
HSBC's challenges in implementing an AMA framework worldwide

3rd Febraban International Operational Risk Conference; 13th May 2010, Sao Paulo

Presented by:
Mike Constantinou, Global Head of Group Operational Risk Policy and Development, HSBC Holdings PLC
Walter Fernandes Jr., Head of Operational Risk, HSBC Bank Brasil S.A.
Group Risk

A forward-looking view of risk is essential to all organisations


Sovereign debt crisis Banking regulation

Gunasteinn

HSBC - The world's local bank

Our customers: > 100 million
Our reputation: Best Global Bank 2009
Our global presence: 8,000 offices in 88 countries
Our scale: $199 BN mkt cap (1)
Our employees: 300,000 staff
Our technology: >45m internet banking customers
Our success: $13.3 BN pre-tax profit (2)

1. Reported on December 31 2009
2. Year ending 2009

HSBC's global strategy is about joining up our customers and operations

Objectives of this presentation

• Share progress and challenges in rolling out our advanced Operational Risk Framework

• Explain how HSBC Brasil is managing Operational Risk and implementing the advanced framework

• Answer any questions on the practicalities of our implementation

Managing Operational Risk is important for HSBC in order to achieve a variety of benefits for the Group

Risk aware culture

• Proactive loss reduction
• Proactive cost reduction

Risk based actions

• Service improvement
• Safeguarding reputation

Value and use

HSBC is in the process of developing an advanced Operational Risk and Control Framework

Operational Risk and Control Framework


Operational Risk and Internal Control Standards Operations Accounting Compliance Fiduciary Fraud Physical Business continuity Information Legal Tax Technology People

Incidents / Internal Losses Risk and Control Assessments Key Indicators

Top Risk Analysis

Reporting

External Incidents Capital Modelling

Governance

Identify

Set Risk Appetite

Assess

Control

Report

The framework's success rests on increasing risk awareness, supporting risk based decisions and demonstrating value and use

Risk aware culture

Tone from the top Business ownership Individual awareness Focussing on material risks & controls Training Quality assurance Top-of-the-house reporting Action-focused Adequate monitoring

Risk based actions

Value and use

Management support for the advanced framework is essential to ensuring its success

Tone from the top

"The objective is to achieve a reduction over time in the level of avoidable operational losses, and to develop processes which support sustainable growth, are value-added and a contributor to the bottom line and to capital efficiency."
Michael Geoghegan, Executive Director & Group CEO, February 2010

Support for enhanced framework Investment in enhanced Operational Risk processes Increased resourcing for Operational Risk

Business ownership and individual awareness

Business ownership
Awareness pack

Individual awareness
Mandatory e-learning course

Balanced scorecards & individual objectives


2010 BALANCED SCORECARD - FUNCTION

ORIGINAL TARGET SETTING / FIRST UPDATE DATA
2010 TARGET (bring fwd full-year, restate for constant fx or phased ytd target as appropriate to metric)

Columns in each quadrant: 2008 Actual | 2009 Latest Estimate | 2010 Target

1.0 FINANCE (20%)
1.1 to 1.5 Function specific metric

2.0 CUSTOMER (30%)
2.1 to 2.5 Function specific metric

3.0 PROCESS (30%)
3.1 Function specific metric
3.2 Open High Risk Audit Points > 6 Months
3.3 to 3.5 Function specific metric

4.0 PEOPLE (20%)
4.1 Employee engagement
4.2 % of Offshore FTE
4.3 Employee Mobility
4.4 Cultural Inclusion/Diversity
4.5 Participation in GMB

SCORECARD

Columns: Area | Metric | 2009 ACTUAL | 2010 TARGET | ACTUAL | Status R/A/G

GMB | 3.1 Operational Losses | $1,764.0m | $1,670.8m
A1 - SGULLIVER | 3.2 Operational Losses | $1,052.2m | $960.9m
A2 - GBM | 3.1 Operational Losses | $287.3m | $280.1m
A3 - UK | 3.1 Operational Losses | 196.3m | 197.8m
A4 - CONT EUROPE | 3.1 Operational Losses | $142.3m | $120.1m
A5 - MENA | 3.1 Operational Losses (excl. SABB) | $42.9m | $42.9m
A6 - PRIVATE BANK | 3.2 Operational Losses | $92.9m | $43.4m
B1 - SFLOCKHART | 3.1 Operational Losses PFS (Inc HSBC Finance), CMB & Insurance (am | $1,127.0m | $1,100.0m
B2 - CMB | 3.1 Operational Losses | $160.2m | $156.2m
B3 - PFS | 3.1 Operational Losses - Total | $946.5m | $924.0m
B3 - PFS | 3.1 Operational Losses - PFS - excl. HSBC Finance | $720.4m | $703.5m
B5 - HTS | 3.1 Operational Losses | $210.5m | $205.3m
B7 - LATAM | 3.1 Operational Losses | $507.9m | $509.7m
B9 - INSURANCE | 3.1 Operational Losses | $20.3m | $19.8m
C1A - DFLINT | 3.1 Operational Losses | $1,764.0m | $1,670.8m
C2 - RISK | 3.1 Operational Losses | $1,764.0m | $1,670.8m
D3 - B MCDONAGH | 3.2 Operational Losses | $317.5m | $286.4m
D4 - ASP | 3.2 Operational Losses | $189.1m | $150.0m

Key: Performance against target YTD:
greater than 5% adverse to target
within 5% adverse to target
at or favourable to target

A robust risk-based Risk and Control Assessment is being rolled out to ensure greater risk awareness in the business lines
Aim: Provide business areas with forward looking view of operational risks and help them proactively manage material risks within acceptable levels

How does it work?
Identify Risks Extreme Risk Monitoring Metrics Identify & Assess Controls

Assess & Prioritise Risks

Test Plans Control Improvements

Typical Risk


The Top Risk analysis provides a top of the house view of typical and extreme risks
Top Risk Scenario template
Business Area
Area ABC

Owner Description

ABC

Date

07/09/2009

Define scope

Which top risks to include?

