Risk management is the primary function of DTCC and has been since the organization's inception more than 40 years ago. The company's risk management role entails effective and efficient identification, measurement, monitoring and control of credit, market, liquidity, systemic, operational and other risks for the DTCC enterprise, its users and the marketplace.
Events in 2012 underscored how the risk landscape is marked by an evolving array of threats that require DTCC to continuously rethink the way in which the organization and the industry at large respond. From DTCC's business continuity planning during Superstorm Sandy, which allowed the financial markets to remain operational, to the company's role in protecting the organization and its users from potential losses related to Knight Capital, DTCC builds on its experience and expertise to continually strengthen its risk management capabilities and, in the process, expands its footprint globally as a critical financial service provider.
In 2012, with financial regulatory reform accelerating throughout the world, DTCC worked continuously with supervisors globally to develop and maintain new and heightened risk requirements for financial infrastructures, such as central counterparties and trade repositories. Among these initiatives was the organization's ongoing and comprehensive response to the new CPSS-IOSCO Principles for Financial Market Infrastructures, which are helping to reinforce DTCC's risk management practices and standards.
Under the authority of the U.S. Dodd-Frank Act, the U.S. Financial Stability Oversight Council designated, among others, DTCC subsidiaries National Securities Clearing Corporation (NSCC), The Depository Trust Company (DTC) and Fixed Income Clearing Corporation (FICC) as Systemically Important Financial Market Utilities (SIFMUs). This designation requires the company to meet prescribed risk management standards and subjects it to heightened oversight by U.S. regulatory authorities.
With financial infrastructures expected to play an even larger role in global risk management in the future, DTCC took important steps in 2012 to strengthen its risk controls and improve its ability to manage risk. The company developed a new suite of reverse stress tests that requires a bottom-up approach that will help identify potential vulnerabilities and opportunities to strengthen the control environment across the entire risk spectrum. Additionally, DTCC made numerous improvements to the way it conducts simulated closeout exercises. For example, the company developed the DTCC Closeout Playbook, which documents the steps to take during a participant closeout at the enterprise level and helps to streamline the overall closeout process, in the event of a participant failure.
DTCC also made significant enhancements to its reporting of risk analytics to senior management, its regulators and the Board. These enhancements facilitate ongoing dialogue and support timely action in response to the information presented.
In addition, the company developed a new framework to more accurately assess the potential risks associated with proposed new initiatives and established a Data Governance Team responsible for validating the integrity of the data that feeds the company's risk systems. Moreover, DTCC continued to be proactive in its risk management practices, including creating a Market Analytics Team, which monitors market developments and analyzes their potential impact on DTCC and its users.
To sustain an enterprise-wide focus on systemic risk, DTCC launched a new Systemic Risk Council in 2012. The Council is an advisory group comprising senior representatives from DTCC's core business and control functions. Among other things, the Council is responsible for reviewing the company's systemic risk strategy on an annual basis, identifying emerging risks from its users' respective areas and helping DTCC prioritize the most critical risk mitigation initiatives.
DTCC's "risk tolerances" – the levels of risk the organization is prepared to confront, under a range of possible scenarios, in carrying out its business functions – are determined by the Board, in consultation with the Group Chief Risk Officer.
The company's risk tolerances are defined in terms of these major risk families: credit, market, liquidity, operational, strategic and other risks. To protect the organization and its users, DTCC uses a combination of risk management tools, including strict criteria for participation. Some of the most important tools are described below.
Members/participants are subject to ongoing qualitative and quantitative monitoring of their financial condition to mitigate credit risk exposure.
The principal tool employed to manage exposure to a member's/family's potential default is the calculation and collection of margin from that member. In addition, as appropriate, DTCC clearing agency subsidiaries maintain a risk-based clearing/participant fund that estimates the potential market value volatility of unsettled positions. DTCC's models are subject to back-testing and are independently validated. The company's exposure is assessed via daily testing.
This process is designed so that DTCC's clearing agency subsidiaries maintain sufficient funding resources to cover settlement obligations in the event of a default by a member/participant or family thereof.
This area works closely with the business lines to create and execute a comprehensive program that provides each business and senior management with relevant operational risk information in order to facilitate a better business decision-making process, while balancing risk (risk/reward) decisions across all levels of the organization.
In 2012, Operational Risk collaborated with the businesses to develop metrics that are aligned to risk tolerances. These newly developed metrics allow for a more accurate measurement of DTCC's risk exposure against stated risk tolerances.
Risk tolerance levels are measured using metrics as provided by the various lines of business. Key Risk Indicators (KRIs) are highlighted and reported in the monthly Operational Risk Profiles, which include trending information on risk incidents, metrics, action plans and other indicators, mapped to the overall risk tolerance statements. Ongoing assessment, measurement, monitoring and reporting of compliance with risk tolerance help DTCC protect clients and the financial markets and systems as a whole.
In early 2012, DTCC launched its Vendor Risk Management Program, which is designed to provide a more robust and comprehensive analysis of the security, business continuity, regulatory and performance risks of key suppliers. This program will also help ensure that the company's supplier services are continually available, and that performance standards and expectations are met.
Understanding the systemic threats to DTCC, its users and the industry at large remains a top priority. Throughout 2012, DTCC continued to strengthen its systemic risk management capabilities and position itself as a thought leader on issues related to systemic risk.
DTCC offers guidance and instruction on its risk management focus in its user handbooks, which provide details of the processes by which each subsidiary identifies, monitors and manages risks.
In 2013, DTCC will continue to evolve its risk management framework in response to the current environment and potential new risks. As part of these efforts, the company is embarking on a multiyear investment in its risk systems and capabilities. DTCC is also moving expeditiously to finalize the CPSS-IOSCO self-assessment and disclosure framework.