Morgan Stanley 2010 Annual Report Download - page 123


Operational Risk.

Operational risk refers to the risk of financial or other loss, or potential damage to a firm’s reputation, resulting
from inadequate or failed internal processes, people, systems, or from external events (e.g., fraud, legal and
compliance risks or damage to physical assets). The Company may incur operational risk across the full scope of
its business activities, including revenue generating activities (e.g., sales and trading) and control groups (e.g.,
information technology and trade processing). Legal and compliance risk is included in the scope of operational
risk and is discussed below under “Legal Risk.”

The Company has established an operational risk management process to identify, measure, monitor and control
risk across the Company. Effective operational risk management is essential to reducing the impact of
operational risk incidents and mitigating legal, regulatory and reputational risks. The framework is continually
evolving to account for changes in the Company and in response to the changing regulatory and business
environment landscape. The Company has implemented operational risk data and assessment systems to monitor
and analyze internal and external operational risk events, business environment and internal control factors and
perform scenario analysis. The collected data elements are incorporated in the operational risk capital model. The
model encompasses both quantitative and qualitative elements. Internal loss data and scenario analysis results are
direct inputs to the capital models while external operational incidents, business environment internal control
factors and metrics are indirect inputs to the model.

Primary responsibility for the management of operational risk is with the business segments, the control groups
and the business managers therein. The business managers generally maintain processes and controls designed to
identify, assess, manage, mitigate and report operational risk. Each business segment has a designated
operational risk coordinator. The operational risk coordinator regularly reviews operational risk issues and
reports to senior management within each business. Each control group also has a designated operational risk
coordinator and a forum for discussing operational risk matters with senior management. Oversight of
operational risk is provided by regional risk committees and senior management. In the event of a merger, joint
venture, divestiture, reorganization, or creation of a new legal entity, a new product or a business activity,
operational risks are considered, and any necessary changes in processes or controls are implemented.

The independent Operational Risk Department (“ORD”) works with the business segments and control groups to
help ensure a transparent, consistent and comprehensive program for managing operational risk within each area
and across the Company globally. ORD is responsible for facilitating, designing, implementing and monitoring
the company-wide operational risk program.

Business Continuity Management is responsible for identifying key risks and threats to the Company’s resiliency
and planning to ensure a recovery strategy and required resources are in place for the resumption of critical
business functions following a disaster or other business interruption. Disaster recovery plans are in place for
critical facilities and resources on a company-wide basis, and redundancies are built into the systems as deemed
appropriate. The key components of the Company’s disaster recovery plans include: crisis management; business
recovery plans; applications/data recovery; work area recovery; and other elements addressing management,
analysis, training and testing.

The Company maintains an information security program that coordinates the management of information
security risks and satisfies regulatory requirements. Information security policies are designed to protect the
Company’s information assets against unauthorized disclosure, modification or misuse. These policies cover a
broad range of areas, including: application entitlements, data protection, incident response, Internet and
electronic communications, remote access and portable devices. The Company has also established policies,
procedures and technologies to protect its computers and other assets from unauthorized access.

The Company utilizes the services of external vendors in connection with the Company’s ongoing operations.
These may include, for example, outsourced processing and support functions and consulting and other
professional services. The Company manages its exposures to the quality of these services through a variety of