October 31, 2006
I. Introduction: Framing the Challenge
II. Overview of JPMC Operational Risk Initiatives
III. Achieving the Full Potential of Operational Risk Management
©2006 JPMorgan Chase & Co. All Rights Reserved. Confidential and Proprietary to JPMorgan Chase & Co.
The consequences of failed operational risk management
Operation Provide Comfort / April 14, 1994
• Black Hawk Helicopter Incident
American Airlines Flight 965
• Miami – Cali / December 20, 1995
U.S. Financial Services Industry
• Publicly disclosed losses 1995 - 2005
[Figure: Aggregate Loss and Event Count by year, 1995 to 2010, with scenario annotations "Curve Steepens?", "Trend Continues?", "Curve Flattens?" and "Loss Levels Decline?". Periods labelled along the time axis: Ad-hoc Risk Management, Systematic Approach, Dynamic Risk Management.]
Source: Fitch Risk; Analysis JPMorgan Chase
Industry Background
Operational risk continues to increase in size, complexity and volatility due to:
• business growth, expansion, etc.
• external environment factors
• change management initiatives
• greater dependencies on complex products, operations and processes
Impact is significant in terms of losses, P/E compression, and reputation risk
For some, the complexity, size and impact of operational risk has outpaced the traditional, ad hoc approach to risk management
Expectations of other stakeholders have also increased, e.g. clients, rating agencies, regulators, auditors, Board members, etc.
JPMC Business Context
The size and complexity of operational risk varies significantly by business
• high frequency / low severity risks (e.g. credit card fraud) are well understood and controlled
• low frequency / high severity risks pose significant challenges
Many significant op risk losses, i.e. > $100m, result from undetected control weaknesses
Challenge: develop cost-effective operational risk framework that:
• improves financial performance by lowering losses and enhancing productivity
• scales down to minimum requirements for low-risk businesses
• scales up to provide desired functionality for high-risk businesses
Industry / regulatory definition and classifications of Operational Risk are:
Definition
Operational Risk is the risk of loss resulting from inadequate or failed processes or systems, human factors or external events
Risk Categories
For purposes of analysis and aggregation, operational risk is divided into six primary categories:
Risk Category: Risk Types
• Clients, Products & Business Practices: Suitability issues, breach of fiduciary duties, sales practices and related legal liability & costs
• Fraud, Theft & Unauthorized Activity: Unauthorized trading, money laundering, internal / external fraud
• Execution & Processing Errors / Tech Failures: Front office / mid office / back office execution errors. Technology and infrastructure errors or failures
• Employment Practices & Workplace Safety: Wrongful dismissal, harassment and workers comp, and related legal liability and costs
• Physical Asset & Infrastructure Damage: Natural disasters and human-instigated acts of damage
• Other: Miscellaneous events
We have embarked on a multi-year initiative to develop an integrated operational risk framework that is responsive to business needs and improves our understanding and management of the key drivers of operational risk. The components of the framework are:
Integrated Framework Design
• Self Assessment
• Governance Framework
• Business Units
• Risk Event Loss Reporting
• Operational Risk Capital Allocation
• Integrated Reporting / Best Practices
• Key Risk Indicators
Phoenix is the integrated application supporting this framework
Objectives
• Improve understanding of drivers of operational risk
• Create environment of reliable data, transparency of issues, escalation and accountability
• Move to ‘no surprise’ environment with capacity to identify / address issues as they develop and before losses are incurred
