Role of Operational Risk in the Product Lifecycle Presented By: Chris Nestore, SVP Head of Operational Risk Management, TD Bank

Transcription

1 Role of Operational Risk in the Product Lifecycle Presented By: Chris Nestore, SVP Head of Operational Risk Management, TD Bank

2 Product Governance Overview Regulatory agencies have increased interest and scrutiny around product governance and oversight for large financial institutions. Heightened regulatory expectations include managing risk beyond just new product development. End-to-End product governance includes: New product development Post implementation monitoring and review - including when to retire a product Review of sales practices and disclosures associated with products Operational Risk Management's role in product governance is in the development and oversight of policies and processes to manage the risks associated with products throughout their lifecycle. 2

3 New, Modified or Expanded Bank Products and Services The OCC issued Bulletin in October 2017 to inform Banks of the risk management principles to prudently manage the risks associated with new, modified, or expanded products and services (collectively, "new activities"). Replaces OCC Bulletin Governance programs for new activities must include conducting due diligence and obtaining appropriate management approvals to fully assess the risks and benefits before implementation. On-going supervision and exams assess new product approval programs against the principles outlined in Bulletin

4 New Product Governance Model at TD Bank Three Lines of Defense First Line of Defense The Business Line Executive and Business Sponsor own the business risks and must ensure the risks associated with new activities are within the Company's risk appetite Second Line of Defense Operational Risk Management and Corporate Functions independent of the business provide oversight and independent review and challenge Real-time Response Team and Delegates Third Line of Defense Independent function that reports to the CEO and Board that provides a periodic independent verification of new activities encompassed within the First and Second Lines. 4

5 First Line of Defense Business Line Executive Business Sponsor Business Line Control Officer The most senior business executive in each major business line accountable for ensuring new activities are properly authorized, supported and in alignment with the Business Line's strategic objectives and the Bank's Risk Appetite. Senior business person sponsoring the new activity, or product manager within the business having direct knowledge or involvement with the new activity. Individuals with risk and governance control roles embedded within the business responsible for assisting the business in managing its risk by following the New Business and Product Approval ("NBPA") process. Responsibilities: Approves all new activities. Ensures that their Business is in compliance with the NBPA Policy and follows the NBPA Process to appropriately identify, control and monitor the risk associated with the new activities. Responsibilities: Engages Risk Partners throughout the lifecycle of the new activity to ensure risks are identified and controlled. Completes NBPA process documentation (e.g., Risk Assessment). Updates business policies, processes and procedures in relation to the new activity, as needed. Responsibilities: Assists the Business in determining whether new activities are in scope for the NBPA Process. Reviews all NBPA documentation, as completed by the Business. 5

6 Second Line of Defense Risk Partners Operational Risk Management Enterprise Risk Management Designated Corporate and Oversight functions who are engaged in the review of new activities to determine impact to their area and to provide businesses with subject matter expertise in the identification of risks in their area. Head of Operational Risk Management ("ORM"), ORM Segment Risk Leads and the New Business and Product Approval team all play a role in the NBPA process. The Head of Enterprise Risk Management ("ERM") informs the Business of risk impacts on new activities through monitoring of risk identification processes across the Bank. Responsibilities: Approve new activities when there is significant risk identified in their area. Documents and retains supplementary analysis as needed to support their review and sign-off. Ensures applicable Risk Partner policies and procedures affected by the new activity are updated, as needed. Responsibilities: The Head of ORM owns the NBPA Policy and approves all new activities. Segment Risk Leads are designated for each business line and provide an independent review and challenge of all NBPA documentation completed by the Business. The NBPA team is responsible for: o Oversight of the NBPA Process o Development and maintenance of the NBPA Policy, Process, and Forms o Providing training to Business Lines regarding the Policy and Process o Reporting on new activities and compliance with the NBPA Process to various governance and risk committees. Responsibilities: Approves all new activities. Ensure ERM team reviews NBPA documentation for impact on ERM programs and processes. 6

