For DTCC, risk management means protecting and evolving with the financial markets. This entails analyzing different financial, operational and technology risks. An ever-changing risk landscape magnifies the importance of operational resilience – the ability of DTCC to anticipate and continue to provide its critical services regardless of the nature or origin of a disruptive event. Risk management is at the heart of the company’s mission as it has been since its inception more than 50 years ago.
While responsibility for proactive, day-to-day management of risk lies with business line and functional unit managers and their staff, senior management committees have an important role in implementing our risk management framework.
The Management Committee: The Management Committee provides enterprise-wide strategic direction for all aspects of DTCC’s businesses, technology and operations, human capital, financial health and risk management. Among its responsibilities, the Management Committee periodically reviews and assesses overall performance, including but not limited to, goals, metrics, targets and budget, and approves recommendations for change as necessary.
The Management Risk Committee (MRC): The MRC is primarily responsible for implementing DTCC’s risk management framework by overseeing the management of credit, market, liquidity, operational, technology and systemic risks in accordance with the DTCC Corporate Risk Framework Policy and the Risk Tolerance Statements.
Investment Management Committee (IMC): The IMC oversees and monitors DTCC’s portfolio of investments and initiatives and DTCC’s overall health. The committee’s investment oversight responsibilities include reviewing and evaluating the overall investment portfolio for adherence to DTCC’s budget and recommending to the Management Committee prioritization of ongoing and new initiatives that may be outside the original budget. The committee’s initiatives oversight responsibilities include approving material new initiatives and reviewing such initiatives through their lifecycles, including, evaluating documentation such as business cases and risk assessments and monitoring for alignment with DTCC’s strategic guidelines, performance against financial targets, risk assessments and application of lessons learned.
IT Governance Committee (ITGC): The ITGC provides holistic and comprehensive governance for DTCC’s IT organization to: (i) facilitate the oversight of the organization’s IT strategy; (ii) assess performance and progress against that strategy; and (iii) provide oversight of the technology capabilities that support DTCC’s technology. Consistent with this purpose, the ITGC oversees the development of infrastructure capabilities, technology resources, processes and controls necessary to fulfill delivery requirements and monitors key technology metrics associated with the delivery of IT’s services. The ITGC also reviews critical matters and material risk concerns related to new and existing IT services.
DTCC risks management revolves around four key areas: Resilience, Innovation, Stakeholders, and Employees.
DTCC has also established a Corporate Risk Management Framework, pursuant to which its risk tolerances are established, communicated and monitored. The goal of the Corporate Risk Management Framework is to define DTCC’s risk management program and provide guidelines to manage key risks across the organization in a comprehensive, consistent and effective manner, enabling DTCC to achieve its business objectives and remain consistent with its risk tolerances.
Risk management methodologies are integrated into all significant operations of the organization. DTCC achieves this through an approach involving three lines of defense:
The First Line of Defense: The first line of defense is comprised of the various business lines and supporting functional units including Product Management, Global Operations, Information Technology and other areas critical to DTCC’s daily operations and functioning. Their mandate is to manage risk proactively on a day-to-day basis.
The Second Line of Defense: The second line of defense is comprised of DTCC’s control functions, including the Legal Department, the Privacy Office, Compliance and those areas that fall within the Group Chief Risk Office. Their mandate is to provide advice and guidance to the first line of defense for adhering to established risk standards and/or to monitor compliance with such established risk standards.
The Third Line of Defense: The third line of defense is the Internal Audit Department (IAD). IAD’s mission is to assess DTCC’s overall control environment, risk management and control framework and, in doing so, to raise awareness of control risk and promote changes for improving governance processes. IAD provides independent and objective assurance to assist in DTCC’s maintenance of effective risk management and control practices.
< Return to Managing Risk