ING Direct 2008 Annual Report Download - page 217

To ensure robust operational risk management, ORM develops and communicates the ORM framework, policies and guidance throughout
ING Group and monitors the key risks of ING Group to ensure that ING’s risk policies and Minimum Standards are fully implemented.
Business units have to demonstrate that the appropriate steps have been taken to control their operational risk. ING applies scorecards to
measure the quality of management of the operational risk processes within a business unit. Scoring is based on the ability to demonstrate
that the required risk management processes are in place with the business units. The scorecards indicate the level of control within the
business units. These scorecards are an integral part of ING’s Dutch Central Bank approved regulatory capital model (AMA).
The Operational Risk Capital model of ING is based on a Loss Distribution Approach (LDA). The Loss Distribution is based on both
external and internal loss data exceeding EUR 1 million. The model is adjusted for the scorecard results taking into account the specific
quality of control in a business line and the occurrence of large incidents (‘bonus/malus’). This provides an incentive to local (operational
risk) management to better manage operational risk. From 2008 onwards, the model is used for regulatory capital reporting purposes
as well. ING received approval for its Advanced Measurement Approach (AMA) from the Dutch Central Bank.
Developments in 2008
Enhancements of the Non-financial Risk Dashboard
The introduction of a Non-financial Risk Dashboard (NFRD) was given priority by the Chief Risk Officer (CRO) with the aim to keep focus
on the key risk exposures when looking at the risk faced by business. The objective of the NFRD is to deliver comprehensive and integrated
risk information on Operational, Compliance and Legal Risk, using a consistent approach and risk language at all levels in the organisation.
It gives management an overview of all key risks within their jurisdiction with forced ranking and a clear description of the risks and
responses so that they can balance priorities. This supports the ING strategy for making things ‘easier’ whereby management is better
able to manage risk and give priority where it is necessary.
Corporate Operational Risk Management, in close coordination with Group Compliance Risk Management and Corporate Legal, has been
rolling out the NFRD in the ING organisation. The NFRD covers all BUs in the ING organisation. A number of existing risk reports, e.g. the
IT Risk & Control report, Compliance report and the Incident report, have been integrated into the NFRD.
The NFR Dashboard was presented to the Executive Board and the Audit Committee in November 2008. As of the fourth quarter 2008
report, the quarterly NFRD will be a recurring agenda point in Executive Board and Audit Committee meetings.
Product Approval Process
ING has revised the Product Approval Process (PAP) Minimum Standard to ensure that adequate risk assessment procedures are executed
prior to the development and/or launch of new or modified products. The PAP ensures that adequate controls are put in place to manage
the inherent risks associated with new products, related processes and system implementation, and other initiatives.
IT Risk forecasting
An IT risk forecasting model is introduced to represent the expected IT risk profile after implementation of defined mitigating actions.
Through the model, management can determine if additional mitigation projects are necessary to reduce or to maintain the IT risks at
an acceptable level.
Continuity risk
As a risk response to mitigate the risk of power supply failure in one of the data centres, ING accelerated an improvement programme
for the business continuity and disaster recovery capability and platform security of its data centres.
Fraud risks
Based on the Corporate Anti-Fraud policy, each business unit had to conduct a fraud-risk assessment and translate this into an anti-fraud
implementation plan (to prevent both internal and external fraud). In reaction to the SocGen incident, ING initiated a project aiming to
further mitigate all trading risk related fraud risks.
Refreshment of policies and standards
ORM policies and Minimum Standards have been further enhanced to fully encompass the integrated approach of Operational,
Compliance and Legal risks (between risk departments and along functional lines). All major IT risk policies and standards have been
re-assessed against the current internal and external threats and adapted consequently.
COMPLIANCE RISK
Compliance Risk is defined as the risk of damage to ING’s integrity as a result of failure (or perceived failure) to comply with relevant
laws, regulations, internal policies and procedures or ethical standards. In addition to reputational damage, failure to effectively manage
Compliance Risk can expose financial institutions to fines, civil and criminal penalties, payment of damages, court orders and suspension
or revocation of licenses. A failure (or perceived failure) can adversely impact customers, staff and shareholders of ING.
ING Group Annual Report 2008