Morgan Stanley 2014 Annual Report Download - page 153


risk management and independently assesses, measures and monitors operational risk. The Company’s
Operational Risk Department works with the divisions and control groups to help ensure a transparent, consistent
and comprehensive framework for managing operational risk within each area and across the Company. The
Company’s Operational Risk Department scope includes the information and technology risk oversight program
(e.g., cybersecurity) and supplier management (vendor risk oversight and assessment) program. Furthermore, the
Company’s Operational Risk Department supports the collection and reporting of operational risk incidents and
the execution of operational risk assessments; provides the infrastructure needed for risk measurement and risk
management; and ensures ongoing validation and verification of the Company’s advanced measurement
approach for operational risk capital.

Business Continuity Management is responsible for identifying key risks and threats to the Company’s resiliency
and planning to ensure that a recovery strategy and required resources are in place for the resumption of critical
business functions following a disaster or other business interruption. Disaster recovery plans are in place for
critical facilities and resources on a company-wide basis, and redundancies are built into the systems as deemed
appropriate. The key components of the Company’s disaster recovery plans include: crisis management; business
recovery plans; applications/data recovery; work area recovery; and other elements addressing management,
analysis, training and testing.

The Company maintains an information security program that coordinates the management of information
security risks and satisfies regulatory requirements. Information security policies are designed to protect the
Company’s information assets against unauthorized disclosure, modification or misuse. These policies cover a
broad range of areas, including: application entitlements, data protection, incident response, Internet and
electronic communications, remote access and portable devices. The Company has also established policies,
procedures and technologies to protect its computers and other assets from unauthorized access.

In connection with its ongoing operations, the Company utilizes the services of external vendors, which it
anticipates will continue and may increase in the future. These services include, for example, outsourced
processing and support functions and consulting and other professional services. The Company manages its
exposures to these services through a variety of means such as the performance of due diligence, consideration of
operational risk, implementation of service level and other contractual agreements, and ongoing monitoring of
the vendors’ performance. The Company maintains a supplier risk management program with policies,
procedures, organization, governance and supporting technology. The programs are designed to ensure adequate
risk management controls over the services exist, including but not limited to information security, operational
failure, financial stability, disaster recoverability, reputational risk, safeguards against corruption, and
termination.

Legal and Compliance Risk.

Legal and compliance risk includes the risk of legal or regulatory sanctions, material financial loss including
fines, penalties, judgments, damages and/or settlements, or loss to reputation that the Company may suffer as a
result of failure to comply with laws, regulations, rules, related self-regulatory organization standards and codes
of conduct applicable to its business activities. This risk also includes contractual and commercial risk such as
the risk that a counterparty’s performance obligations will be unenforceable. The Company is generally subject
to extensive regulation in the different jurisdictions in which it conducts its business (see also “Business—
Supervision and Regulation” in Part I, Item 1 and “Risk Factors” in Part I, Item 1A). The Company has
established procedures based on legal and regulatory requirements on a worldwide basis that are designed to
facilitate compliance with applicable statutory and regulatory requirements. The Company, principally through
its Legal and Compliance Division, also has established procedures that are designed to require that the
Company’s policies relating to business conduct, ethics and practices are followed globally. In connection with
its businesses, for example, the Company has and continuously develops various procedures addressing issues
such as regulatory capital requirements, sales and trading practices, new products, information barriers, potential
conflicts of interest, structured transactions, use and safekeeping of customer funds and securities, lending and
credit granting, anti-money laundering, information security, privacy and recordkeeping. In addition, the