Name

External fraud and theft (excluding plastic fraud)

External fraud and theft may include electronic/ online fraud, money laundering, armed robberies, forgery o frauds where no internal staff member is involved. An attack on the e-channel has been selected for the pu scenario.

Summary statistics of internal data


[Chart: Non Plastic Fraud Total, m. Series: Total Non Plastic Fraud (Rolling 12 mth)]

Plan and prepare

What information to consider?

Rolling 12 mth Net loss YTD loss Average monthly loss (current year) Average loss per case (current year) Standard deviation of current losses Average monthly cases (current year)

XX XX XX XX XX XXX

Total

Relevant individual Internal Incidents

1/25 Risk Assessment


Major malware attack leading to a large number of customer details being compromised and a sustained attack by criminals. Total Direct Impacts =

Cost (rounded up to nearest USD1m)


30

Comments
- Total online banking customers ~XX
- Current controls will not stop payments below floor limit of XX (therefore very sophist transfer up to this amount)
- Implies upper limit of the loss = XX (if all accounts compromised)

Conduct

What is the storyline?

0.00

1/100 Risk Assessment


Major malware attack leading to a large number of customer details being compromised and a sustained attack by criminals. Using this data, criminals simultaneously fraudulently log on to customer accounts and transfer funds into their own bank accounts, in small enough individual values that the payments fall 'under the radar' of existing controls Total Direct Impacts =

Cost (rounded up to nearest USD1m)


99

- Current controls will not stop payments below floor limit of XX (therefore very sophist transfer up to this amount)
- Implies upper limit of the loss = XX (if all accounts compromised)
- Assume an accidental uptake rate for malware of up to XX% (XXk) of the customers' a compromised and targeted in one attack
- XXk * 1XX = XXMM

Comments

0.00

Act, Monitor & Report

Suggested controls

What do we do next?

Key Control
Example 1

Control Assess Owner

Monitoring KRI

Further Actions to

Action Owner

Target date

Example 2

Example 3


By reporting in a consistent and transparent manner, tangible actions can be identified at the top of the house

Top risks
• Risk type
• Description
• Typical
• 1 in 100 year
• Controls
• Actions
• Owner

Risk indicators
• Risk type
• Description
• Threshold
• Value & trend
• Actions
• Progress

Control issues
• Description
• Actions
• Progress
• Owner

Internal Losses
• Internal loss statistics against target
• Large internal incidents

External Losses
• Pertinent risks reported to inform senior management decision making

Illustrative

The governance structure at HSBC Brasil ensures effective implementation of the framework
1st line of defence: RISK MANAGEMENT
Primary responsibility for management of operational risk within Business Unit
Business Unit Head (DCEO/CRO)
Business Unit Line Managers
Operational Risk Business Co-ordinators
Business Unit Staff

2nd line of defence: RISK OVERSIGHT
Provides operational risk policy, minimum standards and guidance
ALCO
Risk Management Committee (RMC)
OpRisk and Internal Control Committee (ORICC)
Operational Risk Coordinator (WF)
Group Operational Risk

3rd line of defence: INDEPENDENT ASSURANCE
Provides independent assurance over the robustness of the operational risk model
Audit

Direct Report (sets objectives, monitors performance, etc)
Indirect Report (Receives information, provides guidance and advice)
Interface (Co-ordination of activity to ensure efficiency and effectiveness)

The use test is an important tool to implement the framework in Brasil

• Senior Management Commitment
  Importance of Operational Risk Management strongly encouraged with a top-down approach
  Notion that Operational Risk must be used extensively in the decision-making process

• Risk awareness
  E-learning training
  Management Awareness Pack

• 4 main pillars for Use Test:
  Governance
  Information Use
  Data Quality
  Ongoing Enhancements

Rolling out the enhanced TRA and RCA processes in Brasil

• TRA
  Building on our Top Risk Reporting
  Focus on more robust quantification
  Training provided to our Operational Risk team
  Initial exercise is on lending Fraud, Rogue Trading and Information Risk

• RCA
  Activity based across all business areas
  Prioritisation of high and medium risks and key controls
  Training provided in the new process
  Control certification

Operational loss capture in Brasil is focused on root cause analysis

• Centralised analysis by Operational Risk team
• System used: CRO (Operational Risk Control)
• Workflow-based with authority limits, GL booking; all Bank's branches and departments have access
• Data also used for root cause analysis future loss prevention

CRO Macro Flow:
BEGINNING: Branches and Departments: Register and detail the incident
MIDDLE: Operational Risk / Losses Control: The incident is analyzed with loss acceptance or not.
END: Authority limit: Final approval

Main considerations for implementing the framework in Brasil

• Resolving different home / host regulatory requirements and timelines
• Insert country-specific types of losses (e.g. Economic Plans) into global loss models and scenario analysis
• External Loss Database: Local or Global?
• How we can work together to share knowledge

Questions?
