Bank of Montreal 2015 Annual Report Download - page 100


MD&A
Operational Risk
Operational risk is the potential for loss resulting from inadequate or failed internal processes or systems, human interactions or external
events, but excludes business risk.
BMO is exposed to potential losses arising from a variety of operational risks, including process failure, theft and fraud, regulatory non-compliance,
business disruption, information security breaches and exposure related to outsourcing, as well as damage to physical assets. Operational risk is
inherent in all our business activities, including the processes and controls used to manage all of the risks we face. While operational risk can never
be fully eliminated, it can be managed to reduce exposure to financial loss, reputational harm or regulatory sanctions.
Operational Risk Governance
Operational risk management is governed by a robust committee structure supported by a comprehensive set of policies, standards and operating
guidelines. The Operational Risk Committee (ORC), a sub-committee of the RMC, is the main decision-making committee for all operational risk
management matters and has responsibility for the oversight of operational risk strategy, management and governance. The ORC provides advice and
guidance to the lines of business on operational risk assessments, measurement and mitigation, and related monitoring of change initiatives. The ORC
also oversees the development of policies, standards and operating guidelines that give effect to the governing principles of the Operational Risk
Management Framework (ORMF). These governance documents incorporate industry-leading practices and are reviewed on a regular basis to ensure
they are current and consistent with our risk appetite.
Regular analysis and reporting of our enterprise operational risk profile to the various committees (ORC, RMC and RRC) are important elements of
our ORMF. Enterprise reporting provides an integrated view of top and emerging risks, trends in loss data, capital consumption, key risk indicators and
operating group portfolio profiles. We continue to invest in our reporting platforms to support timely and comprehensive reporting capabilities that
enhance risk transparency and facilitate the proactive management of operational risk exposures.
Operational Risk Management
The ORMF defines the processes we use to identify, measure, manage, mitigate, monitor and report key operational risk exposures. A primary
objective of the ORMF is to ensure that our operational risk profile is consistent with our risk appetite and supported by adequate capital. Executing
our ORMF strategy also involves continuing to embed our risk culture by promoting greater awareness and understanding of operational risk within
our first line of defence through training and communication. In addition, we continue to invest in resources to further strengthen our second line of
defence capabilities.
Consistent with the management of risk across the organization, we employ the three lines of defence approach to operational risk.
The operating groups, as the first line of defence, are responsible for the day-to-day management of operational risk in a manner consistent with
our enterprise-wide principles. Independent risk management oversight is provided by the Operational Risk Management function, Corporate Support
areas and Operational Risk Officers (OROs). OROs independently assess group operational risk profiles, identify material exposures and potential
weaknesses in controls, and recommend appropriate mitigation strategies and actions as the second line of defence. The Corporate Audit Division
verifies our adherence to policies and procedures and highlights opportunities to strengthen our process as the third line of defence. Corporate
Support areas develop tools and processes for the management of specific operational risks across the enterprise. Corporate Operational Risk
Management establishes the ORMF and the necessary governance framework, with the operating group CROs providing governance and oversight
for their respective business units.
The key programs, methodologies and processes we have developed to support the framework are highlighted below:
Risk Control Assessment (RCA) is an established process used by our operating groups to identify the key risks associated with their businesses and
the controls required for risk mitigation. The RCA process provides a forward-looking view of the impact of the business environment and internal
controls on operating group risk profiles, enabling the proactive prevention, mitigation and management of risk. On an aggregate basis, RCA results
also provide an enterprise-level view of operational risks relative to risk appetite, so that key risks can be appropriately managed and mitigated.
Process Risk Assessment (PRA) provides a deeper insight in identifying key risks and controls in our business processes and can span multiple
business units. The PRA process enables a greater understanding of our key processes, which facilitates more effective oversight and ensures risks
are appropriately mitigated.
BMO’s initiative assessment and approval process is used to assess, document and approve qualifying initiatives when new business, services and
products are developed or existing services and products are enhanced. The process ensures that due diligence, approval, monitoring and reporting
requirements are appropriately addressed at all levels of the organization.
Key Risk Indicators (KRIs) provide an early indication of any adverse changes in risk exposure. Operating groups and Corporate Support areas
identify metrics related to their material operational risks. These KRIs are used in monitoring operational risk profiles and their overall relation to
our risk appetite, and are linked to thresholds that trigger management action.
Internal loss data serves as an important means of assessing our operational risk exposure and identifying opportunities for future risk prevention
measures. Under this process, internal loss data is analyzed and benchmarked against external data. Material trends are regularly reported to the
ORC, RMC and RRC to ensure preventative and corrective action can be taken where appropriate. BMO is a member of the Operational Risk Data
Exchange Association, the American Bankers Association and other international and national associations of banks that share loss data information
anonymously to assist in risk identification, assessment and modelling.
BMO’s operational risk management training programs ensure employees are qualified and equipped to execute the ORMF strategy consistently,
effectively and efficiently.
Effective business continuity management ensures that we have the capability to sustain, manage and recover critical operations and processes
in the event of a business disruption, thereby minimizing any adverse effects on our customers and other stakeholders.
BMO’s Corporate Risk & Insurance team provides a second level of mitigation for certain operational risk exposures. We purchase insurance in
amounts that are expected to provide adequate protection against unexpected material loss and where insurance is required by law, regulation
or contractual agreement.
BMO Financial Group 198th Annual Report 2015 111