• Improve financial performance through lower losses, reduced volatility, greater productivity and more efficient capital usage
• Meet Basel II regulatory requirements; facilitate compliance with Sarbanes-Oxley 404 & FDICIA
Ad Hoc: No firm-wide data
• Traditional Audit & Financial reviews
• Operational risk management mostly reactive
Risk Orientation: Begin loss quantification
• Rigorous self assessment model
• Standard loss data reporting
• Governance framework
Integrated Analytics: Projections, analysis, capital allocation
• Risk-based capital
• Dashboard reporting
• “Risk driver” analysis
• Root cause analysis
Integrated Framework: Integrated risk management focused on continuous improvement
• Predictive models
• Correlations across risk classes
• Risk mitigation tools
Error avoidance / Risk orientation / Integration
Pre 2000 / 2002 / 2004 / 2006+
($ in 000’s)
Business Unit | Number of Users: Total (1) | % | Number of Users: Avg Day (2) | % | # Assessments (3): Number | %
Asset & Wealth Management | 329 | 5.5% | 53 | 7.4% | 447 | 10.6%
Card Services | 209 | 3.5% | 34 | 4.8% | 132 | 3.1%
Chase Commercial Bank | 104 | 1.7% | 12 | 1.7% | 101 | 2.4%
Investment Bank | 789 | 13.1% | 109 | 15.3% | 599 | 14.2%
Retail Financial Services | 766 | 12.7% | 108 | 15.2% | 585 | 13.9%
Treasury and Securities Services | 1,172 | 19.4% | 146 | 20.5% | 989 | 23.5%
Subtotal | 3,369 | 55.8% | 462 | 64.9% | 2,853 | 67.7%
Private Equity | 8 | 0.1% | 1 | 0.1% | 14 | 0.3%
Chief Investment Office | 53 | 0.9% | 2 | 0.3% | 12 | 0.3%
Central Operations | 321 | 5.3% | 31 | 4.4% | 420 | 10.0%
Subtotal | 382 | 6.3% | 34 | 4.8% | 446 | 10.6%
Central Technology & Operations | 1,127 | 18.7% | 133 | 18.7% | 522 | 12.4%
Corporate Staff | | 0.0% | | 0.0% | |
Audit | 518 | 8.6% | 38 | 5.3% | 2 | 0.0%
Executive | 0 | 0.0% | 0 | 0.0% | 0 | 0.0%
Corporate Finance | 162 | 2.7% | 13 | 1.8% | 270 | 6.4%
Human Resources | 43 | 0.7% | 7 | 1.0% | 24 | 0.6%
Marketing & Communications | 6 | 0.1% | 1 | 0.1% | 1 | 0.0%
Legal/Compliance | 177 | 2.9% | 6 | 0.8% | 6 | 0.1%
Risk Management | 32 | 0.5% | 7 | 1.0% | 18 | 0.4%
Strategy & Development | 30 | 0.5% | 3 | 0.4% | 25 | 0.6%
Real Estate | 80 | 1.3% | 3 | 0.4% | 37 | 0.9%
General Services | 60 | 1.0% | 4 | 0.6% | 12 | 0.3%
Corporate Other | 47 | 0.8% | 1 | 0.1% | 0 | 0.0%
Subtotal | 2,282 | 37.8% | 216 | 30.3% | 917 | 21.8%
Total | 6,033 | 100.0% | 712 | 100.0% | 4,216 | 100.0%
1. Actual Phoenix users as of June 30, 2006. Includes Self Assessment, Risk Event, IT Risk, Administration and Reporting users.
2. Daily average users of Phoenix application Q2 2006.
3. Self Assessment data as of June 30, 2006.
4. Risk Events from YTD June 30, 2006 (absolute values). Excludes litigation provisions.
# Risk Events
4
$ Risk Events
4
Number % $ Amt %
135
1,981
59
411
932
145
3,663
124
127
1
2
0
0
12
3,802
2
1
0
0
2
0
4
3
0
0
3.6%
47.0%
1.4%
9.7%
22.1%
3.4%
6,453
46,223
1,534
162,448
67,145
21,127
2.0%
14.3%
0.5%
50.1%
20.7%
6.5%
96.3%
0.0%
0.0%
2.9%
Sa
3.3%
0.0% mp
$12,963 le
0
0
0.1%
0
4,410
0.1%
0.0%
$304,930
1,969
794 Da ta 94.1%
0.6%
0.2%
3.1%
4.0%
123
0
0.0%
0.0%
0.0%
1.4%
0.0%
0.0%
0.0%
0.0%
0.0%
0.0%
0.0%
0
572
549
504
0
0.0%
0.2%
0.2%
0.2%
0.0%
0.0%
0.3%
100.0%
0
$6,158
$324,051
0.0%
1.9%
100.0%
Operational risk continues to increase in size, complexity and volatility due to:
• normal business growth
• external environment factors
• significant change management initiatives
• increasing dependencies on complex products, operations and processes
Overall impact is significant in terms of losses, P/E compression, and reputation risk
For some organizations the complexity, size and impact of operational risk has outpaced the traditional, ad hoc approach to operational risk management
Expectations of key stakeholders have increased; e.g. clients, auditors, regulators, Board members, rating agencies, etc.
