OPERATIONAL RISK MANAGEMENT

In document: 2014 Financial Materials | J.P. Morgan (pages 143-146)

Operational risk is the risk of loss resulting from inadequate or failed processes or systems or due to external events that are neither market nor credit-related. Operational risk is inherent in the Firm’s activities and can manifest itself in various ways, including fraudulent acts, business interruptions, inappropriate behavior of employees, failure to comply with applicable laws and regulations or failure of vendors to perform in accordance with their arrangements.

These events could result in financial losses, litigation and regulatory fines, as well as other damage to the Firm. The goal is to keep operational risk at appropriate levels, in light of the Firm’s financial strength, the characteristics of its businesses, the markets in which it operates, and the competitive and regulatory environment to which it is subject.

Overview

To monitor and control operational risk, the Firm maintains an overall Operational Risk Management Framework (“ORMF”) which comprises governance oversight, risk assessment, capital measurement, and reporting and monitoring. The ORMF is intended to enable the Firm to function with a sound and well-controlled operational environment.

Risk Management is responsible for prescribing the ORMF to the lines of business and corporate functions and for providing independent oversight of its implementation. In 2014, Operational Risk Officers (“OROs”) were appointed across each line of business and corporate function to provide this independent oversight.

The lines of business and corporate functions are responsible for implementing the ORMF. The Firmwide Oversight and Control Group, comprised of dedicated control officers within each of the lines of business and corporate functional areas, as well as a central oversight team, is responsible for day-to-day review and monitoring of ORMF execution.

Operational risk management framework

The components of the Operational Risk Management Framework are:

Oversight and governance

Control committees oversee the operational risks and control environment of the respective line of business, function or region. These committees escalate operational risk issues to their respective line of business, function or regional Risk committee and also escalate significant risk issues (and/or risk issues with potential Firmwide impact) to the Firmwide Control Committee (“FCC”). The FCC provides a monthly forum for reviewing and discussing Firmwide operational risk metrics and management, including existing and emerging issues, and reviews execution against the ORMF. It escalates significant issues to the Firmwide Risk Committee, as appropriate. For additional information on the Firmwide Control Committee, see Risk Governance on pages 106–109.

Risk self-assessment

In order to evaluate and monitor operational risk, the lines of business and functions utilize the Firm’s standard risk and control self-assessment (“RCSA”) process and supporting architecture. The RCSA process requires management to identify material inherent operational risks, assess the design and operating effectiveness of relevant controls in place to mitigate such risks, and evaluate residual risk. Action plans are developed for control issues that are identified, and businesses are held accountable for tracking and resolving issues on a timely basis. Commencing in 2015, Risk Management will perform sample independent challenge of the RCSA program.

Risk reporting and monitoring

Operational risk management and control reports provide information, including actual operational loss levels, self-assessment results and the status of issue resolution to the lines of business and senior management. The purpose of these reports is to enable management to maintain operational risk at appropriate levels within each line of business, to escalate issues and to provide consistent data aggregation across the Firm’s businesses and functions.

The Firm has a process for capturing, tracking and monitoring operational risk events. The Firm analyzes errors and losses and identifies trends. Such analysis enables identification of the causes associated with risk events faced by the lines of business.

Capital measurement

Operational risk capital is measured primarily using a statistical model based on the Loss Distribution Approach (“LDA”). The operational risk capital model uses actual losses (internal and external to the Firm), an inventory of material forward-looking potential loss scenarios and adjustments to reflect changes in the quality of the control environment in determining Firmwide operational risk capital. This methodology is designed to comply with the Advanced Measurement rules under the Basel framework.

The Firm’s capital methodology incorporates four required elements of the Advanced Measurement Approach (“AMA”):

• Internal losses,

• External losses,

• Scenario analysis, and

• Business environment and internal control factors (“BEICF”).

The primary component of the operational risk capital estimate is the result of a statistical model, the LDA, which simulates the frequency and severity of future operational risk losses based on historical data. The LDA model is used to estimate an aggregate operational loss over a one-year time horizon, at a 99.9% confidence level. The LDA model incorporates actual operational losses in the quarter following the period in which those losses were realized, and the calculation generally continues to reflect such losses even after the issues or business activities giving rise to the losses have been remediated or reduced.

Management’s discussion and analysis

142 JPMorgan Chase & Co./2014 Annual Report

The LDA is supplemented by both management’s view of plausible tail risk, which is captured as part of the Scenario Analysis process, and evaluation of key LOB internal control metrics (BEICF). The Firm may further supplement such analysis to incorporate management judgment and feedback from its bank regulators. For information related to operational risk RWA, see Regulatory capital on pages 146–153.