7 Risk Partners Risk Partners are key in the due diligence process for new activities. In addition to providing subject matter expertise in the assessment of the risks and controls associated with the new activity, they also assist with determining: How the activity affects the Bank's current and projected capital position. The requirements of applicable laws and regulations. The expertise needed to effectively manage the new activity, including the need to hire or otherwise acquire additional expertise. The operational infrastructure requirements to support the new activities, including technology. The potential impact on the bank's reputation. As well as: Conducting the appropriate due diligence on relevant third-party providers. Developing a financial plan. Mandatory Risk Partners (Must sign-off on all new activities) Legal Anti-Money Laundering Compliance Other Risk Partners (Must sign-off when significant risk has been identified for their area) Credit Risk Enterprise Business Continuity & Crisis Management Financial Crimes & Fraud Management Technology Risk Management & Information Security Strategic Sourcing Group / Third Party Risk Management Payments Risk Management Finance Tax Model Risk Management Capital Management Market Risk Control Treasury & Balance Sheet Management Human Resources Corporate Development Office of the Chief Data Officer 7

8 Product Risk Assessments Assessing and mitigating risk associated with new activities prior to implementation is the main objective of a governance program for new product development. The TD Bank NBPA Process requires that a risk assessment be completed for all new activities, which is based on nine major risk categories and eight sub-categories of Operational Risk. Each category of risk has a corresponding Risk Partner as illustrated below. Major Risk Categories Strategic Risk Legal, Regulatory Compliance and Conduct Risk Reputational Risk Model Risk Credit Risk Market Risk (Trading and Non-Trading) Liquidity Risk Capital Adequacy risk Risk Partners Corporate Development Legal and Compliance Reputational Risk Committee Model Risk Management Credit Risk Management Market Risk Control Treasury & Balance Sheet Management Capital Management Operational Risk Sub-categories External Event Risk Process Risk People Risk Supplier Risk Fraud and Criminal Activity Risk Technology Risk Cyber Security Risk Data Asset Risk Risk Partners Enterprise Business Continuity & Crisis Mgmt. Bank Operations and Operational Risk Mgmt. Human Resources Third Party Risk Management Financial Crimes & Fraud Management Technology Risk Management & Information Security Office of the Chief Data Officer 8

9 NBPA Program Links To Other Risk Management Programs TD Bank, like many other financial institutions, has developed many separate oversight and governance programs over the years to manage the various risk categories. The challenge for Operational Risk Management going into the future is linking these programs together in a way that provides a comprehensive product risk management program that enables business lines to quickly and efficiently introduce new products into the market, while effectively managing risk. TD Bank's NBPA program is linked to other risk management programs across the Bank as illustrated in the table below. Program Enterprise Risk Management ("ERM") Third Party Risk Management Program Compliance / Privacy Strategic Business Plan ("SBP") Process Volker Rule Compliance Process Process Risk and Control Self Assessment ("prcsa") Program Strategic Portfolio Delivery - Project Delivery Life Cycle ("PDLC") / Change Management Process Product Review Program ("PRP") Description ERM reviews new activities as a source for identifying potential risks, as part of their Risk Identification, Catalog, Materiality and Measurement Methodology process. In addition, the Head of ERM is a mandatory Risk Partner required to approve all new activities. The NBPA form indicates whether a 3 rd party is involved with the new activity. Third Party Risk Management is a Risk Partner in the NBPA process and reviews all NBPA forms to ensure the business has completed the requirements of the Third Party Risk Management process. The Head of Third Party Risk Management is required to approve all new activities with 3 rd party involvement. A link to the Privacy Impact Assessment ("PIA") form is included on the NBPA form to remind businesses that it must be completed for all new activities. Compliance is a mandatory Risk Partner required to approve all new activities. The NBPA form indicates whether the new activity is in alignment with the Business' s SBP. Corporate Development is a Risk Partner in the NBPA process and receives all NBPA forms for review. The NBPA form indicates when a new activity is subject to the Volker Rule. Approval validates that all requirements of the Volker Rule compliance process are met. The NBPA form indicates whether the new activity will either require a change to an existing core process or require the development of a new core process. This information is provided to the prcsa program lead and the ORM Segment Risk Lead for awareness. The NBPA process is incorporated into the PDLC process. References to the NBPA process are documented within the PDLC process on the Project Management Office intranet site. Complements the NBPA process by annually assessing the risks associated with products after implementation and reviewing them on a periodic basis, based on their risk profile. The PRP program applies to existing products, as well as those that were approved through the NBPA program. 9