Data quantification and analysis goes beyond loss data and capital measurement
Standard definition / classifications of operational risk just now emerging
No accepted and practiced taxonomy exists that facilitates good communication regarding operational risk
The breadth of scope of operational risk crosses multiple types of unrelated risks and business processes. Scope exceeds the expertise of any single team
Effort is constrained by limitations on data integrity (completeness, accuracy and timeliness of data)
No market data or viable time series of data exists
Cultural barriers exist that inhibit full transparency and timely escalation
Loss data analysis efforts to date are forensic in nature rather than preventative
‘Run rate’ of losses and the capital supporting this risk are meaningful; many losses are the result of ‘surprises’
Challenge / opportunity exists to develop a framework and toolkit for operational risk which measurably improves financial performance by:
• lowering losses
• reducing the probability of ‘tail’ events
• enhancing productivity
• improving capital efficiency
As loss data collection and quantification becomes more practiced, data can be used for accurate benchmarking and performance measurement
As the discipline of operational risk management develops and risk quantification becomes more reliable and consistent, opportunities for proactive risk management and real risk transfer will develop
Measuring risk accurately will greatly facilitate improved risk management
Status quo approach to operational risk management no longer sufficient for key stakeholders
Improving risk management is the objective, not precise risk measurement
Understanding the nature of the risks incurred and the quality of the control environment around those risks; avoid the ‘rear-view mirror’ syndrome
Balancing the unique demands and risk profile of each business unit versus standardizing the approach and toolkit across all businesses
Understanding operational risks on an ‘End-to-End’ process basis rather than from a vertical organizational hierarchy perspective
The value proposition of an operational risk initiative is difficult to measure and demonstrate; i.e. what is the ROI and how is success measured?
Where are we going & how can we get there?
Accurate and timely data produced in cost efficient manner
- profile of the firm’s control environment on end-to-end process basis
- understanding of loss experience and potential for future losses
Accurate and dynamic risk quantification methodology which provides direct incentives for sustainable process and control improvements
Process fully oriented to risk management with ownership by and engagement of business managers
Create “demand pull” for accurate information and drive an environment of “no surprises”
• Operational risk is best understood on an end-to-end process basis as large losses generally occur as the result of simultaneous, multiple points of failure
• Phoenix has the prototype functionality to enable business managers to see operational risk data components integrated in an end-to-end view of their businesses
• This leverages the current CSA hierarchy structure of Process, Activity, Risk, Control
• See legend below and example on the following page
[Figure: Business Process Map Legend with Integrated Op Risk Data. Legend items: Control Summary, Activity Description, Process ‘Swim Lanes’, SOX Controls (shaded). Example shown: Investment Bank Trading Business Americas.]
