Cyber threats are evolving at an accelerating pace. At the same time, the importance of operational and business resilience grows every day as DTCC and the broader financial market collectively look to improve processes and technology. At DTCC, innovation must be purpose driven, deliver value and reduce risk. It is through this lens that DTCC sees its role as a critical, resilient and forward-looking infrastructure providing efficiencies, mitigating risks for its stakeholders and reducing systemic risk for the ever-changing financial industry.
Large-scale cyberattacks on critical financial infrastructure are a major threat, with the potential to cause significant damage and disruption to the financial sector and the larger economy. The complexity of the financial services industry, the interconnectedness of financial firms and the markets in which they operate, and the introduction of new and innovative technologies further heighten the risk of a large-scale cyberattack.
When it comes to cybersecurity, DTCC follows core tenets that have proven effective: patch management, vulnerability management, effective monitoring of infrastructure, identity management, network segregation, segregation of duties and network access, to name a few.
In keeping with the commitment to reduce risk as well as provide certainty and reliability to the global financial system, DTCC’s Client Cybersecurity Program (CCSP) is a collaborative effort between DTCC and its clients to ensure firms have adopted proper frameworks to safeguard against cyber risks.
This is essential since an attack on one or more institutions or critical infrastructures could have a contagion effect across the financial system, especially as interconnectedness continues to grow. Raising the cyber resilience of individual firms makes the entire financial services ecosystem safer and more secure.
In addition, cyber-threat information sharing is a cornerstone of a resilient cyber defense program. What one firm learns from its peers can be used to strengthen its defenses before an attack hits or to limit its impact and recover more quickly. DTCC works with sector-specific and government agencies to enhance threat intelligence sharing and the resilience of the global financial ecosystem.
Guidance is also taken, as applicable, from a number of recognized information security standards, including:
- The internationally recognized standard “ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements”.
- The FFIEC Information Technology (IT) Examination Handbook, which comprises several booklets covering a variety of technology and technology-related risk management guidance for financial institutions and examiners.
- The NIST Cybersecurity Framework (NIST CSF) consisting of standards, guidelines, and practices to promote the protection of critical infrastructure.
- The Cyber Risk Institute Cybersecurity Profile, which is a scalable and extensible assessment that financial institutions of all types can use for cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks.
DTCC maintains an operational risk management program that enables the identification, assessment, management, monitoring and reporting of the risks encountered in the day-to-day business. The program establishes DTCC’s overall approach for identifying internal and external sources of risk, assessing their implications, prioritizing them and developing plans to address them so that they can be remediated to the extent practicable.
Each business unit implements an operational risk management program and related elements in accordance with the Clearing Agency Operational Risk Management Framework.
To determine how to address these risks, management regularly conducts operational risk profile assessments, which include a thorough analysis of DTCC’s business functions and how each of these risk categories may be implicated in the business operations. The data collected informs the organization’s business planning and helps guide decision-making with respect to the need for additional investments that may further reduce risk or the readjustment of risk tolerance. Furthermore, to enhance the current risk framework, DTCC has processes to enable the enterprise to identify and consider future scenarios that may materially impact a DTCC business to an extent that threatens the everyday viability of the business or organization. These activities allow the organization to identify possible vulnerabilities in critical functions and critical external dependencies across the enterprise.
With respect to human capital and people risk, DTCC defines job responsibilities in order to recruit qualified talent and compensates them competitively based on market data and internal equity. Personnel have access to a range of in-house, online and external learning offerings and programs to support risk management capabilities, professional/leadership development and business/functional knowledge. DTCC regularly tracks voluntary attrition, conducts exit interviews and takes appropriate action to mitigate the impact of turnover. Succession and replacement plans are in place to address key-person risk for Managing Directors and other key jobs.
Partnering With Our Vendors
At DTCC, we recognize that building strong relationships with our supply chain partners is critical to our success. In our effort to deliver outstanding products and services, we strive to position our supply chain as a key differentiator.
Business Continuity (BC) is concerned with the governance and implementation of proactive and reactive measures which ensure that enterprise and business functions have resilience and recovery capabilities to continue, should a serious event occur. This is done through the (i) integration and alignment with the various risk functions throughout the organization and sector; (ii) development of guidance and standards relating to business continuity, crisis management and location; (iii) monitoring compliance; and (iv) promotion of awareness and education. DTCC’s Global Business Continuity Policy establishes requirements for how DTCC will effect and maintain controls that address defined threats which, if not otherwise implemented, could result in a high level of risk to the continuity of enterprise operations. This policy defines the governance structure, high-level roles and responsibilities and framework for DTCC’s BC process.
Given the nature and breadth of significant business disruptive events, BC aligns its controls to the global, regional, site, service, business and support levels. The business processes have a relative importance based on the service they provide to the financial sector. The ability to deploy sensible and balanced controls, as well as to triage recovery efforts, is based on this relative importance. BC plans enable DTCC to assess the impact of the disruption, organize communication and decision-making, and coordinate the company’s response effort effectively and efficiently.
To ensure the continuity of critical business functions, DTCC’s Business Continuity and Resilience (BCR) department is responsible for working with business areas to identify instances of key person risk, workforce balance risk, and geographic concentration risk. To mitigate these types of risk, BCR utilizes work area recovery strategies that may be employed in the event of a disruption.
- Work area recovery strategies (inclusive of workforce balance, work from anywhere, transference, and on-demand seating) are assigned by BCR to employees as part of the bench strength analysis (BSA).
- The BSA is completed semiannually in tandem with business line and support unit resilience plan reviews to identify gaps with respect to key person risk, geographic concentration risk, and workforce balance risk.
- To address gaps that have been identified, short-term or long-term remediation strategies are put into place (including, but not limited to, hiring personnel and cross-training existing personnel).
- The BSA is considered best practice in the business continuity space; DTCC’s BCR program built a homegrown tool to complete this BSA, achieving a level of detail that is unique in the industry and informed by a series of inputs.
- DTCC also uses third-party tools to gather employee information and build out resilience plans, inclusive of business area call lists. Individuals on the call list are fed into the BSA tool, along with the region they work in, the facility they are assigned to, the hours they work, and the work area recovery strategy they are capable of executing. Subject matter experts then assign each individual bench strength capabilities per business function in their area.
Once this data is collected, BCR representatives run an automated analysis to identify instances of key person risk, geographic concentration risk, and workforce balance risk, as defined per DTCC’s Global BCR Policy.
- Key person risk occurs when only one individual in a given business area is identified with a bench strength of “same day.”
- Geographic concentration risk occurs for critical business functions when more than 60% of staff are located in one region.
- Workforce balance risk occurs when more than 60% of staff with “same day” capabilities for a given business function are concentrated in a single facility and work the same shift.
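The three BSA rules above, applied to a constructed call list as an added example (not DTCC's BSA tool or data). The set of critical functions and the bench strength labels are assumptions; the page only gives the three definitions and the 60% thresholds.

```python
from collections import Counter, defaultdict

# Constructed sample call list, not DTCC data: (name, business function, region, facility, shift, bench strength)
ROSTER = [
    ("A", "Settlement", "US-East", "F1", "day", "same day"),
    ("B", "Settlement", "US-East", "F1", "day", "same day"),
    ("D", "Settlement", "EU", "F3", "night", "next day"),
    ("E", "Settlement", "US-East", "F2", "day", "same day"),
    ("F", "Clearing", "US-East", "F1", "day", "same day"),
    ("G", "Clearing", "EU", "F3", "day", "next day"),
    ("I", "Reporting", "US-East", "F1", "day", "same day"),
    ("J", "Reporting", "US-East", "F1", "day", "same day"),
    ("K", "Reporting", "US-East", "F2", "night", "same day"),
]
CRITICAL_FUNCTIONS = {"Settlement", "Clearing"}  # assumed; the page only says "critical business functions"
THRESHOLD_PCT = 60  # "more than 60%" in the page's definitions

def _by_function(roster):
    groups = defaultdict(list)
    for name, fn, region, facility, shift, bench in roster:
        groups[fn].append((name, region, facility, shift, bench))
    return groups

def _exceeds(count, total, pct=THRESHOLD_PCT):
    return 100 * count > pct * total  # integer compare keeps "more than 60%" exact: 3 of 5 is not flagged

def key_person_risk(roster=ROSTER):
    """Functions where exactly one person has 'same day' bench strength."""
    flagged = []
    for fn, rows in _by_function(roster).items():
        same_day = [r for r in rows if r[4] == "same day"]
        if len(same_day) == 1:
            flagged.append((fn, same_day[0][0]))
    return sorted(flagged)

def geographic_concentration_risk(roster=ROSTER, critical=CRITICAL_FUNCTIONS):
    """Critical functions with more than the threshold share of all staff in one region."""
    flagged = []
    for fn, rows in _by_function(roster).items():
        if fn in critical:
            region, count = Counter(r[1] for r in rows).most_common(1)[0]
            if _exceeds(count, len(rows)):
                flagged.append((fn, region))
    return sorted(flagged)

def workforce_balance_risk(roster=ROSTER):
    """Functions where 'same day' staff are concentrated in one facility on one shift."""
    flagged = []
    for fn, rows in _by_function(roster).items():
        same_day = [r for r in rows if r[4] == "same day"]
        if same_day:  # a lone same-day person also trips this rule (100% in one facility/shift)
            (facility, shift), count = Counter((r[2], r[3]) for r in same_day).most_common(1)[0]
            if _exceeds(count, len(same_day)):
                flagged.append((fn, facility, shift))
    return sorted(flagged)
```

Reporting is not in the critical set, so it is checked for key person and workforce balance risk but never for geographic concentration.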
Global Security Management utilizes a comprehensive security assessment approach as part of an overall program aimed at developing and maintaining a consistent, structured and integrated methodology for identifying, monitoring, managing and reporting on security risks across physical sites and locations throughout the organization.
The process consists of several components, which include (i) a Security Vulnerability Assessment checklist which is risk-specific and facilitates the analysis and reporting of risk information using a common language; and (ii) quantitative information, including internal theft events and security breaches, area threat analysis (from a Federal and local perspective) and local area crime statistics to ascertain the effectiveness of current security control structures.
There is no single relevant international, national or industry-level standard for physical security by which guidance can be solely taken. Accordingly, select guidance is taken from a number of applicable resources.
Along with other financial industry organizations, DTCC is an active participant in the Financial Services Sector Coordinating Council (FSSCC) for Critical Infrastructure Protection and Homeland Security, a private sector group that interfaces with the U.S. Department of the Treasury and the Financial and Banking Information Infrastructure Committee on infrastructure protection issues. The FSSCC works to coordinate the financial services industry’s initiatives to protect critical financial services infrastructure. The goal is to ensure that these efforts focus on complementary objectives and contribute to achieving the highest possible level of overall industry resiliency.
DTCC staff actively participate in industry-wide business continuity testing. Some of these tests include FEMA pandemic, cybersecurity and backup site testing.
DTCC is a member of the Analysis & Resilience Center (ARC) for Systemic Risk. ARC is a cross-sector organization designed to mitigate systemic risk to the nation’s most critical infrastructure from existing and emerging threats.
DTCC is also a member of Sheltered Harbor. Sheltered Harbor is a voluntary industry initiative undertaken by the U.S. financial services sector to enhance the sector’s resiliency, and to provide additional protections for consumer account information. Its goal is to extend the industry’s capabilities to securely save and restore account data in the event of a loss of operational capability.