ING Direct 2008 Annual Report Download - page 215


ING GROUP – NON-FINANCIAL RISKS

In addition to the above financial risks (credit, market, insurance and liquidity risk), the next paragraphs describe the non-financial risks, being operational and compliance risks.

OPERATIONAL RISKS

Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. It includes the related risk of reputation loss, as well as legal risk, whereas strategic risks are not included. Effective operational risk management leads to more stable business processes (including IT systems) and lower operational risk costs.

ING recognises the following operational risk areas:

  • Control risk is the risk of loss due to non-adherence to business policies or guidelines. Control risks can lead to losses incurred due to non-compliance with controls established in connection with items such as governance procedures, new product approval procedures, and/or project management methods. Control risk can stem from improper or insufficient monitoring of entities or activities.
  • The risk of a loss caused by unauthorised employee activities, including, but not limited to, unauthorised approvals or overstepping of authority, is considered unauthorised activity risk.
  • Processing risk deals with the risk of losses due to failed transaction processing or process management. These events are normally not intentional and usually involve documenting or completing current business transactions.
  • Employment practice risk is the risk of loss due to actions which are consistent with employment, health or safety laws, or agreements, from payment of personal injury claims or from diversity/discrimination events. Managing this risk means: meeting health and workplace regulations; preventing discrimination and harassment; and in case this does happen, taking adequate counter measures.
  • Personal and physical security risk is the risk of criminal and environmental threats that might endanger the security of ING personnel (within and outside ING locations, while travelling or being expatriated) and ING assets or might have an impact on the ING organisation.
  • Information (Technology) risk is the risk of loss due to inadequate information security, resulting in a loss of information confidentiality and/or integrity and/or availability. Aspects of information (technology) risks are user access controls, platform security controls, change management controls, sourcing controls, security monitoring controls and fundamental information security controls.
  • Continuity risk is the risk of events (e.g. natural disasters, power outages, terrorism) leading to a situation that threatens the continuation of business (including people and assets).
  • Internal and external fraud risk is the risk of loss due to deliberate abuse of procedures, systems, assets, products and/or services of ING by those who intend to deceitfully or unlawfully benefit themselves or others.

Clear and accessible policies and minimum standards are embedded in ING business processes in all business lines. An infrastructure is in place to enable management to track incidents and operational risk issues. A comprehensive system of internal controls creates an environment of continuous improvement in managing operational risk. ING uses this knowledge (including lessons learned from incidents) to improve the control of key processes.

Organisation of Operational Risk Management

The General Manager Corporate Operational Risk Management (CORM) reports directly to the CRO and is responsible for managing operational risks and developing and establishing the Operational Risk Framework within ING Group, ING Bank and ING Insurance. The General Manager Corporate ORM also establishes and approves the Minimum Standards, and assists and supports the Executive Board in managing ING’s operational risks. The ORM function is organised along functional reporting lines. The Business Line operational risk managers report functionally to the General Manager CORM.

The CORM function consists of functional departments for operational risks & risk reporting, for Information (Technology) risks, for Security & Investigations and for SOX testing. The CORM function is responsible for developing and communicating ING’s operational risk framework, policies, minimum standards and guidelines. The corporate function advises the business line ORM staff, monitors the quality of operational risk management and co-ordinates the group-wide reporting of operational risks to the Executive Board.

ORM uses a layered functional approach within business lines to ensure systematic and consistent implementation of the group-wide ORM framework, policies and minimum standards. The local and regional/division ORM Officer has the responsibility to assist local and regional/division management in managing operational risk. The business line ORM officer has a monitoring role in the operational risk management process and manages and supervises all functional activities of the ORM officers in the business line and region/division.

To avoid potential conflicts of interest, it is imperative that the ORM officer is impartial and objective when advising business management on operational risk matters in their business unit or business line. To facilitate this, a strong functional reporting line to the next higher level ORM officer is in place. The functional reporting line has clear accountabilities with regard to objective setting, remuneration, performance management and appointment of new ORM staff.

ING Group Annual Report 2008