10 New Product Lifecycle Project Delivery Lifecycle Phases New Activities Initiation Planning Execution Closure / Post Implementation Development and testing completed. Risk mitigation plans/controls are implemented. Corresponding Risk Governance New Activities Business implements new activity. NBPA Phase 1 New Activity Summary NBPA Phase1 Risk Partner Review Meeting NBPA Phase 2 Risk Assessment NBPA Phase 2 Approvals NBPA Phase 3 Post Implementation Review Product Review Program NBPA Phase 1: Business Sponsor completes the Project Summary portion of the NBPA form, which includes a detailed description of the new activity. ORM distributes Phase 1 of the NBPA form to Risk Partners for their awareness. Business Sponsor presents the new activity at a Risk Partner Review meeting. Risk Partners determine whether the new activity will impact their area and provide the Business Sponsor with their engagement requirements on the project. NBPA Phase 2: Business Sponsor engages Risk Partners as appropriate to identify significant risks and appropriate mitigation plans. Business collaborates with Risk Partners to document significant risks and mitigation plans on the Risk Assessment portion of the NBPA form. ORM distributes Phase 2 of the NBPA form to the Risk Partners for their approval, including any conditions. Risk Partners provide approval, as required. NBPA Phase 3: Business completes the Post Implementation Review (PIR) portion of the NBPA form. (One year following launch of new activity) ORM distributes Phase 3 of the NBPA form to applicable Risk Partners for review and response. PIR is approved by the Head of ORM. Product Review Program: On-going risk review under the Product Review Program begins at least 2 years after implementation of a new activity. 10

11 TD Bank Product Review Program Going beyond just new products Before - Gap in Product Governance Businesses are responsible for ongoing monitoring of the performance and risks related to their products; however, limited centralized oversight program in place to validate this was occurring and to review/report the results. The New Business and Product Approval (NBPA) program only assesses the risk of new activities prior to implementation and one year post launch; there was no ongoing risk review. The Process Risk and Control Self-Assessment ("prcsa") program only assesses the key risks of core processes associated with the execution of products; not the overall risk profile of the product itself. Other product risk assessments at the Bank only assess specific categories of risk related to products, for example, AML product risk ratings; there was no overall product risk assessment process for existing products. After - Product Review Program ORM developed the Product Review Program ("PRP") at TD Bank in partnership with business product management and governance & control group representatives. The primary objective was to compile and maintain an inventory of bank products, which will be risk assessed annually and periodically reviewed based on the product risk profile. TD Bank implemented the PRP in The initial program has been shared with the regulators; which will be examined as part of their on-going supervision and compared to industry best practices as this area of governance evolves. 11

12 TD Bank Product Review Program Product Risk Rating Products must be risk assessed annually to determine a "High", "Medium" or "Low" overall risk rating. ORM developed definitions to assist businesses in assigning a High, Medium or Low rating for each risk category. The Product Risk Rating is based on the various major risk categories and subcategories of operational risk.. Reputational Risk for each product will be assessed independent of the other risks categories. Ratings are to be based on inherent risk, exclusive of any controls in place or the effectiveness of those controls. Products with an overall "High" risk rating, and/or products that have "High" Reputational risk, require a Product Review to be completed every three years or earlier, if considered necessary by the Business or Risk Management. Product Review The Product owner must complete a Product Review Form for review by the Product Review Council, which includes: A detailed description of the product, including its use, target customer base and distribution channels. Questions that provide insight into the product's risk profile. A list of the product's key risks and/or challenges for each major risk category. The Product Risk profile includes: How the structure of the product has changed since inception or last review? How the use and/or customer base of the product has evolved since inception or last review? The product's fraud loss experience in comparison to the industry. The technology environment for the product. Regulatory oversight of the product. Whether the growth/account volumes are in alignment with the business plan or strategy. Product complaint history. Issues with third party suppliers related to this product. Product Review Council Accountable for the oversight of the PRP, which includes providing direction and guidance on the development of the program and recommendations for program enhancements. Review existing products and services with overall risk rating and/or reputational risk rating of "High". Challenge the Business Line's product risk assessment, including: Whether the product/service remains relevant for the Company; should the product be retired? The risks are understood, are being managed and are within the Bank's risk appetite Provide subject matter expertise and advise on potential action(s) to address any issues or risks identified with existing products and services. Ensure any action items for the product owner/manager are completed. Escalate risk issues to the CRO as deemed necessary. 12

13 Key Messages Increased Expectations on Product Oversight Product Oversight is throughout the Lifecycle Maintain Strong Risk Culture Evolve Risk Environment and Practices 13