Audit alignment

Internal Audit utilizes a risk-based program of audit coverage to provide an independent assessment of the design and effectiveness of key controls over the Firm’s operations, regulatory compliance and reporting. This includes reviewing the operational risk framework, the effectiveness of the RCSA process, and the loss data-collection and reporting activities.

Insurance

One of the ways operational loss is mitigated is through insurance maintained by the Firm. The Firm purchases insurance to be in compliance with local laws and regulations (e.g., workers compensation), as well as to serve other needs (e.g., property loss and public liability).

Insurance may also be required by third parties with whom the Firm does business. The insurance purchased is reviewed and approved by senior management.

Cybersecurity

The Firm devotes significant resources to maintain and regularly update its systems and processes that are designed to protect the security of the Firm’s computer systems, software, networks and other technology assets against attempts by unauthorized parties to obtain access to confidential information, destroy data, disrupt or degrade service, sabotage systems or cause other damage.

In 2014, the Firm spent more than $250 million, and had approximately 1,000 people focused on cybersecurity efforts, and these efforts are expected to grow significantly over the coming years.

Third parties with which the Firm does business or that facilitate the Firm’s business activities (e.g., vendors, exchanges, clearing houses, central depositories, and financial intermediaries) could also be sources of cybersecurity risk to the Firm, including with respect to breakdowns or failures of their systems, misconduct by the employees of such parties, or cyberattacks which could affect their ability to deliver a product or service to the Firm or result in lost or compromised information of the Firm or its clients. In addition, customers with which or whom the Firm does business can also be sources of cybersecurity risk to the Firm, particularly when their activities and systems are beyond the Firm’s own security and control systems.

Customers will generally be responsible for losses incurred due to their own failure to maintain the security of their own systems and processes.

The Firm and several other U.S. financial institutions have experienced significant distributed denial-of-service attacks from technically sophisticated and well-resourced unauthorized parties which are intended to disrupt online banking services. The Firm and its clients are also regularly targeted by unauthorized parties using malicious code and viruses.

On September 10, 2014, the Firm disclosed that a cyberattack against the Firm had occurred. On October 2, 2014, the Firm updated that information and disclosed that, while user contact information (name, address, phone number and email address) and internal JPMorgan Chase information relating to such users had been compromised, there had been no evidence that account information for such affected customers -- account numbers, passwords, user IDs, dates of birth or Social Security numbers -- was compromised during the attack. The Firm continues to vigilantly monitor the situation. In addition, as of the October 2, 2014 announcement, as well as of the date of this Annual Report, the Firm has not seen any unusual customer fraud related to this incident. The Firm is cooperating with government agencies in connection with their investigation of the incident. The Firm also notified its customers that they were not liable for unauthorized transactions in their accounts attributable to this attack that they promptly alerted the Firm about.

The Firm has established, and continues to establish, defenses on an ongoing basis to mitigate this and other possible future attacks. The cyberattacks experienced to date have not resulted in any material disruption to the Firm’s operations or had a material adverse effect on the Firm’s results of operations. The Board of Directors and the Audit Committee are regularly apprised regarding the cybersecurity policies and practices of the Firm as well as the Firm’s efforts regarding this attack and other significant cybersecurity events.

Cybersecurity attacks, like the one experienced by the Firm, highlight the need for continued and increased cooperation among businesses and the government, and the Firm continues to work with the appropriate government and law enforcement agencies and other businesses, including the Firm’s third-party service providers, to continue to enhance defenses and improve resiliency to cybersecurity threats.

Business and Technology Resiliency

JPMorgan Chase’s global resiliency and crisis management program is intended to ensure that the Firm has the ability to recover its critical business functions and supporting assets (i.e., staff, technology and facilities) in the event of a business interruption, and to remain in compliance with global laws and regulations as they relate to resiliency risk.

The program includes corporate governance, awareness and training, as well as strategic and tactical initiatives aimed to ensure that risks are properly identified, assessed, and managed.

The Firm has established comprehensive tracking and reporting of resiliency plans in order to proactively anticipate and manage various potential disruptive circumstances such as severe weather, technology and communications outages, flooding, mass transit shutdowns and terrorist threats, among others. The resiliency measures utilized by the Firm include backup infrastructure for data centers, a geographically distributed workforce, dedicated recovery facilities, providing technological capabilities to support remote work capacity for displaced staff and accommodation of employees at alternate locations. JPMorgan Chase continues to coordinate its global resiliency program across the Firm and mitigate business continuity risks by reviewing and testing recovery procedures. The strength and proficiency of the Firm’s global resiliency program has played an integral role in maintaining the Firm’s business operations during and quickly after various events in 2014 that have resulted in business interruptions, such as severe winter weather in the U.S., tropical storms in the Philippines, and geopolitical events in Brazil and Hong Kong.