Performance Summary
Area | Score | Weight | # Controls | # Red & Yellow | % Red & Yellow | Accepted | Complete | On Time | Late
Overall | 87 | 100% | 84 | 14 | 17% | 4 | 2 | 5 | 2
Transaction | 82 | 44% | 29 | 7 | 24% | 1 | 0 | 4 | 2
Ongoing Management | 100 | 22% | 16 | 0 | 0% | 0 | 0 | 0 | 0
Internal Environment | 87 | 34% | 39 | 7 | 18% | 3 | 2 | 1 | 0
Activities and controls by process ‘swim lane’
Transaction
• FS-1 Research Deal: Credit Limit Check, Transaction Suitability, Appropriateness Policy, Know Your Customer (KYC), New Product Approval, Significant Transactions Review, Non Standard Transaction Approval
• FS-2 Manage Clients: Customer Account Documentation, Client Data Management, Written Customer Identification, New Accounts Review
• FS-3 Execute Deal: Transaction Capture, Non-Routine Transactions, Execution Monitoring, Manual Tickets Check
• FS-4 Confirm Deal: Timely Confirmation, Independent Affirmation
• FS-5 Settle Deal: Timely Settlement, Funds/Securities Transfer, Signing & Thresholds
• FS-6 Account and Report Deal: G/L Balance Substantiation, Compliance with Reg Rpting, G/L Separation of Duties, G/L Reconciliation, Credit System Feeds, Credit System Reconciliations, Interentity Reconciliation, Regulatory Reporting Rec, Other Transaction Monitoring
Ongoing Management
• FS-7 Provide Client Support: Client Valuation Processing, Appropriate Disclaimers
• FS-8 Manage Risk: Market Limit Monitoring, Market System Reconciliation, Market Model Review, Exposure Management, Daily Mark to Market, Front-to-Back Reconciliation, Management Signoff, Model Inventory, P&L Explanation
• FS-9 Manage Positions & Cash: Transaction Amendments, Reserve/Price Adjustments, Transaction/Position Maintenance, Instrument Data Management, Other Reference Data Management
Internal Environment
• IE-1 Oversight & Governance: Active Management, New Legislation Review, Management Information, Business Strategy, Service Level Agreements
• IE-2 Compliance: Compliance Procedures, Registration and Licensing, Transaction Surveillance, Suspicious Transactions, Record Retention Policy, Anti-Money Laundering Training, Adherence to Credit Manual, AML Risk Ranking
• IE-3 Risk Management: Control Committee, Error Discovery, Control Review Process, Issue Management
• IE-4 Human Resources Management: Appropriate Skill Sets, Adequate Training, Performance Review Process, Two Week Rule
• IE-5 IT Management: Incident Management, Change Control Process, Access Administration Process, Access Recertification, Information Classification, Information Ownership, Security Awareness, Data Confidentiality
• IE-6 Business Continuity: Recovery Resources, Business Continuity Plan, Business Continuity Testing, BC Change Management, Personnel, Facilities Access, Essential Business Profile, LOB Crisis Management, Safekeeping of Valuables
Process View menu: Process Map, Activity Description, Subrisks, Controls, SOX-404 Key Controls, CSA Scores and Weights, Action Plans, CSA Capital Impact, RED Data, Audit Impact, KRIs
RED Events ($ Thousands, Absolute Value), 2001 / 2002 / 2003
• Timing: $400 / $370 / $0
• Economic: $15,451 / $1,522 / $30
Audit Summary (12/31/03 Rolling 12 Mo.)
• Audits by rating: A 1, B 4, C 1, D 0, F 0, Total 6
• Capital Impact: $6.7
Display Selection Menu: Capital Impact, Op Risk Losses, Audit Profile, Gap Remediation Data, Control Ratings, Control Score
Investment Bank / Equities / Equity Derivatives Group - US
Organization View, December 31, 2005, New York
See appendix for legend and data sources.
Note: Activity included in End to End view
[Figure: Organization View screen with the Process View menu (Process Map, Activity Description, Subrisks, Controls, SOX-404 Key Controls, CSA Scores and Weights, Action Plans, CSA Capital Impact, RED Data, Audit Impact, KRIs), an Audit Summary panel (3/31/04 Rolling 12 Mo.; audits by rating A, B, C, D, F and Total; Capital Impact $5.6) and a RED Events panel ($ Thousands, Absolute Value).]
RED Events ($ Thousands, Absolute Value), 2001 / 2002 / 2003
• Timing: $400 / $370 / $0
• Economic: $15,451 / $1,522 / $30
Note: RED data is as of 12/31/2003
[Figure: Aggregate Loss and Event Count by year, 1995 to 2010, with labels "Natural Path", "Improved Risk Management" and "VALUE". Periods labelled along the time axis: Ad-hoc Risk Management, Systematic Approach, Dynamic Risk Management.]
Source: Fitch Risk; Analysis JPMorgan Chase