This document discusses proactive management of operational risk. It outlines various types of operational risks including internal fraud, external fraud, workplace safety violations, and system failures. It also discusses potential areas of loss from an operational risk perspective as defined by the Basel Committee. These include losses from people, processes, systems, and external events. The document then examines costs of operational losses and provides examples of potential losses including penalties from FERC and impacts of Dodd-Frank regulations. It emphasizes the importance of planning for risk through developing an operational risk capability including assessing requirements and impacts, identifying gaps, and creating a roadmap to address gaps over time. The goal is to effectively manage operational risk on an ongoing basis.

1. Proactive Management of Operational Risk
April 19th, 2012

2. Evolution of Risk
Market Credit Operational
Risk Risk Risk
Page 2

3. Operational Risk
Internal fraud
Safety
violation
External fraud
Execution
System
failure
Failed
products
Physical
asset
damage
Page 3

4. Operational Risk
“The risk of loss resulting from
inadequate or failed
internal processes,
people and systems
or from external events.”
Source: Basel Committee
Page 4

5. Areas of Loss
Basel Committee’s
People Processes Systems External Events
Potential Areas of Loss
Internal Fraud Insider trading, employee theft
External Fraud Robbery, computer hacking
Employment Practices Discrimination, violation of organized
and Workplace Safety labor activities, safety violations
Clients, Products, and Negligent failure to meet a
Business Practices professional obligation
Damage to Natural
Physical Assets disaster, terrorism
Business Disruption
Hardware/software failures, utility outages
and System Failures
Execution, Delivery, and Data entry errors, incomplete legal documentation, incorrect
Process Management valuation, exceeding limits or controls , compliance violations
Page 5

6. Cost of Losses
Direct Costs Indirect Costs
 Cost to fix: Internal  Enhancement of controls
investment or payments to  Preventative action
third-parties
 System upgrades or
 Write-downs: Loss or enhancement
impairment of assets
 Process improvement
 Resolutions: Correcting the
 Lost or forgone revenue
consequences
 Brand value loss
 Public relations: Cost to
address loss with stakeholders
Page 6

7. Potential Loss – FERC Penalties
FERC Civil Penalties ($MM)
300
250
200
150
100
50
0
2007
2008
2009
2010
2011
2012
Page 7

8. Potential Loss – Dodd Frank Impact
The Edison Electric Institute recently
estimated that Dodd-Frank
mandates, which may require electric
utilities to post margin on over-the-
counter transactions, would have a
negative average annual cash flow
impact of $250-$400 million per
utility
Page 8

9. Potential Loss / Expense – Cyber Threats
In January 2012, US FBI director Robert
Mueller testified before the US Senate
Select Committee on Intelligence that
cyber threats, both espionage and
disruption, by both rogue hackers and
foreign governments, would surpass
terrorism as the country’s top concern
Page 9

10. Planning for Risk
Operational
Risk Capability
Requirements &
“Snapshot” Gap Analysis Roadmap
Impact
Page 10

11. Take a “Snapshot”
Requirements Gap
“Snapshot” Roadmap
& Impact Analysis
 Accountability and oversight model
 Supporting processes
 Technology architecture
 In-flight efforts
Page 11

12. Qualify the Impact
Requirements Gap
“Snapshot” Roadmap
& Impact Analysis
 Business requirements
− Strategy
− Process
− Technology
− Capabilities
 Pending regulation or market change
 Risks to organization, process, and technology
Page 12

13. Map the Gaps
Gap
“Snapshot” Requirements Roadmap
Analysis
 Approximate costs and potential benefits
 Identify big opportunities and low hanging fruit
 Prioritize gaps
Page 13

14. Plan Ahead
Gap
“Snapshot” Requirements Roadmap
Analysis
 Develop enhancement strategy
 Estimate budget
 Develop business case
 Develop implementation plan
Page 14

15. What Will Your Future Look Like?
Regulatory changes
Industry dynamics
Competitive pressures
Market volatility
Page 15

16. Thank You!
Questions?
Page 16

17. Appendix - Case Study Example
Communication Risk Assessment
Situation
The power merchant group within a global energy company
needed an executive-level view of operational
processes, with a focus on key nodes of communication
and potential risks due to outages of those nodes
Outcome
 Detailed risk assessment
 Risk heat map
 Path forward
Page 17