ING Direct 2008 Annual Report Download - page 216
Download and view the complete annual report
Please find page 216 of the 2008 ING Direct annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.-
1 -
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
-
194
-
195
-
196
-
197
-
198
-
199
-
200
-
201
-
202
-
203
-
204
-
205
-
206 -
207 -
208 -
209 -
210 -
211 -
212 -
213 -
214 -
215 -
216 -
217 -
218 -
219 -
220 -
221 -
222 -
223 -
224 -
225 -
226 -
227
-
228
-
229
-
230
-
231
-
232
-
233
-
234
-
235
-
236
-
237
-
238
-
239
-
240
-
241
-
242
-
243
-
244
-
245
-
246
-
247
-
248
-
249
-
250
-
251
-
252
-
253
-
254
-
255
-
256
-
257
-
258
-
259
-
260
-
261
-
262
-
263
-
264
-
265
-
266
-
267
-
268
-
269
-
270
-
271
-
272
-
273
-
274
-
275
-
276
-
277
-
278
-
279
-
280
-
281
-
282
-
283
-
284
 |
 |
2.1 Consolidated annual accounts
Operational risk framework
ING has developed a comprehensive framework supporting and governing the process of identifying, mitigating, measuring and
monitoring operational risks thus reflecting the stages described in the COSO model (Committee of Sponsoring Organisations of the
Treadway Commission). Generic mandatory controls are described in the ORM policy house. The policies have been refreshed in 2008
and are structured in line with the risk areas. Each policy has one or more minimum standards.
1. Governance1. Governance
6. Control activities
7. Information & Communication
8. Risk monitoring
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
At all levels in the organisation Operational Risk Committees (ORCs) are established that identify, measure and monitor the operational
risks of the region or business unit with appropriate quality of coverage (granularity) and to ensure that appropriate management action
is taken by the responsible line managers at the appropriate level of granularity. ORCs, chaired by the business management, steer the
risk management activities of the first and second line of defence in their entities. On a group level the Operational & Residual Risk
Committee approves the operational risk capital model.
The operational risk appetite within ING is defined as the acceptable and authorised maximum level of risk, in each of the operational
risk areas that must be adhered to in order for ING to achieve its business plan within approved budgets. This risk appetite is monitored
quarterly through the Non-Financial Risk Dashboard which reports the key risk exposures.
Processes are in place to identify key threats, vulnerabilities and the associated risks which might cause adverse events. Event
identification is performed proactively and precedes a risk assessment. Different techniques for event identification exist within ING,
e.g. the Integrated Risk Assessment (IRA), scenario analysis, external events inventories, internal event analysis (e.g. based on information
from incident reporting), key risk indicator events and threat scans.
At least once a year all business units perform an integrated risk assessment with involvement of other risk departments such as
Compliance and Legal.
Based on the results of the risk assessment, response measures must be determined for the identified risks. Risk response actions balance
the expected cost for implementing these measures with the expected benefits regarding the risk reduction. Risk response can be
achieved through several combinations of mitigation strategies, for example reducing likelihood of occurrence, reducing impact, risk
avoidance, risk acceptance or through the transfer of risk. Tracking takes place through the global Audit Outstanding scan system.
Certain operational risks can best be transferred to the insurance market if risks are high but difficult to mitigate internally. In order to
protect ING against financial consequences of uncertain operational events ING has acquired insurance policies issued by third-party
insurers with world-wide cover for (Computer) Crime, Professional Liability, Directors and Officers Liability, Employment Practices Liability
and Fiduciary Liability. The portion of the risks that ING retains is of a similar magnitude to the risk retained for casualty business-related
catastrophe exposures.
Control activities are defined as the control measures that have been implemented and are maintained. Generic mandatory controls are
described in the ORM policy house.
Management at all levels in the organisation periodically need information on their key operational risks (including compliance and legal
risks) and mitigating actions. In order to make it easier for management to access this kind of information, the Non-Financial Risk
Dashboard (NFRD) was developed and rolled out in 2008 to all business units.
Risk management (continued)
ING Group Annual Report 2008
214