The insurance purchased is reviewed and approved by senior management.

Cybersecurity

The Firm devotes significant resources to maintain and regularly update its systems and processes that are designed to protect the security of the Firm’s computer systems, software, networks and other technology assets against attempts by third parties to obtain unauthorized access to confidential information, destroy data, disrupt or degrade service, sabotage systems or cause other damage.

The Firm and several other U.S. financial institutions continue to experience significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which are intended to disrupt online banking services. The Firm is also regularly targeted by third parties using malicious code and viruses, and has also experienced other attempts to breach the security of the Firm’s systems and data which, in certain instances, have resulted in unauthorized access to customer account data.

The Firm has established, and continues to establish, defenses on an ongoing basis to mitigate these attacks. To date, these cyberattacks have not resulted in any material disruption of the Firm’s operations or material harm to the Firm’s customers, and have not had a material adverse effect on the Firm’s results of operations.

Third parties with which the Firm does business or that facilitate the Firm’s business activities (e.g., vendors, exchanges, clearing houses, central depositories, and financial intermediaries) could also be sources of cybersecurity risk to the Firm, including with respect to breakdowns or failures of their systems, misconduct by the employees of such parties, or cyberattacks which could affect their ability to deliver a product or service to the Firm or result in lost or compromised information of the Firm or its clients.

The Firm is working with appropriate government agencies and other businesses, including the Firm's third-party service providers, to continue to enhance defenses and improve resiliency to cybersecurity threats.


Business resiliency

JPMorgan Chase’s global resiliency and crisis management program is intended to ensure that the Firm has the ability to recover its critical business functions and supporting assets (i.e., staff, technology and facilities) in the event of a business interruption, and to remain in compliance with global laws and regulations as they relate to resiliency risk.

The program includes corporate governance, awareness and training, as well as strategic and tactical initiatives to ensure that risks are properly identified, assessed, and managed.

The Firm’s Global Resiliency team has established comprehensive and qualitative tracking and reporting of resiliency plans in order to proactively anticipate and manage various potential disruptive circumstances such as severe weather, technology and communications outages, flooding, mass transit shutdowns and terrorist threats, among others. The resiliency measures utilized by the Firm include backup infrastructure for data centers, a geographically distributed workforce, dedicated recovery facilities, ensuring technological capabilities to support remote work capacity for displaced staff and accommodation of employees at alternate locations.

JPMorgan Chase continues to coordinate its global resiliency program across the Firm and mitigate business continuity risks by reviewing and testing recovery procedures. The strength and proficiency of the Firm’s global resiliency program has played an integral role in maintaining the Firm’s business operations during and quickly after various events that have resulted in business interruptions, such as Superstorm Sandy and Hurricane Isaac in the U.S., monsoon rains in the Philippines, tsunamis in Asia, and earthquakes in Latin America.
